process incoming mail text as a command.

Amedee Van Gasse (ub) amedee-ubuntu at amedee.be
Fri Feb 12 09:05:17 UTC 2010


On Fri, February 12, 2010 02:59, Tomoki Taniguchi wrote:
> I am hoping someone can help me with this.
>
> I want a way to send an email to a server and have it process the
> content as a command.
> I think there is a tool out there for this, but can't seem to find the
> right search criteria to find the proper tool.
>
> to limit exposure,
> 1) I want it to check the email address of the sender (possibly other
> email header criteria for more security)

You DO know that the email address is very easy to fake, as well as every
other email header? Take a look at this example (an SMTP session that you
can type in the terminal).

telnet mail.example.com 25
HELO evilcracker.example.com
MAIL FROM: <tomoki.taniguchi at gmail.com>
RCPT TO: <tomoki.taniguchi at gmail.com>
DATA
Subject: I am spoofing your email address
From: <tomoki.taniguchi at gmail.com>

rm -rf /

.
QUIT


> 2) limit the commands it will process to a predefined list (ie, reboot)

3) run the commands as an unprivileged user!!!

> I would appreciate it if someone can point me in the right direction

Why can't you simply use ssh to log in and execute the commands? I suppose
you must have a good reason, but I really want to help you in keeping your
box secure; it's up to you to accept or decline my help.

-- 
Amedee
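
Added example, not part of the original message: a handler sketch showing that the From-header check from the question accepts the spoofed message from the SMTP session above, while a predefined command list combined with a keyed tag in the body rejects it. The HMAC tag, the key, the address owner@example.com and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

TRUSTED_SENDER = "owner@example.com"   # assumed address, constructed for the example
SHARED_KEY = b"constructed-demo-key"   # assumed secret, provisioned outside of mail

# Constructed sample: the message the spoofed SMTP session would deliver.
SPOOFED = (
    "Subject: I am spoofing your email address\n"
    "From: <owner@example.com>\n"
    "\n"
    "rm -rf /\n"
)

# Predefined list: a name maps to a fixed argv, so mail text never reaches a shell.
ALLOWED = {
    "reboot": ["/sbin/reboot"],
    "uptime": ["/usr/bin/uptime"],
}

def from_header_matches(raw):
    """Header-only check: compares a value the sender fully controls."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower() == TRUSTED_SENDER

def sign(name):
    """Tag the operator computes for a command name (hypothetical scheme)."""
    return hmac.new(SHARED_KEY, name.encode(), hashlib.sha256).hexdigest()

def decide(raw):
    """Return the fixed argv to run, or None. Body must be '<name> <tag>'."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return None
    parts = msg.get_payload().split()
    if len(parts) != 2:
        return None
    name, tag = parts
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), sign(name).encode()):
        return None
    # A valid tag is not enough: the name must also be on the list.
    # The caller should execute the returned argv as an unprivileged user.
    return ALLOWED.get(name)
```

The tag scheme has no replay protection; a captured valid message could be resent, so a real deployment would also bind a nonce or timestamp into the signed data.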




