% in rcpt to addr (relay attempt)
- To: magicmail-users@linuxmagic.com
- Subject: % in rcpt to addr (relay attempt)
- From: walnut <walnut@binboy.net>
- Date: Sun, 05 Sep 2004 14:06:59 -0700
- Delivered-to: mailing list magicmail-users@linuxmagic.com
- Mailing-list: contact magicmail-users-help@linuxmagic.com; run by ezmlm
- User-agent: Mozilla Thunderbird 0.7.1 (Windows/20040626)
hi.
i wrote the list a little while ago about the %, @ and ! symbols being
used as exploits during relay attempts.
a few of the relay tests i've tried were able to get qmail (and the
magic-mail server) to accept mail for non-existent users with these
exploits. while the mail isn't ever delivered, it does generate a bounce
and it also has the potential to get a server listed (as irresponsible
as that may seem).
the test servers are:
http://members.iinet.net.au/~remmie/relay/
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
there are several other relay tests online that test for the same hack.
i'm writing the list because i found a patch for qmail that prevents
these exploits:
http://www.qmail.org/qmail-smtpd-relay-reject
and i've copied that patch's logic and diff'd magic-smtpd to do the
same. my patch works, however i'm just wondering if i've applied the
change in the appropriate place. here's my patch:
--- orig/magic-smtpd.c 2004-05-03 14:18:36.000000000 -0700
+++ magic-smtpd.c 2004-09-05 13:54:56.655246432 -0700
@@ -1209,6 +1209,21 @@
if (in_rcpt_hosts) {
retval = 0;
+ int j;
+ char *buffer;
+ buffer = LM_STRING_BUFFER(rcptaddr);
+ j = strlen(buffer);
+ while(--j >= 0)
+ if (buffer[j] == '@') break;
+ if (j < 0) j = strlen(buffer);
+ while(--j >= 0) {
+ if (buffer[j] == '@' || buffer[j] == '%' || buffer[j] == '!') {
+ fprintf(stdout, "553 we don't relay (#5.7.1)\r\n");
+ fflush(stdout);
+ return -1;
+ }
+ }
+
/* Check to see if the rcpt address is a valid user */
if ((!rcpt_bracket_ip_flag) && (config.check_valid_users != 0)) {
retval = msd_check_rcpt_user(&addr, &spamdir);
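Review bot: the rejection inside the second while loop writes the 553 reply with fprintf(stdout, ...) and leaves through `return -1`, while the block it sits in records its outcome in `retval`; please confirm that the callers of this function treat -1 as "already answered, do not accept", and if the file has a common reply or exit path, set `retval` and use that instead, so any cleanup after this block still runs. On placement, putting the check inside `if (in_rcpt_hosts)` and ahead of msd_check_rcpt_user() looks right for the stated goal, since the address is refused before the valid-user lookup and no bounce is generated. Two smaller points: `int j;` and `char *buffer;` are declared after the statement `retval = 0;`, which pre-C99 compilers reject, so move them to the top of the block; and the first `while(--j >= 0)` has no braces and the hunk has no comment, so add both and say that the scan covers only the part left of the last '@' (or the whole string when there is none, via `if (j < 0) j = strlen(buffer);`).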
thanks for your help, and please let me know if this is useful.