freebsd-uucp: rmail fails on email addresses with leading dashes

Michael Grimm trashcan at
Fri Oct 24 20:29:07 UTC 2008

Hi - 
I recently subscribed to this ML, although reading it quite some time 
at Usenet. The background for this mail has its origin in a thread in
comp.unix.bsd.freebsd.misc, see [1]. 

I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
'/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
dumb spammers using guessed email addresses with leading '-' like
'-important at example.tld'. (If I'm not mistaken, then localparts with
leading dashes are valid ones.)
This will result in an uuxqt call ...
	/bin/rmail -important at example.tld
... with an UUCP error, which is absolutely correct, because rmail 
doesn't know of any parameter '-important at example.tld'.
Workaround is a wrapper script calling 'rmail -- $*'.
This has been considered a security issue in [1], and the recommendation
was fixing uuxqt to call 'rmail --', instead.

Although I volunteered to fix it myself, I have to admit that this would
be far beyond my abilities. UUCP looks a rather complicated system to
me. I could't find the call to rmail in uuxqt's sourcecode. 

But, I realized that a so-called 'execute file' is used to tell uuxqt
what to do. I tried to modify an example file in a way that rmail might
have been called the way I need:

'execute file' example:
	U mail somename
	F D.somenameC4X7W
	I D.somenameC4X7W
	R spammer at spammers.invalid
	C rmail -important at example.tld

I tried to modify it to ...
        C rmail -- -important at example.tld
        C rmail '-- -important at example.tld'
        C rmail "-- -important at example.tld"
... without success:
	ERROR: Execution: Exit status 64

Well, but ...
        C rmail '-important at example.tld'
... worked. uux is generating those 'execute files', but now I'm stuck.
I can't find where I could patch the sourcecode. And, more importantly,
I can't oversee what will break if I could fix it the way I want ... :-(
Anyone out there who could help me? This is oooold software, I know ;-) 

