Issue Auto-responder backscatter

[cmaxwell]

We've found a strange issue with email auto-responders.

If an auto-responder is enabled for an email address and a remote user sends mail to the email address with a forged reply-to address at the local domain, the auto-responder bounces to the forged sender address as if the catchall address is enabled (even though it's set to reject).

Example:

1. [email protected] has auto-responder enabled
2. Mail to non-existent user is set to "Reject"
3. Spammer sends the following mail to server:
* From: [email protected]
* To: [email protected]
4. Auto-responder arrives at [email protected] (see screenshot below)

Mail Settings for domain:

So the auto-responder is delivered to the catchall address which is greyed out and disabled as per the screenshot above. This only happens if the sender's address is using the local domain, if it's another domain the auto-responder is delivered to them correctly.

This is repeatable across multiple domains so appears to be an issue with Plesk itself rather than a domain misconfiguration.

System details:

• Plesk 11.5.30
• MTA: Qmail
• CloudLinx 64

Does anyone have any ideas how we can resolve this?