whitelist_to getting exploited

[Glenn Steen]

On 30/12/06, Scott Silva <ssilva at sgvwater.com> wrote:
> Glenn Steen spake the following on 12/30/2006 3:15 AM:
> > On 29/12/06, Scott Silva <ssilva at sgvwater.com> wrote:
> >> Ramprasad spake the following on 12/28/2006 11:16 PM:
> >> > In our setup where we do email scanning for our clients we have a
> >> > feature by which clients can opt-out some ids from spamscan
> >> >
> >> > So I use in Mailscanner.conf
> >> >
> >> > Spam Checks = spamcheck.rules
> >> >
> >> > This file has
> >> >
> >> > To: user-1 NO
> >> > default YES
> >> >
> >> > Now a spammer marks a mail to multiple people with user-1  in BCC and
> >> > the mail passes straight
> >> > How can I get rid of this problem. If I use the user_in_whitelist_to
> >> > feature at spamassassin then too I would have the same issue
> >> >
> >> You need to set up your MTA to split mails to multiple recipients,
> >> although I
> >> think it will break the concept of BCC's, as a new copy of the message is
> >> generated for each recipient.. So recipient A will get his spam, and
> >> recipient
> >> B will get it filtered.
> >
> > Um, Scott... Why would splitting break BCC's? Do you mean that the MTA
> > of your choice would "transform" the BCC to a normal (visible)
> > recipient? Sounds a bit strange to me... The split should be very
> > transparent... and the BCC should still be ... "invisible" to all the
> > rest...
> >
> Won't the recipient show up if you have the envelope-to headers enabled?
> I was just going on memory of past postings. I haven't split messages yet, as
>   I haven't seen the need.
>
Yes, if you have that on, sure. But that happens _after_ the MTA has
split them, so... Splitting actually helps there, since every message
will have only one recipient;-).

Anyway, have a great New Year (I'll tip a nice bubbly in your general
direction tomorrow... eh, tonight:).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se