MailScanner Bug - Privacy Advisory
noel.butler at ausics.net
Thu Jul 1 23:39:05 IST 2010
Directed at: Those using: Inline Spam Warning, %report-dir
Date first reported: May 17, 2010 (noticed one month
earlier, delayed reporting in case kernel.org messed up)
Date subsequently reported: June 11, 2010
Initial response June 12, 2010
Response update June 12, 2010
Acknowledgment none received
Severity: Moderate (IMO)
Summary: the "inline spam warning" report, when sent to multiple recipients,
displays all recipients in the warning message that is sent to all of them.
Description: This lets other users know not only who else may exist on
the system, but also on, for example this mailing list.
This must be a failure of the privacy mechanism.
Message headers in each delivered message received by the recipient
(verified by my own and one other recipient of that list who was kind
enough to forward full headers) do not include the other envelope
recipients; they are only contained in the MailScanner generated message.
Dear user1 at domain, user2 at domain, user3 at domain, ...
(This message yielded 7 addresses in the Dear ... field, all up, in the
one I personally got)
MailScanner believes the attached message which was sent to you,
From: linux-kernel-announce-owner at removed (but I'm sure most
here are smart enough to know the domain)
... (nothing else is relevant so is not included)
I am posting this to make those using the same method aware of this
privacy issue, given that no action has been taken (yes, I read the changelog;
I have been keeping an eye on it often).
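As an added illustration (not part of the post above, and not MailScanner's own code), the check below flags a rendered warning whose "Dear ..." salutation names anyone other than the recipient it is delivered to, and shows the per-recipient rendering that avoids the disclosure. The addresses, the template text and the %RECIPIENT% placeholder are constructed for the example, not MailScanner's template syntax.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the salutation quoted in the advisory:
# the warning is rendered once with every envelope recipient, then sent to all.
FLAWED_WARNING = (
    "Dear user1@example.org, user2@example.org, user3@example.org,\n"
    "MailScanner believes the attached message which was sent to you,\n"
    "From: list-owner@example.net\n"
    "is spam.\n"
)

# Constructed per-recipient template; %RECIPIENT% is a placeholder chosen
# for this example, not a real MailScanner variable.
SAFE_TEMPLATE = (
    "Dear %RECIPIENT%,\n"
    "MailScanner believes the attached message which was sent to you,\n"
    "From: list-owner@example.net\n"
    "is spam.\n"
)

SALUTATION = re.compile(r"^Dear\s+(.+?),?\s*$", re.MULTILINE)
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+")


def disclosed_recipients(warning: str) -> List[str]:
    """Return every address named in the 'Dear ...' line of a warning body."""
    match = SALUTATION.search(warning)
    if not match:
        return []
    return EMAIL.findall(match.group(1))


def leaks_other_recipients(warning: str, recipient: str) -> bool:
    """True if the copy delivered to `recipient` names any other address."""
    named = {addr.lower() for addr in disclosed_recipients(warning)}
    return bool(named - {recipient.lower()})


def render_per_recipient(template: str, recipients: List[str]) -> Dict[str, str]:
    """Mitigation: render the warning once per envelope recipient so each
    copy contains only that recipient's own address."""
    return {r: template.replace("%RECIPIENT%", r) for r in recipients}
```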