MailScanner Bug - Privacy Advisory

Noel Butler noel.butler at ausics.net
Thu Jul 1 23:39:05 IST 2010


Directed at:    Those using:  Inline Spam Warning, %report-dir%/inline.spam.warning.txt

Date first reported:        May 17, 2010 (noticed one month earlier; delayed reporting in case kernel.org messed up)
Date subsequently reported: June 11, 2010
Initial response:           June 12, 2010
Response update:            June 12, 2010
Acknowledgment:             none received

Severity:       Moderate (IMO)

Summary:    The "inline spam warning" report sent to multiple recipients
displays all recipients in the warning message that is sent to every
user.

Description:  This lets other users know not only who else may exist on
the system, but also who is on, for example, this mailing list.
This must be a failure of the privacy mechanism.
Message headers in each delivered message received by the recipient
(verified by my own and by one other recipient of that list who was kind
enough to forward full headers) do not include the other envelope
recipients; they are only contained in the MailScanner generated message.



Example: 

Dear user1 at domain, user2 at domain, user3 at domain, ...
(This message yielded 7 addresses in the Dear ... field all up in the
one I personally got.)

MailScanner believes the attached message which was sent to you,
From       : linux-kernel-announce-owner at removed  (but I'm sure most
here are smart enough to know the domain)

...  (nothing else is relevant so is not included)



I am posting this to make those using the same method aware of this
privacy issue, given that no action has been taken (yes, I read the
changelog; I have been keeping an eye on it often).
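The leak described above, as an added example that is not part of the original post and is not MailScanner's own code: a small Python check that parses a received warning notice, pulls the addresses out of the "Dear ..." salutation and reports any that are not the notice's own recipient, beside the per-recipient rendering that avoids the leak by expanding the template once for each envelope recipient. The sample notice text, the template, the addresses and the domains are constructed for illustration, and the {recipient} and {sender} placeholders are hypothetical stand-ins for whatever tokens a real template would use.

```python
import re
from email import message_from_string

# Loose RFC-ish mailbox pattern; good enough to pick addresses out of a salutation line.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: the shape of the leaking notice the post describes.
# Every address and domain here is invented.
LEAKING_NOTICE = """From: postmaster@mx.example
To: user1@example.org
Subject: Message held

Dear user1@example.org, user2@example.org, user3@example.org,

MailScanner believes the attached message which was sent to you,
From       : list-owner@example.net
is spam.
"""

# Constructed per-recipient template (hypothetical placeholders, not MailScanner syntax):
# the greeting and the To: header name only the one recipient the notice is delivered to.
SAFE_TEMPLATE = """From: postmaster@mx.example
To: {recipient}
Subject: Message held

Dear {recipient},

MailScanner believes the attached message which was sent to you,
From       : {sender}
is spam.
"""


def _body(notice_text: str) -> str:
    """Return the text body of a notice, taking the first part if it is multipart."""
    msg = message_from_string(notice_text)
    if msg.is_multipart():
        return msg.get_payload(0).get_payload()
    return msg.get_payload()


def greeting_addresses(notice_text: str) -> list[str]:
    """Addresses appearing on the 'Dear ...' salutation line of the notice body."""
    for line in _body(notice_text).splitlines():
        if line.lower().startswith("dear "):
            return ADDR_RE.findall(line)
    return []


def leaks_other_recipients(notice_text: str) -> list[str]:
    """Salutation addresses other than the notice's own To: recipient.

    A non-empty list means the notice is exposing other envelope recipients,
    which is exactly the leak the post reports.
    """
    msg = message_from_string(notice_text)
    own = {a.lower() for a in ADDR_RE.findall(msg.get("To", ""))}
    return [a for a in greeting_addresses(notice_text) if a.lower() not in own]


def render_per_recipient(template: str, recipients: list[str], **fields) -> dict[str, str]:
    """Expand the template once per recipient so each notice names only that recipient.

    Returns a mapping of recipient -> rendered notice; `fields` carries the
    remaining template values (here only `sender`).
    """
    return {r: template.format(recipient=r, **fields) for r in recipients}


if __name__ == "__main__":
    print("leaked:", leaks_other_recipients(LEAKING_NOTICE))
    rendered = render_per_recipient(
        SAFE_TEMPLATE,
        ["user1@example.org", "user2@example.org"],
        sender="list-owner@example.net",
    )
    for rcpt, text in rendered.items():
        print(rcpt, "->", leaks_other_recipients(text))
```

The check is meant to be run over the notices you actually received: if `leaks_other_recipients` returns anything, the template (or the code expanding it) is substituting the whole envelope recipient list rather than the single delivery address, and the fix is on the rendering side, not in the recipients' mail clients.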
