MailScanner Bug - Privacy Advisory

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 2 16:24:15 IST 2010


This only occurs if you choose to use the "$to" variable in your 
inline.spam.warning.txt.
It is not present in the default templates I ship.

I would therefore suggest 2 things:
1. You remove the "Dear $to" line from your own inline.spam.warning.txt 
report file.
2. I remove "$to" from the list of available variables which can be used 
in that report file.

How about it?

Jules.

On 01/07/2010 23:39, Noel Butler wrote:
> Directed at:  Those using: Inline Spam Warning,
> %report-dir%/inline.spam.warning.txt
>
> Date first reported:        May 17, 2010 (noticed one
> month earlier, delayed reporting in case kernel.org messed up)
> Date subsequently reported: June 11, 2010
> Initial response:           June 12, 2010
> Response update:            June 12, 2010
> Acknowledgment:             none received
>
> Severity:       Moderate (IMO)
>
> Summary:    "inline spam warning" report to multiple recipients 
> displays all recipients in the warning message that is sent to all users.
>
> Description:  This lets other users know not only who else may exist 
> on the system, but also on, for example, this mailing list.
> This must be a failure of the privacy mechanism.
> Message headers in each delivered message received by the recipient 
> (verified by my own and one other recipient of that list who was kind 
> enough to forward full headers) do not include the other envelope 
> recipients; it is only contained in the MailScanner generated message.
>
>
>
> Example:
>
> Dear user1 at domain, user2 at domain, user3 at domain, ...
> (This message yielded 7 addresses in the Dear ... field all up in the 
> one I personally got)
>
> MailScanner believes the attached message which was sent to you,
> From       : linux-kernel-announce-owner at removed (but I'm sure most here 
> are smart enough to know the domain)
>
> ...  (nothing else is relevant so is not included)
>
>
>
> I am posting this to make those using the same method aware of this 
> privacy issue given no action has been taken (yes, I read the 
> changelog, I have been keeping an eye on it often)
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
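As an added illustration (not MailScanner's code, nor anything posted by Jules or Noel), the constructed Python model below shows why a report rendered once per message and expanding "$to" discloses every envelope recipient to each of them, and how removing "to" from the permitted variables, as proposed above, both blocks the expansion and lets a template audit flag the offending line. The "$from" variable, the template text and all addresses are constructed for this example.

```python
import re
from string import Template

# Constructed sample template: the "Dear $to" line the thread advises dropping.
# "$from" is a hypothetical variable used only for this illustration.
LEAKY_TEMPLATE = (
    "Dear $to,\n"
    "MailScanner believes the attached message which was sent to you,\n"
    "From: $from\n"
    "is spam.\n"
)

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
VARIABLE_RE = re.compile(r"\$\{?(\w+)\}?")


def render_per_message(template, envelope_from, envelope_to, allowed_vars):
    """Simplified model: the warning is rendered once per message, so every
    recipient gets identical text and $to is the whole envelope recipient list,
    not the individual recipient. Only variables in allowed_vars expand."""
    values = {"from": envelope_from, "to": ", ".join(envelope_to)}
    permitted = {k: v for k, v in values.items() if k in allowed_vars}
    # safe_substitute leaves unknown "$name" tokens as literal text.
    return Template(template).safe_substitute(permitted)


def addresses_in(text):
    """Distinct e-mail addresses visible in a rendered warning."""
    return sorted(set(ADDRESS_RE.findall(text)))


def audit_template(template, allowed_vars):
    """Variables used by a report template that are not in the permitted set."""
    used = {m.group(1) for m in VARIABLE_RE.finditer(template)}
    return sorted(used - set(allowed_vars))


if __name__ == "__main__":
    rcpts = ["user1@example.com", "user2@example.com", "user3@example.com"]
    leaky = render_per_message(LEAKY_TEMPLATE, "sender@example.net", rcpts, {"from", "to"})
    print("recipients disclosed:", addresses_in(leaky))
    # After the proposed change: "to" is no longer an available variable.
    fixed = render_per_message(LEAKY_TEMPLATE, "sender@example.net", rcpts, {"from"})
    print("recipients disclosed:", addresses_in(fixed))
    print("template variables to remove:", audit_template(LEAKY_TEMPLATE, {"from"}))
```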


