MailScanner Bug - Privacy Advisory
MailScanner at ecs.soton.ac.uk
Fri Jul 2 16:24:15 IST 2010
This only occurs if you choose to use the "$to" variable in your
It is not present in the default templates I ship.
I would therefore suggest 2 things:
1. You remove the "Dear $to" line from your own inline.spam.warning.txt
2. I remove "$to" from the list of available variables which can be used
in that report file.
How about it?
On 01/07/2010 23:39, Noel Butler wrote:
> Directed at: Those using : Inline Spam Warning,
> Date first reported: May 17, 2010 (noticed one month earlier, delayed reporting in case kernel.org messed up)
> Date subsequently reported: June 11, 2010
> Initial response June 12, 2010
> Response update June 12, 2010
> Acknowledgment none received
> Severity: Moderate (IMO)
> Summary: "inline spam warning" report to multiple recipients,
> displays all recipients in the warning message that are sent to all users.
> Description: This lets other users know not only who else may exist
> on the system, but also on, for example this mailing list.
> This must be a failure of the privacy mechanism.
> Message headers in each delivered message received by the recipient
> (verified by my own and one other recipient of that list who was kind
> enough to forward full headers,) do not include the other envelope
> recipients, it is only contained in the MailScanner generated message.
> Dear user1 at domain, user2 at domain, user3 at domain <mailto:user3 at domain> , ...
> (This message yielded 7 addresses in the Dear ... field all up in the
> one I personally got)
> MailScanner believes the attached message which was sent to you,
> From : linux-kernel-announce-owner at removed
> <mailto:linux-kernel-announce-owner at removed> (but I'm sure most here
> are smart enough to know the domain)
> ... (nothing else is relevant so is not included)
> I am posting this to make those using the same method aware of this
> privacy issue given no action has been taken (yes, I read the
> changelog, I have been keeping an eye on it often)
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Need help fixing or optimising your systems?
Need help getting you started solving new requirements from your boss?
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
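The two suggestions in the thread (drop the "Dear $to" line from a site's own inline.spam.warning.txt, and remove "$to" from the variables a report may use) can both be checked mechanically. The script below is an added example, not MailScanner's own code: it assumes a simplified substitution model in which variables are written as $name and $to expands to the comma-joined list of every envelope recipient (the behaviour the report describes), and it uses constructed templates and constructed recipient addresses rather than real files.

```python
"""Lint custom MailScanner report templates for the $to variable and show
why it leaks: added example, not MailScanner's own code.

Assumptions (not taken from the thread): templates use $name variables
expanded like Python's string.Template, and $to expands to every envelope
recipient of the delivery joined by ", ".
"""
import re
from string import Template

# Constructed sample of a site-customised inline.spam.warning.txt that
# still carries the "Dear $to" line discussed in the thread.
LEAKY_TEMPLATE = """Dear $to,

MailScanner believes the attached message which was sent to you,
From: $from
is spam.
"""

# The same template with the recipient line removed (suggestion 1).
FIXED_TEMPLATE = """MailScanner believes the attached message which was sent to you,
From: $from
is spam.
"""

# Constructed envelope recipients of one multi-recipient delivery.
RECIPIENTS = ["user1@example.org", "user2@example.org", "user3@example.org"]

# Variables a report template is allowed to reference. "to" is deliberately
# absent, mirroring suggestion 2 (take $to out of the available variables).
# The set itself is an assumption for this example, not MailScanner's list.
ALLOWED_VARS = {"from", "subject", "date", "id"}

VAR_RE = re.compile(r"\$(\w+)")


def find_variables(template):
    """Return the set of $variables a template references."""
    return set(VAR_RE.findall(template))


def find_disallowed(template, allowed=ALLOWED_VARS):
    """Variables the template uses that are not on the allow-list.

    A non-empty result means the template should be rejected or edited
    before it is deployed.
    """
    return find_variables(template) - set(allowed)


def render(template, recipients, sender):
    """Expand the template under the assumed model: $to becomes the full
    envelope recipient list, so one warning text goes to every recipient."""
    values = {"to": ", ".join(recipients), "from": sender}
    return Template(template).safe_substitute(values)


def leaked_recipients(rendered, recipients, own_address):
    """Envelope recipients, other than the reader's own address, that the
    rendered warning discloses to that reader."""
    return [r for r in recipients if r != own_address and r in rendered]


if __name__ == "__main__":
    for name, tpl in (("leaky", LEAKY_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        bad = find_disallowed(tpl)
        text = render(tpl, RECIPIENTS, "list-owner@example.org")
        seen = leaked_recipients(text, RECIPIENTS, "user1@example.org")
        print(f"{name}: disallowed variables={sorted(bad)} "
              f"addresses disclosed to user1={seen}")
```

Running it as a pre-deployment check over each report file in a site's custom report directory (the loop here only covers the two embedded samples) flags any template that references $to, and the render step shows concretely what a single recipient of a multi-recipient message would see with and without that line.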