[NEWS] InterScan Reveals The List of BCC When It Strips Attachments (Via Alert)
From: support@securiteam.com Date: 04/25/02
- Previous message: support@securiteam.com: "[UNIX] Kerberos4 FTP Client Found to Contain a Heap Overflow"
From: support@securiteam.com To: list@securiteam.com Date: Thu, 25 Apr 2002 10:13:34 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
InterScan Reveals The List of BCC When It Strips Attachments (Via Alert)
------------------------------------------------------------------------
SUMMARY
<http://www.antivirus.com/products/internet_gateway.htm> InterScan, a
product by TrendMicro, has been found to contain a vulnerability that
causes it to reveal the complete list of a message's recipients, including
those placed in the Bcc: field. This is a serious privacy disclosure:
every recipient of the message ends up with the addresses that were
supposed to be kept secret.
DETAILS
Vulnerable systems:
InterScan version 3.6 Build 1142
Recreation:
1) Configure the mail scanner to notify all destination addresses when a
message contains attachments or any other "not allowed" content (such as
spam).
2) Send a message with such content to 10 recipients, listing some of them
in the Bcc: field.
3) Each recipient receives the warning message in their mailbox, and it
lists every address the original message was sent to, including those that
were only in Bcc:
Example notification:
The following mail was blocked since it contains sensitive content.
Source mailbox: <ME>
Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
Policy: Attachment Removal
Attachment file name: accident.mpg - video/mpg
Action: Replaced with text
The email was stripped of its attachment, since it doesn't comply with
<ISP>'s Email Policy as can be viewed by <ISP>'s employees....
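The likely mechanism, assumed here rather than stated in the advisory, is that a gateway scanner works from the SMTP envelope (every RCPT TO), which includes Bcc recipients, while the Bcc: header itself is normally gone from the transmitted message; building one notice that enumerates the envelope and mailing it to everyone therefore exposes the hidden addresses. The following Python model is an added example, not InterScan code, and uses constructed addresses and a constructed message: `leaky_notification` reproduces the behaviour described above, `safe_notification` lists only addresses a recipient could already read in To:/Cc: (plus their own), and `disclosed_bcc` is the check a tester would run against any notice template.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not from the advisory): the SMTP envelope as the
# gateway sees it. rcpt3 was Bcc'd, so it appears in RCPT TO but in no header.
ENVELOPE_RCPTS = ["rcpt1@example.com", "rcpt2@example.com", "rcpt3@example.com"]


def sample_message() -> EmailMessage:
    """Constructed message carrying an attachment the policy would strip."""
    msg = EmailMessage()
    msg["From"] = "me@example.com"
    msg["To"] = "rcpt1@example.com"
    msg["Cc"] = "rcpt2@example.com"
    # No Bcc: header: the submitting client/MTA removes it before transmission.
    msg["Subject"] = "video"
    msg.set_content("see attached")
    msg.add_attachment(b"\x00\x00\x01\xba", maintype="video", subtype="mpg",
                       filename="accident.mpg")
    return msg


def header_recipients(msg: EmailMessage) -> set[str]:
    """Addresses every recipient can already read in the To:/Cc: headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def leaky_notification(msg: EmailMessage, envelope_rcpts: list[str]) -> str:
    """The behaviour the advisory describes: a single notice that enumerates
    every envelope recipient and is delivered to all of them."""
    return (
        "The following mail was blocked since it contains sensitive content.\n"
        f"Source mailbox: {msg['From']}\n"
        f"Destination mailbox(es): {','.join(envelope_rcpts)}\n"
        "Policy: Attachment Removal\n"
    )


def safe_notification(msg: EmailMessage, envelope_rcpts: list[str],
                      recipient: str) -> str:
    """Per-recipient notice. Only addresses already visible in To:/Cc: are
    listed; an address known solely from the envelope (Bcc) is named only in
    the copy addressed to that recipient."""
    visible = header_recipients(msg)
    shown = sorted({r.lower() for r in envelope_rcpts if r.lower() in visible}
                   | {recipient.lower()})
    return (
        "The following mail was blocked since it contains sensitive content.\n"
        f"Source mailbox: {msg['From']}\n"
        f"Destination mailbox(es): {','.join(shown)}\n"
        "Policy: Attachment Removal\n"
    )


def disclosed_bcc(notice: str, msg: EmailMessage, envelope_rcpts: list[str],
                  recipient: str) -> set[str]:
    """Check: envelope recipients named in `notice` that `recipient` could not
    have learned from the headers and that are not the recipient themself.
    A non-empty result means the notice leaks Bcc recipients to `recipient`."""
    visible = header_recipients(msg) | {recipient.lower()}
    body = notice.lower()
    return {r.lower() for r in envelope_rcpts
            if r.lower() not in visible and r.lower() in body}


if __name__ == "__main__":
    m = sample_message()
    for rcpt in ENVELOPE_RCPTS:
        leaked = disclosed_bcc(leaky_notification(m, ENVELOPE_RCPTS),
                               m, ENVELOPE_RCPTS, rcpt)
        fixed = disclosed_bcc(safe_notification(m, ENVELOPE_RCPTS, rcpt),
                              m, ENVELOPE_RCPTS, rcpt)
        print(f"{rcpt}: leaky reveals {sorted(leaked)}, safe reveals {sorted(fixed)}")
```

Run against the constructed message, the leaky notice hands rcpt3's address to rcpt1 and rcpt2, while the per-recipient notice discloses nothing beyond what each recipient's own headers already showed. The same check applies to any gateway that notifies recipients rather than only the sender or the administrator: feed it the rendered notice, the message as delivered, and the envelope, and confirm the result is empty for every recipient.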
ADDITIONAL INFORMATION
The information has been provided by <mailto:ishaybas@netvision.net.il>
Ishay Sommer.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.