RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses

From: Florent Trupheme (ftrupheme@telsys.ch)
Date: 04/25/02


From: Florent Trupheme <ftrupheme@telsys.ch>
To: "Ishay Sommer" <ishaybas@netvision.net.il>, <bugtraq@securityfocus.com>
Date: Thu, 25 Apr 2002 10:25:55 +0200


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

The current version for InterScan Solaris is 1207 and corrects your
issue.

regards

>> -----Original Message-----
>> From: Ishay Sommer [mailto:ishaybas@netvision.net.il]
>> Sent: Wednesday, 24 April 2002 10:49
>> To: bugtraq@securityfocus.com
>> Subject: Trendmicro - Interscan - List of BCC: is revealed when
>> stripping attachments and notifying destination addresses
>>
>>
>> Hello.
>>
>> This email was sent to support@trendmicro.com over a week ago,
>> so far, no response.
>>
>> In the company that I work for, we use -InterScan Version
>> 3.6-Build_1142, for
>> stripping of unwanted attachments, "Spam".
>> No other versions have been tested.
>>
>> Our sys admin has configured the mail scanner, to notify all
>> destination addresses of a message containing such attachments, of
>> the "Spam" alert. Meaning, that if I send a bad content message to
>> 10 recipients, all of them receive
>> a "Spam" alert.
>>
>> The problem is that each one of the recipients receives in his
>> mailbox the spam warning message,
>> including all addresses to which the original message was sent,
>> even if they were sent as Bcc:
>>
>> For example:
>>
>> **************** eManager Notification *****************
>>
>> The following mail was blocked since it contains sensitive
>> content.
>>
>> Source mailbox: <ME>
>> Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
>> Policy: Attachment Removal
>> Attachment file name: accident.mpg - video/mpg
>> Action: Replaced with text
>>
>> The email was stripped from its attachment, since it doesn't
>> comply with <ISP>'s Email Policy as can be viewed by <ISP>'s
>> employees....
>>
>> ******************* End of message *********************
>>
>> This is a serious security disclosure vulnerability, as all of the
>> message's recipients now have all
>> the email addresses that were supposed to be kept secret.
>>
>> I wish to publish this vulnerability on Bugtraq, after providing
>> you with sufficient time to correct the problem, based on your
>> response, and our communication.
>>
>> Thank you
>>
>> Ishay Sommer
>>
>>
>>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPMe9j5C2KxGEE+dSEQIXfQCgtHMtxSf3qR0Ms8HiTrr79rQWHIIAoNr3
VC6BwNU5xhKRpJNJxYVapZJ0
=Yjzr
-----END PGP SIGNATURE-----
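
Added example, not part of either post and not Trend Micro's code: a sketch of how a notifier that fills "Destination mailbox(es)" from the SMTP envelope exposes Bcc addresses, next to a per-recipient variant and a check that flags the leak. The addresses, function names and the one-line notice format are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the Bcc recipient exists only in the SMTP envelope.
RAW = (
    "From: me@example.org\n"
    "To: rcpt1@example.org\n"
    "Cc: rcpt2@example.org\n"
    "Subject: video\n"
    "\n"
    "body\n"
)
ENVELOPE_RCPTS = ["rcpt1@example.org", "rcpt2@example.org", "rcpt3@example.org"]


def visible_recipients(msg):
    """Addresses every recipient can already see in the To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})


def leaky_notifications(msg, envelope_rcpts):
    """Behaviour reported in the thread: every notice lists the full envelope."""
    line = "Destination mailbox(es): " + ",".join(envelope_rcpts)
    return {rcpt: line for rcpt in envelope_rcpts}


def safe_notifications(msg, envelope_rcpts):
    """One notice per recipient: header-visible addresses plus the reader's own."""
    visible = visible_recipients(msg)
    notices = {}
    for rcpt in envelope_rcpts:
        shown = sorted(set(visible) | {rcpt.lower()})
        notices[rcpt] = "Destination mailbox(es): " + ",".join(shown)
    return notices


def bcc_leaks(msg, envelope_rcpts, notices):
    """Return (reader, address) pairs where a hidden address is shown to someone else."""
    hidden = {r.lower() for r in envelope_rcpts} - set(visible_recipients(msg))
    return sorted((reader, addr) for reader, text in notices.items()
                  for addr in hidden if addr in text.lower() and addr != reader.lower())


if __name__ == "__main__":
    msg = message_from_string(RAW)
    print(bcc_leaks(msg, ENVELOPE_RCPTS, leaky_notifications(msg, ENVELOPE_RCPTS)))
    print(bcc_leaks(msg, ENVELOPE_RCPTS, safe_notifications(msg, ENVELOPE_RCPTS)))
```

The same bcc_leaks check can be run over notices captured from a test message sent through a gateway, to confirm whether a given build still discloses envelope-only recipients.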


