[Esd-l] SECURITY_NOTIFY_SENDER="YES"

John Hardin jhardin at impsec.org
Fri May 17 06:59:01 PDT 2002


On Thu, 2002-05-16 at 22:38, C.S. Kumar wrote:
> I noticed that the sanitizer sends notification to the
> address in the "From: " field. This address may not be of the
> real sender / affected PC.

The sanitizer uses "formail -r" to generate the reply message. "formail
-r" will only use the "From:" header if more reliable headers are not
available - it tries Return-Path: first.

Make sure that there's a Return-Path: header in the messages you are
receiving. You may want to check your MTA and verify that it's
configured to make sure that header exists.

> Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
> signature like that of Klez?

Sure.

In the local-rules rule simply delete the X-Security: NOTIFY line.

I don't know how it'd be reliably done for non-signature-identified
versions. Comparing the Return-Path:, From: and Received: domains would
be one way, but such comparisons would be complicated in procmail.

Maybe the sanitizer should do some heuristic checking of the RFC822
headers to generate a "forgery score"... Hmmm.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
   909 days until the Presidential Election

[demime 0.98e removed an attachment of type application/pgp-signature which had a name of signature.asc]



More information about the esd-l mailing list