John Hardin jhardin at impsec.org
Fri May 17 06:59:01 PDT 2002

On Thu, 2002-05-16 at 22:38, C.S. Kumar wrote:
> I noticed that the sanitizer sends notification to the
> address in the "From: " field. This address may not be of the
> real sender / affected PC.

The sanitizer uses "formail -r" to generate the reply message. "formail
-r" will only use the "From:" header if more reliable headers are not
available - it tries Return-Path: first.

Make sure that there's a Return-Path: header in the messages you are
receiving. You may want to check your MTA and verify that it's
configured to make sure that header exists.

> Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
> signature like that of Klez?
In the local-rules rule simply delete the X-Security: NOTIFY line.

I don't know how it'd be reliably done for non-signature-identified
versions. Comparing the Return-Path:, From: and Received: domains would
be one way, but such comparisons would be complicated in procmail.

Maybe the sanitizer should do some heuristic checking of the RFC822
headers to generate a "forgery score"... Hmmm.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
   909 days until the Presidential Election
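
As an added example that is not part of the original post or of the sanitizer's own procmail code, the following Python sketch shows the two points discussed above: choosing the notification address the way "formail -r" is described as behaving (Return-Path: first, From: only when Return-Path: is absent), and a simple "forgery score" obtained by comparing the Return-Path:, From: and Received: domains so that a notification can be suppressed when the headers disagree. The sample messages, hosts and addresses are constructed for the example, and the scoring rules and threshold are my own assumptions, not anything the sanitizer implements.

```python
"""Notification-address selection and a header-consistency "forgery score".

Added example; not code from the mailing-list post or the sanitizer.
Sample messages below are constructed (documentation domains only).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every header agrees on example.org.
CONSISTENT_MSG = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <bob@example.net>; Thu, 16 May 2002 22:38:00 -0700
From: Alice <alice@example.org>
To: bob@example.net
Subject: hello

body
"""

# Constructed sample: envelope sender, From: and originating host all differ,
# the shape of a worm mail with a forged From: line.
FORGED_MSG = """\
Return-Path: <bounce@example.com>
Received: from infected-pc.example.net (infected-pc.example.net [192.0.2.77])
\tby mx.example.net with ESMTP id def456
\tfor <bob@example.net>; Thu, 16 May 2002 22:38:00 -0700
From: Carol <carol@example.org>
To: bob@example.net
Subject: hi

body
"""

# Constructed sample: no Return-Path: at all, so From: is the only choice.
NO_RETURN_PATH_MSG = """\
From: Dave <dave@example.org>
To: bob@example.net
Subject: hey

body
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def notification_address(raw):
    """Pick the reply address as the post describes 'formail -r' doing:
    Return-Path: is preferred, From: is used only as a fallback."""
    msg = message_from_string(raw)
    for header in ("Return-Path", "From"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr:
            return addr
    return None


def _domain(addr):
    """Domain part of an address, lower-cased; None if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def _received_hosts(msg):
    """Host named in the 'from' clause of each Received: header, in header
    order (nearest hop first, original sender last)."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(value)
        if m:
            hosts.append(m.group(1).lower().strip("()[]"))
    return hosts


def _same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def forgery_score(raw):
    """Assumed scoring: +1 if Return-Path: and From: domains differ, +1 if the
    originating host (bottom-most Received:) belongs to neither domain.
    Returns (score, reasons) so the decision can be logged."""
    msg = message_from_string(raw)
    _, rp = parseaddr(msg.get("Return-Path", ""))
    _, frm = parseaddr(msg.get("From", ""))
    rp_dom, from_dom = _domain(rp), _domain(frm)
    hops = _received_hosts(msg)
    origin = hops[-1] if hops else None
    score, reasons = 0, []
    if rp_dom and from_dom and rp_dom != from_dom:
        score += 1
        reasons.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if origin and not any(_same_org(origin, d) for d in (rp_dom, from_dom) if d):
        score += 1
        reasons.append(f"originating host {origin} matches neither domain")
    return score, reasons


def should_notify(raw, threshold=1):
    """Assumed policy: skip the sender notification once the score reaches
    the threshold, since the address is then unlikely to be the real sender."""
    return forgery_score(raw)[0] < threshold


if __name__ == "__main__":
    for name, raw in (("consistent", CONSISTENT_MSG), ("forged", FORGED_MSG),
                      ("no return-path", NO_RETURN_PATH_MSG)):
        print(name, notification_address(raw), forgery_score(raw), should_notify(raw))
```

The only Received: header consulted is the bottom-most one, because that is the hop closest to the originating machine; the upper ones are written by your own relays and say nothing about forgery. In procmail the same comparison would need several nested recipes, which is the complication the post refers to.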

