[Esd-l] SECURITY_NOTIFY_SENDER="YES"
John Hardin
jhardin at impsec.org
Fri May 17 06:59:01 PDT 2002
On Thu, 2002-05-16 at 22:38, C.S. Kumar wrote:
> I noticed that the sanitizer sends notification to the
> address in the "From: " field. This address may not be of the
> real sender / affected PC.
The sanitizer uses "formail -r" to generate the reply message. "formail
-r" will only use the "From:" header if more reliable headers are not
available - it tries Return-Path: first.
Make sure that there's a Return-Path: header in the messages you are
receiving. You may want to check your MTA and verify that it's
configured to make sure that header exists.
> Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
> signature like that of Klez?
Sure.
In the local-rules rule simply delete the X-Security: NOTIFY line.
I don't know how it'd be reliably done for non-signature-identified
versions. Comparing the Return-Path:, From: and Received: domains would
be one way, but such comparisons would be complicated in procmail.
Maybe the sanitizer should do some heuristic checking of the RFC822
headers to generate a "forgery score"... Hmmm.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"To disable the Internet to save EMI and Disney is the moral
equivalent of burning down the library of Alexandria to ensure the
livelihood of monastic scribes."
-- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
909 days until the Presidential Election
[demime 0.98e removed an attachment of type application/pgp-signature which had a name of signature.asc]
More information about the esd-l
mailing list