[Esd-l] SECURITY_NOTIFY_SENDER= question

John D. Hardin jhardin at impsec.org
Thu Jan 29 06:35:37 PST 2004


On Thu, 29 Jan 2004, Sergio P. Cesar wrote:

> Does the email sent back to the sender when
> SECURITY_NOTIFY_SENDER="textfile" contain the email?

Does it contain a copy of the original attack message? No, it only
includes the RFC822 message headers.

> It looks like the warning sent to the sender contains the attached
> virus and if the sender email system has a trap for it it bounces
> back with a warning from them thus the sender does not get the
> warning.

The ONLY time the sanitizer would possibly return the full original
message to the sender is if quarantine was attempted and failed, and
SECURITY_QUARANTINE_OPTIONAL was not set, and even then it wouldn't be
the sanitizer's doing.

If quarantine fails, the sanitizer returns an error code to the MTA.
If the MTA attempts delivery via the sanitizer, and that fails with an
error code, it *MAY* return the entire message to the sender rather
than just a non-delivery notification.

Please check the configuration of your MTA to see whether it does
this. Please check your sanitizer log; it may have notices about
failed quarantine attempts.

> If this is the case, is there a way to just send the warning and
> /dev/null the actual message?

Yes. Right near the end of the sanitizer there is this:

      # Argh! Quarantine failed, and not explicitly marked as optional!
      # Bounce message, and notify administrator
      LOG="${NL} ERR: QUARANTINE FAILED!${NL}"
      EXITCODE=65

Comment out the EXITCODE line. The sanitizer will report successful
delivery to the MTA, and will drop the message into /dev/null.

I will add SECURITY_SILENT_QUARANTINE_FAILURE as an option to
configure this behavior.

> I may be a little lost and confused on the sheer volume of
> warnings and error messages :(

Yup.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   65 days until the Slovakian Presidential Election


