
RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attach: msg#00364

security.bugtraq

Subject: RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

The current version for InterScan Solaris is 1207 and corrects your
issue.

regards



>> -----Original Message-----
>> From: Ishay Sommer [mailto:ishaybas@xxxxxxxxxxxxxxxx]
>> Sent: Wednesday, 24 April 2002 10:49
>> To: bugtraq@xxxxxxxxxxxxxxxxx
>> Subject: Trendmicro - Interscan - List of BCC: is revealed when
>> stripping attachments and notifying destination addresses
>>
>>
>> Hello.
>>
>> This email was sent to support@xxxxxxxxxxxxxx over a week ago,
>> so far, no response.
>>
>> In the company that I work for, we use -InterScan Version
>> 3.6-Build_1142, for stripping of unwanted attachments, "Spam".
>> No other versions have been tested.
>>
>> Our sys admin has configured the mail scanner, to notify all
>> destination addresses of a message containing such attachments, of
>> the "Spam" alert. Meaning, that if I send a bad content message to
>> 10 recipients, all of them receive a "Spam" alert.
>>
>> The problem is that, each one of the recipients receives to his
>> mailbox the spam warning message, including all addresses of which
>> the original message was sent to, even if they were sent as Bcc:
>>
>> For example:
>>
>> **************** eManager Notification *****************
>>
>> The following mail was blocked since it contains sensitive
>> content.
>>
>> Source mailbox: <ME>
>> Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
>> Policy: Attachment Removal
>> Attachment file name: accident.mpg - video/mpg
>> Action: Replaced with text
>>
>> The email was stripped from its attachment, since it doesn't
>> comply with <ISP>'s Email Policy as can be viewed by <ISP>'s
>> employees....
>>
>> ******************* End of message *********************
>>
>> This is a serious security disclosure vulnerability, as all of the
>> message's recipients, now have all the email addresses who were
>> supposed to be kept secret.
>>
>> I wish to publish this vulnerability on Bugtraq, after providing
>> you with sufficient time to correct the problem, based on your
>> response, and our communication.
>>
>> Thank you
>>
>> Ishay Sommer
>>
>>
>>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPMe9j5C2KxGEE+dSEQIXfQCgtHMtxSf3qR0Ms8HiTrr79rQWHIIAoNr3
VC6BwNU5xhKRpJNJxYVapZJ0
=Yjzr
-----END PGP SIGNATURE-----
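
The disclosure reported in the quoted message, as an added example that is not part of the original thread and is not InterScan code: a notification built from the SMTP envelope recipient list exposes Bcc'd addresses, while one restricted to addresses already visible in To:/Cc: (plus the reader's own) does not. All function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: three envelope recipients, rcpt3 was Bcc'd (not in headers).
RAW = """\
From: me@example.com
To: rcpt1@example.com
Cc: rcpt2@example.com

(body; attachment replaced with text)
"""
ENVELOPE_RCPTS = ["rcpt1@example.com", "rcpt2@example.com", "rcpt3@example.com"]
MSG = message_from_string(RAW)


def header_recipients(msg):
    """Addresses every recipient can already see in To:/Cc: (lower-cased)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def leaky_notice(msg, envelope_rcpts, recipient):
    """Behaviour described in the report: every envelope recipient is listed."""
    return sorted(a.lower() for a in envelope_rcpts)


def safe_notice(msg, envelope_rcpts, recipient):
    """List only header-visible recipients, plus the reader's own address."""
    envelope = {a.lower() for a in envelope_rcpts}
    shown = envelope & header_recipients(msg)
    if recipient.lower() in envelope:
        shown.add(recipient.lower())  # a Bcc'd reader sees themselves only
    return sorted(shown)


def bcc_leaks(msg, envelope_rcpts, build):
    """Map each recipient to the hidden addresses (not their own) shown to them."""
    visible = header_recipients(msg)
    leaks = {}
    for rcpt in envelope_rcpts:
        exposed = set(build(msg, envelope_rcpts, rcpt)) - visible - {rcpt.lower()}
        if exposed:
            leaks[rcpt] = sorted(exposed)
    return leaks


if __name__ == "__main__":
    print("leaky:", bcc_leaks(MSG, ENVELOPE_RCPTS, leaky_notice))
    print("safe: ", bcc_leaks(MSG, ENVELOPE_RCPTS, safe_notice))
```

The `bcc_leaks` check can double as a regression test for any gateway template that fills a "Destination mailbox(es)" field.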



