Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses

From: Ishay Sommer (ishaybasat_private)
Date: Wed Apr 24 2002 - 01:49:08 PDT

    Hello.
    
    This email was sent to supportat_private over a week ago,
    so far, no response.
    
    In the company that I work for, we use InterScan Version 3.6-Build_1142
    for stripping of unwanted attachments, "Spam".
    No other versions have been tested.
    
    Our sys admin has configured the mail scanner to notify all destination
    addresses of a message containing such attachments of the "Spam" alert.
    Meaning that if I send a bad content message to 10 recipients, all of
    them receive a "Spam" alert.
    
    The problem is that each one of the recipients receives to his mailbox
    the spam warning message, including all addresses to which the original
    message was sent, even if they were sent as Bcc:
    
    For example:
    
    **************** eManager Notification *****************
    
    The following mail was blocked since it contains sensitive content.
    
    Source mailbox: <ME>
    Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
    Policy: Attachment Removal
    Attachment file name: accident.mpg - video/mpg
    Action: Replaced with text
    
    The email was stripped from its attachment, since it doesn't comply with
    <ISP>'s Email Policy as can be viewed by <ISP>'s employees....
    
    ******************* End of message *********************
    
    This is a serious security disclosure vulnerability, as all of the
    message's recipients now have all the email addresses which were
    supposed to be kept secret.
    
    I wish to publish this vulnerability on Bugtraq, after providing you
    with sufficient time to correct the problem, based on your response, and
    our communication.
    
    Thank you
    
    Ishay Sommer
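
    The leak described above comes from building the "Destination mailbox(es)" line from the SMTP envelope (RCPT TO), which includes Bcc: recipients, instead of from the To:/Cc: headers that every recipient can already see. The following is an added illustration, not code from InterScan or from the poster, showing how a notification generator can be written so that Bcc: addresses never appear in any recipient's notice; the message, envelope list and notice template are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed template, modelled loosely on the eManager notice quoted above.
NOTICE = """**************** Attachment Removal Notification *****************

The following mail was blocked since it contains sensitive content.

Source mailbox: {sender}
Destination mailbox(es): {visible}
Policy: Attachment Removal
Attachment file name: {attachment}
Action: Replaced with text
"""

def visible_recipients(raw_message):
    """Addresses every recipient can legitimately see: To: and Cc: headers only.
    Envelope recipients absent from these headers were Bcc'd and must stay hidden."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def build_notifications(raw_message, envelope_rcpts, attachment):
    """Return {envelope recipient: notice text}. The disclosed recipient list is
    derived from the headers, never from the envelope, so Bcc: is not revealed."""
    msg = message_from_string(raw_message)
    sender = getaddresses([msg.get("From", "")])[0][1]
    visible = ",".join(visible_recipients(raw_message)) or "(undisclosed recipients)"
    return {r.lower(): NOTICE.format(sender=sender, visible=visible,
                                     attachment=attachment)
            for r in envelope_rcpts}

def leaked_bcc(raw_message, envelope_rcpts, attachment):
    """Self-check: hidden envelope addresses that show up in any notice. Must be []."""
    hidden = {r.lower() for r in envelope_rcpts} - set(visible_recipients(raw_message))
    notices = build_notifications(raw_message, envelope_rcpts, attachment)
    return sorted(a for a in hidden if any(a in text for text in notices.values()))

# Constructed sample: three envelope recipients, only one of them named in To:.
SAMPLE_MESSAGE = """From: me@example.com
To: rcpt1@example.com
Subject: video

see attached
"""
SAMPLE_ENVELOPE = ["rcpt1@example.com", "rcpt2@example.com", "rcpt3@example.com"]

if __name__ == "__main__":
    for rcpt, text in build_notifications(SAMPLE_MESSAGE, SAMPLE_ENVELOPE, "accident.mpg").items():
        print(f"--- notice for {rcpt} ---\n{text}")
```

    Each of the three envelope recipients still gets a notice, but the recipient line names only rcpt1; rcpt2 and rcpt3 (the Bcc: addresses) appear in nobody's copy.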
    



    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 21:36:47 PDT