-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 09/15/2003
affected version(s): amavis-0.2.x, amavis-0.3.x, amavisd (all versions)
                     below amavisd-new-20021227-p2 (please see further
                     on for details)
Vulnerability Type:  virus notifications may cause enormous traffic
                     and/or worry and annoy innocent people when a
                     worm/virus has forged the sender address
Priority: normal
Solution: disable sender notification
Author: Rainer Link <rainer@...>
Advisory ID: ASA-2003-2
Contact: security@...
----------------------------------------------------------------------------
1. Problem description
Nowadays, many viruses and worms use forged sender addresses, e.g.
by using addresses found in the Outlook address book. By default,
amavis 0.2.x, amavis 0.3.x and amavisd (all versions) send a virus
notification message to the sender (for every mail containing
a virus/worm). As seen especially in the Sobig.F case, this causes a lot
of notification messages to be sent and may worry and annoy innocent users.
2. Impact
Creating enormous email traffic; annoyance of users.
3. Solution
* amavis 0.2.x:
    Currently, the only solution is to disable sender notification
    completely.
    Edit /usr/sbin/scanmails and change notifysender to no:
        notifysender=no
    Note: please keep in mind that the development of amavis 0.2.x was
    discontinued more than two years ago. It is currently only in
    security maintenance mode. Please upgrade to the latest
    amavis, amavisd, amavis-ng or amavisd-new version soon.
* amavis 0.3.x:
    Currently, the only solution is to disable sender notification
    completely.
    Edit /usr/sbin/amavis and change warnsender to "no":
        $warnsender = "no";
* amavisd:
    Currently, the only solution is to disable sender notification
    completely.
    Edit /etc/amavisd.conf and change warnsender to "no":
        $warnsender = "no";
    Future amavis(d) releases may have a feature not to send notification
    messages at all, if the malicious code detected is not known to be
    using a valid origin address.
* amavisd-new:
    Since the 20021227-p2 patch release (January 2003), amavisd-new
    recognizes Sobig (and a couple of others) as the name of a virus which
    fakes the envelope sender address, so no sender notifications (bounces)
    are generated by the amavisd process (settings D_PASS, D_DISCARD, or
    D_BOUNCE). Bounces (non-delivery status notifications) may still be
    generated by the upstream MTA if the D_REJECT setting is chosen.
    The $viruses_that_fake_sender_re lookup list is available
    since amavisd-new-20021116. Although the list gets updated
    with each release, administrators are nevertheless urged to keep
    the list (in amavisd.conf) up to date when new viruses emerge.
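
The list-based suppression described for amavisd-new, modelled as an added example (not code from amavisd-new or from this advisory). The pattern list, the function names and the sample virus names are assumptions constructed for illustration; only Sobig, the D_* settings and the list name come from the text above.

```python
import re

# Constructed sample list in the spirit of $viruses_that_fake_sender_re.
# Only "sobig" is named by the advisory; "klez" is an added illustration.
FAKE_SENDER_RES = [re.compile(p, re.IGNORECASE) for p in (r"sobig", r"klez")]
DESTINIES = {"D_PASS", "D_DISCARD", "D_BOUNCE", "D_REJECT"}


def fakes_sender(virus_names, patterns=FAKE_SENDER_RES):
    """True if any scanner-reported name matches a sender-forging pattern."""
    return any(p.search(name) for p in patterns for name in virus_names)


def backscatter_source(virus_names, destiny, patterns=FAKE_SENDER_RES):
    """Who may still mail the envelope sender: 'scanner', 'upstream-mta', 'none'.

    Assumption: sender notification is enabled in the scanner.
    """
    if destiny not in DESTINIES:
        raise ValueError(f"unknown destiny: {destiny}")
    if destiny == "D_REJECT":
        # Rejecting the SMTP transaction leaves the upstream MTA free to
        # generate its own bounce, whatever the lookup list says.
        return "upstream-mta"
    return "none" if fakes_sender(virus_names, patterns) else "scanner"


# Constructed scanner verdicts: (names reported for one message, destiny).
SAMPLES = [
    (["W32/Sobig.F@mm"], "D_DISCARD"),
    (["Worm.Sobig.F"], "D_REJECT"),
    (["W97M/Examplemacro.A"], "D_BOUNCE"),      # hypothetical, real sender
    (["W32/Exampleworm.A@mm"], "D_DISCARD"),    # hypothetical, not yet listed
]


def summarize(samples, patterns=FAKE_SENDER_RES):
    """Backscatter source for each sample, in order."""
    return [backscatter_source(names, d, patterns) for names, d in samples]


if __name__ == "__main__":
    print(summarize(SAMPLES))
    # After the administrator adds the new name to the list:
    updated = FAKE_SENDER_RES + [re.compile(r"exampleworm", re.IGNORECASE)]
    print(summarize(SAMPLES, updated))
```

The last sample shows why the list has to be maintained: a sender-forging worm whose name is not yet listed still triggers a notification until its pattern is added.
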
This issue was already addressed by a posting from Lars Hecking to
the amavis-user mailing list on August 20th. See
http://marc.theaimsgroup.com/?l=amavis-user&m=106138510513994&w=2
But we finally decided to release this ASA as this hopefully gets
broader attention.
4. Acknowledgement
5. References
http://marc.theaimsgroup.com/?l=amavis-user&m=106138510513994&w=2
http://www.amavis.org/security/asa-2003-2.txt
http://www.amavis.org/
http://www.f-prot.com/news/gen_news/open_letter_10sept2003.html
6. Revision History
09/15/2003: Initial release
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/ZhjtmxoFTBO0QHkRAoB/AKDCYzn27R/rIhplJKnTzMW7vyoVlgCgn6aB
n12waCGPfQGRHcAbrIz4JJw=
=LQ9b
-----END PGP SIGNATURE-----