
zmailer smtp information disclosure




Hi,

I have the following setup:

Internet -> zmailer gateway (ZG) -> internal mail server (IM)

ZG is the MX for example.com and using routes/smtp delivers
messages to IM.

The problem is that if a message is generated from,
for example, Hotmail or another zmailer to
u1@example.com and Bcc to u2@example.com

the headers in the mail which u1 receives are:

Received: from somehost ([29.9.24.28]:52383 "EHLO
        somehost") by ZG. with ESMTP
        id S1245225AbUEMS32 (ORCPT <rfc822;u2@example.com>
        + 1 other); Thu, 13 May 2004 15:29:28 -0300

disclosing the bcc destination.

I think that this is wrong.

This was tested, with equal results, on Fedora Linux
 CVS 30/11/2003 and CVS 12/03/2004



The same situation was verified from a local zmailer
to some remote location using:

mail a@dom.com -b b@dom.com 

and a@dom.com received a header saying that ORCPT was b.com + 1 other

Regards,

Nico
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
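
Added example (not part of the original post and not zmailer code): a check a mail administrator could run on a delivered message to see whether a Received header names an original recipient (ORCPT) that is absent from To/Cc, plus a redaction of that comment. The function names, the From/To/Subject lines of the sample and the regular expression are assumptions; the pattern is derived only from the single header quoted in the post.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the Received header quoted in the post plus made-up From/To/Subject.
SAMPLE = """\
Received: from somehost ([29.9.24.28]:52383 "EHLO
        somehost") by ZG. with ESMTP
        id S1245225AbUEMS32 (ORCPT <rfc822;u2@example.com>
        + 1 other); Thu, 13 May 2004 15:29:28 -0300
From: sender@example.org
To: u1@example.com
Subject: test

body
"""

# Comment of the form "(ORCPT <rfc822;addr> + N other)", as seen in the post.
ORCPT_RE = re.compile(r"\s*\(ORCPT\s+<(?:rfc822;)?([^<>\s]+)>[^()]*\)", re.I)


def unfold(value):
    """Collapse header folding (newline + indentation) into single spaces."""
    return " ".join(value.split())


def leaked_recipients(raw_message):
    """Return ORCPT addresses in Received headers that are not in To or Cc."""
    msg = message_from_string(raw_message)
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(shown)}
    leaks = []
    for received in msg.get_all("Received", []):
        for match in ORCPT_RE.finditer(unfold(received)):
            addr = match.group(1).lower()
            if addr not in visible and addr not in leaks:
                leaks.append(addr)
    return leaks


def redact_received(value):
    """Return a Received header value with the ORCPT comment removed."""
    return ORCPT_RE.sub("", unfold(value))


if __name__ == "__main__":
    print("recipients exposed via ORCPT:", leaked_recipients(SAMPLE))
    for hdr in message_from_string(SAMPLE).get_all("Received", []):
        print("redacted:", redact_received(hdr))
```
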