[Mimedefang] X-MIMEDefang-Relay leaking through bounces (was re: Questions on Received, stream_by_recipient, and SpamAssassin)

Kelson Vibber kelson at speed.net
Mon Apr 21 21:16:01 EDT 2003


At 7:30 PM 4/18/2003, David F. Skoll wrote:
>On Fri, 18 Apr 2003, Kelson Vibber wrote:
> > occasionally a message will come through that still has the header present.
>
>That should never happen unless you use the ACCEPT_AND_NO_MORE_FILTERING
>feature.  The IP validation header is always deleted in the mimedefang C
>code if it is found.

I think I found the problem.  I have MD reject mail that scores higher than 
25 points with SpamAssassin.  If I've streamed the message by recipient, 
the reject code goes to my own server instead of the relay, and Sendmail 
generates and queues up a full bounce notice.

Because the message Sendmail received from itself included the 
X-MIMEDefang-Relay... header, the copy attached to the bounce notice 
includes it as well.  If the sending domain doesn't exist, you're in 
luck.  If it does exist, you're leaking that key.  If you're lucky, no 
one's looking for it, but I can imagine people might start to.

These showed up in my spam corpus because I will sometimes go through 
notifications looking for spam to report to Razor, Pyzor, etc.  I noticed 
the relay headers later on, and didn't make the connection that they were 
from bounces.

Unfortunately I'm very reluctant to switch from rejecting to silently 
discarding, since a lot of these are from people who want to drop anything 
above, say, 10, and in the past I've seen false positives in the 10-15 
range.  I may compromise for now by deleting anything above 25 and 
rejecting anything above the custom score.

The only solution I can think of is to have my MD filter generate a custom 
"could not deliver" notice with the header stripped out, and send that 
instead of rejecting if the message has been resent.

Anyone have any better ideas?


Kelson Vibber
SpeedGate Communications <www.speed.net> 
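The leak described in this message, traced in working code (an added example, not code from the original post or from MIMEDefang): a constructed sendmail-style bounce whose attached message/rfc822 copy still carries the relay header, a scan that finds that header at any nesting depth (the way it would surface in a spam corpus), and the custom "could not deliver" notice proposed above, built with the header stripped from the attached copy. The header suffix and value, the bounce text, the addresses and the MAILER-DAEMON sender are assumptions for illustration.

```python
# Added example (not from the original post or from MIMEDefang): detect the
# X-MIMEDefang-Relay header leaking through a bounce, and build a custom
# non-delivery notice with that header stripped from the attached copy.
# Header format, bounce text and addresses below are constructed samples.
import email
from email import policy
from email.message import EmailMessage

# Only the name prefix is known from the post; the suffix and value are assumed,
# so match on the prefix to catch any variant of the name.
RELAY_HEADER_PREFIX = "x-mimedefang-relay"

# Constructed: the rejected message as MIMEDefang resent it to the local MTA.
ORIGINAL_MESSAGE = b"""\
Received: from localhost (localhost [127.0.0.1])
  by mx.example.net with ESMTP for <user@example.net>; Mon, 21 Apr 2003 20:55:01 -0400
X-MIMEDefang-Relay-0123456789abcdef: 192.0.2.10
From: sender@example.org
To: user@example.net
Subject: make money fast

BUY NOW!!!
"""

# Constructed: a sendmail-style DSN that embeds the copy above unmodified.
LEAKED_BOUNCE = b"""\
From: MAILER-DAEMON@mx.example.net
To: sender@example.org
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn

<user@example.net>
    (reason: 554 5.7.1 Rejected: SpamAssassin score above 25)

--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: RFC822; user@example.net
Action: failed
Status: 5.7.1

--dsn
Content-Type: message/rfc822

""" + ORIGINAL_MESSAGE + b"""
--dsn--
"""


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw bytes; message/rfc822 parts become nested EmailMessage objects."""
    return email.message_from_bytes(raw, policy=policy.default)


def find_relay_headers(msg: EmailMessage) -> list:
    """Return (name, value) for every relay header in any part, nested copies included."""
    found = []
    for part in msg.walk():  # walk() descends into message/rfc822 payloads
        for name, value in part.items():
            if name.lower().startswith(RELAY_HEADER_PREFIX):
                found.append((name, str(value)))
    return found


def strip_relay_headers(msg: EmailMessage) -> int:
    """Delete every relay header in place, at any depth; return how many were removed."""
    removed = 0
    for part in msg.walk():
        names = {n for n, _ in part.items() if n.lower().startswith(RELAY_HEADER_PREFIX)}
        for name in names:
            removed += len(part.get_all(name, []))
            del part[name]  # deletes all occurrences of that header name
    return removed


def build_failure_notice(original_raw: bytes, reason: str, mailer: str) -> EmailMessage:
    """Custom 'could not deliver' notice with a sanitized copy of the original attached.

    The filter-side alternative to rejecting a resent message: the key never
    leaves the machine because our own copy is scrubbed before it is sent.
    """
    original = parse_message(original_raw)
    strip_relay_headers(original)
    notice = EmailMessage()
    notice["From"] = mailer
    notice["To"] = str(original["From"])  # assumption: notify the header From address
    notice["Subject"] = "Undeliverable: " + str(original["Subject"] or "(no subject)")
    notice.set_content(reason)
    notice.add_attachment(original)  # attached as a message/rfc822 part
    return notice


if __name__ == "__main__":
    bounce = parse_message(LEAKED_BOUNCE)
    print("leaked via bounce:", find_relay_headers(bounce))
    notice = build_failure_notice(ORIGINAL_MESSAGE, "Rejected as spam.", "MAILER-DAEMON@mx.example.net")
    print("custom notice leaks:", find_relay_headers(parse_message(notice.as_bytes())))
```

Matching on the name prefix rather than the full header name is deliberate: only the prefix is known from the post, and a per-message suffix would otherwise slip past an exact match. The same scan run over a corpus of collected bounces is the check that would have flagged these messages as leaks before they were noticed by hand.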



