[Mimedefang] Minor web attachment privacy problem.

Jeffrey Goldberg jeffrey at goldmark.org
Thu Jun 26 17:30:02 EDT 2003


On Thu, 26 Jun 2003, David F. Skoll wrote:

> On Thu, 26 Jun 2003, Jeffrey Goldberg wrote:
>
> > E can conclude that someone at A's site sent the document (or that someone
> > at B's site was an intended recipient).
>
> No; E can conclude only that someone, somewhere sent the document to someone
> at B's site.  (The sender might not have been at A's site.)

I was considering the case where action_replace_with_url was done for
out-going mail on A's site.  Of course this feature may more likely be
used for incoming mail in which case the leaked information is as you
describe.

Also since most webservers will provide the last modify time of a
document they serve, information about when the mail crossed the site is
also leaked.  Something like this could be used to help identify, say, a
whistle-blower.

> > Solution: [...]

> This is a good solution.  I'll implement it for 2.35.

Thanks.  I would have submitted a patch, but I'm too lazy.  (and haven't
poked around the source at all).

-j

-- 
Jeffrey Goldberg                            http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
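
Added example (not part of the original message and not MIMEDefang code): a Python sketch of the timing leak described above. It shows the Last-Modified value a static web server would derive from a stored attachment's mtime, and one way to neutralise it by clamping mtimes to a fixed value. The function names, the fixed timestamp and the sample file are assumptions constructed for illustration.

```python
import os
import tempfile
from email.utils import formatdate

# Assumption: every published attachment gets this same constant timestamp.
FIXED_EPOCH = 0


def last_modified_header(path):
    """HTTP-date a static web server would typically derive from the mtime."""
    return formatdate(os.stat(path).st_mtime, usegmt=True)


def leaking_files(root, fixed=FIXED_EPOCH):
    """Return files under root whose mtime still differs from the fixed value."""
    leaks = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if int(os.stat(path).st_mtime) != fixed:
                leaks.append(path)
    return sorted(leaks)


def clamp_mtimes(root, fixed=FIXED_EPOCH):
    """Overwrite atime/mtime of every leaking file; return the files changed."""
    changed = leaking_files(root, fixed)
    for path in changed:
        os.utime(path, (fixed, fixed))
    return changed


def demo():
    """Constructed sample: one stored attachment with a known arrival time."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "attachment.doc")  # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample attachment\n")
        arrival = 1056663002  # constructed arrival time (seconds since epoch)
        os.utime(path, (arrival, arrival))
        before = last_modified_header(path)   # reveals when the mail arrived
        changed = clamp_mtimes(root)
        after = last_modified_header(path)    # same for every attachment
        return before, after, len(changed), leaking_files(root)


if __name__ == "__main__":
    print(demo())
```

Some servers also derive the ETag from the mtime, so check that header after clamping as well.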


