-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                 09/15/2003
affected version(s):  amavis-0.2.x, amavis-0.3.x, amavisd (all versions)
                      below amavisd-new-20021227-p2
                      (please see further on for details)
Vulnerability Type:   virus notifications may cause enormous traffic
                      and/or worry and annoy innocent people when a
                      worm/virus has forged the sender address
Priority:             normal
Solution:             disable sender notification
Author:               Rainer Link
Advisory ID:          ASA-2003-2
Contact:              security@amavis.org
- ----------------------------------------------------------------------------

1. Problem description

Nowadays, many viruses and worms use forged sender addresses, e.g. by
using addresses found in the Outlook address book. By default, amavis
0.2.x, amavis 0.3.x and amavisd (all versions) send a virus notification
message to the sender (for every mail containing a virus/worm). As seen
esp. in the Sobig.F case, this causes a lot of notification messages to
be sent and may worry and annoy innocent users.

2. Impact

Creating enormous email traffic; annoyance of users.

3. Solution

* amavis 0.2.x:
  Currently, the only solution is to disable sender notification
  completely. Edit /usr/sbin/scanmails and change notifysender to no:

    notifysender=no

  Note: please keep in mind that the development of amavis 0.2.x was
  discontinued more than two years ago. It is currently in security
  maintenance mode only. Please upgrade to the latest amavis, amavisd,
  amavis-ng or amavisd-new version soon.

* amavis 0.3.x:
  Currently, the only solution is to disable sender notification
  completely. Edit /usr/sbin/amavis and change warnsender to "no":

    $warnsender = "no";

* amavisd:
  Currently, the only solution is to disable sender notification
  completely. Edit /etc/amavisd.conf and change warnsender to "no":

    $warnsender = "no";

  Future amavis(d) releases may have a feature not to send notification
  messages at all, if the malicious code detected is not known to be
  using a valid origin address.

* amavisd-new:
  amavisd-new since the 20021227-p2 patch release (January 2003)
  recognizes Sobig (and a couple of others) as the name of a virus which
  fakes the envelope sender address, so no sender notifications (bounces)
  are generated by the amavisd process (settings D_PASS, D_DISCARD, or
  D_BOUNCE). Bounces (non-delivery status notifications) may still be
  generated by the upstream MTA if the D_REJECT setting is chosen.

  The $viruses_that_fake_sender_re lookup list is available since
  amavisd-new-20021116. Although the list gets updated with each release,
  administrators are nevertheless urged to keep the list (in
  amavisd.conf) up to date when new viruses emerge.

This issue was already addressed by a posting from Lars Hecking to the
amavis-user mailing list on August 20th. See
http://marc.theaimsgroup.com/?l=amavis-user&m=106138510513994&w=2
We nevertheless decided to release this ASA in the hope that it gets
broader attention.

4. Acknowledgement

5. References

http://marc.theaimsgroup.com/?l=amavis-user&m=106138510513994&w=2
http://www.amavis.org/security/asa-2003-2.txt
http://www.amavis.org/
http://www.f-prot.com/news/gen_news/open_letter_10sept2003.html

6. Revision History

09/15/2003: Initial release
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/ZhjtmxoFTBO0QHkRAoB/AKDCYzn27R/rIhplJKnTzMW7vyoVlgCgn6aB
n12waCGPfQGRHcAbrIz4JJw=
=LQ9b
-----END PGP SIGNATURE-----
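
Added example (not part of the advisory and not amavisd-new's own code): a stand-alone Perl model of the amavisd-new behaviour described in section 3, useful for checking which detected virus names a fake-sender list covers. The array @fake_sender_re, both subroutines, the "examplefaker" pattern and the sample detections are constructed for illustration; only "sobig" and the D_* setting names come from the advisory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the $viruses_that_fake_sender_re list kept in amavisd.conf.
# "sobig" is named in the advisory; "examplefaker" is a constructed entry.
my @fake_sender_re = (qr/sobig/i, qr/examplefaker/i);

# True if any virus name reported by the scanner matches the list.
sub fakes_sender {
    my @names = @_;
    for my $name (@names) {
        return 1 if grep { $name =~ $_ } @fake_sender_re;
    }
    return 0;
}

# Model of the outcome the advisory describes for each final destiny.
sub sender_notice_outcome {
    my ($destiny, @names) = @_;
    # A reject is turned into a bounce by the upstream MTA, which knows
    # nothing about the list, so the forged sender may still get mail.
    return 'upstream MTA may bounce'            if $destiny eq 'D_REJECT';
    return 'suppressed by amavisd'              if fakes_sender(@names);
    return 'sender notification not suppressed';
}

# Constructed sample detections: final destiny, then scanner-reported names.
my @detections = (
    ['D_DISCARD', 'W32/Sobig.F@mm'],
    ['D_BOUNCE',  'Worm.Sobig.F'],
    ['D_REJECT',  'W32/Sobig.F@mm'],
    ['D_BOUNCE',  'W32/NewWorm.A'],   # constructed name, not on the list
);

for my $d (@detections) {
    my ($destiny, @names) = @$d;
    printf "%-10s %-16s -> %s\n", $destiny, join(',', @names),
        sender_notice_outcome($destiny, @names);
}
```

The last sample row is the case the advisory warns about: a new sender-forging worm stays unsuppressed until its name is added to the list.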