Posted to users@spamassassin.apache.org by "drew.woz@gmail.com" <dr...@gmail.com> on 2012/09/02 22:35:41 UTC
Header exposes account name
Hello,
I've poked around the archives and faq and cannot find a solution for my
case. Our Church has a website hosted by a popular service and recently
we setup email accounts plus SpamAssassin. It is all working nicely
except for one alarming thing I found in spamassassin generated headers.
They all now mention our hosting service account name (foobar) in these
areas:
Received: from foobar by hoster.com with local-bsmtp (Exim 4.76)
...
X-Identified-User: {2555:hoster.com:foobar:churchdomain.org}
I've attempted an exim filter to translate the account name to something
else but that does not seem to work. Is there any way to configure
spamassassin to exclude the user account from generated headers?
This is a huge security issue that can expose the account name when
users reply to incoming emails.
Thanks for all suggestions.
SA 3.3.1, with spamd started by server as:
/usr/bin/spamd -d --timeout-child=60 --allowed-ips=127.0.0.1
--max-conn-per-child=500 --pidfile=/var/run/spamd.pid --max-children=10
--max-spare=5
EXIM 4.76
Shared server:
Linux version 2.6.32-20120131.55.1.zzz.x86_64
(machbuild@build6.hoster.com) (gcc version 4.4.6 20110731 (Red Hat
4.4.6-3) (GCC) ) #1 SMP Tue Jan 31 15:43:27 EST 2012
Re: Header exposes account name
Posted by "drew.woz@gmail.com" <dr...@gmail.com>.
It does appear to be the (exim?) filtering that is adding the foobar
account name. Receiving an email always adds Received and
X-Identified-User fields plus account name. While sending and replying
always delivers X-Identified-User plus account name.
Thanks for all the help. Will redirect focus on Exim.
On 2012-09-02 8:01 PM, RW wrote:
> On Sun, 02 Sep 2012 18:48:15 -0400
> drew.woz@gmail.com wrote:
>
>> Gentlemen,
>>
>> Thanks for replying so quickly. I'm quite the newbie in this area and
>> am grateful for your advice. While the new header entries were first
>> noticed after enabling SA, it was not obvious that Exim could be
>> another suspect. I will investigate whether it can be configured to
>> interpose or change the default identified user. I will also check
>> with our hoster whether the account name identifier can be replaced
>> by something else.
>>
>> If that doesn't lead anywhere, would there be an SA option for
>> specifying an alternate identifier or agent name that is piped to the
>> glue and Exim layers?
>
> Why do you care? Your concern was:
>
>> This is a huge security issue that can expose the account name when
>> users reply to incoming emails.
>
> but email replies don't quote those headers.
>
Re: Header exposes account name
Posted by RW <rw...@googlemail.com>.
On Sun, 02 Sep 2012 18:48:15 -0400
drew.woz@gmail.com wrote:
> Gentlemen,
>
> Thanks for replying so quickly. I'm quite the newbie in this area and
> am grateful for your advice. While the new header entries were first
> noticed after enabling SA, it was not obvious that Exim could be
> another suspect. I will investigate whether it can be configured to
> interpose or change the default identified user. I will also check
> with our hoster whether the account name identifier can be replaced
> by something else.
>
> If that doesn't lead anywhere, would there be an SA option for
> specifying an alternate identifier or agent name that is piped to the
> glue and Exim layers?
Why do you care? Your concern was:
> This is a huge security issue that can expose the account name when
> users reply to incoming emails.
but email replies don't quote those headers.
Re: Header exposes account name
Posted by "drew.woz@gmail.com" <dr...@gmail.com>.
Gentlemen,
Thanks for replying so quickly. I'm quite the newbie in this area and am
grateful for your advice. While the new header entries were first
noticed after enabling SA, it was not obvious that Exim could be another
suspect. I will investigate whether it can be configured to interpose or
change the default identified user. I will also check with our hoster
whether the account name identifier can be replaced by something else.
If that doesn't lead anywhere, would there be an SA option for
specifying an alternate identifier or agent name that is piped to the
glue and Exim layers?
Regards, Drew
On 2012-09-02 5:44 PM, wolfgang wrote:
> On 2012-09-02 23:14, Dave Funk wrote:
>
>> Not sure where that 'X-Identified-User' header comes from, maybe
>> it's an Exim thing. It's not a SA header. All headers that SA adds
>> start with 'X-Spam-' (eg: X-Spam-Report: or X-Spam-Status: ).
>>
>> It could be that the "glue" you're using to connect SA with Exim is
>> adding those headers (or changing the Exim config, so it now adds
>> them) but that's not SA's responsibility. There are a variety of ways
>> to connect SA into a mail system, each with its own characteristics.
>
>> Regardless, this looks more like an Exim question than a SA question.
>
> All the google search results for "X-Identified-User" that I have viewed
> show Exim being involved, I think you should rather post your question
> to an Exim related mailing list.
>
> Hope this helps,
>
> wolfgang
Re: Header exposes account name
Posted by wolfgang <me...@gmx.net>.
On 2012-09-02 23:14, Dave Funk wrote:
> Not sure where that 'X-Identified-User' header comes from, maybe
> it's an Exim thing. It's not a SA header. All headers that SA adds
> start with 'X-Spam-' (eg: X-Spam-Report: or X-Spam-Status: ).
>
> It could be that the "glue" you're using to connect SA with Exim is
> adding those headers (or changing the Exim config, so it now adds
> them) but that's not SA's responsibility. There are a variety of ways
> to connect SA into a mail system, each with its own characteristics.
> Regardless, this looks more like an Exim question than a SA question.
All the google search results for "X-Identified-User" that I have viewed
show Exim being involved, I think you should rather post your question
to an Exim related mailing list.
Hope this helps,
wolfgang
Re: Header exposes account name
Posted by Dave Funk <db...@engineering.uiowa.edu>.
Why are you blaming SpamAssassin for those headers?
The 'Received:' header is a standard "trace" header that your MTA is
supposed to add to each message that it processes (see RFC-2822).
Note the end of the header you quoted, it even has Exim's name in it.
Not sure where that 'X-Identified-User' header comes from, maybe
it's an Exim thing. It's not a SA header. All headers that SA adds
start with 'X-Spam-' (eg: X-Spam-Report: or X-Spam-Status: ).
It could be that the "glue" you're using to connect SA with Exim is
adding those headers (or changing the Exim config, so it now adds them)
but that's not SA's responsibility. There are a variety of ways to connect
SA into a mail system, each with its own characteristics.
Do you really even need to worry about this?
Under normal usage a user's reply does not pass back out such internal
headers, it removes them and generates new headers.
Regardless, this looks more like an Exim question than a SA question.
On Sun, 2 Sep 2012, drew.woz@gmail.com wrote:
> Hello,
>
> I've poked around the archives and faq and cannot find a solution for my
> case. Our Church has a website hosted by a popular service and recently we
> setup email accounts plus SpamAssassin. It is all working nicely except for
> one alarming thing I found in spamassassin generated headers. They all now
> mention our hosting service account name (foobar) in these areas:
>
> Received: from foobar by hoster.com with local-bsmtp (Exim 4.76)
> ...
> X-Identified-User: {2555:hoster.com:foobar:churchdomain.org}
>
> I've attempted an exim filter to translate the account name to something else
> but that does not seem to work. Is there any way to configure spamassassin to
> exclude the user account from generated headers?
>
> This is a huge security issue that can expose the account name when users
> reply to incoming emails.
>
> Thanks for all suggestions.
>
> SA 3.3.1, with spamd started by server as:
> /usr/bin/spamd -d --timeout-child=60 --allowed-ips=127.0.0.1
> --max-conn-per-child=500 --pidfile=/var/run/spamd.pid --max-children=10
> --max-spare=5
>
> EXIM 4.76
>
> Shared server:
> Linux version 2.6.32-20120131.55.1.zzz.x86_64 (machbuild@build6.hoster.com)
> (gcc version 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC) ) #1 SMP Tue Jan 31
> 15:43:27 EST 2012
>
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
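As an added illustration (not code from anyone in this thread), the check below sorts a message's headers the way Dave Funk describes: SpamAssassin's own headers all start with `X-Spam-`, `Received:` is an MTA trace header, and anything else carrying the hosting account name (here the thread's placeholder `foobar`) is the Exim-side leak to audit. The sample message is constructed from the headers quoted in the thread; the `strip_leaking_headers` helper is hypothetical and only shows what an outbound-side cleanup would remove.

```python
import email
from email import policy

# Constructed sample, modelled on the headers quoted in the thread.
# "foobar" / "hoster.com" are the thread's placeholders, not real values.
SAMPLE = """Received: from foobar by hoster.com with local-bsmtp (Exim 4.76)
X-Identified-User: {2555:hoster.com:foobar:churchdomain.org}
X-Spam-Status: No, score=-1.0 required=5.0
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on hoster.com
From: alice@example.org
To: office@churchdomain.org
Subject: hello

body
"""


def classify_headers(raw, account):
    """Group header names by origin and flag those containing `account`."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"spamassassin": [], "trace": [], "leaks": []}
    for name, value in msg.items():
        lname = name.lower()
        if lname.startswith("x-spam-"):
            # Every header SpamAssassin adds uses this prefix.
            result["spamassassin"].append(name)
        elif lname == "received":
            # Trace header added by the MTA (Exim here), per RFC 2822.
            result["trace"].append(name)
        if account in str(value):
            # Whatever the origin, this header would expose the account name.
            result["leaks"].append(name)
    return result


def strip_leaking_headers(raw, account):
    """Hypothetical outbound cleanup: drop every header naming the account."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    for name in classify_headers(raw, account)["leaks"]:
        del msg[name]          # removes all instances of that header
        removed.append(name)
    return msg.as_string(), removed


if __name__ == "__main__":
    print(classify_headers(SAMPLE, "foobar"))
    cleaned, gone = strip_leaking_headers(SAMPLE, "foobar")
    print("removed:", gone)
    print(cleaned)
```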