Default Ubuntu configuration is backscatter source in Jaunty

Bug #360689 reported by Imre Gergely on 2009-04-13
4
Affects Status Importance Assigned to Milestone
amavisd-new (Ubuntu)
Medium
Unassigned
Intrepid
Undecided
Unassigned

Bug Description

Binary package hint: amavisd-new

The default Jaunty config of amavisd-new comes with the option $final_banned_destiny set to D_BOUNCE. This setting causes mail with banned attachments (like .com files) getting bounced back to the sender. This in turn can cause backscatter, which is a sure way to getting the server blacklisted.

TEST CASE:
install stock amavisd-new from Jaunty, configure postfix content_filter to use amavisd-new, start both, send a mail with ie eicar's testing signature (attaching eicar.com to the mail). The file gets banned, and bounce message goes back to the sender.
Edit /etc/amavisd-new/conf.d/21-ubuntu_defaults, and set $final_banned_destiny to D_DISCARD. Restart, send mail, no bounce.

Related branches

Imre Gergely (cemc) wrote :

The fix for this, changes the default config file.

amavisd-new (1:2.6.2-2ubuntu1.1) jaunty-proposed; urgency=low

  * fix default config to not send bounce mail to sender for
    banned filenames in mail (LP: #360689)
    - debian/etc/conf.d/21-ubuntu_defaults

 -- Imre Gergely <email address hidden> Mon, 13 Apr 2009 23:02:24 +0300

Andreas Olsson (andol) wrote :

I can confirm this behavior in a default configured amavisd-new 1:2.6.2-2ubuntu1.

That said I'm not sure if I agree on this being a bug. There are plenty of legitimate cases where people might send an attachment of the forbidden type. Simply throwing them away without letting anyone know might not always be a good idea.

Changed in amavisd-new (Ubuntu):
status: New → Incomplete
Scott Kitterman (kitterman) wrote :

True, but it's far more common that it's bad content sent from a forged address. Not sending backscatter is a clear best pracice these days.

More experienced admins might set up a quarantine/release system (amavisd-new supports this), but such a system is too complex for a default. I think no backscatter is a good default approach. It's easy enough to change for people experienced enough to manage the consequences.

Changed in amavisd-new (Ubuntu):
status: Incomplete → Confirmed
Scott Kitterman (kitterman) wrote :

Thanks. I'll see if I can get this in between the RC and release.

Changed in amavisd-new (Ubuntu):
assignee: nobody → kitterman
milestone: none → ubuntu-9.04
Scott Kitterman (kitterman) wrote :

Uploaded. It is unlikely to get accepted before the release candidate is out.

Changed in amavisd-new (Ubuntu):
assignee: kitterman → nobody
importance: Undecided → Medium
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amavisd-new - 1:2.6.2-2ubuntu2

---------------
amavisd-new (1:2.6.2-2ubuntu2) jaunty; urgency=low

  * fix default config to not send bounce mail to sender for
    banned filenames in mail (LP: #360689)
    - debian/etc/conf.d/21-ubuntu_defaults

 -- Imre Gergely <email address hidden> Mon, 13 Apr 2009 23:02:24 +0300

Changed in amavisd-new (Ubuntu):
status: Fix Committed → Fix Released
Chuck Short (zulcss) wrote :

Closing this SRU request based on the fact that intrepid has reached EOL.

Changed in amavisd-new (Ubuntu Intrepid):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers