Mailing List Archive: ClamAV: devel

clamav-milter: username is used instead of email address

Index | Next | Previous | View Threaded

clamav at mscha

Feb 21, 2007, 6:29 AM

Post #1 of 6 (1241 views)
Permalink

clamav-milter: username is used instead of email address

Hi,

I noticed that virus notifications sent by clamav-milter only contain
the recipient's username, and not the full email address.
This is rather unfortunate, since this makes it hard to figure out which
email address has been compromised, if you have multiple aliases /
virtusernames.

I had a look at the code, and noticed:
static sfsistat
clamfi_envrcpt(SMFICTX *ctx, char **argv)
{
(...)
to = smfi_getsymval(ctx, "{rcpt_addr}");
if(to == NULL)
to = argv[0];
(...)
}

While argv[0] is guaranteed to contain the full recipient email address
(e.g. "<email.address [at] example>"), it appears that the {rcpt_addr}
macro only contains the bare username (e.g. "myusername"). (This is
after applying the virtusertable, but before applying aliases.)

My guess is that {rcpt_addr} is used instead of argv[0] because of
whitelist checking. But privdata->to is used in various other places,
such as generating the virus notification, the Cc: header of the virus
notification, and the X-Original-To: header of a phishing report or
quarantine, among others. And this results in headers with incorrect
email addresses, so this is arguably a bug.

Wouldn't it be better to always store the full email address (argv[0])
in privdata->to, and store the username, if it is needed, in a separate
field, such as privdata->user? That way, only those places (whitelist?)
that need the bare username can be changed to use it, and other places
will use the correct recipient email address.

Best regards,

– Michael
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

clamav at mscha

Feb 21, 2007, 6:48 AM

Post #2 of 6 (1141 views)
Permalink

Re: clamav-milter: username is used instead of email address [In reply to]

I also filed a bug report for this: bug 337.

– Michael
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

njh at bandsman

Feb 21, 2007, 12:33 PM

Post #3 of 6 (1140 views)
Permalink

Re: clamav-milter: username is used instead of email address [In reply to]

Michael Schaap wrote:
> Hi,
>
> I noticed that virus notifications sent by clamav-milter only contain
> the recipient's username, and not the full email address.
> This is rather unfortunate, since this makes it hard to figure out which
> email address has been compromised, if you have multiple aliases /
> virtusernames.
>
> I had a look at the code, and noticed:
> static sfsistat
> clamfi_envrcpt(SMFICTX *ctx, char **argv)
> {
> (...)
> to = smfi_getsymval(ctx, "{rcpt_addr}");
> if(to == NULL)
> to = argv[0];
> (...)
> }
>
> While argv[0] is guaranteed to contain the full recipient email address
> (e.g. "<email.address [at] example>"), it appears that the {rcpt_addr}
> macro only contains the bare username (e.g. "myusername"). (This is
> after applying the virtusertable, but before applying aliases.)
>
> My guess is that {rcpt_addr} is used instead of argv[0] because of
> whitelist checking.

No, it was changed because users wanted it to be changed.

> – Michael

-Nigel

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

clam at fiddaman

Feb 21, 2007, 1:17 PM

Post #4 of 6 (1143 views)
Permalink

Re: clamav-milter: username is used instead of email address [In reply to]

On Wed, 21 Feb 2007, Nigel Horne wrote:
; Michael Schaap wrote:
; > My guess is that {rcpt_addr} is used instead of argv[0] because of whitelist
; > checking.
;
; No, it was changed because users wanted it to be changed.

Of course, with that code, users have the option of configuring sendmail
not to pass rcpt_addr to the milter in which case it will just use
argv[0].

The rcpt_addr macro is the address part of the triple following ruleset 0
parsing. It's only an unqualified username in the OP's case because
presumably the server is doing local delivery.

A.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

clamav at mscha

Feb 21, 2007, 6:21 PM

Post #5 of 6 (1139 views)
Permalink

Re: clamav-milter: username is used instead of email address [In reply to]

Nigel Horne wrote:
> Michael Schaap wrote:
>> Hi,
>>
>> I noticed that virus notifications sent by clamav-milter only contain
>> the recipient's username, and not the full email address.
>> This is rather unfortunate, since this makes it hard to figure out
>> which email address has been compromised, if you have multiple
>> aliases / virtusernames.
>>
>> I had a look at the code, and noticed:
>> static sfsistat
>> clamfi_envrcpt(SMFICTX *ctx, char **argv)
>> {
>> (...)
>> to = smfi_getsymval(ctx, "{rcpt_addr}");
>> if(to == NULL)
>> to = argv[0];
>> (...)
>> }
>>
>> While argv[0] is guaranteed to contain the full recipient email
>> address (e.g. "<email.address [at] example>"), it appears that the
>> {rcpt_addr} macro only contains the bare username (e.g.
>> "myusername"). (This is after applying the virtusertable, but before
>> applying aliases.)
>>
>> My guess is that {rcpt_addr} is used instead of argv[0] because of
>> whitelist checking.
>
> No, it was changed because users wanted it to be changed.
>
I'll have to take your word for it. (Can't find anything in the mail
archives, but I find those are a bit hard to navigate, so that's
probably just me.)
I do find it a bit unfortunate, though, that the default behaviour is
_not_ to use the actually used recipient for reporting purposes (which
can cause incorrect email addresses to be used in headers), and you have
to jump through hoops to get it to use the IMO ‘proper’ recipient
address. And none of this seems to be documented.

Oh well,

– Michael
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

clamav at mscha

Feb 21, 2007, 6:25 PM

Post #6 of 6 (1135 views)
Permalink

Re: clamav-milter: username is used instead of email address [In reply to]

clam [at] fiddaman wrote:
> On Wed, 21 Feb 2007, Nigel Horne wrote:
> ; Michael Schaap wrote:
> ; > My guess is that {rcpt_addr} is used instead of argv[0] because of whitelist
> ; > checking.
> ;
> ; No, it was changed because users wanted it to be changed.
>
> Of course, with that code, users have the option of configuring sendmail
> not to pass rcpt_addr to the milter in which case it will just use
> argv[0].
>
It would be nice if that were documented, or even better, an option to
clamav-milter instead of having to change sendmail milter parameters.

> The rcpt_addr macro is the address part of the triple following ruleset 0
> parsing. It's only an unqualified username in the OP's case because
> presumably the server is doing local delivery.
>
That is correct.
This still results in a loss of information, though, especially on a
server handling multiple domains. And at least in my case, adding the
default domain does not always result in an equivalent (or even
working!) address.

– Michael
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads