Ubuntu
amavisd-new package

Default Ubuntu configuration is backscatter source in Jaunty

Bug #360689 reported by Imre Gergely
4
Affects Status Importance Assigned to Milestone
amavisd-new (Ubuntu)
Fix Released
Medium
Unassigned
Ubuntu ubuntu-9.04
Intrepid
Won't Fix
Undecided
Unassigned

Bug Description

Binary package hint: amavisd-new

The default Jaunty config of amavisd-new comes with the option $final_banned_destiny set to D_BOUNCE. This setting causes mail with banned attachments (like .com files) getting bounced back to the sender. This in turn can cause backscatter, which is a sure way to getting the server blacklisted.

TEST CASE:
install stock amavisd-new from Jaunty, configure postfix content_filter to use amavisd-new, start both, send a mail with ie eicar's testing signature (attaching eicar.com to the mail). The file gets banned, and bounce message goes back to the sender.
Edit /etc/amavisd-new/conf.d/21-ubuntu_defaults, and set $final_banned_destiny to D_DISCARD. Restart, send mail, no bounce.

Related branches

lp:ubuntu/karmic/amavisd-new
Revision history for this message
Imre Gergely (cemc) wrote :

The fix for this, changes the default config file.

amavisd-new (1:2.6.2-2ubuntu1.1) jaunty-proposed; urgency=low

  * fix default config to not send bounce mail to sender for
    banned filenames in mail (LP: #360689)
    - debian/etc/conf.d/21-ubuntu_defaults

 -- Imre Gergely <email address hidden> Mon, 13 Apr 2009 23:02:24 +0300

Revision history for this message
Andreas Olsson (andol) wrote :

I can confirm this behavior in a default configured amavisd-new 1:2.6.2-2ubuntu1.

That said I'm not sure if I agree on this being a bug. There are plenty of legitimate cases where people might send an attachment of the forbidden type. Simply throwing them away without letting anyone know might not always be a good idea.

Changed in amavisd-new (Ubuntu):
status: New → Incomplete
Revision history for this message
Scott Kitterman (kitterman) wrote :

True, but it's far more common that it's bad content sent from a forged address. Not sending backscatter is a clear best pracice these days.

More experienced admins might set up a quarantine/release system (amavisd-new supports this), but such a system is too complex for a default. I think no backscatter is a good default approach. It's easy enough to change for people experienced enough to manage the consequences.

Changed in amavisd-new (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

Thanks. I'll see if I can get this in between the RC and release.

Changed in amavisd-new (Ubuntu):
assignee: nobody → kitterman
milestone: none → ubuntu-9.04
Revision history for this message
Scott Kitterman (kitterman) wrote :

Uploaded. It is unlikely to get accepted before the release candidate is out.

Changed in amavisd-new (Ubuntu):
assignee: kitterman → nobody
importance: Undecided → Medium
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amavisd-new - 1:2.6.2-2ubuntu2

---------------
amavisd-new (1:2.6.2-2ubuntu2) jaunty; urgency=low

  * fix default config to not send bounce mail to sender for
    banned filenames in mail (LP: #360689)
    - debian/etc/conf.d/21-ubuntu_defaults

 -- Imre Gergely <email address hidden> Mon, 13 Apr 2009 23:02:24 +0300

Changed in amavisd-new (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Chuck Short (zulcss) wrote :

Closing this SRU request based on the fact that intrepid has reached EOL.

Changed in amavisd-new (Ubuntu Intrepid):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.