Apache OpenOffice (AOO) Bugzilla – Full Text Issue Listing |
Summary: | mails with encrypted zip attachments are silently filtered | ||||||
---|---|---|---|---|---|---|---|
Product: | Infrastructure | Reporter: | malte_timmermann | ||||
Component: | Mailing lists | Assignee: | Unknown <non-migrated> | ||||
Status: | CLOSED FIXED | QA Contact: | issues@ooo <issues> | ||||
Severity: | Trivial | ||||||
Priority: | P2 | CC: | issues, stx123 | ||||
Version: | current | ||||||
Target Milestone: | --- | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Issue Type: | DEFECT | Latest Confirmation in: | --- | ||||
Developer Difficulty: | --- | ||||||
Attachments: |
|
Description
malte_timmermann
2007-06-15 16:55:58 UTC
Created attachment 45965 [details]
encrypted zip
Messages with encrypted zips are dropped by the Virus/SPAM filter.

Hi, Thank you for contacting CollabNet Customer Support. Based on the information that has been provided to us, we will initiate our research & provide you an update as soon as we have adequate information. Thanks, Pritha Support Operations.

Thanks. I would like to stress that this is really an important issue for us. It's not acceptable that people send OOo vulnerability information to the security team list, they are doing some precaution steps by encrypting exploit demo code, and in the end the mails don't make it to us because of encrypted attachments, and the sender doesn't get a notification about this...

Hi, We are trying to replicate this issue from our end. We will provide you an update once we get more information on this as soon as possible. Thanks, Pritha Support Operations.

Hi, I have filed an internal ticket and our Engineering team is working on this. We will keep you posted further with our findings as soon as possible. Thanks, Pritha Support Operations.

Hi, We are able to replicate the issue from our end. Our Engineering team is working on this. We will provide you with more information once we get an update from them as soon as possible. Thanks, Pritha Support Operations.

Martin, This particular situation has occurred due to a policy setting in the Spam Filter which drops mails with attachments which contain zip files. This is primarily due to the *high possibility* of virus/spam appearing from these zip files. However we are currently looking at various options such as providing information to the receiver/sender that the zip file has been dropped or might be allowing very specific list to allow security related attachments to pass through via the Spam Filter. I would be updating with more concrete steps when a formal process has been arrived from our internal discussion.
Martin, We have enabled a new rule in the Spam Filter which would allow encrypted attachments to pass through for the mailing list [security-team@openoffice.org]. We have also confirmed via our testing that the mails with encrypted attachments do pass through to the mailing list subscribers and the mailing list archive. Since we have received confirmation from one of the users, "Malte Timmermann", that the encrypted attachments are working for the mailing list, we are marking this issue as Resolved Fixed. Thanks, Pritha Support Operations

Reopen: Currently similar issues again, this time more critical: Not only mails with encrypted attachments are filtered, but mails with _any_ type of attachment are filtered. The mail doesn't make it to the list, nor does the sender get some information that the mail was not delivered. This is a critical issue for the security list (note: it's securityteam@ooo nowadays, not security-team@ooo anymore). Security companies send us vulnerability reports on this list, which very often contain attachments. They are not subscribed to this closed list, so they wouldn't notice that they didn't reach us.

Please note that the list changed from security-team@openoffice.org to securityteam@openoffice.org. It might be necessary to apply the rule mentioned in desc10 again for the new list.

Hi, We will work on this and will keep you posted with the proceedings as soon as possible. Thanks, Pritha

Hi, The rule has been applied to 'securityteam@openoffice.org' as requested. Please verify and let us know if it is working fine. Thanks, Pritha Support Operations.

I just did some tests and it seems to work fine now, thanks! :)

Reset QA Contact to new default

With the move to Apache the new ooo-security mailing list allows attachments and we have not run into this issue. |