Issue 78532 - mails with encrypted zip attachments are silently filtered
Status: CLOSED FIXED
Alias: None
Product: Infrastructure
Classification: Infrastructure
Component: Mailing lists
Version: current
Hardware: All All
Importance: P2 Trivial
Target Milestone: ---
Assignee: Unknown
QA Contact: issues@ooo
Reported: 2007-06-15 16:55 UTC by malte_timmermann
Modified: 2012-04-13 05:37 UTC
Issue Type: DEFECT

Attachments
encrypted zip (146 bytes, text/plain)
2007-06-15 16:57 UTC, malte_timmermann
Description malte_timmermann 2007-06-15 16:55:58 UTC
Someone wanted to send us some vulnerability proof of concept code to the
security team mailing list (security-team@openoffice.org), in an encrypted zip.

The mail didn't make it to the list, nor was the sender informed that this mail
would not be delivered.

This is not acceptable!

At least the mail must be delivered, even when attachments are stripped away.

This should be fixed for all lists.

For the security list, if possible, please allow encrypted zip attachments.
Comment 1 malte_timmermann 2007-06-15 16:57:19 UTC
Created attachment 45965
encrypted zip
Comment 2 stx123 2007-06-19 18:07:06 UTC
Messages with encrypted zips are dropped by the Virus/SPAM filter.
Comment 3 Unknown 2007-06-19 18:11:12 UTC
Hi,

Thank you for contacting CollabNet Customer Support. Based on the information
that has been provided to us, we will initiate our research & provide you an
update as soon as we have adequate information. 

Thanks,
Pritha
Support Operations.
Comment 4 malte_timmermann 2007-06-19 19:47:18 UTC
Thanks.

I would like to stress that this is really an important issue for us.
It's not acceptable that people send OOo vulnerability information to the
security team list, they are doing some precaution steps by encrypting exploit
demo code, and in the end the mails don't make it to us because of encrypted
attachments, and the sender doesn't get a notification about this...
Comment 5 Unknown 2007-06-19 20:02:26 UTC
Hi,

We are trying to replicate this issue from our end. We will provide you an
update once we get more information on this as soon as possible.

Thanks,
Pritha
Support Operations.
Comment 6 Unknown 2007-06-20 00:19:23 UTC
Hi,

I have filed an internal ticket and our Engineering team is working on this. We
will keep you posted further with our findings as soon as possible.

Thanks,
Pritha
Support Operations.
Comment 7 Unknown 2007-06-25 20:17:35 UTC
Hi,

We are able to replicate the issue from our end. Our Engineering team is working
on this. We will provide you with more information once we get an update from
them as soon as possible.

Thanks,
Pritha
Support Operations.
Comment 8 Unknown 2007-06-26 10:46:05 UTC
Martin, 
  This particular situation has occurred due to a policy setting in the Spam
Filter which drops mails with attachments which contain zip files. This is
primarily due to the *high possibility* of virus/spam appearing from these zip
files. However, we are currently looking at various options such as providing
information to the receiver/sender that the zip file has been dropped, or might
be allowing a very specific list to allow security related attachments to pass
through via the Spam Filter.

I would be updating with more concrete steps when a formal process has been
arrived at from our internal discussion.
Comment 9 Unknown 2007-07-05 07:49:54 UTC
Martin, 

We have enabled a new rule in the Spam Filter which would allow encrypted
attachments to pass through for the mailing list
[security-team@openoffice.org]. We have also confirmed via our testing that the
mails with encrypted attachments do pass through to the mailing list
subscribers and the mailing list archive.

Since we have received confirmation from one of the users, "Malte Timmermann",
that the encrypted attachments are working for the mailing list.

Marking this issue as Resolved Fixed.

Thanks,
Pritha
Support Operations
Comment 10 malte_timmermann 2009-12-02 09:50:28 UTC
Reopen: Currently similar issues again, this time more critical:
Not only mails with encrypted attachments are filtered, but mails with _any_ type
of attachment are filtered.
The mail doesn't make it to the list, nor does the sender get some information
that the mail was not delivered.
This is a critical issue for the security list (note: it's securityteam@ooo
nowadays, not security-team@ooo anymore).
Security companies send us vulnerability reports on this list, which very
often contain attachments. They are not subscribed to this closed list, so they
wouldn't notice that they didn't reach us.
Comment 11 stx123 2009-12-02 11:04:28 UTC
Please note that the list changed from security-team@openoffice.org to
securityteam@openoffice.org.
It might be necessary to apply the rule mentioned in desc10 again for the new list.
Comment 12 Unknown 2009-12-02 11:27:46 UTC
Hi,

We will work on this and will keep you posted with the proceedings as soon as
possible.

Thanks,
Pritha
Comment 13 Unknown 2009-12-03 06:25:27 UTC
Hi,

The rule has been applied to 'securityteam@openoffice.org' as requested. Please
verify and let us know if it is working fine.

Thanks,
Pritha
Support Operations. 
Comment 14 malte_timmermann 2009-12-03 15:23:01 UTC
I just did some tests and it seems to work fine now, thanks! :)
Comment 15 stx123 2011-03-23 16:15:15 UTC
Reset QA Contact to new default
Comment 16 Rob Weir 2012-04-12 18:05:56 UTC
With the move to Apache the new ooo-security mailing list allows attachments and we have not run into this issue.