Long time, no posting. :-) I hope everyone on the list is well. 

I don’t know if this has been fixed in later versions of assp (I’m running 
2.1.2(11329)), but I received a ‘confirm who you are’ bounce from a friend who 
has had to set that function up because he gets too much spam. The report from 
his spam filter included the header of my message, including the X-Assp 
headers. 

The message was sent ONLY to BCC’d recipients, i.e. there was no To: recipient. 
However, in the assp X-Assp-Intended-For header, the first of the BCC’d 
recipients is noted (see below). This means that the recipients of the e-mail 
can all see at least one of the supposedly private addresses (the first in the 
list of BCC’d recipients), none of which should have been seen by ANY 
recipient, because they were ALL BCC’d. 

This is definitely a problem from the point of view of privacy. Perhaps it has 
been fixed in later versions of assp, but I thought it important to make note 
of my finding. 

All the best, 

Trevor. 

Domains and e-mails obscured: 

> The message you sent requires that you verify that you are a real live human 
> being and not a spam source.
> 
> 
> To complete this verification, simply reply to this message and leave the 
> subject line intact or click the link below:
> 
> http://www.recipientdomain.com/cgi-sys/bxd.cgi?a=geo...@recipientdomain.com&id=_9FClpcWNXHciV6snYNKB-1426771938
> 
> The headers of the message sent from your address are shown below:
> 
> From m...@senderdomain.com Thu Mar 19 09:32:18 2015
> Received: from SMTP.mxdomain.com ([66.96.20.5]:53276)
>       by cl-t017-305cl.privatedns.com with esmtp (Exim 4.84)
>       (envelope-from <m...@senderdomain.com>)
>       id 1YYaYZ-0005Wb-Ub
>       for geo...@recipientdomain.com; Thu, 19 Mar 2015 09:32:17 -0400
> Received: from localhost (localhost [127.0.0.1])
>       by SMTP.mxdomain.com (Postfix) with ESMTP id 3C68BA8CFDC3;
>       Thu, 19 Mar 2015 09:32:16 -0400 (EDT)
> X-Virus-Scanned: amavisd-new at mxdomain.com
> Received: from SMTP.mxdomain.com ([127.0.0.1])
>       by localhost (SMTP.mxdomain.com [127.0.0.1]) (amavisd-new, port 10024)
>       with ESMTP id j1z2XIta2fZP; Thu, 19 Mar 2015 09:32:15 -0400 (EDT)
> Received: from 30.20.96.66.mxdomain.com (localhost [127.0.0.1])
>       by SMTP.mxdomain.com (Postfix) with ESMTP id AE2E2A8CFDB7;
>       Thu, 19 Mar 2015 09:32:14 -0400 (EDT)
> Received: from 30.20.96.66.mxdomain.com ([66.96.20.30] 
> helo=30.20.96.66.mxdomain.com)
>       by SMTP.mxdomain.com with ESMTPS(AES256-SHA) (2.1.2); 19 Mar 2015 
> 09:32:12 -0400
> From: Trevor Jacques <m...@senderdomain.com>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Date: Thu, 19 Mar 2015 09:32:12 -0400
> Subject: Caught this live, earlier this week
> Message-Id: 
> <sigth.25204ec6c3.51a2e4a1-410c-4372-834a-10357fb76...@senderdomain.com>
> Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2090\))
> X-Mailer: Apple Mail (2.2090)
> X-Assp-Version: 2.1.2(11329) on SMTP.mxdomain.com
> X-Assp-Client-TLS: yes
> X-Assp-Server-TLS: yes
> X-Assp-Whitelisted: Yes
> X-Assp-ID: SMTP.mxdomain.com id-71934-12673
> X-Assp-Envelope-From: m...@senderdomain.com
> X-Assp-Intended-For: firstinthelistofbccrecipie...@somedomain.com      
> <————————————————— This is the problem —————————————————
> To: undisclosed-recipients:;
> X-Spam-Status: No, score=-1.9
> X-Spam-Score: -18
> X-Spam-Bar: -
> X-Ham-Report: Spam detection software, running on the system 
> "cl-t017-305cl.privatedns.com",
> has NOT identified this incoming email as spam.  The original
> message has been attached to this so you can view it or label
> similar future email.  If you have any questions, see
> root\@localhost for details.
> 
> Content preview:  https://www.youtube.com/watch?v=7INIhD9P0Pw :-) T. [...] 
> 
> Content analysis details:   (-1.9 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
> -0.0 SPF_PASS               SPF: sender matches SPF record
> -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>                             [score: 0.0000]
> X-Spam-Flag: NO
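As an added example (not from the post above and not ASSP project code), here is a small Python check a mail administrator could run over a message's header block to detect exactly the condition reported: an envelope-recipient header, here X-Assp-Intended-For, naming an address that appears nowhere in To: or Cc:, which means the address was BCC'd and has been disclosed. The header block is constructed for the example, modelled on the report with placeholder addresses and hostnames; the header list, function names and `strip_leak_headers` (the obvious mitigation on the relaying server: drop such filter-internal headers before the message leaves) are this example's own choices, not anything ASSP provides.

```python
"""
Detect a header that discloses a BCC'd recipient, and strip it.

Added example, not part of the mailing-list post or of ASSP. It parses a raw
RFC 5322 header block, collects the addresses visible in To:/Cc:, and flags
any address found in a recipient-disclosing header (X-Assp-Intended-For from
the report; the tuple below is this example's own, editable list) that is not
among the visible recipients. A message whose only visible recipient is
"undisclosed-recipients:;" therefore yields one leak per BCC'd address that
the filter wrote into the header.
"""
from email import message_from_string
from email.utils import getaddresses

# Headers that carry the SMTP envelope recipient into the message itself.
# Only X-Assp-Intended-For comes from the report; extend as needed.
LEAK_HEADERS = ("X-Assp-Intended-For",)

# Constructed sample, modelled on the report: the real recipient was BCC'd,
# so To: is an empty group, yet the filter header names the address.
SAMPLE_HEADERS_LEAK = """\
Received: from mail.example.net (localhost [127.0.0.1])
    by mail.example.net (Postfix) with ESMTP id 0123456789AB;
    Thu, 19 Mar 2015 09:32:14 -0400 (EDT)
From: Sender <sender@example.net>
Subject: Caught this live, earlier this week
Date: Thu, 19 Mar 2015 09:32:12 -0400
X-Assp-Version: 2.1.2(11329) on mail.example.net
X-Assp-Envelope-From: sender@example.net
X-Assp-Intended-For: bcc-one@example.org
To: undisclosed-recipients:;
"""

# Constructed sample where the envelope recipient is also a visible To:
# recipient, so nothing private is disclosed.
SAMPLE_HEADERS_OK = """\
From: Sender <sender@example.net>
To: Alice <alice@example.org>
Cc: bob@example.org
X-Assp-Intended-For: alice@example.org
"""


def visible_recipients(msg):
    """Return the lower-cased addresses a recipient can legitimately see."""
    addrs = set()
    for hdr in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:  # skips empty groups such as undisclosed-recipients:;
                addrs.add(addr.lower())
    return addrs


def bcc_leaks(raw_headers, leak_headers=LEAK_HEADERS):
    """Return [(header, address)] for every disclosed address not in To:/Cc:."""
    msg = message_from_string(raw_headers)
    visible = visible_recipients(msg)
    leaks = []
    for hdr in leak_headers:
        for value in msg.get_all(hdr, []):
            for _name, addr in getaddresses([value]):
                if addr and addr.lower() not in visible:
                    leaks.append((hdr, addr))
    return leaks


def strip_leak_headers(raw_headers, leak_headers=LEAK_HEADERS):
    """Mitigation on the relaying side: remove the disclosing headers."""
    msg = message_from_string(raw_headers)
    for hdr in leak_headers:
        del msg[hdr]  # removes every occurrence of the header
    return msg.as_string()


if __name__ == "__main__":
    for label, block in (("leak", SAMPLE_HEADERS_LEAK), ("ok", SAMPLE_HEADERS_OK)):
        print(label, bcc_leaks(block))
    print(bcc_leaks(strip_leak_headers(SAMPLE_HEADERS_LEAK)))
```

Run as a script it reports the BCC'd address from the first sample and nothing for the second; after `strip_leak_headers` the first sample no longer discloses anything. The check deliberately treats the envelope recipient as private whenever it is absent from To:/Cc:, since from the recipient's side there is no other way to tell a BCC from an ordinary delivery.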

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
