Package: kmail
Version: 4:3.5.9-5
Severity: important
kmail with spamassassin is a security hole regarding privacy. I have kmail configured to _ask_ about sending MDNs. When I receive legitimate messages asking for confirmation, kmail correctly asks me whether to send it or not. But when the message asking for confirmation is classified as spam by spamassassin, kmail sends an _unwanted_ MDN about message deletion like the one below. This kind of unwanted MDN is lethal for privacy, since it can reach the spammer (if the From: is correct) or unwanted people (if it is forged).

Start of unwanted MDN:
--------------------------------------------------------------------------------
From: Noel David Torres Taño <[EMAIL PROTECTED]>
X-KMail-Fcc: sent-mail
To: "Elijah morgenthaler" <[EMAIL PROTECTED]>
Subject: Message Disposition Notification
Date: Tue, 26 Aug 2008 22:27:32 +0200
User-Agent: KMail/1.9.9
MIME-Version: 1.0
Content-Type: Multipart/report; boundary="Boundary-00=_0cGtIq98r+nRXFc"; report-type="disposition-notification"
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Status: RO
X-Status: RSC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

--Boundary-00=_0cGtIq98r+nRXFc
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

The message for [EMAIL PROTECTED] sent on 26-08-08 22:43 with the subject «Ramming deep into her» has been deleted without being viewed. There is no guarantee that the message will be recovered and read later.
--Boundary-00=_0cGtIq98r+nRXFc
Content-Type: Message/disposition-notification
Content-Transfer-Encoding: 7bit

Reporting-UA: quevedo; KMime 0.1.0
Final-Recipient: rfc822; Noel David Torres Taño <[EMAIL PROTECTED]>
Original-Message-ID: <[EMAIL PROTECTED]>
Disposition: automatic-action/MDN-sent-automatically; deleted

--Boundary-00=_0cGtIq98r+nRXFc--
-------------------------------------------------------------------------------------

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages kmail depends on:
ii  kdebase-kio-plugins   4:3.5.9.dfsg.1-5    core I/O slaves for KDE
ii  kdelibs4c2a           4:3.5.9.dfsg.1-6    core libraries and binaries for al
ii  kdepim-kio-plugins    4:3.5.9-5           KDE pim I/O Slaves
ii  libart-2.0-2          2.3.20-2            Library of functions for 2D graphi
ii  libaudio2             1.9.1-4             Network Audio System - shared libr
ii  libc6                 2.7-13              GNU C Library: Shared libraries
ii  libfontconfig1        2.6.0-1             generic font configuration library
ii  libfreetype6          2.3.7-2             FreeType 2 font engine, shared lib
ii  libgcc1               1:4.3.1-2           GCC support library
ii  libice6               2:1.0.4-1           X11 Inter-Client Exchange library
ii  libidn11              1.8+20080606-1      GNU libidn library, implementation
ii  libjpeg62             6b-14               The Independent JPEG Group's JPEG
ii  libkcal2b             4:3.5.9-5           KDE calendaring library
ii  libkdepim1a           4:3.5.9-5           KDE PIM library
ii  libkleopatra1         4:3.5.9-5           KDE GnuPG interface libraries
ii  libkmime2             4:3.5.9-5           KDE MIME interface library
ii  libkpimidentities1    4:3.5.9-5           KDE PIM user identity information
ii  libksieve0            4:3.5.9-5           KDE mail/news message filtering li
ii  libmimelib1c2a        4:3.5.9-5           KDE mime library
ii  libpng12-0            1.2.27-1            PNG library - runtime
ii  libqt3-mt             3:3.3.8b-5          Qt GUI Library (Threaded runtime v
ii  libsm6                2:1.0.3-2           X11 Session Management library
ii  libstdc++6            4.3.1-2             The GNU Standard C++ Library v3
ii  libx11-6              2:1.1.4-2           X11 client-side library
ii  libxcursor1           1:1.1.9-1           X cursor management library
ii  libxext6              2:1.0.4-1           X11 miscellaneous extension librar
ii  libxft2               2.1.12-3            FreeType-based font drawing librar
ii  libxi6                2:1.1.3-1           X11 Input extension library
ii  libxinerama1          2:1.0.3-2           X11 Xinerama extension library
ii  libxrandr2            2:1.2.3-1           X11 RandR extension library
ii  libxrender1           1:0.9.4-2           X Rendering Extension client libra
ii  libxt6                1:1.0.5-3           X11 toolkit intrinsics library
ii  perl                  5.10.0-13           Larry Wall's Practical Extraction
ii  zlib1g                1:1.2.3.3.dfsg-12   compression library - runtime

Versions of packages kmail recommends:
ii  kmailcvt              4:3.5.9-5           KDE KMail mail folder converter
ii  procmail              3.22-16             Versatile e-mail processor

Versions of packages kmail suggests:
pn  clamav | f-prot-installer  <none>         (no description available)
ii  gnupg                 1.4.9-3             GNU privacy guard - a free PGP rep
ii  gnupg-agent           2.0.9-3             GNU privacy guard - password agent
ii  kaddressbook          4:3.5.9-5           KDE NG addressbook application
ii  kleopatra             4:3.5.9-5           KDE Certificate Manager
ii  pinentry-qt [pinentry-x11]  0.7.5-2       Qt-based PIN or pass-phrase entry
ii  spamassassin          3.2.5-1             Perl-based spam filter using text

-- no debconf information
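The MDN quoted above was filed in the sent-mail folder (X-KMail-Fcc: sent-mail) and carries the RFC 3798 field "Disposition: automatic-action/MDN-sent-automatically; deleted", which is the recorded evidence that the client answered the spammer's receipt request on its own. The following is an added example, not KMail or Debian code, that audits a sent-mail folder for such automatically emitted MDNs so a user with an "ask before sending" policy can find out whom their address has already been confirmed to. The three sample messages are constructed reductions of the one in the report, with placeholder addresses and message IDs; the Disposition grammar it parses is the one from RFC 3798.

```python
"""Audit sent mail for Message Disposition Notifications (RFC 3798) that a
mail client emitted automatically, i.e. without asking the user first.

Added example for the bug report above; not KMail or Debian code. The sample
messages are constructed, with placeholder addresses and message IDs.
"""
import email
from email import policy
from email.message import Message
from typing import Optional

# Constructed sample 1: an automatic MDN of the kind the report complains about.
AUTO_MDN = """\
From: Reporter <reporter@example.org>
To: "Elijah morgenthaler" <sender@example.net>
Subject: Message Disposition Notification
MIME-Version: 1.0
Content-Type: Multipart/report; boundary="B1"; report-type="disposition-notification"
In-Reply-To: <original-1@example.net>

--B1
Content-Type: text/plain; charset="utf-8"

The message was deleted without being displayed.
--B1
Content-Type: message/disposition-notification

Reporting-UA: quevedo; KMime 0.1.0
Final-Recipient: rfc822; reporter@example.org
Original-Message-ID: <original-1@example.net>
Disposition: automatic-action/MDN-sent-automatically; deleted
--B1--
"""

# Constructed sample 2: an MDN the user explicitly confirmed (the "ask" policy honoured).
MANUAL_MDN = AUTO_MDN.replace(
    "automatic-action/MDN-sent-automatically; deleted",
    "manual-action/MDN-sent-manually; displayed",
).replace("<original-1@example.net>", "<original-2@example.com>")

# Constructed sample 3: an ordinary message, not an MDN at all.
PLAIN_MAIL = """\
From: Reporter <reporter@example.org>
To: friend@example.com
Subject: Re: lunch
Content-Type: text/plain; charset="utf-8"

Sounds good.
"""


def _disposition_fields(part: Message) -> dict:
    """Return the fields of a message/disposition-notification part, lower-cased.

    Python's email parser treats message/* parts as embedded messages, so the
    fields normally arrive as headers of a nested Message; the fallback copes
    with a parser that left them as raw text.
    """
    payload = part.get_payload()
    if isinstance(payload, list) and payload:
        return {k.lower(): str(v).strip() for k, v in payload[0].items()}
    raw = part.get_payload(decode=True) or b""
    fields = {}
    for line in raw.decode("ascii", "replace").splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def parse_disposition(value: str) -> dict:
    """Split an RFC 3798 Disposition field into its parts.

    Grammar: action-mode "/" sending-mode ";" disposition-type ["/" modifiers]
    """
    mode, _, rest = value.partition(";")
    action_mode, _, sending_mode = mode.strip().partition("/")
    dtype, _, modifiers = rest.strip().partition("/")
    return {
        "action_mode": action_mode.strip().lower(),
        "sending_mode": sending_mode.strip().lower(),
        "type": dtype.strip().lower(),
        "modifiers": [m.strip().lower() for m in modifiers.split(",") if m.strip()],
    }


def extract_mdn(raw: str) -> Optional[dict]:
    """Parse one sent message; return its MDN details, or None if it is not an MDN."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None
    if (msg.get_param("report-type") or "").lower() != "disposition-notification":
        return None
    for part in msg.walk():
        if part.get_content_type() != "message/disposition-notification":
            continue
        fields = _disposition_fields(part)
        disp = parse_disposition(fields.get("disposition", ""))
        to_header = msg["To"]
        return {
            "to": [a.addr_spec for a in to_header.addresses] if to_header else [],
            "original_message_id": fields.get("original-message-id", ""),
            "disposition": disp,
            # Under an "ask before sending" policy, any MDN the client sent on
            # its own is a policy violation and confirms the address to the sender.
            "sent_without_asking": disp["sending_mode"] == "mdn-sent-automatically",
        }
    return None


def audit_sent_mail(raw_messages) -> list:
    """List MDNs that went out automatically: who received the confirmation,
    which message triggered it, and what disposition was reported."""
    findings = []
    for raw in raw_messages:
        mdn = extract_mdn(raw)
        if mdn and mdn["sent_without_asking"]:
            findings.append((mdn["to"], mdn["original_message_id"], mdn["disposition"]["type"]))
    return findings


if __name__ == "__main__":
    for to, orig_id, dtype in audit_sent_mail([AUTO_MDN, MANUAL_MDN, PLAIN_MAIL]):
        print("unwanted MDN sent to %s about %s (disposition: %s)" % (", ".join(to), orig_id, dtype))
```

Run against a real sent-mail folder, feed each message's source text to audit_sent_mail; every hit is an address that now knows the mailbox is live, which is the leak the report describes. The check keys on the sending-mode token rather than on the client's free-text part, because the human-readable part is localized (Spanish in the report) while the Disposition field is fixed by the RFC.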