Bugtraq mailing list archives

Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses


From: Ishay Sommer <ishaybas () netvision net il>
Date: Wed, 24 Apr 2002 10:49:08 +0200

Hello.

This email was sent to support () trendmicro com over a week ago; so far, no response.

In the company that I work for, we use InterScan Version 3.6-Build_1142 for
stripping of unwanted attachments ("Spam").
No other versions have been tested.

Our sys admin has configured the mail scanner to notify all destination
addresses of a message containing such attachments of the "Spam" alert.
Meaning that if I send a bad content message to 10 recipients, all of them
receive a "Spam" alert.

The problem is that each one of the recipients receives in his mailbox the
spam warning message, including all addresses to which the original message
was sent, even if they were sent as Bcc:

For example:

**************** eManager Notification *****************

The following mail was blocked since it contains sensitive content.

Source mailbox: <ME>
Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
Policy: Attachment Removal
Attachment file name: accident.mpg - video/mpg
Action: Replaced with text

The email was stripped from its attachment, since it doesn't comply with
<ISP>'s Email Policy as can be viewed by <ISP>'s employees....

******************* End of message *********************

This is a serious security disclosure vulnerability, as all of the message's
recipients now have all the email addresses which were supposed to be kept
secret.

I wish to publish this vulnerability on Bugtraq, after providing you
with sufficient time to correct the problem, based on your response, and
our communication.

Thank you

Ishay Sommer
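The disclosure above comes from the gateway echoing the full SMTP envelope (every RCPT TO address) into the "Destination mailbox(es)" line of a notice that is then mailed to every recipient. Bcc addresses exist only in that envelope, never in the message headers, so a notice should list only the addresses already visible in To:/Cc: plus the recipient's own. The following Python is an added illustration, not InterScan's code; the message, envelope and address names are constructed samples.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the original message headers and the SMTP envelope.
# rcpt3 is a Bcc recipient: present in the envelope, absent from the headers.
SAMPLE_MESSAGE = """From: me@example.test
To: rcpt1@example.test
Cc: rcpt2@example.test
Subject: video

see attached
"""
SAMPLE_ENVELOPE = ["rcpt1@example.test", "rcpt2@example.test", "rcpt3@example.test"]


def visible_recipients(raw_message: str) -> set[str]:
    """Addresses every recipient can already see in the To:/Cc: headers."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def build_notifications(raw_message: str, envelope_rcpts: list[str],
                        leak_bcc: bool = False) -> dict[str, str]:
    """Return {recipient: notice text} for each envelope recipient.

    leak_bcc=True reproduces the reported behaviour (the whole envelope is
    echoed to everyone); the default shows only header-visible addresses
    plus the recipient's own address, so Bcc recipients stay hidden.
    """
    sender = message_from_string(raw_message).get("From", "")
    visible = visible_recipients(raw_message)
    notices = {}
    for rcpt in envelope_rcpts:
        shown = list(envelope_rcpts) if leak_bcc else sorted(visible | {rcpt.lower()})
        notices[rcpt] = ("Source mailbox: %s\nDestination mailbox(es): %s\n"
                         "Policy: Attachment Removal\n" % (sender, ",".join(shown)))
    return notices


def leaked_bcc(raw_message: str, envelope_rcpts: list[str],
               recipient: str, notice: str) -> set[str]:
    """Bcc addresses (other than the recipient's own) that a notice discloses."""
    bcc = {r.lower() for r in envelope_rcpts} - visible_recipients(raw_message)
    bcc.discard(recipient.lower())
    return {a for a in bcc if a in notice.lower()}
```

Running `leaked_bcc` over the notices a gateway actually emits is a quick regression check for this class of leak: any non-empty result means a Bcc address reached someone other than its owner.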