Closed Bug 408232 Opened 17 years ago Closed 17 years ago

Thunderbird security

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: jim.kinane, Assigned: dveditz)

Details

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1) Build Identifier: 2.0 I sent several emails to 7 people and BCC myself. The emails transmitted fine for all except one person. Over 3 days one person claimed to received 4 blank emails. This person has suspect morality. How can I prove the emails claimed to be blank were blanked out AFTER the email was sent. My job is on the line. thanks Reproducible: Always Steps to Reproduce: 1. 2. 3.
You can provide them the copy bccd to yourself. Of course that's easily to forge, but if you have a helpful admin who can prove it with the smtp server logs that's harder evidence. ->INVALID, as this is not a bug in thunderbird. Support forums: http://forums.mozillazine.org/viewforum.php?f=39
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Daniel: What am i looking for in the SMTP logs? Thanks this is critically important. Jim
Resolution: INVALID → INCOMPLETE
Not any logs you can create yourself. But the sending (smtp) server probably has it's own record of which mails were sent to who, and when.
There's really no good ways to prove mail delivery. You can add mail receipts, but most client software won't reply or asks the user if they want to send the confirmation. You can _sign_ mail with an S/MIME cert or using PGP, but that only proves that the content was from you and that no one altered it. But you can't prove that an unsigned mail _didn't_ come from you--you pretty much need to adopt a policy of sending nothing but signed mail. If you send some signed and some unsigned then a malicious person can still forge an unsigned mail and say it really came from you. Of course signing doesn't help after the fact. About all I can say is that if you sent this mail to the 7 people at the same time (not BCC and not individually sent copies) then 6 other people can attest that you made a good-faith effort to send the mail to that 7th person. None can guarantee the mail arrived, but at least they can say you didn't send it blank. The the receiver needs to see what's blanking out the mails on their own end (do they use a different mail client from you and the others? perhaps there is an incompatibility?). As to the logs, you need to talk to the administrators of your mail system (specifically the SMTP server as mentioned) and get a log showing the mail sent from your account. The admins can probably filter it in several ways, like all the mail you sent to this other person, or all the mail you sent with particular subject lines. How easy it is to get those logs depends on how large and bureaucratic your organization is (.gov? whoo boy!). If your job is seriously "on the line" then you can likely get administrative help (from HR?) in getting that information. Good luck! p.s. you may have missed the notice when creating your bugzilla account that information on this server is totally public. Do you really want your phone number posted?
Please remove the Phone Number...Thanks
The best I can do is restrict comment 0 and comment 2 to the security group to hide phone number, but it's still visible to ~100 people. Filed bug 408428
Whiteboard: need to scrub phone#
No Problem about the Phone number.... You people have been very helpful. Keep up the great work. I love Mozilla... Thanks
Whiteboard: need to scrub phone#
You need to log in before you can comment on or make changes to this bug.