Bugtraq mailing list archives
Re: Non existing attachments, more info
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 20 Feb 2002 21:49:05 +1300
On Mon, Feb 18, 2002 at 10:02:17AM -0500, David F. Skoll wrote:
I initially made my scanner emulate the Outlook bug; now I see it's the wrong thing to do.
Indeed.
I believe the only sane way to handle these kinds of malformed messages is: 1) Reject any message with suspicious characters in the headers (e.g., embedded CR's.) It's pointless for a server-based scanner to try to out-think all the different mail user agents out there.
Qmail-Scanner has done that since BadTrans came out. As you found out, "fixing" the message isn't the solution. Instead block it as "suspicious". I have 2 months worth of data on this, since Qmail-Scanner started blocking lone CR in MIME headers, almost all messages stopped were viruses or spam. The few that were "real" messages were from broken windows installs of Squirrelmail... (that's what you get when you edit php files with notepad I suppose ;-) http://qmail-scanner.sourceforge.net/ -- Cheers Jason Haar Information Security Manager Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417
Current thread:
- Non existing attachments, more info Valentijn Sessink (Feb 16)
- Re: Non existing attachments, more info David F. Skoll (Feb 19)
- Re: Non existing attachments, more info Jason Haar (Feb 20)
- <Possible follow-ups>
- RE: Non existing attachments, more info Grimes, Roger (Feb 20)
- RE: Non existing attachments, more info David F. Skoll (Feb 20)
- Re: Non existing attachments, more info William D. Colburn (aka Schlake) (Feb 20)
- RE: Non existing attachments, more info David F. Skoll (Feb 20)
- Re: Non existing attachments, more info David F. Skoll (Feb 19)