Re: [Mimedefang] mailsploit prevention in MD

2017-12-06 Thread Dianne Skoll
On Wed, 6 Dec 2017 01:37:39 +0100
Jan-Pieter Cornet  wrote:

> Another bug with its own logo and website has appeared:
> www.mailsploit.com.

Interesting.  The code-injection part is worrying, but IMO the spoofing
part is completely uninteresting.  There are so many ways to fool people
regarding DKIM/DMARC/SPF that you don't need malformed messages to do
it.

Regards,

Dianne.
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] mailsploit prevention in MD

2017-12-06 Thread Kevin A. McGrail

On 12/5/2017 7:37 PM, Jan-Pieter Cornet wrote:
> Another bug with its own logo and website has appeared:
> www.mailsploit.com.

In the same vein and somewhat off-topic from an MD solution, here's a
solution via Apache SpamAssassin that I'm soliciting feedback regarding
on the SA users mailing list.


I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
 #NUL
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

 #\n Multiple in the From Header
header   __KAM_MAILSPLOIT2    From =~ /[\n]/
describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2    multiple maxhits=2

meta    KAM_MAILSPLOIT  (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe    KAM_MAILSPLOIT  Mail triggers known exploits per mailsploit.com
score   KAM_MAILSPLOIT  10.0

Regards,
KAM
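
Added example, not part of the thread or of KAM.cf: a Python sketch of the check the rules above express, run over constructed From values. It assumes the rules are matched against the From value after RFC 2047 encoded-words have been decoded; the function names and sample headers are hypothetical.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def _decode_word(match):
    charset, encoding, payload = match.group(1), match.group(2).lower(), match.group(3)
    try:
        if encoding == "b":
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        else:
            # Q encoding: "_" stands for a space, "=XX" is a hex-escaped byte.
            raw = binascii.a2b_qp(payload.replace("_", " "))
    except ValueError:
        return match.group(0)  # undecodable payload: keep the literal text
    try:
        return raw.decode(charset, errors="replace")
    except LookupError:
        return raw.decode("latin-1")  # unknown charset: still expose control bytes


def decode_from(raw_from):
    """Expand every encoded-word in a From header value."""
    return ENCODED_WORD.sub(_decode_word, raw_from)


def kam_mailsploit(raw_from):
    """Mirror the meta rule: a NUL, or at least two newline hits."""
    decoded = decode_from(raw_from)
    has_nul = "\0" in decoded                    # __KAM_MAILSPLOIT1
    newline_hits = min(decoded.count("\n"), 2)   # __KAM_MAILSPLOIT2, maxhits=2
    return has_nul or newline_hits >= 2


def _b64_word(data):
    return "=?utf-8?b?" + base64.b64encode(data).decode("ascii") + "?="


# Constructed sample header values (not taken from the thread).
SAMPLES = {
    "plain": "Alice Example <alice@example.com>",
    "encoded_name": _b64_word("Zo\u00eb Example".encode("utf-8")) + " <zoe@example.com>",
    "encoded_nul": _b64_word(b"Alice\0Example") + " <sender@example.net>",
    "one_newline": "=?utf-8?Q?Alice=0AExample?= <sender@example.net>",
    "two_newlines": "=?utf-8?Q?Alice=0A=0AExample?= <sender@example.net>",
}
```

A legitimately encoded display name passes, while a control character hidden inside an encoded-word is only visible once the word has been decoded.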