Re: [Mimedefang] mailsploit prevention in MD
On Wed, 6 Dec 2017 01:37:39 +0100 Jan-Pieter Cornet wrote:

> Another bug with its own logo and website has appeared:
> www.mailsploit.com.

Interesting. The code-injection part is worrying, but IMO the spoofing part is completely uninteresting. There are so many ways to fool people regarding DKIM/DMARC/SPF that you don't need malformed messages to do it.

Regards,

Dianne.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] mailsploit prevention in MD
On 12/5/2017 7:37 PM, Jan-Pieter Cornet wrote:

> Another bug with its own logo and website has appeared:
> www.mailsploit.com.

In the same vein and somewhat off-topic from an MD solution, here's a solution via Apache SpamAssassin that I'm soliciting feedback regarding on the SA users mailing list. I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#NUL
header   __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index

#\n Multiple in the From Header
header   __KAM_MAILSPLOIT2 From =~ /[\n]/
describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2 multiple maxhits=2

meta     KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
score    KAM_MAILSPLOIT 10.0

Regards,

KAM
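
The check that the rules posted in the message above perform, as an added Python example that is not part of the thread, of KAM.cf or of SpamAssassin: it decodes the RFC 2047 encoded-words in a From value and tests the decoded text for a NUL and for an embedded newline. The function names and the sample header values are constructed for illustration, and the code assumes the rule engine matches against the decoded value followed by the header's own terminating newline, which is why the threshold is two.

```python
import base64
from email.header import decode_header


def encoded_word(raw: bytes) -> str:
    """Build a base64 RFC 2047 encoded-word (used only for the samples below)."""
    return "=?utf-8?b?" + base64.b64encode(raw).decode("ascii") + "?="


def decode_from(value: str) -> str:
    """Decode the encoded-words in an unfolded From header value."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)


def check_from(value: str) -> dict:
    """Mirror the three posted rules on one From header value."""
    # Assumption: the matched text ends with the header's own newline,
    # so a clean header already yields one newline hit.
    text = decode_from(value) + "\n"
    nul = "\0" in text                    # __KAM_MAILSPLOIT1
    newlines = min(text.count("\n"), 2)   # __KAM_MAILSPLOIT2, maxhits=2
    return {"nul": nul, "newlines": newlines,
            "flagged": nul or newlines >= 2}  # KAM_MAILSPLOIT


# Constructed sample header values (not taken from real mail).
SAMPLES = {
    "plain": "Alice Example <alice@example.com>",
    "encoded_ok": encoded_word("Zo\u00eb Example".encode("utf-8")) + " <zoe@example.com>",
    "encoded_nul": encoded_word(b"Display\x00Name") + " <user@example.com>",
    "encoded_newline": encoded_word(b"Display\nName") + " <user@example.com>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, check_from(value))
```

The same test on the raw header text would miss both cases, because the NUL and the newline only exist after the encoded-word is decoded.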