Re: [Mimedefang] suspicious characters

2017-10-05 Thread Steffen Kaiser

On Thu, 5 Oct 2017, Michael Fox wrote:


I'm trying to understand what triggers the setting of
$SuspiciousCharsInHeaders and $SuspiciousCharsInBody?  All I can find are
circular definitions that vaguely mention possible exploits.  But no
specifics are given.  Before I use either of these, I'd like to understand
better what constitutes "suspicious" in both cases.


suspicious :=
If header or body has a \r without \n
If the body has an embedded \0


Do you bounce every message for which $SuspiciousCharsInHeaders is
true?


Yep, but it hasn't triggered in a long time now.

-- 
Steffen Kaiser

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] suspicious characters

2017-10-05 Thread Jan-Pieter Cornet

On 5-10-17 09:43, Michael Fox wrote:

I'm trying to understand what triggers the setting of
$SuspiciousCharsInHeaders and $SuspiciousCharsInBody?  All I can find are
circular definitions that vaguely mention possible exploits.  But no
specifics are given.  Before I use either of these, I'd like to understand
better what constitutes "suspicious" in both cases.


In both header and body, a CR that is *NOT* followed by a LF is considered 
"suspicious".

In the body, a NUL character is also considered suspicious.


Do you bounce every message for which $SuspiciousCharsInHeaders is
true?


Yes, we have been bouncing those for over a decade. No complaints so far. But it doesn't 
match a lot of messages (a handful each day out of a few million). And it occasionally 
also matches some seemingly "legitimate" messages that simply aren't formatted 
properly.


How about every message for which $SuspiciousCharsInBody is true?


Tried that briefly and turned it off again. Can't remember why, probably 
because of false positives (that was in 2004). We currently ignore suspicious 
characters in body, don't even log it.

--
Jan-Pieter Cornet 
"Any sufficiently advanced incompetence is indistinguishable from malice."
- Grey's Law





[Mimedefang] suspicious characters

2017-10-05 Thread Michael Fox

I'm trying to understand what triggers the setting of
$SuspiciousCharsInHeaders and $SuspiciousCharsInBody?  All I can find are
circular definitions that vaguely mention possible exploits.  But no
specifics are given.  Before I use either of these, I'd like to understand
better what constitutes "suspicious" in both cases. 


So, can someone provide a concrete/specific definition of "suspicious"
characters in headers?   In the body? 


Also, what do others do?  

Do you bounce every message for which $SuspiciousCharsInHeaders is
true?

How about every message for which $SuspiciousCharsInBody is true?


Thanks,

Michael



Re: [Mimedefang] suspicious characters in headers

2010-08-13 Thread Steffen Kaiser

On Thu, 12 Aug 2010, Fred Bacon wrote:


of Allergy and Infectious Diseases.  I can't see anything which I would
consider suspicious in the headers listed in the quarantine message.

Could someone explain what constitutes suspicious characters and how
this might be circumvented for these messages?  Is there any control
over the algorithm, or is this a case where I have to turn off this
feature completely to avoid the problem?


See mimedefang.c safe_append_header(). Suspicious characters are CRs 
('\r') that are not followed by an LF ('\n').


You see that the function replaces those lone CRs with a single space. 
Others might interpret this RFC-violating fact as an LF; hence there would 
be another header that the MUAs would parse, with many implications.


You could try:

1) tell the sender that the message is malformed and point them to where,
2) rebuild the messages from the gov and reject the others. I suppose 
MIMEDefang uses safe headers then, but I never tried that myself.


I had the same problem with a CVS check-in announcement list, where the 
Subject header line had embedded CRs taken from the checkin comment, 
because the software interpreted the comment in Unix-style, but some 
clients uploaded Windows-style text.


Regards,

-- 
Steffen Kaiser



[Mimedefang] suspicious characters in headers

2010-08-12 Thread Fred Bacon

Lately, I've been having problems with legitimate messages being
quarantined due to suspicious characters in headers.  The messages in
question come from a Government mailing list from the National Institute
of Allergy and Infectious Diseases.  I can't see anything which I would
consider suspicious in the headers listed in the quarantine message.

Could someone explain what constitutes suspicious characters and how
this might be circumvented for these messages?  Is there any control
over the algorithm, or is this a case where I have to turn off this
feature completely to avoid the problem?

I'm running mimedefang 2.68 on a fully patched CentOS 5 system.

Fred Bacon




Re: [Mimedefang] suspicious characters

2005-10-25 Thread Joseph Brennan



My experience with $SuspiciousCharsInBody is that it is pretty much
useless in all circumstances except for a very strict home system
with a few users. There are simply too many crappy MUAs out there.


Cyrus rejects messages with these characters, and I'd rather refuse
during smtp than generate bounces after Cyrus delivery fails.  Almost
all of it really is garbage, about 15,000 a day (of 1.5 million--
exactly the .01% Per reported previously!).




Mimedefang strips all CR
characters from the input, before putting them in INPUTMSG, even if they
are lone CR characters that trigger the suspiciousBody flag. So you
will never see the CR characters in mimedefang (and neither will any
virus scanner or other content scanner you might use).


So that's it!  So the best I can do is distinguish null from return.
Thanks.



Joseph Brennan
Columbia University Information Technology



[Mimedefang] suspicious characters

2005-10-24 Thread Joseph Brennan


We've begun refusing mail with suspicious_chars_body.  Almost all is
junk but there's a trickle of legit mail and I want to be able to tell
those few what was wrong with their message.  The usual seems to be
text uploaded from Windows with RETURN in it.

I am trying this, below, to capture the first line with a suspicious
character.  The \000 and \015 are to be rewritten to NULL or RETURN
so we can see them, and then $badline is written to syslog.

What I get is NULL by itself, or nothing.  Apparently this code matches
on the \000 all right but not on the \015 and I don't know why.

Any ideas?

Joseph Brennan
Columbia University Information Technology


   if ($SuspiciousCharsInBody) {
       my ($badline);
       if (open(IN, '<', './INPUTMSG')) {
           while (<IN>) {
               chomp;
               # NUL byte: make it visible as NULL
               if (/\000/) {
                   $badline = $_;
                   $badline =~ s/\000/NULL/g;
               }
               # lone CR: make it visible as RETURN
               if (/\015/) {
                   $badline = $_;
                   $badline =~ s/\015/RETURN/g;
               }
               last if ($badline);   # stop at the first offending line
           }
           close(IN);
       } else {
           $badline = 'line not available';
       }

       # (bounce it and write $badline to log)
   }





Re: [Mimedefang] suspicious characters

2005-10-24 Thread Jan Pieter Cornet
On Mon, Oct 24, 2005 at 12:12:29PM -0400, Joseph Brennan wrote:
 We've begun refusing mail with suspicious_chars_body.  Almost all is
 junk but there's a trickle of legit mail and I want to be able to tell
 those few what was wrong with their message.  The usual seems to be
 text uploaded from Windows with RETURN in it.

My experience with $SuspiciousCharsInBody is that it is pretty much
useless in all circumstances except for a very strict home system
with a few users. There are simply too many crappy MUAs out there.

See also my previous message on this subject here:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-September/024333.html

 I am trying this, below, to capture the first line with a suspicious
 character.  The \000 and \015 are to be rewritten to NULL or RETURN
 so we can see them, and then $badline is written to syslog.
 
 What I get is NULL by itself, or nothing.  Apparently this code matches
 on the \000 all right but not on the \015 and I don't know why.
 
 Any ideas?

Yes, see also my previous message to the list. Mimedefang strips all CR
characters from the input, before putting them in INPUTMSG, even if they
are lone CR characters that trigger the suspiciousBody flag. So you
will never see the CR characters in mimedefang (and neither will any
virus scanner or other content scanner you might use).

I consider this a bug, and it's still present in mimedefang 2.53, but I
haven't found it important enough to consider patching it. You can
find the logic in the body() function on line 1087 of mimedefang.c.

-- 
Jan-Pieter Cornet
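The rule the thread settles on (a CR not followed by LF in header or body, a NUL byte in the body) together with the first-offending-line report that the posted filter snippet tried to produce, as an added example written for this page; it is not code from MIMEDefang or from any poster. It assumes the caller has the raw message bytes as received (the snippet above finds no CRs because, as explained, they are stripped before INPUTMSG is written), and `safe_header_value` only mirrors the lone-CR-to-space behaviour described for safe_append_header(), not the project's actual function.

```perl
use strict;
use warnings;

# Assumption: $raw is the message as received on the wire, headers and body
# separated by the first empty line. MIMEDefang strips CRs before writing
# INPUTMSG, so that file is the wrong place to look for them.
sub suspicious_chars {
    my ($raw) = @_;
    my ($hdr, $body) = split /\r?\n\r?\n/, $raw, 2;
    $body = '' unless defined $body;
    my %res = (headers => 0, body => 0, badline => undef);
    # Split on CRLF or bare LF, so a CR that is not part of CRLF stays in its line.
    for my $line (split /\r\n|\n/, $hdr) {
        next unless $line =~ /\r/;          # header rule: lone CR
        $res{headers} = 1;
        $res{badline} //= visible($line);
    }
    for my $line (split /\r\n|\n/, $body) {
        next unless $line =~ /[\r\0]/;      # body rule: lone CR or NUL
        $res{body} = 1;
        $res{badline} //= visible($line);
    }
    return \%res;
}

# Make NUL and CR printable so the line can be quoted in a bounce or syslog.
sub visible { my ($l) = @_; $l =~ s/\000/NULL/g; $l =~ s/\015/RETURN/g; $l }

# Mirrors the behaviour described for safe_append_header(): a lone CR becomes
# a space, so no downstream parser can read it as the start of a new header.
sub safe_header_value {
    my ($v) = @_;
    $v =~ s/\r(?!\n)/ /g;
    return $v;
}

# Constructed sample messages (not real mail).
my %samples = (
    clean    => "Subject: hello\r\n\r\nbody line\r\n",
    lone_cr  => "Subject: checkin\rnotes\n\nbody\n",   # CR from a Windows-style comment
    nul_body => "Subject: ok\n\nline one\nbad\000byte\n",
);
for my $name (sort keys %samples) {
    my $r = suspicious_chars($samples{$name});
    printf "%-8s headers=%d body=%d line=%s\n", $name, $r->{headers}, $r->{body},
        $r->{badline} // '-';
}
print safe_header_value("checkin\rnotes"), "\n";
```

Only the lone_cr sample sets the headers flag and only nul_body sets the body flag; the clean sample, which uses proper CRLF line endings throughout, sets neither.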