Re: [Mimedefang] suspicious characters
On Thu, 5 Oct 2017, Michael Fox wrote:

> I'm trying to understand what triggers the setting of $SuspiciousCharsInHeaders and $SuspiciousCharsInBody? All I can find are circular definitions that vaguely mention possible exploits. But no specifics are given. Before I use either of these, I'd like to understand better what constitutes "suspicious" in both cases.

suspicious :=
  if the header or body has a \r without a \n
  if the body has an embedded \0

> Do you bounce every message for which $SuspiciousCharsInHeaders is true?

Yep, but it hasn't triggered in a long time now.

--
Steffen Kaiser

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] suspicious characters
On 5-10-17 09:43, Michael Fox wrote:

> I'm trying to understand what triggers the setting of $SuspiciousCharsInHeaders and $SuspiciousCharsInBody? All I can find are circular definitions that vaguely mention possible exploits. But no specifics are given. Before I use either of these, I'd like to understand better what constitutes "suspicious" in both cases.

In both header and body, a CR that is *NOT* followed by a LF is considered "suspicious". In the body, a NUL character is also considered suspicious.

> Do you bounce every message for which $SuspiciousCharsInHeaders is true?

Yes, we have been bouncing those for over a decade. No complaints so far. But it doesn't match a lot of messages (a handful each day out of a few million). And it occasionally also matches some seemingly "legitimate" messages that simply aren't formatted properly.

> How about every message for which $SuspiciousCharsInBody is true?

Tried that briefly and turned it off again. Can't remember why, probably because of false positives (that was in 2004). We currently ignore suspicious characters in the body, don't even log it.

--
Jan-Pieter Cornet
"Any sufficiently advanced incompetence is indistinguishable from malice." - Grey's Law
[Mimedefang] suspicious characters
I'm trying to understand what triggers the setting of $SuspiciousCharsInHeaders and $SuspiciousCharsInBody? All I can find are circular definitions that vaguely mention possible exploits. But no specifics are given. Before I use either of these, I'd like to understand better what constitutes "suspicious" in both cases.

So, can someone provide a concrete/specific definition of "suspicious" characters in headers? In the body?

Also, what do others do? Do you bounce every message for which $SuspiciousCharsInHeaders is true? How about every message for which $SuspiciousCharsInBody is true?

Thanks,
Michael
Re: [Mimedefang] suspicious characters in headers
On Thu, 12 Aug 2010, Fred Bacon wrote:

> of Allergy and Infectious Diseases. I can't see anything which I would consider suspicious in the headers listed in the quarantine message. Could someone explain what constitutes suspicious characters and how this might be circumvented for these messages? Is there any control over the algorithm, or is this a case where I have to turn off this feature completely to avoid the problem?

See mimedefang.c safe_append_header(). Suspicious characters are CRs ('\r') which are not followed by an LF ('\n'). You see that the function replaces those lone CRs by a single space. Others might interpret this RFC-violating fact as an LF, hence there would be another header that the MUAs would parse, with many implications.

You could try:
1) tell the sender that the message is malformed and point them to where,
2) rebuild the messages from the gov and reject the others. I suppose MIMEDefang uses safe headers then, but I never tried that myself.

I had the same problem with a CVS check-in announcement list, where the Subject header line had embedded CRs taken from the check-in comment, because the software interpreted the comment in Unix-style, but some clients uploaded Windows-style text.

Regards,

--
Steffen Kaiser
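The rule given in this thread (a CR not followed by LF is suspicious in headers and body, a NUL is suspicious in the body only) and the single-space substitution Steffen describes for safe_append_header(), written out as an added example; this is not MIMEDefang's code, and scan_suspicious(), neutralize_lone_cr() and the sample header and body strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Flags returned by scan_suspicious(). */
#define SUSP_LONE_CR 1  /* a CR (\r) not immediately followed by LF (\n) */
#define SUSP_NUL     2  /* an embedded NUL byte (body only) */

/* Scan 'len' bytes (explicit length, since NULs may sit inside the data).
 * Rule as stated on the list: a CR not followed by LF is suspicious in
 * headers and body; a NUL is suspicious in the body only. */
int scan_suspicious(const char *buf, size_t len, int is_body)
{
    int flags = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\r' && (i + 1 >= len || buf[i + 1] != '\n'))
            flags |= SUSP_LONE_CR;
        else if (buf[i] == '\0' && is_body)
            flags |= SUSP_NUL;
    }
    return flags;
}

/* Replace each lone CR in a NUL-terminated header line with one space, as
 * the thread describes safe_append_header() doing (hypothetical
 * re-implementation, not MIMEDefang's own code). Returns the replacement count. */
size_t neutralize_lone_cr(char *s)
{
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\r' && s[i + 1] != '\n') {
            s[i] = ' ';
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed samples: a proper CRLF header, a Subject carrying a bare CR
     * (as from a Windows-style check-in comment), and a body with a NUL. */
    const char hdr_ok[]   = "Subject: build fixed\r\n";
    char       hdr_bad[]  = "Subject: build fixed\rsee log\r\n";
    const char body_nul[] = "plain text\0hidden";
    printf("ok header:  %d\n", scan_suspicious(hdr_ok, sizeof hdr_ok - 1, 0));
    printf("bad header: %d\n", scan_suspicious(hdr_bad, sizeof hdr_bad - 1, 0));
    printf("NUL body:   %d\n", scan_suspicious(body_nul, sizeof body_nul - 1, 1));
    printf("%zu CR(s) neutralized: %s", neutralize_lone_cr(hdr_bad), hdr_bad);
    return 0;
}
```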
[Mimedefang] suspicious characters in headers
Lately, I've been having problems with legitimate messages being quarantined due to suspicious characters in headers. The messages in question come from a Government mailing list from the National Institute of Allergy and Infectious Diseases. I can't see anything which I would consider suspicious in the headers listed in the quarantine message.

Could someone explain what constitutes suspicious characters and how this might be circumvented for these messages? Is there any control over the algorithm, or is this a case where I have to turn off this feature completely to avoid the problem?

I'm running mimedefang 2.68 on a fully patched CentOS 5 system.

Fred Bacon
Re: [Mimedefang] suspicious characters
> My experience with $SuspiciousCharsInBody is that it is pretty much useless in all circumstances except for a very strict home system with a few users. There are simply too many crappy MUAs out there.

Cyrus rejects messages with these characters, and I'd rather refuse during SMTP than generate bounces after Cyrus delivery fails. Almost all of it really is garbage, about 15,000 a day (of 1.5 million -- exactly the .01% Per reported previously!).

> Mimedefang strips all CR characters from the input, before putting them in INPUTMSG, even if they are lone CR characters that trigger the suspiciousBody flag. So you will never see the CR characters in mimedefang (and neither will any virus scanner or other content scanner you might use).

So that's it! So the best I can do is distinguish null from return. Thanks.

Joseph Brennan
Columbia University Information Technology
[Mimedefang] suspicious characters
We've begun refusing mail with suspicious_chars_body. Almost all is junk but there's a trickle of legit mail and I want to be able to tell those few what was wrong with their message. The usual seems to be text uploaded from Windows with RETURN in it.

I am trying this, below, to capture the first line with a suspicious character. The \000 and \015 are to be rewritten to NULL or RETURN so we can see them, and then $badline is written to syslog. What I get is NULL by itself, or nothing. Apparently this code matches on the \000 all right but not on the \015 and I don't know why. Any ideas?

Joseph Brennan
Columbia University Information Technology

    if ($SuspiciousCharsInBody) {
        my ($badline);
        # INPUTMSG is the message body as MIMEDefang hands it to the filter
        if (open(IN, "./INPUTMSG")) {
            while (<IN>) {
                chomp;
                # make an embedded NUL visible in the log
                if (/\000/) {
                    $badline = $_;
                    $badline =~ s/\000/NULL/g;
                }
                # make a lone CR visible in the log
                if (/\015/) {
                    $badline = $_;
                    $badline =~ s/\015/RETURN/g;
                }
                # stop at the first offending line
                last if ($badline);
            }
            close(IN);
        } else {
            $badline = "line not available";
        }
        # (bounce it and write $badline to log)
    }
Re: [Mimedefang] suspicious characters
On Mon, Oct 24, 2005 at 12:12:29PM -0400, Joseph Brennan wrote:

> We've begun refusing mail with suspicious_chars_body. Almost all is junk but there's a trickle of legit mail and I want to be able to tell those few what was wrong with their message. The usual seems to be text uploaded from Windows with RETURN in it.

My experience with $SuspiciousCharsInBody is that it is pretty much useless in all circumstances except for a very strict home system with a few users. There are simply too many crappy MUAs out there. See also my previous message on this subject here:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-September/024333.html

> I am trying this, below, to capture the first line with a suspicious character. The \000 and \015 are to be rewritten to NULL or RETURN so we can see them, and then $badline is written to syslog. What I get is NULL by itself, or nothing. Apparently this code matches on the \000 all right but not on the \015 and I don't know why. Any ideas?

Yes, see also my previous message to the list. Mimedefang strips all CR characters from the input, before putting them in INPUTMSG, even if they are lone CR characters that trigger the suspiciousBody flag. So you will never see the CR characters in mimedefang (and neither will any virus scanner or other content scanner you might use).

I consider this a bug, and it's still present in mimedefang 2.53, but I haven't found it important enough to consider patching it. You can find the logic in the body() function on line 1087 of mimedefang.c.

--
Jan-Pieter Cornet