Thanks so much Rick

Much appreciated.

Regards
Brent Clark

On 2020/05/07 19:41, Rick Cooper wrote:
Brent Clark wrote:
Hi Rick

Will you be willing to share your Exim and SA rules / code?
So that the community can benefit from your finding and work.


Pretty standard exim acl
The DataWhitelisted portion is calculated from several other items so that
would be up to you if you even wanted to whitelist anything. The
AddSuspectHeader is a flag used in various parts of the delivery, as is the
message that is added as a header as well. If the Suspicious header is
added to an email the end user cannot release it from quarantine on their
own and the portion of the message they can see has been sanitized, disarmed
(html, scripting and links disarmed and obfuscated).

# DATA ACL: flag messages whose Content-Type declares a UTF-7 HTML body
warn log_message = [DATA] FOUND UTF-7 CONTENT-TYPE : ${sg{$h_Content-Type:}{\N\n.*\N}{}}
     # skip senders/messages already whitelisted earlier in the ACLs
     condition   = ${if !eq {yes}{${lc:$acl_m_DataWhiteListed}}}
     # only act when a Content-Type header is present
     condition   = ${if def:h_Content-Type:}
     # match the lowercased header against the UTF-7 HTML content type
     condition   = ${if match{${lc:$h_Content-Type:}}{\Ntext\/html; charset=utf-7\N}}
     # set the flags used later in delivery to quarantine and mark the message
     set acl_c_AddSuspectHeader = yes
     set acl_c_SuspectMsg = ${sg{$acl_c_SuspectMsg}{\NNONE(\s{0,}:)?\N}{}}:UTF-7 BODY HIDING SOMETHING


Regards
Brent Clark

On 2020/05/05 20:00, Rick Cooper wrote:
Henrik K wrote:
On Tue, May 05, 2020 at 12:51:36PM -0400, Rick Cooper wrote:
We received a couple emails yesterday that barely got caught and
when I looked at them they should have hit big time. As I looked it
would appear the body parts are encoded quoted-printable utf-7.
Apparently SA doesn't handle utf-7?

I added $self->{'decoded'} = Encode::decode("UTF-7",
$self->{'decoded'}); just before the decoded body is returned  in
Node.pm and the body rules hit again including some quick tests I
put together.

Is ignoring utf-7 intentional or is this a new spammer tactic? The
actual email messages are rendered perfectly through outlook and
our webmail application.

If I remember right, normalize_charset 1 will handle this just
fine. At least in trunk/4.0.

In any case, UTF-7 mails can be blocked on sight, no one uses it
legitimately.

Bingo, that does it. And yes I added a check for utf-7 to exim and
add a header that causes emails to be quarantined and marked so
users cannot release or view them on their own.

Thanks

Rick
