[Fwd: MIMEDefang update (was Re: Bypassing SMTP Content Protection )]

Julian Field mailscanner at ecs.soton.ac.uk
Thu Sep 12 18:02:24 IST 2002


Well spotted! I don't get time to catch up with Bugtraq as often as I would
like to.
I have put in the support for this in the new release. I need to test it to
see if MIME-tools does enough to even let me test for it, or whether I am
going to have to wait for the MIME-tools patch as well.

If you see anything else to do with this subject on Bugtraq, especially
about the MIME-tools patch, I would be very grateful if you could let me know.

I need to test the V4 code before I decide whether it is worth back-porting
it into V3.

At 16:39 12/09/2002, you wrote:
>and this is relevant too, I believe.
>--
>Tal Kelrich
>
>PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
>PGP key-id: 12B9AA69
>Date: Thu, 12 Sep 2002 11:11:07 -0400 (EDT)
>From: "David F. Skoll" <dfs at roaringpenguin.com>
>To: bugtraq at securityfocus.com
>Subject: MIMEDefang update (was Re: Bypassing SMTP Content Protection )
>
>MIMEDefang (http://www.roaringpenguin.com/mimedefang/) is an SMTP
>filtering tool which in its default configuration is susceptible
>to this attack.
>
>MIMEDefang relies on the MIME::tools Perl parsing module.  This module
>correctly descends into "message/rfc822" entities and parses parts
>inside them, but it does not descend into "message/partial" entities.
>Therefore, even the default filename checks will not work with
>"message/partial" types.  I hope to have a patched version of MIME::tools
>soon.
>
>For the next MIMEDefang release, the default filter will be modified to drop
>message/partial parts.  Current users of MIMEDefang should add the
>following code to their filter and filter_multipart routines:
>
># Block message/partial parts
>if (lc($type) eq "message/partial") {
>     action_quarantine_entire_message();
>     action_notify_administrator("Message quarantined because of message/partial type");
>     return action_discard();
>}
>
>--
>David.
>

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
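
The check described in the forwarded advisory, as an added example that is not part of the original messages and is not MIMEDefang or MailScanner code: it uses Python's standard email package instead of MIME::tools to find message/partial entities at any depth of the MIME tree. The sample message and the names find_partial_parts and verdict are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: a multipart message whose second part is one fragment
# of a message/partial set. All addresses, ids and file names are made up.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

cover text
--b1
Content-Type: Message/Partial; id="frag-1@example.com"; number=1; total=2

Content-Type: application/octet-stream; name="report.bin"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def find_partial_parts(raw):
    """Return one dict per message/partial entity found at any depth."""
    msg = message_from_string(raw)
    hits = []
    # walk() descends into multipart containers and into message/* payloads.
    for part in msg.walk():
        # get_content_type() lower-cases the type, like lc($type) in the filter.
        if part.get_content_type() == "message/partial":
            hits.append({
                "id": part.get_param("id"),
                "number": part.get_param("number"),
                "total": part.get_param("total"),
            })
    return hits


def verdict(raw):
    """Mirror the filter snippet: quarantine the whole message on any hit."""
    return "quarantine" if find_partial_parts(raw) else "deliver"
```

The id, number and total parameters returned for each hit are what an administrator notification would need to correlate fragments of the same set.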


