Fragmented messages ?
Mariano Absatz
mailscanner at LISTS.COM.AR
Fri May 23 15:40:34 IST 2003
Hi Sylvain,
I don't know about 3.xx versions... but, whether it says so or not,
MailScanner is probably not able to scan fragmented messages, and it should
not try to do it, since it would have security implications.
The problem is _not_ related to MailScanner, but to how SMTP works and how
message fragmentation works.
MIME (RFC 2045 thru 2049) allows you to split a message into various pieces
(RFC 2046).
The point is that MIME is an "endpoint-to-endpoint" conversion, so the
responsible parties for fragmentation and reassembly are the MUAs (e.g.
Outlook Express) and _not_ the servers in between.
An MTA server in between (e.g. one running Sendmail+MailScanner) would
receive the message as several independent pieces of mail. But it cannot
parse the contents if it doesn't reassemble all the pieces together.
You might be tempted to say, "OK, let's wait for all the pieces to come in,
reassemble them and then parse it"... but this has two problems.
1) You can't make sure that all the pieces pass thru the same MailScanner if
you have multiple MX machines (see the recent thread about "Tunning
MailScanner"). Lots of people have multiple machines accepting mail for a
domain... if some pieces go into one machine and some others go into the
other, none of them can reassemble the pieces... You could say, "well, let's
keep the pieces for a certain period of time and if they don't all appear
after, say, 12 hours, drop it", but... see 2)
2) If you have a server that, for some reason, tries to assemble the pieces
of a fragmented message, it is automatically vulnerable to a trivial DoS
(Denial of Service) attack, where an attacker simply sends a lot of (fake)
fragments, without ever completing all the fragments of a message... it can
surely fill up your queue filesystem in a very short time... significantly
shorter than a reasonable "fragment timeout"...
So you end up with the two possibilities that MailScanner 4.x gives you:
You either forbid fragmented messages (the most reasonable one) or allow them
to pass thru without being scanned at all. But seriously, in the current
bandwidth Internet, I see really _very_ little use for fragmented messages,
the most prominent one would be... attacking :-)
On 23 May 2003 at 15:58, Sylvain Blanc - CRI du Pays De Gex et du wrote:
> Hello,
>
> MailScanner says:
> "Fragmented messages cannot be reliably scanned"
> when I send a fragmented message.
> The version 2.27 cannot parse this type of message ??
>
> My OS is a debian potato
> with :
> sendmail 8.9.3
> mailscanner 3.27-1
>
>
>
> Sylvain Blanc
--
Mariano Absatz
El Baby
----------------------------------------------------------
Good programming is 99% sweat and 1% coffee.
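
The stateless handling described in the message above, as an added example that is not part of the original post and is not MailScanner's code: each message is inspected on its own for the RFC 2046 `message/partial` content type, and a fragment is either rejected or passed unscanned, never stored for reassembly. The function names, the `allow_partial` switch, the decision strings and the sample messages are assumptions made for illustration.

```python
from email.parser import Parser

# Constructed sample: fragment 2 of 3 of a split message (RFC 2046 message/partial).
FRAGMENT = """\
From: sender@example.com
To: rcpt@example.org
Subject: report (part 2 of 3)
MIME-Version: 1.0
Content-Type: message/partial; id="abc123@example.com"; number=2; total=3

(opaque slice of the original message; meaningless on its own)
"""

# Constructed sample: an ordinary, unfragmented message.
WHOLE = """\
From: sender@example.com
To: rcpt@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hello.
"""

def _to_int(value):
    """Parse a fragment counter; None if absent or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def fragment_info(raw):
    """Return (id, number, total) for a message/partial fragment, else None."""
    # Only the top-level headers are needed; the body is never interpreted.
    msg = Parser().parsestr(raw, headersonly=True)
    if msg.get_content_type() != "message/partial":
        return None
    # 'total' is mandatory only on the last fragment, so it may be None.
    return (msg.get_param("id"), _to_int(msg.get_param("number")),
            _to_int(msg.get_param("total")))

def gateway_decision(raw, allow_partial=False):
    """Stateless per-message policy: no fragment is ever stored for reassembly."""
    if fragment_info(raw) is None:
        return "scan"
    return "deliver-unscanned" if allow_partial else "reject"

if __name__ == "__main__":
    for name, raw in (("fragment", FRAGMENT), ("whole", WHOLE)):
        print(name, fragment_info(raw), gateway_decision(raw))
```

Because the decision uses only the headers of the message in hand, it gives the same answer on every MX host and keeps no queue of pending fragments for an attacker to fill.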