email vulnerability tests

Dustin Baer dustin.baer at IHS.COM
Fri Oct 24 20:12:32 IST 2003

Mariano Absatz wrote:
> Hi,
> I'm also on 4.23-11... I just ran the tests to see what is actually
> passing thru...
> The ones that came thru were:
> 2 with subject "hide.hta           (lots of space here)          ",

Ah!  That's what that test was: Long Subject Attachment...

> claiming to have MIME type: gfi/security; and was actually one section
> all base64 encoded.
> The actual content was a vbscript starting like this:
> ===================================
> [snip]
> OE gladly ran all the scripts but the one that ended in .dat
> Now the question is... how do we detect this nonsense... should we try to
> parse as scripting whatever comes with strange mime types or without a
> filename?... I dunno.

The following spam.assassin.prefs.conf addition will take care of the
multiple spaces in the subject issue:

header   MULTISPACE Subject =~ /[ ]{10,}$/
describe MULTISPACE Ten or more spaces
score    MULTISPACE 5.0

Just be careful if someone requests these from spam quarantine.

As for the other, I will leave it to people more intelligent than me as
to how it should be handled.

Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
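
An added example, not part of the original post and not MailScanner or SpamAssassin code: a Python check that applies the same pattern as the MULTISPACE rule and also flags the two traits raised in the quoted question, an unrecognised top-level MIME type (such as gfi/security) and a base64 part with no filename. The allow-list, the finding names and the function name are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string

# Same pattern as the MULTISPACE rule: ten or more spaces ending the Subject.
MULTISPACE = re.compile(r"[ ]{10,}$")

# Assumed allow-list of common top-level media types; "gfi" is not among them.
KNOWN_TOP_LEVEL = {"text", "image", "audio", "video", "application",
                   "multipart", "message", "model", "font"}

def inspect(raw):
    """Return a list of finding names for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if MULTISPACE.search(msg.get("Subject", "")):
        findings.append("MULTISPACE")
    for part in msg.walk():
        maintype = part.get_content_maintype()
        if maintype not in KNOWN_TOP_LEVEL:
            findings.append("UNKNOWN_MIME:" + part.get_content_type())
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        # Heuristic only: text bodies are often base64 without a filename,
        # so text and multipart containers are skipped to limit false hits.
        if (cte == "base64" and maintype not in ("text", "multipart")
                and part.get_filename() is None):
            findings.append("BASE64_NO_FILENAME")
    return findings

# Constructed sample shaped like the test message described in the thread.
SAMPLE = (
    "From: tester@example.com\n"
    "Subject: hide.hta" + " " * 40 + "\n"
    "MIME-Version: 1.0\n"
    "Content-Type: gfi/security\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\n"
)

# Constructed ordinary message that should produce no findings.
BENIGN = (
    "From: user@example.com\n"
    "Subject: Meeting notes\n"
    "Content-Type: text/plain\n"
    "\n"
    "See you at ten.\n"
)

if __name__ == "__main__":
    print(inspect(SAMPLE))
    print(inspect(BENIGN))
```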
