gfi.com email vulnerability tests

Dustin Baer dustin.baer at IHS.COM
Fri Oct 24 20:12:32 IST 2003


Mariano Absatz wrote:
>
> Hi,
>
> I'm also on 4.23-11... I just run the tests to see what is actually
> passing thru...
>
> The ones that came thru were:
> 2 with subject "hide.hta           (lots of space here)          ",

Ah!  That's what that test was: Long Subject Attachment...

> claiming to have MIME type: gfi/security; and was actually one section
> all base64 encoded.
>
> The actual content was a vbscript starting like this:
> ===================================
>
> [snip]
>
> OE gladly run all the scripts but the one that ended in .dat
>
> Now the question is... how do we detect this nonsense... should we try to
> parse as scripting whatever comes with strange mime types or without a
> filename?... I dunno.

The following spam.assassin.prefs.conf addition will take care of the
multiple spaces in the subject issue:

header   MULTISPACE Subject =~ /[ ]{10,}$/
describe MULTISPACE Ten or more spaces
score    MULTISPACE 5.0

Just be careful if someone requests these from spam quarantine.

As for the other, I will leave it to people more intelligent than me as
to how it should be handled.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
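
Added example, not part of the original post and not MailScanner or SpamAssassin code: a Python sketch of the two checks discussed in this thread, the MULTISPACE subject pattern and decoding parts that arrive with a strange MIME type or without a filename to look for script content. The marker list, the reason names and both sample messages are constructed assumptions.

```python
import base64
import re
from email import message_from_string

# Same pattern as the MULTISPACE rule in the post: ten or more trailing spaces.
MULTISPACE = re.compile(r"[ ]{10,}$")
# Top-level media types registered with IANA; anything else counts as strange.
KNOWN_TOP_LEVEL = {"text", "image", "audio", "video", "application",
                   "multipart", "message", "model", "font"}
# Assumed, non-exhaustive markers of script content (illustrative only).
SCRIPT_MARKERS = re.compile(rb"<script|vbscript|createobject|wscript\.", re.I)

def inspect(raw):
    """Return the sorted reasons a raw RFC 822 message looks suspicious."""
    msg = message_from_string(raw)
    reasons = set()
    if MULTISPACE.search(msg.get("Subject", "")):
        reasons.add("MULTISPACE")
    for part in msg.walk():
        if part.is_multipart():
            continue
        maintype = part.get_content_maintype()
        strange = maintype not in KNOWN_TOP_LEVEL
        if strange:
            reasons.add("STRANGE_MIME_TYPE")
        unnamed = maintype != "text" and part.get_filename() is None
        # Decode the transfer encoding first, so base64 cannot hide the script.
        body = part.get_payload(decode=True) or b""
        if (strange or unnamed) and SCRIPT_MARKERS.search(body):
            reasons.add("HIDDEN_SCRIPT")
    return sorted(reasons)

# Constructed samples: a harmless message-box script and an ordinary note.
SCRIPT = b'<script language="VBScript">\nMsgBox "test"\n</script>\n'
SUSPICIOUS = (
    "From: tester@example.com\n"
    "Subject: hide.hta" + " " * 30 + "\n"
    "MIME-Version: 1.0\n"
    "Content-Type: gfi/security\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(SCRIPT).decode() + "\n"
)
CLEAN = ("From: tester@example.com\nSubject: Meeting notes\n"
         "Content-Type: text/plain\n\nSee you at ten.\n")

if __name__ == "__main__":
    print(inspect(SUSPICIOUS))
    print(inspect(CLEAN))
```

Legitimate mail with unregistered MIME types or unnamed HTML parts will also trip these checks, so they suit scoring or quarantine rather than outright rejection.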


