Content Checks: Detected HTML-specic exploits in h8AGGVSe016972

mikea mikea at MIKEA.ATH.CX
Thu Sep 11 15:08:23 IST 2003 

On Thu, Sep 11, 2003 at 11:39:04PM +1000, David Hooton wrote:
> Antony Stone wrote:
> > I suggest you don't paste html into email messages :)
>
> Spoken like a true technician!
>
> > Seriously, though - why are you doing that?   The 'dangerous html content'
> > checks will only get triggered if you paste in some potentially dangerous
> > html - it won't pick up on plain markup tags or hyperlinks.
> >
> > If you need to send somebody some strange html because you're designing web
> > pages etc then I suggest you put it in a .zip or .gz file and send it like
> > that.
>
> Come on!! we all have customers and those customers do tend to try doing
> anything that they can do to make life hard for us!  This is hardly a
> practical solution.
>
> We have quite a few legitimate messages a day blocked by this rule, it
> actually wound up being such a problem that we had to disable it.
>
> What _exactly_ is this rule looking for?  And if this is a commonly
> exploited thing, why are so many large mailing lists actually using that
> code in their mailouts?

There are some HTML thingies (to use a Perlism) that can invoke
arbitrary programs; these include the ones caught by the "dangerous
HTML content" rules. But as far as I can see, they're only dangerous
if you're running a mailer that is stupid enough to let them do these
things -- e.g., Outlook, Outlook Express, and their ilk. A friend came
up with a statement that describes the behavior of these mailers very
exactly:

        If books were designed by Microsoft, the Anarchist's
        Cookbook would explode when you read it.

                        -- Mark W. Schumann

To the best of my knowledge, other mailers (e.g., Eudora, Lotus Notes,
etc.) don't do this, and so it may be less unsafe -- but still not
necessarily *safe* -- to let these HTML thingies through if you can be
sure that the MUA is not Outlook or Outlook Express.

Note that I'm working from memory, and I may have missed some details,
but I think and hope I have the major details right.

--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin since 1964

More information about the MailScanner mailing list