blocking %00 / %01 exploits with mailscanner?
Julian Field
mailscanner at ecs.soton.ac.uk
Mon Jan 19 21:09:57 GMT 2004
At 20:52 19/01/2004, you wrote:
>Is there a way to get mailscanner to block %00 / %01 uri exploits in the
>body of mails the same way mailscanner can block iframe exploits in the body?
>
>I want to drop these mails into /dev/null hard, i'd like mailscanner to do
>it, not procmail.
The current best solution is to create a SpamAssassin rule which catches
these and assigns a score of 100. Then set the SA high score threshold to
100 and delete high-scoring spam.
Works a treat.
You can create the rule by adding this to your spam.assassin.prefs.conf file:
uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
More information about the MailScanner
mailing list