blocking %00 / %01 exploits with mailscanner?
Peter Bonivart
peter at UCGBOOK.COM
Mon Jan 19 22:42:50 GMT 2004
Julian Field wrote:
> You can create the rule by adding this to your spam.assassin.prefs.conf
> file:
> uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
> score IE_VULN 100.0
> describe IE_VULN Internet Explorer vulnerability
How does that compare to this rule included in SA? Could it be used with
a higher score to serve the same purpose? I have already done that,
that's why I'm asking. Should I add the above rule also and go back to
the standard score for the one below?
uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
score HTTP_ESCAPED_HOST 1.101 2.403 1.001 1.509
--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
More information about the MailScanner
mailing list