blocking %00 / %01 exploits with mailscanner?

Peter Bonivart peter at UCGBOOK.COM
Mon Jan 19 22:42:50 GMT 2004

Julian Field wrote:
> You can create the rule by adding this to your spam.assassin.prefs.conf
> file:
> uri     IE_VULN                 /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
> score   IE_VULN                 100.0
> describe        IE_VULN         Internet Explorer vulnerability

How does that compare to this rule included in SA? Could it be used with
a higher score to serve the same purpose? I have already done that,
that's why I'm asking. Should I add the above rule also and go back to
the standard score for the one below?

uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST      Uses %-escapes inside a URL's hostname
score HTTP_ESCAPED_HOST 1.101 2.403 1.001 1.509

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

More information about the MailScanner mailing list