blocking %00 / %01 exploits with mailscanner?

David Hooton david at PLATFORMHOSTING.COM
Mon Jan 19 23:12:45 GMT 2004


Sorry for the top post..

Is there anything to stop you from running only a minimal SpamAssassin
ruleset on the MailScanner box to catch this stuff?

Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Dan Hollis
Sent: Tuesday, 20 January 2004 9:38 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: blocking %00 / %01 exploits with mailscanner?

On Mon, 19 Jan 2004, Chris Yuzik wrote:
> At 21:23 19/01/2004, you wrote:
> >> So basically, "no, mailscanner can't do that"? It can block iframe
> >> exploits but not URI exploits?
> I'm with Julian on this one. All that matters is that you block these
> extremely dangerous emails from your users. If Spamassassin can do it,
> then why "reinvent the wheel" by making MailScanner do it also?
> I have MailScanner set to delete (and quarantine) high scoring spam,
> which on my server is anything above 15. I have yet to see a
> false-positive score that high. If these get deleted without your users
> even seeing them, then all the better. There's no way anyone would
> accidentally use this exploit in a legitimate email.

Ok, here is the problem.

Not all of our users want spamassassin. Some do, and they run it from
.procmailrc in their homedirs.

On the other hand, we have virus scanning globally via mailscanner and
f-prot.

The %00/%01 exploit would fall under the same category as iframe blocking
in mailscanner.

So I guess I'm looking for a way to filter %00/%01 globally, yet avoid
forcing spamassassin globally on all users.

Alternatively, could the iframe blocking be generic-ized in mailscanner in
such a way that admins could plug in their own rules into mailscanner so
that 'exploit of the week' doesn't have to be hardcoded into mailscanner?

Maybe a special direction clause for /etc/MailScanner/rules ruleset files,
eg Url: ?

-Dan

========================================================================
   This message has been scanned for spam & viruses by Mail Security.
   To report SPAM forward the message to:    spam at mailsecurity.net.au
   Mail Security                              www.mailsecurity.net.au
========================================================================
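
The global check discussed in this thread, as an added Python example that is not part of the original messages and is not MailScanner or SpamAssassin code. It assumes the "%00/%01 exploit" means a percent-encoded NUL or SOH byte in the user@host part of a link; the function names, sample message and hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
CTRL_RE = re.compile(r"%0[01]")  # percent-encoded NUL (%00) or SOH (%01)


def suspicious_urls(text):
    """Return URLs whose authority (user@host) part contains %00 or %01."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            authority = urlsplit(url).netloc
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if CTRL_RE.search(authority):
            hits.append(url)
    return hits


def scan_message(raw):
    """Decode every text/* part (base64, quoted-printable), then scan it."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        # latin-1 maps every byte to a character, so decoding never fails
        hits.extend(suspicious_urls(body.decode("latin-1")))
    return hits


def build_sample():
    """Constructed test message; hosts are documentation placeholders."""
    msg = MIMEMultipart("alternative")
    msg["Subject"] = "Account notice"
    msg.attach(MIMEText("See http://www.example.com/help?q=%01", "plain", "us-ascii"))
    html = '<a href="http://www.example.com%01@192.0.2.10/login">Sign in</a>'
    msg.attach(MIMEText(html, "html", "utf-8"))  # utf-8 parts get base64-encoded
    return msg.as_string()


if __name__ == "__main__":
    for url in scan_message(build_sample()):
        print("flagged:", url)
```

The HTML part of the sample is base64-encoded, so a pattern match over the raw message body would miss the link; the check only works after the transfer encoding has been decoded.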

