blocking %00 / %01 exploits with mailscanner?
Daniel Bird
dbird at SGHMS.AC.UK
Thu Jan 22 00:57:17 GMT 2004
Dan Hollis wrote:
>On Mon, 19 Jan 2004, Julian Field wrote:
>
>
>>At 20:52 19/01/2004, you wrote:
>>
>>
>>>Is there a way to get mailscanner to block %00 / %01 uri exploits in the
>>>body of mails the same way mailscanner can block iframe exploits in the body?
>>>
>>>
>>The current best solution is to create a SpamAssassin rule which catches
>>these and assigns a score of 100.
>>
>>
>
>So basically, "no, mailscanner can't do that"? It can block iframe
>exploits but not URI exploits?
>
>-Dan
>
>
Dan, your question was answered previously. It is a most definite yes.
It is achieved by using the MCP function.
This leverages the SpamAssassin 'engine' without the default rule set.
You then define rule(s) which you want to match against, and assign
score(s) that will cause a block.
So in your case, you would enable the MCP function, copy the SA rule
"HTTP_ESCAPED_HOST" (as this matches the %00 exploits perfectly), and
assign a score that would cause a block.
We have been using this method since Julian released the updated fixes
for MCP and it works flawlessly...
HTH
Dan
--
____________________________________
Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan at sghms.ac.uk
____________________________________
Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list