Fragmentation

[Michael Masse]

>>> On 2/19/2009 at 5:10 AM, in message <EMEW,
l1IBB34be87090f6c50cf5d7e3dc45ac1724cd,MailScanner%ecs.soton.ac.uk,
499D3E39.5050807 at ecs.soton.ac.uk>, Julian Field <MailScanner at ecs.soton.ac.uk>
wrote:

> 
> On 12/2/09 22:56, Mike Masse wrote:
>> One of my users received an Outlook express fragmented email message 
>> and kudo's to MailScanner because it didn't know how to handle the 
>> second portion of the email and it quarantined it.   This could very 
>> well be related to:
>> 
> http://www.esecurityplanet.com/trends/article.php/1463161/Security-Firm-Outlook 
> -Express-Can-Be-Used-To-Bypass-Email-Filters.htm 
>>
>>
>> I searched the archive for fragmentation and did not get any results, so:
>>
>> Can MailScanner be set to properly detect and log and quarantine these 
>> fragmented emails vs what my system is doing right now which is only 
>> quarantining because it doesn't know what to do with the attachment. 
>> The fact that the email doesn't come through is fantastic, but without 
>> the logging bit, it's difficult to track down why for explanation 
>> purposes to clients.
>>
> Yes, MailScanner does detect fragmented messages and rejects them. 
> Imagine what would happen if you started storing them and attempting to 
> reassemble them. Here's message 1 of 1,000,000. Here's a different 
> message 1 of 1,000,000. And so on. DoS attack very easily!
> 
> What extra logging would you like it to do?
> 
> Jules


Thanks for replying.  It turns out that it did detect the fragmentation and logged it as so, so never mind.    Keep up the good work!

--Mike