<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: Detected HTML-specific exploits</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>In case anyone else needs additional ammunition to justify this "blocking javascript" rule to management, I believe hotmail.com may be actively blocking messages containing javascript. The message discussed below could not be successfully delivered to a Hotmail account, or to a Hotmail account's designated "spam" folder. </FONT></P>
<P><FONT SIZE=2>> >I figured as much. I suppose I was looking for a more specific log </FONT>
<BR><FONT SIZE=2>> >entry or that I wanted to validate that this log entry could correspond </FONT>
<BR><FONT SIZE=2>> >to a script block and was not some other ruleset somewhere that I </FONT>
<BR><FONT SIZE=2>> >didn't know about (there is no clear indication of what an </FONT>
<BR><FONT SIZE=2>> >HTML-specific exploit is if you are just looking at logs and don't </FONT>
<BR><FONT SIZE=2>> >realize it is object codebase, forms, iframes, scripts, etc).</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> >I have reviewed the disarm setting and the "not 100% effective" </FONT>
<BR><FONT SIZE=2>> >concerns me. I may use a ruleset to "disarm" from certain domains that </FONT>
<BR><FONT SIZE=2>> >we need to permit for business purposes and leave the rest of the world </FONT>
<BR><FONT SIZE=2>> >set to no. Has anyone seen any situations where disarm permitted </FONT>
<BR><FONT SIZE=2>> >exploit code through?</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> No-one has broken it yet. But if you know enough XML, it is </FONT>
<BR><FONT SIZE=2>> possible to design your own new XML tag that has the same </FONT>
<BR><FONT SIZE=2>> effect as the tag you have disarmed.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> It's far from trivial, but it is possible. Hence my "no </FONT>
<BR><FONT SIZE=2>> guarantees" statement.</FONT>
<BR><FONT SIZE=2>> --</FONT>
<BR><FONT SIZE=2>> Julian Field</FONT>
<BR><FONT SIZE=2>> www.MailScanner.info</FONT>
<BR><FONT SIZE=2>> MailScanner thanks transtec Computers for their support</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> -------------------------- MailScanner list ----------------------</FONT>
<BR><FONT SIZE=2>> To leave, send leave mailscanner to jiscmail@jiscmail.ac.uk</FONT>
<BR><FONT SIZE=2>> Before posting, please see the Most Asked Questions at</FONT>
<BR><FONT SIZE=2>> <A HREF="http://www.mailscanner.biz/maq/" TARGET="_blank">http://www.mailscanner.biz/maq/</A> and the archives at</FONT>
<BR><FONT SIZE=2>> <A HREF="http://www.jiscmail.ac.uk/lists/mailscanner.html" TARGET="_blank">http://www.jiscmail.ac.uk/lists/mailscanner.html</A></FONT>
<BR><FONT SIZE=2>> </FONT>
</P>
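<P><FONT SIZE=2>The following is an added example and is not code from the original post or from MailScanner. It shows, in Python, the two things the thread talks past each other on: first, classifying an HTML mail body by the tag classes that a single "HTML-specific exploit" log line lumps together (script, iframe, form, and object with a codebase attribute), so that a log hit can be tied to the concrete tag that caused it; second, a parser-based "disarm" that rewrites those tags into visible text rather than rejecting the message. The tag grouping, the function names and the sample message body are this example's own constructions and do not describe how MailScanner itself implements disarming.</FONT></P>

```python
"""Classify and disarm the HTML tag classes the thread calls
"HTML-specific exploits" (object codebase, forms, iframes, scripts).
Added example, not MailScanner's own code: the tag grouping, the names
and the sample message below are constructed for illustration."""
import html
from html.parser import HTMLParser

# Tag classes named in the thread; the grouping is this example's own.
DANGEROUS_TAGS = {"script", "iframe", "form", "object"}


class DangerousTagFinder(HTMLParser):
    """Record which dangerous tag classes occur, so a log hit can be explained."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:  # html.parser lower-cases tag names for us
            names = {k.lower() for k, _ in attrs}
            reason = "object codebase" if tag == "object" and "codebase" in names else tag
            self.findings.append(reason)

    def handle_startendtag(self, tag, attrs):  # <object ... /> form
        self.handle_starttag(tag, attrs)


class Disarmer(HTMLParser):
    """Re-emit the document, turning dangerous tags into visible text such as
    &lt;script&gt;.  Other tags, entities, comments and declarations are copied
    through unchanged, so harmless formatting survives."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.disarmed = 0

    def _emit_tag(self, tag, text):
        if tag in DANGEROUS_TAGS:
            self.out.append(html.escape(text, quote=False))
        else:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.disarmed += 1
        # Raw start-tag text, so attribute order and case are preserved.
        self._emit_tag(tag, self.get_starttag_text())

    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        self._emit_tag(tag, "</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

    def handle_pi(self, data):
        self.out.append("<?%s>" % data)


def classify(body):
    """Return the sorted set of dangerous tag classes found in an HTML body."""
    p = DangerousTagFinder()
    p.feed(body)
    p.close()
    return sorted(set(p.findings))


def disarm(body):
    """Return (rewritten body, number of dangerous start tags neutralised)."""
    d = Disarmer()
    d.feed(body)
    d.close()
    return "".join(d.out), d.disarmed


# Constructed sample message body; not a real captured mail.
SAMPLE_BODY = (
    '<html><body><p>Quarterly report &amp; notes</p>'
    '<SCRIPT type="text/javascript">window.open("http://example.invalid/")</SCRIPT>'
    '<iframe src="http://example.invalid/frame"></iframe>'
    '<object codebase="http://example.invalid/ctl" />'
    '<form action="http://example.invalid/post"><input name="u"></form>'
    '</body></html>'
)

if __name__ == "__main__":
    print("flagged:", classify(SAMPLE_BODY))
    body, n = disarm(SAMPLE_BODY)
    print("disarmed %d tag(s):" % n, body)
```

<P><FONT SIZE=2>Running the module prints the classification and the rewritten body for the sample. The limit Julian states above applies to this code as well: it neutralises only what Python's html.parser recognises as a script, iframe, form or object tag, so it offers no guarantee against markup that a recipient's mail client would interpret as one of those but the parser does not.</FONT></P>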
</BODY>
</HTML>