Re: [Exim] Blocking fragmented messages

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Nico Erfurth
Fecha:  
A: Sheldon Hearn
Cc: exim-users
Asunto: Re: [Exim] Blocking fragmented messages
Sheldon Hearn wrote:
> Hi folks,
>
> Some time in the last two weeks, someone posted to either this list of
> BugTraq about the idea of breaking up a message into multiple fragments
> to bypass content filtering, relying on the MUA to reassemble the
> fragments.
>
> Does anyone have any references?
>
> I've finally got exim4 + exiscan on my mail gateway, so once I know what
> MIME header to look for, I'm sure blocking fragmented messages will be a
> piece of cake.


Just found the mails on bugtraq, the author talks aabout a header like
this one:

<quote>
From: Bill@???
To: joe@???
Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
Subject: Second mail (part 2 of 2)
MIME-Version: 1.0
Message-ID:
Content-type: message/partial;
               id="ABC@???"; number=2; total=2
</quote>


So you can try to check for $h_content-type: in your data-acl, maybe
like this

acl_data:
   deny message = No fragmented messages allowed
        condition = ${if match \
      {$h_content_type}{\Nmessage/partial\s*;\N}{1}}


or something similar