Re: [Exim] Blocking fragmented messages

Author: Nico Erfurth
Date:  
To: Sheldon Hearn
CC: exim-users
Subject: Re: [Exim] Blocking fragmented messages
Sheldon Hearn wrote:
> Hi folks,
>
> Some time in the last two weeks, someone posted to either this list or
> BugTraq about the idea of breaking up a message into multiple fragments
> to bypass content filtering, relying on the MUA to reassemble the
> fragments.
>
> Does anyone have any references?
>
> I've finally got exim4 + exiscan on my mail gateway, so once I know what
> MIME header to look for, I'm sure blocking fragmented messages will be a
> piece of cake.


Just found the mails on bugtraq, the author talks about a header like
this one:

<quote>
From: Bill@???
To: joe@???
Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
Subject: Second mail (part 2 of 2)
MIME-Version: 1.0
Message-ID:
Content-type: message/partial;
               id="ABC@???"; number=2; total=2
</quote>


So you can try to check for $h_content-type: in your data-acl, maybe
like this

acl_data:
   # Reject any message whose Content-Type header announces message/partial
   deny message = No fragmented messages allowed
        condition = ${if match \
      {$h_content-type:}{\Nmessage/partial\s*;\N}{1}}


or something similar
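
An added example, not part of the original post: a Python header check, run over constructed sample messages with placeholder example.org addresses, that recognises the message/partial header quoted above even when the header is folded across lines or the type is written in mixed case. The names fragment_info and _to_int are hypothetical.

```python
from email.parser import HeaderParser

# Constructed sample messages; all addresses are placeholders.
FRAGMENT = (
    "From: bill@example.org\n"
    "To: joe@example.org\n"
    "Subject: Second mail (part 2 of 2)\n"
    "MIME-Version: 1.0\n"
    "Content-type: message/partial;\n"
    '               id="ABC@example.org"; number=2; total=2\n'
    "\n"
    "second half of the body\n"
)
# Media types are case-insensitive, so a filter must also catch this form.
MIXED_CASE = FRAGMENT.replace("message/partial", "Message/PARTIAL")
PLAIN = (
    "From: bill@example.org\n"
    "To: joe@example.org\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "hi\n"
)


def _to_int(value):
    """Convert a numeric parameter to int; None if absent or not numeric."""
    return int(value) if value is not None and value.isdigit() else None


def fragment_info(raw):
    """Return (id, number, total) if the message is a fragment, else None."""
    # Only the headers matter here; the body is left unparsed.
    msg = HeaderParser().parsestr(raw, headersonly=True)
    # get_content_type() unfolds the header and lowercases the media type.
    if msg.get_content_type() != "message/partial":
        return None
    return (
        msg.get_param("id"),
        _to_int(msg.get_param("number")),
        _to_int(msg.get_param("total")),
    )


if __name__ == "__main__":
    for name, raw in (("fragment", FRAGMENT), ("mixed", MIXED_CASE), ("plain", PLAIN)):
        print(name, fragment_info(raw))
```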