Re: [Exim] Blocking fragmented messages

Author: Kirill Miazine
To: exim-users
Subject: Re: [Exim] Blocking fragmented messages
Look what RAV said about your message:

<rav>
-----------------------
RAV Antivirus results
-----------------------

The suspicious file was saved to quarantine with name: 1034000834-RAV13003.
The file (PartialExploit*) attached to mail (with subject:Re: [Exim] Blocking
fragmented messages) sent by exim-users-admin@??? to km@???,
contains suspicious code.
The file was ignored because all previous actions failed.

It is highly recommended not to use this file.
</rav>

Hm. Wonder why it searched for headers in the message body. A bug.
Maybe.

* Nico Erfurth [2002-10-07 16:24]:
> Sheldon Hearn wrote:
> >Hi folks,
> >
> >Some time in the last two weeks, someone posted to either this list of
> >BugTraq about the idea of breaking up a message into multiple fragments
> >to bypass content filtering, relying on the MUA to reassemble the
> >fragments.
> >
> >Does anyone have any references?
> >
> >I've finally got exim4 + exiscan on my mail gateway, so once I know what
> >MIME header to look for, I'm sure blocking fragmented messages will be a
> >piece of cake.
>
> Just found the mails on bugtraq, the author talks about a header like
> this one:
>
> <quote>
> From: Bill@???
> To: joe@???
> Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
> Subject: Second mail (part 2 of 2)
> MIME-Version: 1.0
> Message-ID:
> Content-type: message/partial;
>               id="ABC@???"; number=2; total=2
> </quote>
>
> So you can try to check for $h_content-type: in your data-acl, maybe
> like this
>
> acl_data:
>   # Reject any message whose Content-Type is message/partial (RFC 2046).
>   # $h_content-type: names the header (the underscore form would look for
>   # a header called "content_type"); (?i) makes the type match
>   # case-insensitive, since MIME types are not case-sensitive.
>   deny message = No fragmented messages allowed
>        condition = ${if match \
>          {$h_content-type:}{\N(?i)message/partial\s*;\N}{1}}
>
> or something similar
>


--
Kirill
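The check the thread proposes, as an added example that is not code from the thread or from Exim: a structured detector for message/partial parts that parses the Content-Type header instead of regex-matching it, so header folding, casing and nested message/rfc822 parts are handled. The sample messages and addresses are constructed for the example.

```python
import email
from email import policy

# Constructed sample (not from the thread): the RFC 2046 message/partial
# layout Nico quoted, with the Content-Type header folded across two lines.
PARTIAL_MSG = b"""\
From: bill@example.invalid
Subject: Second mail (part 2 of 2)
MIME-Version: 1.0
Content-Type: message/partial;
              id="ABC@example.invalid"; number=2; total=2

(fragment 2 of the original message goes here)
"""
# Same fragment with mixed case, which a case-sensitive regex would miss.
ODD_CASE_MSG = PARTIAL_MSG.replace(b"message/partial;", b"MESSAGE/Partial;")
# Constructed sample: an ordinary forward with a message/rfc822 part,
# which must not be flagged.
NORMAL_MSG = b"""\
From: alice@example.invalid
Subject: Fwd: report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

From: carol@example.invalid
Content-Type: text/plain

inner body
--b1--
"""

def find_partial_parts(raw: bytes) -> list:
    """Return (id, number, total) for every message/partial part anywhere in
    the MIME tree, nested message/rfc822 parts included; [] if none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        # get_content_type() lowercases and drops parameters, so header
        # folding, casing and whitespace in the raw header do not matter.
        if part.get_content_type() == "message/partial":
            p = part["Content-Type"].params  # unquoted values, lowercase keys
            found.append((p.get("id"), p.get("number"), p.get("total")))
    return found

def is_fragmented(raw: bytes) -> bool:
    """The gateway decision the thread wants: reject any fragmented message."""
    return bool(find_partial_parts(raw))
```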