Jan Ingvoldstad wrote, on 26/02/14 13:45:
> Perhaps it would be relevant to check for other byte order marks as well:
>
> http://en.wikipedia.org/wiki/Byte_order_mark#Representations_of_byte_order_marks_by_encoding
I crosschecked with my cyrus logs ("invalid header characters") meanwhile and
blocking only the UTF8 BOM seems to catch them all upfront. It looks like a
broken script spamming from several hacked webhosts.
currently I use
# check for UTF-8 BOM (coming from SPAM)
warn condition = ${if match{$message_headers_raw}{\N\xEF\xBB\xBF\N}}
control = freeze/no_tell
log_message = BOM detected
to get some more samples.
Will change that to
deny condition = ${if match{$message_headers_raw}{\N\xEF\xBB\xBF\N}}
message = Headers contain illegal BOM
log_message = BOM detected
later.
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> |
http://www.blafasel.at/
Vienna University Computer Center | Austria
