-- On 02/26/14 14:02:08 +0100 Wolfgang Breyha wrote:
> Jan Ingvoldstad wrote, on 26/02/14 13:45:
>> Perhaps it would be relevant to check for other byte order marks as well:
>>
>> http://en.wikipedia.org/wiki/Byte_order_mark#Representations_of_byte_order_marks_by_encoding
>
> I crosschecked with my cyrus logs ("invalid header characters") meanwhile
> and blocking only the UTF8 BOM seems to catch them all upfront. It looks
> like a broken script spamming from several hacked webhosts.
>
> currently I use
> # check for UTF-8 BOM (coming from SPAM)
> warn condition = ${if match{$message_headers_raw}{\N\xEF\xBB\xBF\N}}
>      control = freeze/no_tell
>      log_message = BOM detected
> to get some more samples.
>
> Will change that to
> deny condition = ${if match{$message_headers_raw}{\N\xEF\xBB\xBF\N}}
>      message = Headers contain illegal BOM
>      log_message = BOM detected
> later.
Hi,
that's a good idea. Thanks a lot.
But nevertheless it might be a good idea to block 8 bit characters in
header names via an ACL test as even RFC 6532 does not allow that.
Michael
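
The two checks discussed in this thread (a UTF-8 BOM anywhere in the headers, and 8-bit bytes in header names) can be tried offline against sample messages before an ACL is written. The following Python is an added example, not code from the thread or from Exim; the function name `audit_headers` and the sample messages are constructed for illustration, and the field-name rule is the RFC 5322 one (printable US-ASCII except the colon), which RFC 6532 leaves unchanged.

```python
import re

UTF8_BOM = b"\xef\xbb\xbf"
# RFC 5322 field name: printable US-ASCII (33-126) except ':'.
FIELD_NAME = re.compile(rb"[\x21-\x39\x3b-\x7e]+")

def audit_headers(raw: bytes) -> list[str]:
    """Return findings for a raw header block (bytes up to the blank line)."""
    findings = []
    if UTF8_BOM in raw:
        findings.append("UTF-8 BOM in headers")
    for n, line in enumerate(raw.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line:
            break  # blank line: end of the header block
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous field body
        name, sep, _body = line.partition(b":")
        if not sep:
            findings.append(f"line {n}: no colon in header line")
            continue
        name = name.rstrip(b" \t")  # obsolete syntax allows WSP before ':'
        if any(b >= 0x80 for b in name):
            findings.append(f"line {n}: 8-bit byte in header name {name!r}")
        elif not FIELD_NAME.fullmatch(name):
            findings.append(f"line {n}: invalid header name {name!r}")
    return findings

# Constructed samples (not taken from real traffic).
# 8-bit bytes in a field *body* are acceptable under RFC 6532, so no finding.
CLEAN = (b"From: a@example.org\r\n"
         b"Subject: test\r\n\tfolded part\r\n"
         b"X-Note: caf\xc3\xa9\r\n\r\nbody\r\n")
# A BOM glued in front of a header name, as a broken script might emit.
BOM_MSG = b"From: a@example.org\r\n\xef\xbb\xbfSubject: hi\r\n\r\nbody\r\n"
# An 8-bit header name without any BOM: the BOM match alone misses this.
NAME8 = b"X-Caf\xc3\xa9: 1\r\nTo: b@example.org\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("bom", BOM_MSG), ("name8", NAME8)):
        print(label, audit_headers(msg))
```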