[Mimedefang] suspicious characters
Michael Fox
2017-10-05 07:43:59 UTC
I'm trying to understand what triggers the setting of
$SuspiciousCharsInHeaders and $SuspiciousCharsInBody. All I can find are
circular definitions that vaguely mention possible exploits, but no
specifics are given. Before I use either of these, I'd like to understand
better what constitutes "suspicious" in both cases.

So, can someone provide a concrete/specific definition of "suspicious"
characters in headers? In the body?

Also, what do others do?

Do you bounce every message for which $SuspiciousCharsInHeaders is
true?

How about every message for which $SuspiciousCharsInBody is true?

Thanks,

Michael

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list ***@lists.roaringpenguin.com
http://lists.roaringpenguin.com
Jan-Pieter Cornet
2017-10-05 08:29:35 UTC
Post by Michael Fox
I'm trying to understand what triggers the setting of
$SuspiciousCharsInHeaders and $SuspiciousCharsInBody? All I can find are
circular definitions that vaguely mention possible exploits. But no
specifics are given. Before I use either of these, I'd like to understand
better what constitutes "suspicious" in both cases.
In both header and body, a CR that is *NOT* followed by a LF is considered "suspicious".

In the body, a NUL character is also considered suspicious.
Post by Michael Fox
Do you bounce every message that for which $SuspiciousCharsInHeaders is
true?
Yes, we have been bouncing those for over a decade. No complaints so far. But it doesn't match a lot of messages (a handful each day out of a few million). And it occasionally also matches some seemingly "legitimate" messages that simply aren't formatted properly.
Post by Michael Fox
How about every message for which $SuspiciousCharsInBody is true?
Tried that briefly and turned it off again. Can't remember why, probably because of false positives (that was in 2004). We currently ignore suspicious characters in body, don't even log it.
--
Jan-Pieter Cornet <***@xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
- Grey's Law
Michael Fox
2017-10-06 15:07:16 UTC
-----Original Message-----
suspicious :=
If header or body has a \r without \n
If the body has an embedded \0
Jan-Pieter, Steffen,

Thanks much.
Michael
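The definition given in both Jan-Pieter's answer and the quoted summary above (a CR not followed by LF in headers or body, plus a NUL byte in the body) is small enough to check by hand. The following is an added example written for this thread, not MIMEDefang's own scanner: it splits a raw message at the first blank line, applies those two rules, and reports the byte offsets so a site that prefers to log rather than bounce has something useful to record. The sample messages are constructed; the function names and the header/body split heuristic are this example's own assumptions.

```python
# Added example: re-implementation of the "suspicious characters" rules
# described in this thread. Not MIMEDefang code; the header/body split is
# a simplification (first CRLFCRLF or LFLF, whichever comes first).

def split_message(raw: bytes):
    """Return (headers, body) split at the first blank line."""
    found = [(raw.find(sep), sep) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [(i, s) for i, s in found if i != -1]
    if not found:
        return raw, b""
    i, sep = min(found)
    return raw[:i], raw[i + len(sep):]


def find_bare_cr(data: bytes):
    """Offsets of every CR (0x0D) that is not immediately followed by LF (0x0A)."""
    hits = []
    n = len(data)
    for i, b in enumerate(data):
        if b == 0x0D and (i + 1 >= n or data[i + 1] != 0x0A):
            hits.append(i)
    return hits


def find_nul(data: bytes):
    """Offsets of every NUL (0x00) byte."""
    return [i for i, b in enumerate(data) if b == 0x00]


def check_message(raw: bytes) -> dict:
    """Evaluate the two flags the thread discusses and keep the evidence.

    SuspiciousCharsInHeaders: bare CR anywhere in the header block.
    SuspiciousCharsInBody:    bare CR or NUL anywhere in the body.
    """
    headers, body = split_message(raw)
    hdr_cr = find_bare_cr(headers)
    body_cr = find_bare_cr(body)
    body_nul = find_nul(body)
    return {
        "SuspiciousCharsInHeaders": bool(hdr_cr),
        "SuspiciousCharsInBody": bool(body_cr or body_nul),
        "evidence": {
            "header_bare_cr": hdr_cr,
            "body_bare_cr": body_cr,
            "body_nul": body_nul,
        },
    }


# Constructed sample messages (not real traffic).
CLEAN = b"From: a@example.com\r\nSubject: hi\r\n\r\nHello\r\n"
BARE_CR_HEADER = b"From: a@example.com\r\nSubject: hi\rX-Odd: yes\r\n\r\nHello\r\n"
NUL_BODY = b"From: a@example.com\r\nSubject: hi\r\n\r\nHello\x00world\r\n"
BARE_CR_BODY = b"From: a@example.com\n\nline one\rline two\n"


if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("bare CR in header", BARE_CR_HEADER),
                      ("NUL in body", NUL_BODY), ("bare CR in body", BARE_CR_BODY)):
        r = check_message(msg)
        print(f"{name:18s} headers={r['SuspiciousCharsInHeaders']!s:5s} "
              f"body={r['SuspiciousCharsInBody']!s:5s} evidence={r['evidence']}")
```

Running the script prints one line per sample; the evidence offsets are what you would want in a log line when tuning a policy, since, as noted above, the header rule also catches some merely malformed legitimate mail.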