[Mimedefang] Curious about a couple of things in mimedefang-filter

David F. Skoll dfs at roaringpenguin.com
Mon Aug 12 12:39:01 EDT 2002


On Mon, 12 Aug 2002, Jim McCullars wrote:

> Just for my own curiosity, what does MD consider SuspiciousCharsInHeaders
> and why are they dropped?

NUL characters are suspicious, as are stand-alone carriage-return characters.
These can be used to attack various MUA's, and are prohibited by
the SMTP RFC.

> Also, what is the danger of curlies in file
> names?

There's a Windows-specific attack (not sure how it works; I don't
run Windows) which uses a CLSID.

> And what about non-alpha chars in an extension?  The sample filter
> drops all of these.

No, it drops "bad" extensions followed by non-alphanumeric characters.
Again, some (stupid) MUA's can be tricked by something like:

	"name.exe..."

which they interpret as "name.exe".

Basically, all of the convoluted code in the dangerous-attachment
checks is required because of Windoze stupidity. :-(

> Second question:  Is it possible to get the string that the sending MTA
> sends as the HELO value?

Not from the Perl filter, although it is available via libmilter.
I can add this if you like.

Regards,

David.
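The two filter checks discussed above (NUL or bare carriage-return characters in headers, and a dangerous extension hidden behind trailing non-alphanumeric characters or a CLSID-style curly-brace filename), as an added Python example. This is not MIMEDefang's own Perl filter code; the BAD_EXTS set, the function names and the sample headers and filenames are constructed for illustration.

```python
import re

# Subset of extensions a filter would treat as dangerous (constructed for this example).
BAD_EXTS = {"exe", "com", "bat", "scr", "pif", "vbs", "js"}


def suspicious_chars_in_header(value: str) -> bool:
    """True if a header value carries a NUL or a CR that is not part of a CRLF pair."""
    if "\x00" in value:
        return True
    # A CR not immediately followed by LF is a stand-alone carriage return.
    return re.search(r"\r(?!\n)", value) is not None


def effective_extension(filename: str) -> str:
    """Extension a naive MUA may act on after ignoring trailing non-alphanumerics.

    "name.exe..." -> "exe", mirroring the trick described in the thread.
    """
    stripped = re.sub(r"[^A-Za-z0-9]+$", "", filename)
    match = re.search(r"\.([A-Za-z0-9]+)$", stripped)
    return match.group(1).lower() if match else ""


def is_bad_filename(filename: str) -> bool:
    """Flag CLSID-style {...} names and dangerous extensions, even when padded."""
    if re.search(r"\{[^}]*\}", filename):
        return True
    return effective_extension(filename) in BAD_EXTS


def scan_message(headers: dict, attachment_names: list) -> list:
    """Return human-readable reasons a message would be dropped; empty means clean."""
    reasons = []
    for name, value in headers.items():
        if suspicious_chars_in_header(value):
            reasons.append(f"suspicious characters in header {name}")
    for fname in attachment_names:
        if is_bad_filename(fname):
            reasons.append(f"dangerous attachment name {fname!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample input.
    sample_headers = {"Subject": "Invoice\rattached", "From": "alice@example.invalid"}
    sample_files = ["report.pdf", "name.exe...", "photo{00000000-0000}.txt"]
    for reason in scan_message(sample_headers, sample_files):
        print(reason)
```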
