[Mimedefang] Curious about a couple of things in mimedefang-filter

David F. Skoll dfs at roaringpenguin.com
Mon Aug 12 12:39:01 EDT 2002

On Mon, 12 Aug 2002, Jim McCullars wrote:

> Just for my own curiosity, what does MD consider SuspiciousCharsInHeaders
> and why are they dropped?

NUL characters are suspicious, as are stand-alone carriage-return characters.
These can be used to attack various MUA's, and are prohibited by

> Also, what is the danger of curlies in file
> names?

There's a Windows-specific attack (not sure how it works; I don't
run Windows) which uses a CLSID.

> And what about non-alpha chars in an extension?  The sample filter
> drops all of these.

No, it drops "bad" extensions followed by non-alphanumeric characters.
Again, some (stupid) MUA's can be tricked by something like:


which they interpret as "name.exe".

Basically, all of the convoluted code in the dangerous-attachment
checks is required because of Windoze stupidity. :-(

> Second question:  Is it possible to get the string that the sending MTA
> sends as the HELO value?

Not from the Perl filter, although it is available via libmilter.
I can add this if you like.



More information about the MIMEDefang mailing list