[Mimedefang] MIMEDefang 2.21 is released - Important Security Note
David F. Skoll
dfs at roaringpenguin.com
Fri Sep 13 14:29:00 EDT 2002
On Fri, 13 Sep 2002, Douglas J Hunley wrote:
> if a user checks the 'break apart messages larger than xxx Kb' option in
> Outlook Express, doesn't that generate message/partial?
> if so, that's .. um.. "legitimate" mail
I disagree. If a user attaches a harmless, fun program called
"DancingChickens.exe", most MD admins would block it, and not listen
to protests of legitimacy.
message/partial is a bad specification. It's easy to abuse. You can
run some nice attacks by exploiting it. Just send only the first n-1
out of n parts for hundreds of messages. Or send lots of very
deeply-nested message/partial messages (the RFC says that after
reassembly, it's permissible to end up with another message/partial --
in other words, several levels of fragmentation.) How long do we wait
for reassembly? Or how about sending different parts from different
sender addresses -- where to failure messages go? How about sending a
harmless part 3 and a malicious part 3. Which part really ends up
being used?
There is no reasonable way to reassemble message/partial on a Sendmail
server. And there is no way to reliably scan message/partials. Finally,
MTA administrators who set limits on message sizes do so for a reason, and
you shouldn't try to get around it with (IMO) sneaky tactics.
Regards,
David.
More information about the MIMEDefang
mailing list