[Mimedefang] SuspiciousCharsInBody

Thu Sep 9 19:28:58 EDT 2004

FYI,

We've been experimenting with blocking on $SuspiciousCharsInBody, but we
quickly found out that that is a bad idea (due to the amount of utter
crappy MUAs out there). Is anyone using this to block messages on a real
production mailserver?

I quarantined some messages for half an hour, to see if it would be useful
(eg, only spam and bounces of spam). 

A few statistics... we scanned about 64000 messages in that half-hour
(unique messages, about 69000 recipients). 500 of those were quarantined
because of SuspiciousCharsInBody (and that excludes viruses, the virus
check was done before this. 1400 viruses were detected in that
interval).

Further categorising those 500 messages... it turned out that quite a
few of those were spam, bounces of spam, or duplicates, but it left
about 60 messages that were "normal email".

Most of those messages (about 50) had additional NUL characters. Very
often the mail ended in the string "\n\0\0\0\0\0\n". That is, five NUL
characters on a line by itself. Also seen often is a single NUL at the
end of an HTML attachment.

The other 10 mails had embedded CR characters in them, somewhere,
but unfortunately mimedefang strips lone CR characters completely while
getting the message from sendmail/milter. Is that intentional? Because
of this, I could not see where the lone CR occurred in the message.

I believe dropping the CR in this case is a bug: if some virus abuses
this misfeature, virus scanners won't be able to detect this, because
mimedefang masks it.

To summarize: do not use current blocking on $SuspiciousCharsInBody,
you'd lose about 0.1% of the total mail, even though it does catch
a good amount of spam too.

If mimedefang was modified to consider a NUL character a legal part of
the email body, then only a lone "CR" character would cause
$SuspiciousCharsInBody to be set. This might in some cases be
useful to block messages... as far as I could tell, the "lone CR"
emails were all autogenerated by scripts.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet