[Mimedefang] suspicious characters

[Jan Pieter Cornet]

On Mon, Oct 24, 2005 at 12:12:29PM -0400, Joseph Brennan wrote:
> We've begun refusing mail with suspicious_chars_body.  Almost all is
> junk but there's a trickle of legit mail and I want to be able to tell
> those few what was wrong with their message.  The usual seems to be
> text uploaded from Windows with RETURN in it.

My experience with $SuspiciousCharsInBody are that it is pretty much
useless in all circumstances except for a very strict home system
with a few users. There are simply too many crappy MUAs out there.

See also my previous message on this subject here:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-September/024333.html

> I am trying this, below, to capture the first line with a suspicious
> character.  The \000 and \015 are to be rewritten to NULL or RETURN
> so we can see them, and then $badline is written to syslog.
> 
> What I get is NULL by itself, or nothing.  Apparently this code matches
> on the \000 all right but not on the \015 and I don't know why.
> 
> Any ideas?

Yes, see also my previous message to the list. Mimedefang strips all CR
characters from the input, before putting them in INPUTMSG, even if they
are "lone" CR characters that trigger the "suspiciousBody" flag. So you
will never see the CR characters in mimedefang (and neither will any
virus scanner or other content scanner you might use).

I consider this a bug, and it's still present in mimedefang 2.53, but I
haven't found it important enough to consider patching it. You can
find the logic in the body() function on line 1087 of mimedefang.c.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet