[Mimedefang] Curly braces in header (From: )

Dan Johansson rabies2000 at hotmail.com
Thu Sep 21 16:55:57 EDT 2006


Hi List,

I am fairly new to MimeDefang so perhaps this question has been asked 
previously, or is not really an MD issue at all.

Here is the problem:
I use MD (2.57) via milter (sendmail 8.13.8), Perl Modules from CPAN, 
Spamassassin 3.1.5 on a Linux install, distro Slackware 10.0. This is a 
frontend to an Exchange system.

The filter file is basically the KAM filter simulating report_safe in 
spamassassin, slightly modified but with no new functionality or "trickery" 
- my perl knowledge is limited to hello world.

Recently a flood of spam with seriously strange headers has started coming 
(I guess everyone has seen them, pump'n'dump). The From header contains 
curly braces.

Incoming mail header looks like this (cut for brevity):

From: "Beatrice Sheldon" <pekepotlood at pandora.be>{SET:debug=51}
To: <someone at my.domain.com>
Subject: Tuesday.CRSVF.after the confrontation
Date: Tue, 19 Sep 2006 15:04:13 -0060
MIME-Version: 1.0
Content-Type: text/plain;
  charset=iso-8859-1
Content-Transfer-Encoding: 7bit
[...]

When it's been run through MimeDefang and is delivered upstream, the headers 
look like this (cut for brevity):

From: "\"Beatrice 
Sheldon\"<pekepotlood at pandora.be>{SET:pekepotlood"@pandora.be
To: <someone at my.domain.com>
Subject: Tuesday.CRSVF.after the confrontation  [13.928]
Date: Tue, 19 Sep 2006 15:04:13 -0060
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="------------=_NextPart_1158678250-4223-nikc"
[...]

As you see, the From: header has been modified in a way I didn't expect. 
This happens only for mails with these curly braces in the From field. As 
the KAM filter builds a new message and attaches the original message to it, 
one would expect the attached message also to have a modified From: header. 
That is not the case: in the attached message, the From: header looks like 
it does in the original.

I have tried pushing these headers through plain sendmail and postfix 
installs, unable to reproduce the behaviour.

The core problem is that for some reason Exchange (or possibly Outlook) 
throws errors at From fields like this, unable to open it (and thereby 
unable to move it to another folder).

Pushing a mail looking like the original into Exchange does not trigger the 
problem. I don't know what exactly triggers the problem (escaped " ?) and to 
be perfectly honest I do not care. I think Exchange has worse bugs than 
this one.

Initially I thought I could simply declare curly braces as invalid in 
headers, but at least sendmail's default behaviour when handling STARTTLS is 
to use curly braces in the Received: header so that is probably not a good 
idea.

I don't see any valid reason for unescaped / unencoded curly braces in the 
From: or To: fields, but I am unable to figure out if it really is allowed 
or not.

Any pointers in the right direction will be very helpful. Tried googling but 
either used the wrong terms or I am the only one that has noticed problems 
with this.

Which information can I provide? I am not sure I should swamp the list with 
the whole mimedefang-filter file.

Kind regards and thanks ahead of time,
/DJ
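
Added example, not part of the original post and not MIMEDefang code: a stand-alone Python check that flags text left after the closing ">" of an address in a From: or To: value, which is what the incoming header in this post shows. Under the RFC 2822 grammar, curly braces are legal atom characters, but only whitespace, a parenthesised comment or a list comma may follow the angle-addr, so the check tests position rather than banning braces. The function name and the sample headers are constructed for illustration.

```python
def stray_after_angle_addr(value):
    """Return the text runs found after an angle-addr's closing '>'.

    Whitespace, (comments) and the ',' between mailboxes are permitted
    there; anything else is reported. Quoted strings and comments are
    tracked so that '>' or ',' inside them is not treated as structure.
    """
    stray, run = [], ""
    in_quote = escaped = after_angle = False
    depth = 0                          # nesting depth of (comments)
    for ch in value:
        was_comment = depth > 0
        structural = not (in_quote or depth or escaped)
        if escaped:                    # second half of a quoted-pair
            escaped = False
        elif ch == "\\" and (in_quote or depth):
            escaped = True
        elif ch == '"' and not depth:
            in_quote = not in_quote
        elif ch == "(" and not in_quote:
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif structural and ch == ">" and not after_angle:
            after_angle = True         # end of this angle-addr
            continue
        elif structural and ch == ",":
            if run.strip():
                stray.append(run.strip())
            run, after_angle = "", False   # next mailbox in the list
            continue
        if after_angle and not was_comment and depth == 0:
            run += ch
    if run.strip():
        stray.append(run.strip())
    return stray

# Constructed sample values, modelled on the header shape in the post.
SAMPLES = [
    '"Sender Name" <sender@example.com>{SET:debug=51}',
    '"Sender Name" <sender@example.com> (work)',
    'A <a@example.com>, "B, Jr." <b@example.com>junk',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", stray_after_angle_addr(s))
```

A non-empty result could be used as a reason to tag or quarantine the message before any header is rewritten; a bare address without angle brackets is outside what this check covers.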
