[Mimedefang] javascript in address header

Renaud Pascal renaud.pascal at atos.net
Thu Mar 21 10:44:22 EDT 2013

On Wed, 20 Mar 2013 15:11:21 -0700
<kd6lvw at yahoo.com> wrote:

> --- On Wed, 3/20/13, Joseph Brennan <brennan at columbia.edu> wrote:
> > Ever see one of these?--
> > 
> > To: Joe B <jb51 at columbia.edu<javascript:_e({},> 'cvml','jb51 at columbia.edu');>>
> > 
> > I changed the name and address, but otherwise this is what ...
> Since when is JavaScript valid in SMTP headers?  Is there even a proposal (i.e. an RFC) that suggests this?  I see no reason to reject this on sight as a malformed mailbox in a header.

Er, and you're not making up your mind, or aren't you making up your mind about it, or not?


I haven't seen many of this kind in years, and none in JavaScript, but I'd suspect either a
broken bot (cron or evil) or a real attempt to break something. I'd also suspect some
weak clients to be able to do bad things (TM) from it, and I'd also suspect that the eXchange
system, like in your test, once tried to not be vulnerable to it and finally decided to simply
reject instead of repairing ;-)
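
Added example, not part of the original post and not MIMEDefang filter code: a stand-alone Python check that flags an address header of the shape quoted in this thread (nested angle brackets, a script URI scheme inside the angle-addr). The function name, the simplified addr-spec pattern and the example.com sample values are assumptions constructed for illustration.

```python
import re

# Simplified addr-spec (dot-atom local part and domain); an assumption, not full RFC 5322.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
SCHEME = re.compile(r"\b(javascript|vbscript|data)\s*:", re.I)

def angle_findings(value):
    """Scan one address header value; return the reasons it looks malformed."""
    findings, depth, start, in_quote, i = [], 0, None, False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and in_quote:
            i += 2                      # skip a quoted-pair inside a display name
            continue
        if ch == '"' and depth == 0:
            in_quote = not in_quote     # brackets inside "..." are display-name text
        elif not in_quote and ch == "<":
            depth += 1
            if depth == 1:
                start = i + 1
            else:
                findings.append("nested '<' inside angle-addr")
        elif not in_quote and ch == ">":
            if depth == 0:
                findings.append("'>' without matching '<'")
            else:
                depth -= 1
                if depth == 0:          # outermost angle-addr just closed
                    inner = value[start:i]
                    if not ADDR_SPEC.match(inner.strip()):
                        findings.append("angle-addr is not a plain addr-spec")
                    if SCHEME.search(inner):
                        findings.append("script URI scheme inside angle-addr")
        i += 1
    if depth:
        findings.append("unclosed '<'")
    if in_quote:
        findings.append("unclosed quoted string")
    return findings

# Constructed samples: the first mirrors the header shape quoted in the thread.
SUSPECT = "Joe B <jb51@example.com<javascript:_e({}, 'cvml','jb51@example.com');>>"
CLEAN = '"Brennan, Joe <jb>" <jb51@example.com>, Bob <bob@example.org>'

if __name__ == "__main__":
    for sample in (SUSPECT, CLEAN):
        print(sample, "->", angle_findings(sample) or "ok")
```

A filter could reject or quarantine when the list is non-empty; bare addresses without angle brackets are not examined by this check.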
