[Mimedefang] mailsploit prevention in MD

Jan-Pieter Cornet johnpc at xs4all.nl
Tue Dec 5 19:37:39 EST 2017


Another bug with its own logo and website has appeared: www.mailsploit.com.

This targets MUAs. It abuses RFC2047 MIME encoding of headers to insert NUL characters.

The mails are relatively easy to stop using mimedefang. I've just rolled it out on our platform.

Boilerplate code (completely untested, but partly cut-n-pasted out of working code). Enjoy.


use Encode qw(decode);

sub filter_end ($) {
     my($entity) = @_;

     # ... any other processing you do in filter_end

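     # get() returns undef when the header is absent, and keeps the trailing newline.
     my $fromline = $entity->head->get('From');
     $fromline = '' unless defined $fromline;
     chomp $fromline;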
     eval {
         # MIME::Decode of the header might fail for unknown charset.
         my $friendly_from = decode('MIME-Header', $fromline);
         if ( $friendly_from =~ /\0/ ) {
             md_syslog('warning', "$MsgID: Encoded NUL in From header: $fromline");
             # XXX insert your own code to handle such messages, eg redirect, reject, or change the From: header
             action_bounce('Encoded NUL in From rejected');
         }
     };
     if ( $@ ) {
         # you may, for security reasons, choose to reject here too.
         md_syslog('warning', "$MsgID: Error decoding From: $fromline; error: $@");
     }

     # ... any more processing you wish to do in filter_end
}


-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
     - Grey's Law
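
An added example, not part of the original post: a stand-alone script for exercising the same decode-then-match check offline before wiring it into a filter. It also shows why matching the raw header is not enough. The helper name classify_from and the sample headers are constructed for illustration; only the core Encode and MIME::Base64 modules are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);
use MIME::Base64 qw(encode_base64);

# Hypothetical helper, not a MIMEDefang function: classify one raw header value.
#   'nul'   - the RFC 2047-decoded value contains a NUL character
#   'error' - decode() died (the post's eval block guards against this)
#   'ok'    - no NUL after decoding
sub classify_from {
    my ($raw) = @_;
    return 'ok' unless defined $raw && length $raw;
    my $decoded = eval { decode('MIME-Header', $raw) };
    return 'error' unless defined $decoded;
    return $decoded =~ /\0/ ? 'nul' : 'ok';
}

# Constructed sample From values (example.com only, not taken from real mail).
my @samples = (
    [ 'plain address', 'Alice Example <alice@example.com>' ],
    [ 'encoded name',  '=?utf-8?Q?Al=C3=AFce?= <alice@example.com>' ],
    [ 'Q-encoded NUL', '=?utf-8?Q?Alice=00?= <alice@example.com>' ],
    [ 'base64 NUL',    '=?utf-8?B?' . encode_base64("Alice\0", '')
                       . '?= <alice@example.com>' ],
);

for my $sample (@samples) {
    my ($label, $raw) = @$sample;
    # raw_nul shows whether a plain regex on the undecoded header would notice.
    printf "%-14s raw_nul=%-3s verdict=%s\n",
        $label, ($raw =~ /\0/ ? 'yes' : 'no'), classify_from($raw);
}
```

The raw_nul column is the reason the check has to run on the decoded value: an encoded-word carries the NUL as printable ASCII, so a pattern match on the undecoded header never sees it.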
