[Mimedefang] mailsploit prevention in MD

Kevin A. McGrail KMcGrail at PCCC.com
Wed Dec 6 06:33:12 EST 2017


On 12/5/2017 7:37 PM, Jan-Pieter Cornet wrote:
> Another bug with its own logo and website has appeared: 
> www.mailsploit.com.
In the same vein and somewhat off-topic from an MD solution, here's a 
solution via Apache SpamAssassin that I'm soliciting feedback regarding 
on the SA users mailing list.

I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
  #NUL
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

  #\n Multiple in the From Header
header   __KAM_MAILSPLOIT2    From =~ /[\n]/
describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2    multiple maxhits=2

meta            KAM_MAILSPLOIT  (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe        KAM_MAILSPLOIT  Mail triggers known exploits per mailsploit.com
score           KAM_MAILSPLOIT  10.0

Regards,
KAM
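
Added example (not part of the original post or of KAM.cf): the same kind of check in Python, decoding the RFC 2047 encoded-words in a From value and reporting NUL or newline bytes found there. The function names and sample headers are constructed for illustration, and unlike the rules above it inspects the decoded payloads directly instead of counting newline hits.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_word(encoding: str, text: str) -> bytes:
    """Return the raw bytes carried by one encoded-word."""
    if encoding.lower() == "b":
        try:
            # Re-pad so unpadded base64 still decodes.
            return base64.b64decode(text + "=" * (-len(text) % 4))
        except binascii.Error:
            return b""  # undecodable payload: nothing to inspect
    # Q encoding: "_" means space, "=XX" is a hex-encoded byte.
    raw = text.replace("_", " ").encode("ascii", "replace")
    return re.sub(rb"=([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def mailsploit_indicators(from_header: str) -> list:
    """List control characters hidden in the encoded-words of a From value."""
    decoded = b"".join(decode_word(enc, txt)
                       for _, enc, txt in ENCODED_WORD.findall(from_header))
    found = []
    if b"\x00" in decoded or "\x00" in from_header:
        found.append("NUL")
    if b"\n" in decoded:
        found.append("NEWLINE")
    return found


# Constructed sample From values (not taken from real mail).
SAMPLES = {
    "plain": "Alice Example <alice@example.com>",
    "benign-q": "=?utf-8?Q?J=C3=BCrgen?= <j@example.com>",
    "nul-q": "=?utf-8?Q?ceo=40example.com=00?= <x@example.net>",
    "nl-b": "=?utf-8?b?" + base64.b64encode(b"ceo@example.com\n").decode()
            + "?= <x@example.net>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} {mailsploit_indicators(value)}")
```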


