[Mimedefang] suspicious characters

Jan-Pieter Cornet johnpc at xs4all.nl
Thu Oct 5 04:29:35 EDT 2017

On 5-10-17 09:43, Michael Fox wrote:
> I'm trying to understand what triggers the setting of
> $SuspiciousCharsInHeaders and $SuspiciousCharsInBody?  All I can find are
> circular definitions that vaguely mention possible exploits.  But no
> specifics are given.  Before I use either of these, I'd like to understand
> better what constitutes "suspicious" in both cases.

In both header and body, a CR that is *NOT* followed by a LF is considered "suspicious".

In the body, a NUL character is also considered suspicious.

> Do you bounce every message that for which $SuspiciousCharsInHeaders is
> true?

Yes, we have been bouncing those for over a decade. No complaints so far. But it doesn't match a lot of messages (a handful each day out of a few million). And it occasionally also matches some seemingly "legitimate" messages that simply aren't formatted properly.

> How about every message for which $SuspiciousCharsInBody is true?

Tried that briefly and turned it off again. Can't remember why, probably because of false positives (that was in 2004). We currently ignore suspicious characters in body, don't even log it.

Jan-Pieter Cornet <johnpc at xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
     - Grey's Law

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20171005/e670ed0a/attachment-0003.sig>

More information about the MIMEDefang mailing list