Re: SECURITY.NNOV: The Bat! <cr> bug

From: 3APA3A (3APA3Aat_private)
Date: Mon Apr 23 2001 - 01:46:23 PDT


    Hello -mat-,
    
    Saturday, April 21, 2001, 10:19:00 PM, you wrote:
    
    
    mfb>   This is not a bug of The Bat! but a bug of MTA (POP3/SMTP servers)
    mfb>   that allow such odd messages. The proposed "bad-message"
    mfb>   (http://www.security.nnov.ru/files/badmess.zip) is not
    mfb>   RFC-compliant. Any RFC-compliant POP3/SMTP server must either bounce
    mfb>   or cure it. I've used a proposed example to send the message to
    mfb>   myself, on a FreeBSD server with Sendmail 8.11.1 I've typed
    mfb>   cat badmess | sendmail -U maxat_private
    
    You're wrong. This message _is_ RFC 822 and RFC 1251 compliant. In
    fact, RFC 822 absolutely clearly allows <CR> and <LF> even in some
    message headers:
    
     text        =  <any CHAR, including bare    ; => atoms, specials,
                         CR & bare LF, but NOT       ;  comments and
                         including CRLF>             ;  quoted-strings are
                                                     ;  NOT recognized.
    
    
    _any_ pop3 server shouldn't change this message, because RFC 1939
    follows RFC 822 for the message standard.
    
    
    RFC  821  (SMTP) simply says "The mail data may contain any of the 128
    ASCII character codes".
    
    
    RFC 1251 allows a message to contain any binary data and strings of any
    length. In fact, sendmail allows any characters (including NULL) to be
    in message body. "badmess" was tested with sendmail 8.9.3 + mail.local
    + UW-pop3d 7.59.
    
    P.S. I didn't test The Bat! with NULL characters in message body...
    If something like
    
    <CR><LF>NULL.<CR><LF>-ERR
    
    in message body hurts The Bat! badly, RitLabs better patch it right now
    :)
    
    
    
    --
    ~/3APA3A
    I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)
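
An added example, not part of the original post or of any mail client's or server's code: a POP3 multi-line response reader that ends lines only at CRLF and stops only at the "." terminator line (RFC 1939), so the bare <CR>, bare <LF> and NUL bytes discussed above stay message data. The names `read_multiline` and `audit` and the sample response are constructed for illustration.

```python
CRLF = b"\r\n"


def read_multiline(stream: bytes) -> tuple[bytes, bytes]:
    """Split a POP3 RETR response into (message, bytes left on the wire).

    Only the exact pair CR LF ends a line. A bare CR, a bare LF or a NUL
    is ordinary data, so it can never produce a fake "." terminator line.
    """
    status, sep, rest = stream.partition(CRLF)
    if not sep or not status.startswith(b"+OK"):
        raise ValueError("no +OK status line")
    lines, pos = [], 0
    while True:
        end = rest.find(CRLF, pos)
        if end == -1:
            raise ValueError("truncated: no terminator line")
        line, pos = rest[pos:end], end + 2
        if line == b".":                      # the only real terminator
            return b"".join(ln + CRLF for ln in lines), rest[pos:]
        # Undo byte-stuffing: the server doubles a leading "." on data lines.
        lines.append(line[1:] if line.startswith(b".") else line)


def audit(message: bytes) -> dict[str, int]:
    """Count bytes that RFC 822 'text' permits but naive line parsers mishandle."""
    crlf = message.count(CRLF)
    return {
        "bare_cr": message.count(b"\r") - crlf,
        "bare_lf": message.count(b"\n") - crlf,
        "nul": message.count(b"\x00"),
    }


# Constructed server output: one message followed by the next reply.
SAMPLE = (
    b"+OK message follows\r\n"
    b"Subject: te\rst\r\n"                 # bare CR inside a header
    b"\r\n"
    b"line one\r.\nstill body\r\n"         # CR "." LF is data, not a terminator
    b"\x00.\r\n"                           # NUL "." CRLF, as in the P.S.
    b"-ERR not a server reply\r\n"         # still inside the message
    b"..leading dot\r\n"                   # byte-stuffed data line
    b".\r\n"                               # real end of the message
    b"+OK next reply\r\n"
)

if __name__ == "__main__":
    message, remaining = read_multiline(SAMPLE)
    print(audit(message), remaining)
```
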
    


