Re: Non existing attachments, more info

From: Jason Haar (Jason.Haarat_private)
Date: Wed Feb 20 2002 - 00:49:05 PST


    On Mon, Feb 18, 2002 at 10:02:17AM -0500, David F. Skoll wrote:
    > I initially made my scanner emulate the Outlook bug; now I see it's the
    > wrong thing to do.
    
    Indeed.
    
    > 
    > I believe the only sane way to handle these kinds of malformed messages is:
    > 
    > 1) Reject any message with suspicious characters in the headers (e.g.,
    > embedded CR's.)  It's pointless for a server-based scanner to try to
    > out-think all the different mail user agents out there.
    > 
    
    Qmail-Scanner has done that since BadTrans came out. As you found out,
    "fixing" the message isn't the solution. Instead block it as "suspicious".
    
    I have 2 months' worth of data on this: since Qmail-Scanner started blocking
    lone CR in MIME headers, almost all messages stopped were viruses or spam.
    The few that were "real" messages were from broken Windows installs of
    SquirrelMail...  (that's what you get when you edit PHP files with Notepad I
    suppose ;-)
    
    
    http://qmail-scanner.sourceforge.net/
    
    -- 
    Cheers
    
    Jason Haar
    
    Information Security Manager
    Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
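
The check discussed in this message, as an added example (not part of the original post and not Qmail-Scanner's own code): it flags a lone CR in the top-level headers or in any MIME part header block and reports the message as suspicious instead of trying to repair it. The function names and the sample messages are constructed for illustration.

```python
import re

# Any boundary= parameter declared anywhere in the message (covers nested multiparts).
BOUNDARY = re.compile(rb'boundary\s*=\s*"?([^";\r\n]+)', re.I)
# Lines end at LF or CRLF only, so a CR that survives the split is a lone CR.
EOL = re.compile(rb"\r?\n")

def find_bare_cr(raw: bytes):
    """Return [(line_number, line)] for header lines that contain a lone CR."""
    delims = {b"--" + b.strip() for b in BOUNDARY.findall(raw)}
    findings = []
    in_headers = True  # a message starts inside its top-level header block
    for lineno, line in enumerate(EOL.split(raw), 1):
        if in_headers:
            if line == b"":
                in_headers = False      # blank line ends the header block
            elif b"\r" in line:
                findings.append((lineno, line))
        elif line.rstrip(b" \t") in delims:
            in_headers = True           # a part delimiter opens part headers
    return findings

def verdict(raw: bytes) -> str:
    """Block rather than repair: no guessing at how a given MUA would parse it."""
    return "suspicious" if find_bare_cr(raw) else "pass"

# Constructed sample messages (not taken from real traffic).
CLEAN = (b"From: a@example.org\r\nSubject: hi\r\n"
         b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
         b"--XX\r\nContent-Type: text/plain\r\n\r\n"
         b"body with a lone\rCR\r\n--XX--\r\n")
# Lone CR inside a MIME part header.
BAD_PART = CLEAN.replace(b"Content-Type: text/plain\r\n",
                         b'Content-Type: text/plain;\rname="report.txt"\r\n')
# Lone CR inside a top-level header.
BAD_TOP = CLEAN.replace(b"Subject: hi\r\n", b"Subject: hi\rX-Extra: 1\r\n")

if __name__ == "__main__":
    for name, msg in [("clean", CLEAN), ("part", BAD_PART), ("top", BAD_TOP)]:
        print(name, verdict(msg), find_bare_cr(msg))
```

A lone CR in the body text alone is not flagged here, since the check is scoped to header blocks.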
    



    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 19:20:39 PST