MIMEDefang update (was Re: Bypassing SMTP Content Protection )

From: David F. Skoll (dfsat_private)
Date: Thu Sep 12 2002 - 08:11:07 PDT

    MIMEDefang (http://www.roaringpenguin.com/mimedefang/) is an SMTP
    filtering tool which in its default configuration is susceptible
    to this attack.
    
    MIMEDefang relies on the MIME::tools Perl parsing module.  This module
    correctly descends into "message/rfc822" entities and parses parts
    inside them, but it does not descend into "message/partial" entities.
    Therefore, even the default filename checks will not work with
    "message/partial" types.  I hope to have a patched version of MIME::tools
    soon.
    
    For the next MIMEDefang release, the default filter will be modified to drop
    message/partial parts.  Current users of MIMEDefang should add the
    following code to their filter and filter_multipart routines:
    
    # Block message/partial parts
    if (lc($type) eq "message/partial") {
        action_quarantine_entire_message();
        action_notify_administrator("Message quarantined because of message/partial type");
        return action_discard();
    }
    
    --
    David.
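
An added example, not part of the original post and not MIMEDefang code: the same "quarantine on message/partial" policy as a standalone check, written with Python's standard `email` package instead of MIME::tools. The function names and the three sample messages are constructed for illustration; the check walks the whole MIME tree so a fragment wrapped inside a forwarded message/rfc822 part is also caught.

```python
# Added example: not part of the original post and not MIMEDefang code.
from email import message_from_bytes

def find_partial_parts(raw: bytes) -> list:
    """Return id/number/total for every message/partial entity at any depth."""
    hits = []
    # walk() recurses through multipart/* and message/* containers.
    for part in message_from_bytes(raw).walk():
        # get_content_type() is lower-cased, like lc($type) in the filter.
        if part.get_content_type() == "message/partial":
            hits.append({k: part.get_param(k) for k in ("id", "number", "total")})
    return hits

def verdict(raw: bytes) -> str:
    """Same policy as the filter: any message/partial part quarantines the mail."""
    return "quarantine" if find_partial_parts(raw) else "accept"

# Constructed sample: a fragment sent as a top-level message/partial.
FRAGMENT = b"""\
From: a@example.invalid
Content-Type: Message/Partial; id="frag-1@example.invalid"; number=1; total=2

Content-Type: application/octet-stream; name="report.bin"

QUJD
"""
# Constructed sample: a fragment wrapped in a forwarded message/rfc822 part.
NESTED = b"""\
From: a@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

forwarded below
--b1
Content-Type: message/rfc822

Subject: inner
Content-Type: message/partial; id="frag-2@example.invalid"; number=2; total=2

REVG
--b1--
"""
# Constructed sample: ordinary mail with no message/partial part.
BENIGN = b"From: a@example.invalid\nContent-Type: text/plain\n\nhello\n"

if __name__ == "__main__":
    for name, raw in (("FRAGMENT", FRAGMENT), ("NESTED", NESTED), ("BENIGN", BENIGN)):
        print(name, verdict(raw), find_partial_parts(raw))
```

The returned id/number/total values are what an administrator would need to correlate quarantined fragments belonging to the same original message.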
    


