FW: Bypassing SMTP Content Protection with a Flick of a Button

From: Menashe Eliezer (menasheat_private)
Date: Thu Sep 12 2002 - 11:13:02 PDT


    First, I would like to point out that there are still users who use
    Outlook 2000. Outlook 2000 can also be used for sending and receiving such
    messages.
    
    Finjan Software response:
    Finjan Software products are not vulnerable.
    SurfinGate for E-Mail reassembles fragmented messages, and then performs
    security analysis and applies content management rules.
    SurfinShield is installed on end users' machines. It gets the reassembled
    message from the E-Mail client, and proactively monitors the behavior of
    active content included or attached to the E-Mail message.
    
    BTW,
    CERT has approached Finjan Software, and we've replied.
    Beyond Security Ltd. probably hasn't yet received the response from CERT.
    
    Regards,
    Menashe Eliezer
    Manager, Malicious Code Research Center
    Finjan Software
    http://www.finjan.com/mcrc
    
    Prevention is the best cure!
    
    
    
    
    -----Original Message-----
    From: Aviram Jenik [mailto:aviramat_private]
    Sent: Thursday, September 12, 2002 3:45 PM
    To: bugtraqat_private
    Subject: Bypassing SMTP Content Protection with a Flick of a Button
    
    
    
    
      Bypassing SMTP Content Protection with a Flick of a Button
    ------------------------------------------------------------------------
    
    Article reference:
    http://www.securiteam.com/securitynews/5YP0A0K8CM.html
    
    
    SUMMARY
    
    Forget underground hacking tools. How about using Outlook Express as
    your attack platform?
    
    Beyond Security's SecurITeam has discovered a new method of bypassing
    many SMTP-based content filter engines.
    This discovery is alarming since it requires nothing more from the
    attacker than an Outlook Express client, and employs a rarely used
    Outlook Express feature called 'message fragmentation and re-assembly'.
    Using this feature, an attacker can send e-mails that will bypass most
    SMTP filtering engines, including gateway virus scanners, content
    filters, firewalls that do SMTP checking, etc.
    
    Impact:
    Anyone wishing to bypass SMTP filtering engines can use the method
    mentioned above to bypass most types of content checking and deliver
    their payload to the end client without any trouble, whether it is a
    virus, a Trojan or a file type that is not allowed by the corporate
    policy.
    
    
    The information has been provided by Noam Rathaus <mailto:noamrat_private>,
    Beyond Security Ltd.
    
    --
    Aviram Jenik
    Beyond Security Ltd.
    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com
    
    Know that you're safe:
    http://www.AutomatedScanning.com
    



    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 10:24:31 PDT