On Thu, Dec 18, 2003 at 04:29:38PM +0100, Salvatore Toribio wrote:
> It seems that there is an "\r" after '...(209.239.41.230)' and
> another one after '...userid 65534)'.
>
> I don't understand yet why the header must not have CR/NULL. Maybe
> Jason can give us an explanation and how to work around.

There are known exploits that rely on "fake" end-of-line characters such as
NULLs and '\r' within MIME mail messages to allow viruses to confuse AV mail
scanners. Instead of looking for the specific case, Q-S generalizes it and
says "if it's a non-RFC compliant MIME mail message, then it will be
blocked". Stops all such viruses and any new ones that may come along.

e.g.

    X-Faked: text\rContent-Type: application/octet-stream<EOL>
    From: A Baddie<EOL>

Some mailers will treat that as:

    X-Faked: text<EOL>
    Content-Type: application/octet-stream<EOL>
    From: A Baddie<EOL>

...some won't. What should an AV e-mail scanner do with it?

What you will find is that any "real" mail that is blocked is due to someone
hand-writing some mailing-list software addon or the like.

Q-S also blocks mail that mis-uses other MIME functions - such as containing
more than one Content-Type with differing values, e.g.

    Content-Type: text/plain
    Content-Type: audio/mp3

Which header is the correct one? Some mailers would say the first, some would
say the 2nd. So instead of ignoring the issue, Q-S blocks it. Again,
hand-written mailing-list software has been known to produce such broken
mail. Block it, report it, make them fix it. People are reasonable about
this: if you ask "why do you have end-of-line characters in the middle of
your headers", they invariably answer: "Ooops!"

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
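
The two checks described in the message above (stray CR/NUL inside the header block, and more than one Content-Type with differing values), sketched as an added example. This is not qmail-scanner's own code; the function names and the sample messages are constructed for illustration.

```python
import re

# Constructed sample messages (raw bytes as they would arrive over SMTP).
FAKE_EOL = (b"X-Faked: text\rContent-Type: application/octet-stream\r\n"
            b"From: A Baddie\r\n\r\nbody\r\n")
DUP_CTYPE = (b"Content-Type: text/plain\r\n"
             b"Content-Type: audio/mp3\r\n\r\nbody\r\n")
CLEAN = (b"From: someone@example.org\r\n"
         b"Content-Type: text/plain;\r\n\tcharset=us-ascii\r\n\r\nbody\r\n")

def header_block(raw: bytes) -> bytes:
    """Return everything before the first blank line (CRLF or bare LF)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw[:m.start()] if m else raw

def check_headers(raw: bytes) -> list[str]:
    """Return the reasons a message would be rejected; empty list means pass."""
    reasons = []
    head = header_block(raw)
    if b"\x00" in head:
        reasons.append("NUL in headers")
    # A CR is only legitimate as the first half of CRLF.
    if re.search(rb"\r(?!\n)", head):
        reasons.append("bare CR in headers")
    # Unfold continuation lines, then split on real line endings only,
    # so a bare CR never creates a "new" header the way a lenient mailer might.
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)
    ctypes = set()
    for line in re.split(rb"\r?\n", unfolded):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-type":
            ctypes.add(value.strip().lower())
    if len(ctypes) > 1:
        reasons.append("conflicting Content-Type headers")
    return reasons

if __name__ == "__main__":
    for label, msg in [("fake EOL", FAKE_EOL), ("dup type", DUP_CTYPE),
                       ("clean", CLEAN)]:
        print(label, "->", check_headers(msg) or "accept")
```

The folded Content-Type in the clean sample passes because folding uses a real line ending followed by whitespace; only a CR that is not part of CRLF is flagged.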