On Wed, 6 Dec 2017, Kevin A. McGrail wrote:

On 12/6/2017 4:27 AM, Frido Otten wrote:
 Yesterday I saw this message that a bug in mail clients allows sender
 spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read
 about it. More information about it here: https://www.mailsploit.com/index

 I was thinking that there might be a possibility to detect this in
 spamassassin to protect our users against this. Something with the
 newline character or null byte in the FROM header, but I'm not that
 handy with it. Has someone of you maybe already created a rule?

My understanding of it was from Jan-Pieter Cornet's post on the MIMEDefang list.  In short, it involves RFC2047 MIME encoding of headers with control characters.  The demo shows issues with Nul but that's not the only control character.

Something like this:

header    __KAM_MAILSPLOIT1   From =~ /[\0]/
describe    __KAM_MAILSPLOIT1    RFC2047 Exploit https://www.mailsploit.com/index

And a paired rule for \n looking for maxhits.  Beyond that, what's a good control character regex?

From memory (sorry, in a meeting):  [\x00-\x19]


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Tomorrow: The 76th anniversary of Pearl Harbor
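The check the thread is circling around, written out as an added example (not code from this thread, SpamAssassin or the mailsploit author): decode the RFC 2047 encoded-words in a From header and then look for control characters in the decoded result. The sample headers and the message below are constructed for the example; the control range used (the full C0 block \x00-\x1f plus DEL) and the list of scanned headers are this example's own assumptions. The example also shows why a scanner has to decode first: in the raw header the null byte is only the printable text `=00`, so a regex over the undecoded line never sees it.

```python
import email
import email.header
import re

# Assumption of this example: treat the whole C0 control block plus DEL as
# characters that have no business in a decoded From header.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Headers worth checking for sender-spoofing tricks (example's own choice).
SENDER_HEADERS = ("From", "Sender", "Reply-To")


def decode_rfc2047(value: str) -> str:
    """Decode all RFC 2047 encoded-words in a header value into one str."""
    parts = []
    for chunk, charset in email.header.decode_header(value):
        if isinstance(chunk, bytes):
            # Unknown or missing charset: fall back to ASCII but never raise,
            # a scanner must not be crashable by a malformed header.
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def find_control_chars(header_value: str) -> list:
    """Return the control characters present after RFC 2047 decoding."""
    return CONTROL_RE.findall(decode_rfc2047(header_value))


def is_suspicious_from(header_value: str) -> bool:
    """True when the decoded header carries any control character."""
    return bool(find_control_chars(header_value))


def scan_message(raw_message: str) -> dict:
    """Map each sender header that decodes to control chars onto the chars found."""
    msg = email.message_from_string(raw_message)
    hits = {}
    for name in SENDER_HEADERS:
        for value in msg.get_all(name, []):
            found = find_control_chars(value)
            if found:
                hits.setdefault(name, []).extend(found)
    return hits


# Constructed sample headers: one clean, one with an encoded NUL, one with an
# encoded newline (the two characters the thread mentions).
CLEAN_HEADER = '"Alice Example" <alice@example.com>'
NUL_HEADER = "=?utf-8?Q?Alice=00Example?= <alice@example.com>"
NEWLINE_HEADER = "=?utf-8?Q?Bob=0AExample?= <bob@example.com>"

# Constructed sample message carrying the NUL header.
SAMPLE_MESSAGE = (
    "From: " + NUL_HEADER + "\r\n"
    "To: bob@example.com\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for label, hdr in (("clean", CLEAN_HEADER), ("nul", NUL_HEADER), ("newline", NEWLINE_HEADER)):
        raw_hit = CONTROL_RE.search(hdr) is not None
        print(f"{label}: raw regex hit={raw_hit}, decoded controls={find_control_chars(hdr)!r}")
    print("message scan:", scan_message(SAMPLE_MESSAGE))
```

Running it prints no raw-regex hit for any of the three headers, while the decoded check reports `'\x00'` for the second and `'\n'` for the third; `scan_message` reports the From header of the sample message. The point for rule writers is the same one the thread makes: the match has to happen on the decoded header value, and the NUL from the demo is only one of the control characters an encoded-word can smuggle in.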
