On Wed, 6 Dec 2017, Kevin A. McGrail wrote:
> On 12/6/2017 4:27 AM, Frido Otten wrote:
>> Yesterday I saw this message that a bug in mail clients allows sender
>> spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read
>> about it. More information about it here: https://www.mailsploit.com/index
>> I was thinking that there might be a possibility to detect this in
>> SpamAssassin to protect our users against this. Something with the
>> newline character or null byte in the From header, but I'm not that
>> handy with it. Maybe one of you has already created a rule?
> My understanding of it was from Jan-Pieter Cornet's post on the MIMEDefang
> list. In short, it involves RFC2047 MIME encoding of headers with control
> characters. The demo shows issues with Nul but that's not the only control
> character.
> Something like this:
> header __KAM_MAILSPLOIT1 From =~ /[\0]/
> describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
> And a paired rule for \n looking for maxhits. Beyond that, what's a good
> control character regex?
From memory (sorry, in a meeting): [\x00-\x19]
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Tomorrow: The 76th anniversary of Pearl Harbor
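Added example (Python, not code from the thread or from SpamAssassin): it decodes the RFC 2047 encoded-words in a From header the way a default SpamAssassin `header From` rule sees it (decoded, as opposed to `From:raw`) and reports any control characters found, using the full C0 block plus DEL (minus HTAB) rather than the narrower [\x00-\x19] given above. The sample headers, names and addresses are constructed for the demonstration.

```python
import base64
import re
from email.header import decode_header

# Full C0 block plus DEL, minus HTAB (legitimate folding whitespace).
# Wider than the [\x00-\x19] suggested in the thread, which stops short
# of 0x1A-0x1F.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# RFC 5322 header folding: CRLF (or LF) followed by whitespace.
FOLD_RE = re.compile(r"\r?\n[ \t]")


def decode_from_header(raw: str) -> str:
    """Unfold the header, then decode every RFC 2047 encoded-word.

    This mirrors what a SpamAssassin `header From` rule matches against
    by default (decoded text), as opposed to `From:raw`.
    """
    unfolded = FOLD_RE.sub(" ", raw)
    parts = []
    for chunk, charset in decode_header(unfolded):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def control_chars_in_from(raw: str) -> list:
    """Return the control characters (as \\xNN escapes) hidden in a From header."""
    return [f"\\x{ord(c):02x}" for c in CONTROL_RE.findall(decode_from_header(raw))]


def is_suspicious_from(raw: str) -> bool:
    """True when the decoded From header carries any control character."""
    return bool(control_chars_in_from(raw))


def _encoded_word(text: str) -> str:
    # Helper to build a base64 RFC 2047 encoded-word for the constructed samples.
    return "=?utf-8?b?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


# Constructed samples (not taken from the Mailsploit demo): a benign non-ASCII
# display name, one whose encoded-word hides a NUL and a newline, and a
# legitimately folded header that must not trigger a false positive.
BENIGN_FROM = _encoded_word("Frido Ötten") + " <frido@example.org>"
SPOOFED_FROM = _encoded_word("ceo@example.com\x00\n") + " <attacker@example.net>"
FOLDED_FROM = "=?utf-8?q?Kevin?=\r\n =?utf-8?q?McGrail?= <kam@example.org>"

if __name__ == "__main__":
    for label, hdr in [("benign", BENIGN_FROM), ("spoofed", SPOOFED_FROM), ("folded", FOLDED_FROM)]:
        print(label, is_suspicious_from(hdr), control_chars_in_from(hdr))
```

The same check expressed as a SpamAssassin rule works because header rules see the decoded value; only a `From:raw` rule would need to look inside the base64 or quoted-printable text itself.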