Do partial messages bypass SMTP Content Protection?


Question

There have been numerous reports that SMTP Content Checking can potentially be bypassed by using the ability of certain mail clients to split email messages into smaller chunks for onward distribution.

This is most often done where the sending client is on a slow connection and sends a message in smaller fragments. The message is then "stitched" back together by the receiving mail client.

This means that if the original message contains malicious content, that content may not be detected by SMTP Content Protection software, because the individual parts of the message do not in themselves constitute malicious content. The content only becomes malicious when all of the constituent parts of the message are re-assembled.

Answer

Gordano has been aware of the potential of this type of attack for some considerable time. Properly configured, the SMTP Content checking features within Gordano’s software will automatically protect against any attempt to attack a server with similarly composed malicious content.

Gordano does not re-assemble such messages to check the combined content, as re-assembly is designed to be done by a client and not a server. The server simply processes the messages it is asked to process, i.e. the individual segments.

It is, however, straightforward to stop the SMTP server from accepting such content and thus provide full protection to the mail clients.

If you are using Restricted Word checking then simply add the text "message/partial;" (without the quotes) to the restricted word filter on the server.

If you are not using the restricted word filter, or would prefer another method of detecting such messages, it is possible to use an EOM MML script to find and detect them. The following script is an example of how this could be done.

if (emailX-MMLScript == "")
{
   if (LSFind(emailContent-Type, "message/partial;", "	"))
   {
      action = 2;
      parameter = "550 Partial content not allowed";
   }
}
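
The same Content-Type test expressed outside MML, as an added example that is not Gordano's code: a Python check that parses only the message headers and refuses anything whose top-level type is message/partial. The function names and both sample messages are constructed for illustration, and the X-MMLScript condition from the script above is not modelled.

```python
from email.parser import HeaderParser
from email.policy import default

REJECT = (550, "Partial content not allowed")  # reply used by the script above

# Constructed sample: fragment 1 of 2 of a split message. The media type is
# mixed-case and the header is folded; both are legal and must still match.
FRAGMENT = (
    "From: sender@example.com\r\n"
    "To: rcpt@example.com\r\n"
    "Subject: quarterly report\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: Message/Partial;\r\n"
    '\tid="abc123@example.com"; number=1; total=2\r\n'
    "\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "first half of the original body\r\n"
)

# Constructed sample: ordinary message that only mentions the type in its body.
ORDINARY = (
    "From: sender@example.com\r\n"
    "To: rcpt@example.com\r\n"
    "Subject: question about message/partial;\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Does the server accept message/partial; content?\r\n"
)


def partial_info(raw):
    """Return the fragment parameters if the message is message/partial, else None."""
    # Headers only: the fragment body is never interpreted or re-assembled.
    msg = HeaderParser(policy=default).parsestr(raw)
    if msg.get_content_type() != "message/partial":  # parser lower-cases the type
        return None
    return {name: msg.get_param(name) for name in ("id", "number", "total")}


def smtp_verdict(raw):
    """Return (code, text) to refuse the message, or None to accept it."""
    return REJECT if partial_info(raw) is not None else None


if __name__ == "__main__":
    for label, raw in (("fragment", FRAGMENT), ("ordinary", ORDINARY)):
        print(label, smtp_verdict(raw), partial_info(raw))
```

Logging the id, number and total values alongside the refusal makes it possible to see which sender attempted a split delivery and how many fragments it declared.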

Keywords: SMTP Content Protection partial mime
