Question
Malformed mime content is often used to try and bypass the ability of anti virus software to correctly identify viruses in messages. I would like to be able to reject messages that contain malformed mime content to further protect my server from potential threats. How do I do this?
Answer
The latest release of GMS Anti-Spam provides the ability to look for and reject messages that contain malformed mime content. A new variable has been introduced to control this behaviour called MessageQualityMask. The variable can be set at both System and Domain levels. This variable holds a bitmask of values corresponding to the table below.
| Bit | Value |
|---|---|
| 0 | Message lines not terminated by CRLF |
| 1 | Message line length exceeds RFC2822 limits |
| 2 | Attachment name is too long |
| 3 | Suspicious attachment name |
| 4 | CLSID in attachment name |
| 5 | UUEncode begin in subject |
| 6 | UUEncode begin incomplete |
| 7 | UUEncode data with blank lines |
| 8 | UUEncode data with spaces |
| 9 | UUEncode data line too long |
| 10 | UUEncode data invalid |
| 11 | UUEncode data invalid decode |
| 12 | Base64 encoding of inline text |
| 13 | Base64 data invalid |
| 14 | Base64 data invalid length |
| 15 | Base64 data has leading "=" signs |
| 16 | Base64 data has too many "=" signs |
| 17 | Base64 data after end of decode |
| 18 | Base64 data line too long |
| 19 | Binhex data in text section |
| 20 | Binhex data invalid |
| 21 | MIME no final boundary |
| 22 | 8 bit characters in header field |
| 23 | MIME partial message fragment |
| 24 | MIME invalid fieldname format |
| 25 | MIME invalid message/rfc822 content type |
| 26 | MIME comment detected |
| 27 | MIME Prologue Data detected |
| 28 | HMTL CID link detected |
| This list is likely to be expanded as new vulnerabilities are discovered | |
So for example, to reject messages containing mime sections where "Message lines not terminated by CRLF" and where "CLSID in attachment name" you would need to set both bit 1 and bit 5 on. That is set the variable to a value of 34 (100010 in binary).
From build 3136 onwards, these options can be configured from the Message Quality section of the GMS Anti-Spam interface. Prior to build 3136, there is no configuration interface for this facility, so the variable must be set via the Support > System or Support > Domain variables pages.
This facility is not available on systems running VSM.
See Also:
Keywords:reject malformed mime messages x-defects defects defect