How can I reject malformed MIME messages?
Malformed MIME content is often used to try to bypass the ability of anti-virus software to correctly identify viruses in messages. I would like to be able to reject messages that contain malformed MIME content to further protect my server from potential threats. How do I do this?
The latest release of GMS Anti-Spam can look for and reject messages that contain malformed MIME content. A new variable, MessageQualityMask, has been introduced to control this behaviour. It can be set at both System and Domain levels and holds a bitmask of values corresponding to the table below.
| Value | Defect |
|---|---|
| 0 | Message lines not terminated by CRLF |
| 1 | Message line length exceeds RFC2822 limits |
| 2 | Attachment name is too long |
| 3 | Suspicious attachment name |
| 4 | CLSID in attachment name |
| 5 | UUEncode begin in subject |
| 6 | UUEncode begin incomplete |
| 7 | UUEncode data with blank lines |
| 8 | UUEncode data with spaces |
| 9 | UUEncode data line too long |
| 10 | UUEncode data invalid |
| 11 | UUEncode data invalid decode |
| 12 | Base64 encoding of inline text |
| 13 | Base64 data invalid |
| 14 | Base64 data invalid length |
| 15 | Base64 data has leading "=" signs |
| 16 | Base64 data has too many "=" signs |
| 17 | Base64 data after end of decode |
| 18 | Base64 data line too long |
| 19 | Binhex data in text section |
| 20 | Binhex data invalid |
| 21 | MIME no final boundary |
| 22 | 8 bit characters in header field |
| 23 | MIME partial message fragment |
| 24 | MIME invalid fieldname format |
| 25 | MIME invalid message/rfc822 content type |
| 26 | MIME comment detected |
| 27 | MIME Prologue Data detected |
| 28 | HTML CID link detected |

This list is likely to be expanded as new vulnerabilities are discovered.
For example, to reject messages containing MIME sections with "Message lines not terminated by CRLF" and with "CLSID in attachment name", you would need to set both bit 1 and bit 5 on; that is, set the variable to a value of 34 (100010 in binary).
From build 3136 onwards, these options can be configured from the Message Quality section of the GMS Anti-Spam interface. Prior to build 3136, there is no configuration interface for this facility, so the variable must be set via the Support > System or Support > Domain variables pages.
This facility is not available on systems running VSM.
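To show what a few of the defects in the table look like on the wire, the following added example (not GMS code, and not how GMS Anti-Spam implements its checks) tests raw message bytes for five of them. The function name `find_defects`, the detection rules and both sample messages are assumptions made for illustration.

```python
import re

RFC2822_MAX_LINE = 998  # max characters per line, excluding CRLF (RFC 2822, 2.1.1)

def find_defects(raw):
    """Return the set of table descriptions that apply to raw message bytes."""
    defects = set()
    # A bare LF, a bare CR, or an unterminated last line breaks CRLF framing.
    if re.search(rb"(?<!\r)\n|\r(?!\n)", raw) or not raw.endswith(b"\r\n"):
        defects.add("Message lines not terminated by CRLF")
    lines = re.split(rb"\r\n|\r|\n", raw)
    if any(len(line) > RFC2822_MAX_LINE for line in lines):
        defects.add("Message line length exceeds RFC2822 limits")
    # Headers run up to the first empty line; the rest is the body.
    end = lines.index(b"") if b"" in lines else len(lines)
    headers, body = lines[:end], [l.rstrip() for l in lines[end + 1:]]
    if any(byte > 0x7F for line in headers for byte in line):
        defects.add("8 bit characters in header field")
    m = re.search(rb'boundary="?([^";\r\n]+)"?', b"\r\n".join(headers), re.I)
    if m:
        delim = b"--" + m.group(1)
        # A multipart body must close with "--boundary--".
        if delim + b"--" not in body:
            defects.add("MIME no final boundary")
        # Non-blank text before the first delimiter is prologue data.
        first = body.index(delim) if delim in body else len(body)
        if any(body[:first]):
            defects.add("MIME Prologue Data detected")
    return defects

# Constructed sample messages (not taken from the article).
CLEAN = (b"From: a@example.com\r\nSubject: hi\r\nMIME-Version: 1.0\r\n"
         b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
         b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1--\r\n")
MALFORMED = (b"From: a@example.com\nSubject: caf\xe9\r\n"
             b"Content-Type: multipart/mixed; boundary=b1\r\n\r\n"
             b"hidden text\r\n--b1\r\nContent-Type: text/plain\r\n\r\n"
             + b"A" * 1200 + b"\r\n")

if __name__ == "__main__":
    print(sorted(find_defects(CLEAN)))
    print(sorted(find_defects(MALFORMED)))
```

The checks work on raw bytes rather than a parsed message because a tolerant MIME parser silently repairs exactly the irregularities being looked for.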
Keywords: reject malformed mime messages x-defects defects defect