Ever see one of these?--

To: Joe B <[email protected]<javascript:_e({}, 'cvml','[email protected]');>>

I changed the name and address, but otherwise this is what someone on Gmail sent to a user here. The envelope RCPT was evidently normal, as logged by sendmail, but when we re-sent it to an Exchange system (still with a normal RCPT), Exchange rejected the header.

This <http://stackoverflow.com/questions/14662296/javascript-cvml-in-an-email-address> gives a too-brief explanation of what it is.

It wouldn't be hard to remove with MimeDefang. I cannot find an example in my own voluminous mail from Gmail users, which has me wondering how rare it is. I wonder whether any email client would run javascript in a header line anyway. I'm considering writing it off as one weird case.

Joseph Brennan
Columbia University Information Technology
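
Added example, not part of the original post or of MIMEDefang itself: a `mimedefang-filter` fragment that strips the nested `<javascript:_e(...);>` residue from address headers so the header parses again downstream. The helper `strip_cvml`, the regex (built only from the one header quoted above) and the choice of To/Cc/Reply-To are assumptions; the sample address in the self-check is constructed.

```perl
use strict;
use warnings;

# Assumption: the residue always has the shape seen in the quoted header,
# "<javascript:_e( ... );>" nested after the real address.
my $CVML_RE = qr/<javascript:_e\([^<>]*\);?>/i;

# Return the cleaned header value, or undef when nothing had to change.
sub strip_cvml {
    my ($value) = @_;
    (my $clean = $value) =~ s/$CVML_RE//g;
    return $clean eq $value ? undef : $clean;
}

sub filter_end {
    my ($entity) = @_;
    my %seen;    # occurrence count per header name, used as the index

    # MIMEDefang writes the unfolded headers to ./HEADERS, one per line.
    open(my $fh, '<', './HEADERS') or return;
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $value) = $line =~ /^([^:\s]+):\s*(.*)$/ or next;
        my $idx = ++$seen{lc $name};
        next unless lc($name) =~ /^(?:to|cc|reply-to)$/;
        my $clean = strip_cvml($value);
        next unless defined $clean;
        # Log the rewrite so the rate of these headers can be measured.
        md_syslog('warning', "stripped javascript residue from $name header");
        action_change_header($name, $clean, $idx);
    }
    close($fh);
}

# Self-check when run directly with perl (skipped when loaded as a filter).
unless (caller) {
    # Constructed sample modelled on the header quoted above.
    my $bad = q{Joe B <joe@example.com<javascript:_e({}, 'cvml','joe@example.com');>>};
    my $fixed = strip_cvml($bad);
    die "unexpected result\n" unless $fixed eq 'Joe B <joe@example.com>';
    die "clean header was modified\n" if defined strip_cvml($fixed);
    print "$fixed\n";
}

1;
```

The syslog line gives a count of how often such headers arrive, which answers the "how rare is it" question from the mail logs.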

