On 5-10-17 09:43, Michael Fox wrote:
> I'm trying to understand what triggers the setting of $SuspiciousCharsInHeaders and $SuspiciousCharsInBody? All I can find are circular definitions that vaguely mention possible exploits. But no specifics are given. Before I use either of these, I'd like to understand better what constitutes "suspicious" in both cases.

In both header and body, a CR that is *NOT* followed by a LF is considered "suspicious". In the body, a NUL character is also considered suspicious.

> Do you bounce every message for which $SuspiciousCharsInHeaders is true?

Yes, we have been bouncing those for over a decade. No complaints so far. But it doesn't match a lot of messages (a handful each day out of a few million). And it occasionally also matches some seemingly "legitimate" messages that simply aren't formatted properly.

> How about every message for which $SuspiciousCharsInBody is true?

Tried that briefly and turned it off again. Can't remember why, probably because of false positives (that was in 2004). We currently ignore suspicious characters in body, don't even log it.

--
Jan-Pieter Cornet <[email protected]>
"Any sufficiently advanced incompetence is indistinguishable from malice." - Grey's Law
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
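
The rule described in the reply above (bare CR in headers or body, NUL in body), written out as an added example; it is not MIMEDefang's own code and not part of the original thread. The function names, the sample messages and the `decide` policy wrapper (bounce on header hits, ignore body hits, as the reply describes) are assumptions made for illustration.

```python
import re

# Rule as stated in the reply: a CR not followed by LF (a CR as the last byte counts).
BARE_CR = re.compile(rb"\r(?!\n)")
# Headers end at the first empty line; accept CRLF or bare-LF line endings.
HEADER_END = re.compile(rb"\r?\n\r?\n")


def scan_message(raw: bytes) -> dict:
    """Return byte offsets (relative to each part) of the suspicious characters."""
    m = HEADER_END.search(raw)
    headers, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    return {
        "headers_bare_cr": [x.start() for x in BARE_CR.finditer(headers)],
        "body_bare_cr": [x.start() for x in BARE_CR.finditer(body)],
        "body_nul": [i for i, byte in enumerate(body) if byte == 0],
    }


def decide(raw: bytes) -> str:
    """Policy from the reply: bounce on header hits, ignore body hits."""
    return "bounce" if scan_message(raw)["headers_bare_cr"] else "accept"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "clean": b"From: a@example.test\r\nSubject: hi\r\n\r\nline one\r\n",
    "bare CR in header": b"From: a@example.test\r\nSubject: hi\rX-Note: 1\r\n\r\nbody\r\n",
    "NUL in body": b"From: a@example.test\r\n\r\nbin\x00ary\r\n",
    "bare CR in body": b"From: a@example.test\n\nold-mac line\rnext\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {decide(raw):7} {scan_message(raw)}")
```
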

