Lookout Express's partial messages are a security threat in themselves, because they may contain viruses and other dangerous content which can't be detected until the parts are reassembled.
Sensible admins will block them anyhow. Phil ---- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: Oliver Thalmann [mailto:[EMAIL PROTECTED] > Sent: 07 May 2004 12:49 > To: [EMAIL PROTECTED] > Subject: SA treats "partial messages" badly > > Hello, > > it looks like SA doesn't really like partial messages, like > those sent by outlook > > these messages have a header, for example > > Content-type: message/partial; number=2; > id="[EMAIL PROTECTED]"; > total=18 > > SA seems to consider what follows (which is a base64 part of > the full message) as text, so it applies any rules to it, > which can often hits bayes_99, bayes_90, large_hex, obfu, etc... > > known bug ? > > Would it be wise to implement a negative scoring rule to > offset those mismatches ? or would there be any drawbacks ? > > of course this rule should not match for a supposed partial > message with only one part : > > Content-type: message/partial; number=1; > id="[EMAIL PROTECTED]"; > total=1 > > Thank you > >
