Brent Clark wrote:
> Hi Rick
> 
> Will you be willing to share your Exim and SA rules / code?
> So that the community can benefit from your finding and work.
> 

Pretty standard exim acl.
The DataWhitelisted portion is calculated from several other items, so that
would be up to you if you even wanted to whitelist anything. The
AddSuspectHeader is a flag used in various parts of the delivery, as is the
message that is added as a header as well. If the Suspicious header is
added to an email, the end user cannot release it from quarantine on their
own, and the portion of the message they can see has been sanitized and disarmed
(html, scripting and links disarmed and obfuscated).

warn  log_message = [DATA] FOUND UTF-7 CONTENT-TYPE : ${sg{$h_Content-Type:}{\N\n.*\N}{}}
      # skip messages that earlier ACL logic has already whitelisted
      condition = ${if !eq {yes}{${lc:$acl_m_DataWhiteListed}}}
      # only test when a Content-Type header is present
      condition = ${if def:h_Content-Type:}
      # a text/html part that declares charset=utf-7 (header lowercased first)
      condition = ${if match{${lc:$h_Content-Type:}}{\Ntext\/html; charset=utf-7\N}}
      # flags consumed later in delivery: quarantine and the suspect header text
      set acl_c_AddSuspectHeader = yes
      set acl_c_SuspectMsg = ${sg{$acl_c_SuspectMsg}{\NNONE(\s{0,}:)?\N}{}}:UTF-7 BODY HIDING SOMETHING


> Regards
> Brent Clark
> 
> On 2020/05/05 20:00, Rick Cooper wrote:
>> Henrik K wrote:
>>> On Tue, May 05, 2020 at 12:51:36PM -0400, Rick Cooper wrote:
>>>> We received a couple emails yesterday that barely got caught and
>>>> when I looked at them they should have hit big time. As I looked it
>>>> would appear the body parts are encoded quoted-printable utf-7.
>>>> Apparently SA doesn't handle utf-7?
>>>> 
>>>> I added $self->{'decoded'} = Encode::decode("UTF-7",
>>>> $self->{'decoded'}); just before the decoded body is returned in
>>>> Node.pm and the body rules hit again including some quick tests I
>>>> put together.
>>>> 
>>>> Is ignoring utf-7 intentional or is this a new spammer tactic? The
>>>> actual email messages are rendered perfectly through outlook and
>>>> our webmail application.
>>> 
>>> If I remember right, normalize_charset 1 will handle this just
>>> fine. At least in trunk/4.0.
>>> 
>>> In any case, UTF-7 mails can be blocked on sight, no one uses it
>>> legitimately.
>> 
>> Bingo, that does it. And yes, I added a check for utf-7 to exim and
>> add a header that causes emails to be quarantined and marked so
>> users cannot release or view them on their own.
>> 
>> Thanks
>> 
>> Rick
