OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Exploit-Dev Archives: Re: [Fwd: Netscape mail client error]

Re: [Fwd: Netscape mail client error]

Blue Boar (BlueBoarTHIEVCO.COM)
Fri, 19 Nov 1999 22:26:14 -0800

 dolemitewuli.nu wrote:

> Email records are often important but I would hope most
> self-respecting admins would bother to log such things on
> the smtp server rather than just looking at the dates on the
> msg. Furthermore I believe there is probably more
> information on the header of the email which would probably
> show some non quasi-dates.

Yup. For the last few e-mail based attacks, I've seen someone post a
procmail rule that will trap it.

In this case, mail servers can absolutely catch this type of problem before
it hits clients. All that has to be done is to look for valid date/time
ranges. It would probably also be smart to check that a piece of e-mail
doesn't claim to be too old or too new. For example, you might not want to
let in mail that claims to be more than a month or a year old or some
such. You probably don't want to let in e-mail that claims to be more than
two days in the future.

The same goes for most of the standard fields... mail admins should
typically not expect a to: or from: field more than, say 200 characters or
some other relatively low number.

So, I expect this line of thought (fooling with date fields and such) will
come up with something more interesting than the annoyance I've posted.
Clueful admins have an opportunity here to be proactive.

If folks know of MTAs that can deal with the above, or if procmail users
want to post rules that catch these, please post them.

                                                        BB

This archive was generated by hypermail 2.0b3 on Sat Nov 20 1999 - 00:26:42 CST