Detecting non 7bit headers

  • Pat
    Message 1 of 4, Oct 29, 2011
      Is there a way to detect non-7bit headers such that they can be flagged for
      post-queue filtering? Postfix' header_checks (with or without PCRE) would be ideal
      but I'd like to know if this is doable in Spamassassin or Amavisd-new as well.

      Before I get labeled an ASCII bigot the problem is security. Certain smart phones
      are susceptible to viruses and trojans passed via non-ASCII email headers.
      Javascript seems to be the language of choice for these exploits but it is not the
      only way to target email clients. The main problem is that no smartphones are yet
      designed with good security. A secondary problem is the sending of non-RFC
      compliant 7 bit clean headers. My preferred solution would be tagging for
      evaluation but a web search has turned up nothing straightforward.

      Pat
    • Bennett Todd
      Message 2 of 4, Oct 29, 2011

        I'm an unapologetic ASCII bigot, at least in this space. It isn't just smartphones, it's been years since folks found unicode homographs (?), code points off in the weeds that look similar to ASCII characters, and started registering internationalized domain names (IDNs) for links to fool people into going to malicious sites.

        I have all due respect for i18n given that I'm an English-speaker and can't read any other language, but getting i18n completely correct in complex user interfaces seems to be at least a little tricky, and end user interaction with email header data seems to be a tricky place.

        If this problem has been adequately solved and I'm just an ignorant old bigot, I'm hopeful that someone here will correct me.

      • Dusan Obradovic
        Message 3 of 4, Oct 29, 2011

          On Sat, 2011-10-29 at 18:42 +0000, Pat wrote:
          > Is there a way to detect non-7bit headers such that they can be flagged for
          > post-queue filtering?  Postfix' header_checks (with or without PCRE) would be ideal
          > but I'd like to know if this is doable in Spamassassin or Amavisd-new as well.
          >
          > Before I get labeled an ASCII bigot the problem is security.  Certain smart phones
          > are susceptible to viruses and trojans passed via non-ASCII email headers.
          > Javascript seems to be the language of choice for these exploits but it is not the
          > only way to target email clients.  The main problem is that no smartphones are yet
          > designed with good security.  A secondary problem is the sending of non-RFC
          > compliant 7 bit clean headers.  My preferred solution would be tagging for
          > evaluation but a web search has turned up nothing straightforward.
          >
          > Pat

          AFAIK amavisd-new is doing bad header checks by default, which can be disabled by @bypass_header_checks_maps.
        • Whit Blauvelt
          Message 4 of 4, Oct 29, 2011
            You can do it, but you'll run into unexpected problems. For instance, my
            boss accesses Exchange from OSX. The client he uses spontaneously sets the
            headers to Asian character sets at times. It was _not_ good that my Postfix
            header checks were bouncing his mail back to him then. I've also seen some
            bulletin boards, where the language is English, nonetheless send ISO headers
            in, for instance, their confirmation emails. Also not good.

            Whit

            On Sat, Oct 29, 2011 at 02:42:34PM -0400, Pat wrote:
            > Is there a way to detect non-7bit headers such that they can be flagged for
            > post-queue filtering? Postfix' header_checks (with or without PCRE) would be ideal
            > but I'd like to know if this is doable in Spamassassin or Amavisd-new as well.
            >
            > Before I get labeled an ASCII bigot the problem is security. Certain smart phones
            > are susceptible to viruses and trojans passed via non-ASCII email headers.
            > Javascript seems to be the language of choice for these exploits but it is not the
            > only way to target email clients. The main problem is that no smartphones are yet
            > designed with good security. A secondary problem is the sending of non-RFC
            > compliant 7 bit clean headers. My preferred solution would be tagging for
            > evaluation but a web search has turned up nothing straightforward.
            >
            > Pat
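
The check discussed in this thread, as an added example that is not part of any post above: it unfolds the header block of a raw message, separates headers carrying raw 8-bit bytes from headers that use 7-bit-clean RFC 2047 encoded-words, and produces a tag instead of a reject. The tag header name `X-Header-8bit` and the sample message are constructed for illustration.

```python
import re

# RFC 2047 encoded-word: the 7-bit-clean way to carry non-ASCII text in a header.
ENCODED_WORD = re.compile(rb"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")

def split_headers(raw: bytes):
    """Return unfolded (name, value) pairs from the header block of a raw message."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]   # stop at first blank line
    fields = []
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b" " + line.strip()             # continuation line: unfold
        elif line:
            fields.append(line)
    return [tuple(p.strip() for p in f.partition(b":")[::2]) for f in fields]

def classify(raw: bytes):
    """Map header name -> 'raw-8bit' or 'encoded-word' for headers worth a look."""
    findings = {}
    for name, value in split_headers(raw):
        key = name.decode("ascii", "replace")
        if any(b > 0x7F for b in name + value):
            findings[key] = "raw-8bit"        # bytes outside 7-bit ASCII in the header
        elif ENCODED_WORD.search(value):
            findings[key] = "encoded-word"    # 7-bit clean, non-ASCII once decoded
    return findings

def tag_line(raw: bytes) -> str:
    """Build a tagging header for later evaluation (header name is hypothetical)."""
    hits = sorted(k for k, v in classify(raw).items() if v == "raw-8bit")
    return "X-Header-8bit: " + (", ".join(hits) if hits else "none")

# Constructed sample: one raw 8-bit Subject, one encoded-word, one folded 8-bit header.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: caf\xc3\xa9 menu\r\n"
    b"X-Note: =?UTF-8?B?Y2Fmw6k=?=\r\n"
    b"Comment: folded\r\n\t line with \xe9\r\n"
    b"\r\n"
    b"Body with \xe9 is not a header.\r\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(tag_line(SAMPLE))
```

Only the `raw-8bit` class corresponds to headers that are not 7-bit clean; encoded-word headers are reported separately so they can be scored on their own rather than rejected.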