[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails

To: "Josh L. Perrymon" <joshuaperrymon@xxxxxxxxx>
Subject: Re: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails
From: Valdis.Kletnieks@xxxxxx
Date: Wed, 19 Jul 2006 09:00:59 -0400

On Wed, 19 Jul 2006 14:00:50 +1000, "Josh L. Perrymon" said:

> X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY --

The first error message..

> RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW:
> Latin  alphabet text using base64 encodi:

and the second..

> Content-type: multipart/alternative; boundary=HTMLDEMO44bc3b28b4ba5

OK so far...

> --HTMLDEMO44bc3b28b4ba5

And the *starting* boundary..

> Content-Type: text/html; charset=ISO-8859-1

I'll get back to this..

> Content-Transfer-Encoding: base64
> 
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+DQpEdWUgdG8gcmVjZW50IHNl
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+Y3Vy
> (snipped)
> cm8uZ292LmF1IDxicj4NCg0KDQo=
> 
> < end full >

Umm.. An *ending* boundary would be considered at least *polite*. Actually,
required by the RFCs.  So the first error message is in fact correct.

I haven't actually *decoded* the text, and can't due to the "(snipped)",
but I'm willing to bet that the second complaint is that it's tagged with
charset=ISO-8859-1 when in fact all the text contained therein is actually
US-ASCII. RFC2046, section 4.1.2:

   In general, composition software should always use the "lowest common
   denominator" character set possible.  For example, if a body contains
   only US-ASCII characters, it SHOULD be marked as being in the US-
   ASCII character set, not ISO-8859-1, which, like all the ISO-8859
   family of character sets, is a superset of US-ASCII.  More generally,
   if a widely-used character set is a subset of another character set,
   and a body contains only characters in the widely-used subset, it
   should be labelled as being in that subset.  This will increase the
   chances that the recipient will be able to view the resulting entity
   correctly.

So again, the message is quite likely being impolite again.  And this is
the sort of impoliteness that spammers like to abuse.  And I believe that
even Microsoft MUAs are able to get this one right these days, so there's
really no excuse for anybody except a spammer.. ;)

Attachment: pgp8xz4xrjIM9.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails
  - From: Josh L. Perrymon

Prev by Date: [Full-disclosure] [USN-319-2] Linux kernel vulnerability
Next by Date: [Full-disclosure] DELL Hardware KeyLogger??
Previous by thread: Re: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails
Next by thread: Re: FW: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofedmails
Index(es):
- Date
- Thread