Archive: September 2002 ml@sikurezza.org
Subject: Re: Bypassing SMTP Content Protection with a Flick of a Button (fwd)
From: Luca Berra
Date: 13 Sep 2002 11:17:35 -0000
On Thu, Sep 12, 2002 at 05:36:35PM +0200, Francesco Toscan wrote:
>
>
>---------- Forwarded message ----------
>Date: Thu, 12 Sep 2002 15:45:03 +0200
>From: Aviram Jenik <aviram@beyondsecurity.com>
>To: bugtraq@securityfocus.com
>Subject: Bypassing SMTP Content Protection with a Flick of a Button

since it's going around, I'm attaching the reply I sent him.
I don't know whether it will make it onto bugtraq, since I poke fun at symantec :(

-- 
Luca Berra -- bluca@comedia.it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \


On Thu, Sep 12, 2002 at 03:45:03PM +0200, Aviram Jenik wrote:
>  Bypassing SMTP Content Protection with a Flick of a Button
.....
>Impact:
>Anyone wishing to bypass SMTP filtering engines can utilize the
>mentioned method to bypass most types of content checking, and deliver
>its payload to the end-client without any trouble, whether it is a
>Virus, Trojan or a file type that is not allowed by the corporate
>policy.
This is just another way(TM) of bypassing smtp content filtering,
encrypted messages (S/MIME, PGP) and passworded archives are another.

The correct way of dealing with these is to check at endpoints so have
an antivirus on each possibly vulnerable client system
[or start building less vulnerable client systems :)))]
and using smtp filtering only for scrubbing most of the junk.
(this means no dearchiving and such stuff)

Another way of dealing with this is blocking these kinds of messages at
the filtering router, which may or may not be desirable since we risk
blocking legit content and is always vulnerable to MUAs implementing
yet another way(TM) to confuse the filter.

>A vendor solution to this vulnerability would be to include a
>reassembling agent at the server that will not allow any non-reassembled
>message to traverse through it.

if we thought that doing tcp reassembly on a firewall could become a risk
for DOS, just wait until someone implements this :)))

>Vendor response - Check Point:
this part is really ridiculous, worth a read (not the checkpoint
response, the others that follow)
Is symantec really blocking all multipart/ messages when most OE are
configured for sending multipart/alternative by default?

L.

P.S. a plea, please world stop configuring your antiviruses for
notifying the sender that you received a virus, i am annoyed of
receiving notifications that you blocked a klez i never sent you.

L.

-- 
Luca Berra -- bluca@comedia.it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \



________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
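
An added example, not part of the original mail or of any vendor's product: a gateway-side triage that marks messages the filter cannot inspect, next to the blanket "block all multipart/" rule the reply questions. It assumes the advisory's "non-reassembled" messages are MIME message/partial fragments (RFC 2046); the OPAQUE list, the function names and both sample messages are constructed for illustration.

```python
from email import message_from_string

# Assumed policy list: content types a gateway scanner cannot inspect in transit.
OPAQUE = {
    "message/partial": "fragment of a split message (RFC 2046)",
    "multipart/encrypted": "PGP/MIME encrypted body (RFC 3156)",
    "application/pkcs7-mime": "S/MIME enveloped or opaque-signed body",
}

def classify(raw):
    """Return ('defer', reasons) if any part is opaque to the gateway, else ('scan', [])."""
    reasons = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in OPAQUE:
            reasons.append(f"{ctype}: {OPAQUE[ctype]}")
    return ("defer" if reasons else "scan"), reasons

def blanket_multipart_block(raw):
    """The coarse rule questioned in the reply: reject any top-level multipart/."""
    return message_from_string(raw).get_content_maintype() == "multipart"

# Constructed samples (not taken from the thread).
ALTERNATIVE = (
    "From: a@example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: text/html\n\n<p>hello</p>\n"
    "--b1--\n"
)
PARTIAL = (
    "From: a@example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: message/partial; id="constructed-1@example.com";'
    " number=1; total=2\n"
    "\n"
    "Content-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "AAAA\n"
)

if __name__ == "__main__":
    for name, raw in (("alternative", ALTERNATIVE), ("partial", PARTIAL)):
        print(name, classify(raw), "blanket rule blocks:", blanket_multipart_block(raw))
```

The blanket rule rejects the ordinary multipart/alternative mail and lets the fragment through, while the per-type triage leaves the first to normal scanning and marks only the second for endpoint checking.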


