May 8, 2020, 3:38 AM
Post #7 of 10
Thanks so much Rick
Much appreciated.
Regards
Brent Clark
On 2020/05/07 19:41, Rick Cooper wrote:
> Brent Clark wrote:
>> Hi Rick
>>
>> Will you be willing to share your Exim and SA rules / code?
>> So that the community can benefit from your finding and work.
>>
>
> Pretty standard Exim ACL.
> The DataWhitelisted portion is calculated from several other items, so that
> would be up to you if you even wanted to whitelist anything. The
> AddSuspectHeader is a flag used in various parts of the delivery, as is the
> message that is added as a header as well. If the Suspicious header is
> added to an email, the end user cannot release it from quarantine on their
> own, and the portion of the message they can see has been sanitized and disarmed
> (html, scripting and links disarmed and obfuscated).
>
> # log the offending Content-Type, cut at the first header continuation line
> warn log_message = [DATA] FOUND UTF-7 CONTENT-TYPE : ${sg{$h_Content-Type:}{\N\n.*\N}{}}
>      # skip anything already whitelisted earlier in the ACL
>      condition   = ${if !eq {yes}{${lc:$acl_m_DataWhiteListed}}}
>      # only when a Content-Type header exists at all
>      condition   = ${if def:h_Content-Type:}
>      # literal match; a charset spelled differently (quotes, spacing, text/plain) would not hit
>      condition   = ${if match{${lc:$h_Content-Type:}}{\Ntext\/html; charset=utf-7\N}}
>      set acl_c_AddSuspectHeader = yes
>      # replace a placeholder "NONE:" prefix, then append this reason
>      set acl_c_SuspectMsg = ${sg{$acl_c_SuspectMsg}{\NNONE(\s{0,}:)?\N}{}}:UTF-7 BODY HIDING SOMETHING
>
>
>> Regards
>> Brent Clark
>>
>> On 2020/05/05 20:00, Rick Cooper wrote:
>>> Henrik K wrote:
>>>> On Tue, May 05, 2020 at 12:51:36PM -0400, Rick Cooper wrote:
>>>>> We received a couple emails yesterday that barely got caught and
>>>>> when I looked at them they should have hit big time. As I looked it
>>>>> would appear the body parts are encoded quoted-printable utf-7.
>>>>> Apparently SA doesn't handle utf-7?
>>>>>
>>>>> I added $self->{'decoded'} = Encode::decode("UTF-7",
>>>>> $self->{'decoded'}); just before the decoded body is returned in
>>>>> Node.pm and the body rules hit again including some quick tests I
>>>>> put together.
>>>>>
>>>>> Is ignoring utf-7 intentional or is this a new spammer tactic? The
>>>>> actual email messages are rendered perfectly through outlook and
>>>>> our webmail application.
>>>>
>>>> If I remember right, normalize_charset 1 will handle this just
>>>> fine. At least in trunk/4.0.
>>>>
>>>> In any case, UTF-7 mails can be blocked on sight, no one uses it
>>>> legitimately.
>>>
>>> Bingo, that does it. And yes, I added a check for utf-7 to Exim and
>>> added a header that causes emails to be quarantined and marked so
>>> users cannot release or view them on their own.
>>>
>>> Thanks
>>>
>>> Rick
>
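The script below is an added example and not code from this thread, Rick's Exim setup, or SpamAssassin. It reproduces the mechanism the thread describes with a constructed message (text/html, charset=utf-7, quoted-printable): a body rule that looks for a hypothetical phrase "free prize" misses the body when only the transfer encoding is undone, and hits once the declared charset is decoded as well, which is what normalize_charset gets you. It also includes a header check in the spirit of the Exim ACL, generalised a little beyond the ACL's literal string: any media type, any case, optional quotes around the charset value. All names and the sample message are constructed for the example.

```python
"""Added example: why a UTF-7 body slips past byte-level body rules, and the
two defences discussed in the thread (decode the declared charset before
matching; flag charset=utf-7 in Content-Type). Not code from the thread."""
import base64
import quopri
import re
from email import message_from_string
from email.message import Message

# Hypothetical body-rule phrase; stands in for whatever a real body rule matches.
BODY_RULE = re.compile(r"free prize", re.IGNORECASE)


def utf7_shift_all(text: str) -> bytes:
    """Encode every character as one UTF-7 shift sequence: '+' base64(UTF-16BE) '-'.
    RFC 2152 permits this even for plain ASCII, which is what hides the words from
    a regex run on the raw bytes. Python's own utf-7 encoder leaves ASCII as-is,
    so it would not show the effect; the decoder accepts either form."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii").rstrip("=")
    return b"+" + b64.encode("ascii") + b"-"


def build_sample() -> str:
    """Constructed message in the shape the thread describes:
    text/html, charset=utf-7, quoted-printable transfer encoding."""
    html = "<html><body>You have won a free prize, click here</body></html>"
    body = quopri.encodestring(utf7_shift_all(html)).decode("ascii")
    return (
        "From: sender@example.invalid\n"
        "To: rcpt@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/html; charset=utf-7\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n" + body
    )


def body_after_transfer_decoding(msg: Message) -> bytes:
    """What a scanner sees after undoing only quoted-printable (no charset step)."""
    return msg.get_payload(decode=True)


def body_after_charset_decoding(msg: Message) -> str:
    """The same body after also honouring the declared charset."""
    charset = msg.get_content_charset() or "us-ascii"
    return body_after_transfer_decoding(msg).decode(charset, errors="replace")


def declares_utf7_header(content_type: str) -> bool:
    """Header check in the spirit of the Exim ACL, generalised: any media type,
    any case, optional quotes around the charset value."""
    return re.search(r'charset\s*=\s*"?utf-7"?', content_type, re.IGNORECASE) is not None


def declares_utf7(msg: Message) -> bool:
    return declares_utf7_header(msg.get("Content-Type", ""))


def analyse(raw: str) -> dict:
    """Run the body rule both ways and the header check on one raw message."""
    msg = message_from_string(raw)
    raw_body = body_after_transfer_decoding(msg).decode("ascii", errors="replace")
    text = body_after_charset_decoding(msg)
    return {
        "rule_hits_without_charset_decoding": BODY_RULE.search(raw_body) is not None,
        "rule_hits_with_charset_decoding": BODY_RULE.search(text) is not None,
        "declares_utf7": declares_utf7(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(f"{key}: {value}")
```

Running it prints False for the rule without charset decoding, True with it, and True for the header check; the first two lines are the gap Rick saw, the third is the signal his ACL keys on.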