Full Disclosure mailing list archives

Re: Symantec 3300 E-mail Gateway dropping spoofed mails


From: Valdis.Kletnieks () vt edu
Date: Wed, 19 Jul 2006 09:00:59 -0400

On Wed, 19 Jul 2006 14:00:50 +1000, "Josh L. Perrymon" said:

> X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY --

The first error message..

> RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW:
> Latin  alphabet text using base64 encodi:

and the second..

> Content-type: multipart/alternative; boundary=HTMLDEMO44bc3b28b4ba5

OK so far...

> --HTMLDEMO44bc3b28b4ba5

And the *starting* boundary..

> Content-Type: text/html; charset=ISO-8859-1

I'll get back to this..

> Content-Transfer-Encoding: base64
>
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+DQpEdWUgdG8gcmVjZW50IHNl
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+Y3Vy
> (snipped)
> cm8uZ292LmF1IDxicj4NCg0KDQo=
>
> < end full >

Umm.. An *ending* boundary would be considered at least *polite*. Actually,
required by the RFCs.  So the first error message is in fact correct.

I haven't actually *decoded* the text, and can't due to the "(snipped)",
but I'm willing to bet that the second complaint is that it's tagged with
charset=ISO-8859-1 when in fact all the text contained therein is actually
US-ASCII. RFC2046, section 4.1.2:

   In general, composition software should always use the "lowest common
   denominator" character set possible.  For example, if a body contains
   only US-ASCII characters, it SHOULD be marked as being in the US-
   ASCII character set, not ISO-8859-1, which, like all the ISO-8859
   family of character sets, is a superset of US-ASCII.  More generally,
   if a widely-used character set is a subset of another character set,
   and a body contains only characters in the widely-used subset, it
   should be labelled as being in that subset.  This will increase the
   chances that the recipient will be able to view the resulting entity
   correctly.

So again, the message is quite likely being impolite again.  And this is
the sort of impoliteness that spammers like to abuse.  And I believe that
even Microsoft MUAs are able to get this one right these days, so there's
really no excuse for anybody except a spammer.. ;)
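
The two conditions discussed in this message, as an added example that is not part of the original post or of any vendor's filter: a Python check that a multipart message ends with its closing `--boundary--` delimiter and that a part holding only US-ASCII bytes is not labelled with a larger charset. The function name, finding strings and the sample message (boundary `DEMOBOUNDARY1`) are constructed for illustration.

```python
import base64
import re

def check_message(raw):
    """Return findings for one raw multipart message (headers plus body)."""
    m = re.search(r'boundary="?([^";\s]+)', raw, re.IGNORECASE)
    if not m:
        return []
    delim = "--" + m.group(1)
    parts, current, closed = [], None, False
    for line in raw.splitlines():
        if line.rstrip() == delim + "--":   # RFC 2046 close-delimiter
            closed = True
            break
        if line.rstrip() == delim:          # start of the next body part
            current = []
            parts.append(current)
        elif current is not None:
            current.append(line)
    findings = [] if closed else ["missing-closing-boundary"]
    for lines in parts:
        blank = lines.index("") if "" in lines else len(lines)
        headers = "\n".join(lines[:blank]).lower()
        body = "".join(lines[blank + 1:])
        cs = re.search(r'charset="?([^";\s]+)', headers)
        charset = cs.group(1) if cs else "us-ascii"
        if "content-transfer-encoding: base64" in headers:
            try:
                data = base64.b64decode(body, validate=True)
            except ValueError:
                findings.append("undecodable-base64")
                continue
        else:
            data = body.encode("utf-8")
        # RFC 2046 4.1.2: a body holding only US-ASCII SHOULD be labelled US-ASCII
        if charset != "us-ascii" and all(b < 0x80 for b in data):
            findings.append("ascii-labelled-as-" + charset)
    return findings

# Constructed sample: one base64 HTML part, no closing delimiter.
PAYLOAD = base64.b64encode(b"Attention Email Users,<br>\r\n").decode()
SAMPLE_BAD = "\n".join([
    "Content-Type: multipart/alternative; boundary=DEMOBOUNDARY1",
    "",
    "--DEMOBOUNDARY1",
    "Content-Type: text/html; charset=ISO-8859-1",
    "Content-Transfer-Encoding: base64",
    "",
    PAYLOAD,
])
```
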
