Message-Id: <200607191300.k6JD0xCu013608@turing-police.cc.vt.edu>
Date: Wed, 19 Jul 2006 09:00:59 -0400
From: Valdis.Kletnieks@...edu
To: "Josh L. Perrymon" <joshuaperrymon@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Symantec 3300 E-mail Gateway dropping spoofed mails

On Wed, 19 Jul 2006 14:00:50 +1000, "Josh L. Perrymon" said:
> X-NAI-Spam-Report: 2 Rules triggered * 1.8 -- MIME_MISSING_BOUNDARY --
The first error message..
> RAW: MIME section missing boundary * 0.5 -- MIME_BASE64_LATIN -- RAW:
> Latin alphabet text using base64 encodi:
and the second..
> Content-type: multipart/alternative; boundary=HTMLDEMO44bc3b28b4ba5
OK so far...
> --HTMLDEMO44bc3b28b4ba5
And the *starting* boundary..
> Content-Type: text/html; charset=ISO-8859-1
I'll get back to this..
> Content-Transfer-Encoding: base64
>
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+DQpEdWUgdG8gcmVjZW50IHNl
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+Y3Vy
> (snipped)
> cm8uZ292LmF1IDxicj4NCg0KDQo=
>
> < end full >
Umm.. An *ending* boundary would be considered at least *polite*. Actually,
required by the RFCs. So the first error message is in fact correct.
I haven't actually *decoded* the text, and can't due to the "(snipped)",
but I'm willing to bet that the second complaint is that it's tagged with
charset=ISO-8859-1 when in fact all the text contained therein is actually
US-ASCII. RFC2046, section 4.1.2:

    In general, composition software should always use the "lowest common
    denominator" character set possible. For example, if a body contains
    only US-ASCII characters, it SHOULD be marked as being in the US-ASCII
    character set, not ISO-8859-1, which, like all the ISO-8859 family of
    character sets, is a superset of US-ASCII. More generally, if a
    widely-used character set is a subset of another character set, and a
    body contains only characters in the widely-used subset, it should be
    labelled as being in that subset. This will increase the chances that
    the recipient will be able to view the resulting entity correctly.

So again, the message is quite likely being impolite again. And this is
the sort of impoliteness that spammers like to abuse. And I believe that
even Microsoft MUAs are able to get this one right these days, so there's
really no excuse for anybody except a spammer.. ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
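
The two problems the reply points out (no closing boundary, and US-ASCII text in base64 labelled ISO-8859-1) can be checked with Python's standard `email` parser. This is an added example, not part of the original post and not the gateway's rule implementation; the function names, finding labels and the sample message are constructed for illustration.

```python
import base64
import email
from email import errors

def audit_mime(raw):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        # The stdlib parser records an unterminated multipart as a defect
        # instead of failing; RFC 2046 requires the "--boundary--" line.
        if any(isinstance(d, errors.CloseBoundaryNotFoundDefect)
               for d in part.defects):
            findings.append("missing-close-boundary")
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        if not body or not body.isascii():
            continue  # empty, or genuinely needs more than US-ASCII
        charset = (part.get_content_charset() or "us-ascii").lower()
        if charset != "us-ascii":
            # RFC 2046 4.1.2: pure US-ASCII text SHOULD be labelled US-ASCII.
            findings.append("charset-wider-than-content:" + charset)
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte == "base64":
            findings.append("base64-for-ascii-text")
    return findings

def build_sample(text, charset, closed):
    """Constructed single-part multipart message shaped like the quoted one."""
    boundary = "HTMLDEMO-constructed"  # constructed value, not from the post
    lines = [
        "MIME-Version: 1.0",
        "Content-Type: multipart/alternative; boundary=" + boundary,
        "",
        "--" + boundary,
        "Content-Type: text/html; charset=" + charset,
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(text).decode("ascii"),
    ]
    if closed:
        lines.append("--" + boundary + "--")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")

if __name__ == "__main__":
    bad = build_sample(b"Attention Email Users,<br>\r\n", "ISO-8859-1", False)
    print(audit_mime(bad))
```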