Detecting Spam: Types of Mail Vulnerability Errors

E-Mail: General Topics

E-mail first passes through our perimeter routers, where it meets its first layer of virus protection. It then reaches our perimeter gateway, where we apply selective greylisting, tarpitting and recipient validation. It is then passed to the server farm, where it is examined by two more anti-virus applications and a Zero Hour antivirus database is consulted; the message is then run through tests that review the sending server, tests that review the mail route taken, tests that review how the message was assembled, and tests for common mail vulnerabilities. After that the message goes through a round of internal tests, a number of public and private RBL lists are consulted, and then the message content is examined. The message syntax is compared against a number of filters, and links within the message are compared against URIBL lists.

Then the mail is delivered to your inbox.  We work pretty hard to deliver your mail, don't we?

This list enumerates some of the common vulnerabilities we look for.


Each entry gives the vulnerability name, its type (Mail Client or Mail Server), and a description.

CLSID Vulnerability (Mail Client):

This vulnerability occurs when an E-mail attachment uses a 'CLSID' as its file extension. A CLSID is a long string that identifies a particular program (such as Notepad), and using a CLSID in place of a standard file extension causes Windows to open the file with the program the CLSID identifies. Windows does not display the CLSID extension, so a file with an innocent-looking name such as "cutedog.jpg" could cause another program to run.

Conflicting Encoding Vulnerability (Mail Server):

This vulnerability occurs when the headers of an E-mail claim that two or more different encoding types are used. A MIME segment can only be encoded in one way, so if more than one encoding type is listed, it is possible that the mailserver virus scanner and the mail client will use different decoding methods on the E-mail. If this happens, a virus could bypass virus scanning on the mailserver.

Outlook 'Blank Folding' Vulnerability (Mail Server):

This vulnerability occurs when there is a line in the headers with just a single space or a single tab character. Outlook can treat this as the end of the headers, allowing it to see a virus that is embedded in the headers. RFC2822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab (note that it is OK to have a line with a single space or tab in the E-mail body, just not the headers).

Outlook 'Boundary Space Gap' Vulnerability (Mail Server):

This vulnerability occurs when there is a space or tab in the MIME boundary. This is not RFC-compliant, but Outlook will treat it as valid and be able to see a virus that virus scanners will not usually see. There is no legitimate reason for an E-mail to be formed like this.

Outlook 'CR' Vulnerability (Mail Server):

This vulnerability occurs when an E-mail contains a single 'CR' character within the E-mail headers (as opposed to a 'CR' followed by an 'LF', which is used to end a line in SMTP). Outlook can treat this as the end of the headers, which would allow Outlook to see a virus that was embedded in the headers. RFC2822 2.2 says that CR and LF characters cannot appear alone in the headers. Also, there is no legitimate reason for an E-mail to contain a lone 'CR' in the headers.

Outlook 'Long Boundary' Vulnerability (Mail Server):

This vulnerability occurs when an E-mail has a MIME boundary that is longer than allowed by the RFCs. Outlook may see a virus when a virus scanner will not. There is no legitimate reason for an E-mail to be sent like this.

Outlook 'Long Filename' Vulnerability (Mail Client):

This vulnerability occurs when an E-mail has an attachment whose name is longer than 256 characters. When this occurs, it is possible for Outlook not to see the correct file extension, causing Outlook to think that a dangerous E-mail is actually safe.

Outlook 'MIME header' Vulnerability (Mail Client):

This vulnerability occurs when certain safe MIME types are used, but a potentially dangerous file type is attached. Outlook may execute the attachment automatically, without looking at its file extension. There is no legitimate reason for an E-mail to be sent like this, and a number of viruses use this vulnerability.

Outlook 'MIME segment in MIME postamble' Vulnerability (Mail Server):

This vulnerability occurs when what looks like a MIME segment appears after the end of the MIME body (specifically, a MIME segment with a boundary other than the one specified appears in the MIME postamble). Outlook may see this as an attachment. Although technically valid, there is no legitimate reason for an E-mail to be sent like this.

Outlook 'MIME segment in MIME preamble' Vulnerability (Mail Server):

This vulnerability occurs when what looks like a MIME segment appears before it should (specifically, a MIME segment with a boundary other than the one specified appears in the MIME preamble). Outlook may see this as an attachment. Although technically valid, there is no legitimate reason for an E-mail to be sent like this.

Outlook 'Space Gap' Vulnerability (Mail Server):

This vulnerability occurs when there is a space in one of the MIME headers where there is not normally a space (such as "Content-Type :" instead of "Content-Type:"). This is not RFC-compliant, but Outlook will treat it as valid and be able to see a virus that virus scanners will not usually see. There is no legitimate reason for an E-mail to be formed like this.

Partial (Fragmented) Vulnerability (Mail Server):

This vulnerability occurs when one E-mail is split into separate parts, each in a separate E-mail. Although this is legal, it will bypass virus scanners, and therefore will likely soon be deprecated.
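To show what these checks amount to in practice, here is an added Python illustration (not the provider's own filter code) that applies the structural rules from the entries above to the raw bytes of a message and reports which ones it trips. It makes a few assumptions that the page does not state: the "longer than allowed by the RFCs" boundary limit is taken from RFC 2046 (70 characters), the 256-character filename limit is the one the page gives, the preamble/postamble rule is a heuristic (a line starting with "--" plus a Content-Type field outside the real parts), and the CLSID in the sample message is a made-up placeholder. The sample messages are constructed for the example and carry only harmless text.

```python
import re

MAX_BOUNDARY_LEN = 70    # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters long
MAX_FILENAME_LEN = 256   # the limit the page gives for the Outlook 'Long Filename' case
# a Windows CLSID used as the file "extension", i.e. name.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
CLSID_RE = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PARAM_RE = re.compile(rb'(?i)\b(boundary|filename|name)\s*=\s*(?:"([^"]*)"|([^;\s]+))')


def split_message(raw):
    """Split at the first CRLF CRLF, which is where a strict parser ends the header block."""
    idx = raw.find(b"\r\n\r\n")
    return (raw, b"") if idx < 0 else (raw[:idx], raw[idx + 4:])


def fields(block):
    """Yield (name, value) per unfolded header field; the name keeps any trailing whitespace."""
    for line in re.sub(rb"\r\n[ \t]+", b" ", block).split(b"\r\n"):  # RFC 5322 2.2.3 unfolding
        name, sep, value = line.partition(b":")
        if sep:
            yield name, value


def check_headers(block, where):
    """Checks that apply to any header block, top level or inside a MIME part."""
    found = []
    if re.search(rb"\r(?!\n)", block):                                  # Outlook 'CR'
        found.append(("lone CR", where))
    if any(line in (b" ", b"\t") for line in block.split(b"\r\n")):    # Outlook 'Blank Folding'
        found.append(("blank folding", where))
    encodings = {v.strip().lower() for n, v in fields(block)
                 if n.strip().lower() == b"content-transfer-encoding"}
    if len(encodings) > 1:                                              # Conflicting Encoding
        found.append(("conflicting encoding", where))
    for name, value in fields(block):
        if name != name.rstrip():                                       # Outlook 'Space Gap'
            found.append(("space gap", where))
        if (name.strip().lower() == b"content-type"
                and value.strip().lower().startswith(b"message/partial")):  # Partial (Fragmented)
            found.append(("partial message", where))
        for m in PARAM_RE.finditer(value):
            pval = (m.group(2) if m.group(2) is not None else m.group(3)).decode(errors="replace")
            if m.group(1).lower() == b"boundary":
                if len(pval) > MAX_BOUNDARY_LEN:                        # Outlook 'Long Boundary'
                    found.append(("long boundary", where))
                # the page's rule flags any space or tab (RFC 2046 does permit internal
                # spaces in a quoted boundary, so a site may prefer to flag only tabs)
                if " " in pval or "\t" in pval:                         # Outlook 'Boundary Space Gap'
                    found.append(("boundary space gap", where))
            else:                                                       # name= or filename=
                if len(pval) > MAX_FILENAME_LEN:                        # Outlook 'Long Filename'
                    found.append(("long filename", where))
                if CLSID_RE.search(pval):                               # CLSID
                    found.append(("CLSID extension", where))
    return found


def boundary_of(block):
    """The top-level multipart boundary, or None if the message is not multipart."""
    for name, value in fields(block):
        if name.strip().lower() == b"content-type":
            m = re.search(rb'(?i)boundary\s*=\s*(?:"([^"]*)"|([^;\s]+))', value)
            if m:
                return m.group(1) if m.group(1) is not None else m.group(2)
    return None


def looks_like_segment(region):
    """Heuristic: a '--something' line plus a Content-Type field where no part should be."""
    return bool(re.search(rb"(?im)^--\S", region) and re.search(rb"(?im)^content-type\s*:", region))


def scan(raw):
    """Return [(check name, location), ...] for one raw message with CRLF line endings."""
    headers, body = split_message(raw)
    found = check_headers(headers, "top-level headers")
    boundary = boundary_of(headers)
    if boundary is None:
        return found
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary)   # chunks[0] is the preamble
    if looks_like_segment(chunks[0]):                        # 'MIME segment in MIME preamble'
        found.append(("segment in preamble", "before first boundary"))
    for i, chunk in enumerate(chunks[1:], 1):
        if chunk.startswith(b"--"):                          # closing delimiter; the rest is postamble
            if looks_like_segment(chunk[2:]):                # 'MIME segment in MIME postamble'
                found.append(("segment in postamble", "after closing boundary"))
            break
        part_headers, _ = split_message(chunk.lstrip(b"\r\n"))
        found += check_headers(part_headers, f"part {i} headers")
    return found


# constructed sample messages; the CLSID below is a made-up placeholder, not a real one
CLEAN = (b"From: a@example.com\r\nTo: b@example.com\r\nMIME-Version: 1.0\r\n"
         b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
         b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1--\r\n")
BAD_HEADERS = (b'From: a@example.com\r\nContent-Type : multipart/mixed; boundary="b 1"\r\n'
               b"Content-Transfer-Encoding: 7bit\r\nContent-Transfer-Encoding: base64\r\n"
               b" \r\nSubject: split\rhere\r\n\r\nbody\r\n")
LONG_B = b"x" * 80
BAD_PARTS = b"".join([
    b"Content-Type: multipart/mixed; boundary=", LONG_B, b"\r\n\r\n",
    b"--other\r\nContent-Type: text/plain\r\n\r\nin preamble\r\n",
    b"--", LONG_B, b"\r\nContent-Type: application/octet-stream; ",
    b'name="cutedog.jpg.{11111111-2222-3333-4444-555555555555}"\r\n',
    b'Content-Disposition: attachment; filename="', b"a" * 300, b'.txt"\r\n\r\nZGF0YQ==\r\n',
    b"--", LONG_B, b"--\r\n--other\r\nContent-Type: text/plain\r\n\r\nin postamble\r\n",
])
PARTIAL = b'Content-Type: message/partial; id="abc"; number=1; total=2\r\n\r\nfragment\r\n'
```

Calling scan(CLEAN) returns an empty list, while scan(BAD_HEADERS) reports the lone CR, blank folding, conflicting encoding, space gap and boundary space gap cases, scan(BAD_PARTS) reports the long boundary, CLSID extension, long filename and the segments in the preamble and postamble, and scan(PARTIAL) reports the partial message. The point of splitting at the first CRLF CRLF and unfolding exactly as the RFC describes is that the checker sees the message the way a strict scanner does, and each finding marks a place where a more forgiving client could see something else.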

