MIME Encoding Content Normalizer (SMTP gateway attacks counter-measures)

victor duchovni agreed for me to post what he employs to avoid such issues as the recent bypass attack against anti-virus gateway solutions.
this is in some ways similar to a limited application firewall for smtp, which is not spam specific and mime only. yes, i know, smtp application firewalls are the 4th buzzword down the road, give it a couple of years.

victor’s information:

i have a mime normalizer in front of the a/v engine. non-conformant
base64 entities are made conformant or neutered (super-encoded via qp
so that the user receives the base64 text itself as the entity payload).

--------
in:
ct: application/octet-stream
cd: attachment; filename=foo.dat
cte: base64

aa aa

out:
ct: application/octet-stream
cd: attachment; filename=foo.dat
cte: base64

aaaa
--------
in:
ct: application/octet-stream
cd: attachment; filename=foo.dat
cte: base64

aa<ctrl-a>aa

out:
ct: text/plain
cd: attachment; filename=mime-source.txt
cte: quoted-printable

=20aa=01aa
--------

solves all such problems before the vulnerability is found in the
a/v engine.

the mime normalizer does more, defending other possible
bypass scenarios, but i am not able to describe the full feature-set
at this time. it was written and deployed in dec 1999.

all the above is victor’s.

gadi evron,
ge@beyondsecurity.com.
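The two outcomes in victor's before/after samples (compact a conformant base64 entity into canonical form; neuter anything else into a quoted-printable text attachment named mime-source.txt) can be shown in a small Python normalizer. This is an added example, not victor's or gadi's code; the full header names, the 76-column wrap and the simplified quoted-printable rules are my assumptions. The point it demonstrates is the defensive property: the a/v engine and the user's mail client must never be able to decode the same entity differently, so anything outside the strict base64 grammar is handed to the user as inert text rather than as a binary.

```python
"""Toy MIME base64 normalizer in the spirit of the gateway described above.

Constructed example, not Viktor's code: header names, the 76-column wrap and
the simplified quoted-printable rules are my assumptions.
"""
import string
from typing import Dict, Optional, Tuple

B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/")
B64_WHITESPACE = " \t\r\n"   # tolerated between base64 characters, then dropped
MAX_LINE = 76                # RFC 2045 line-length limit for encoded bodies


def canonical_base64(body: str) -> Optional[str]:
    """Return body as compacted, re-wrapped base64, or None if it is not conformant.

    Conformant means: only alphabet characters plus whitespace, '=' padding only
    at the very end (at most two), and a total length that is a multiple of four.
    Anything else is where lenient and strict decoders disagree, so it is rejected.
    """
    compact = "".join(ch for ch in body if ch not in B64_WHITESPACE)
    payload = compact.rstrip("=")
    if len(compact) - len(payload) > 2 or len(compact) % 4:
        return None
    if any(ch not in B64_ALPHABET for ch in payload):
        return None
    return "\n".join(compact[i:i + MAX_LINE] for i in range(0, len(compact), MAX_LINE))


def qp_encode(data: bytes) -> str:
    """Minimal quoted-printable encoder (simplified RFC 2045 rules, my assumption).

    Printable ASCII except '=' passes through; everything else, plus trailing
    space/tab, becomes =XX. LF is kept as a hard break, long lines are soft-wrapped.
    """
    lines, line, n = [], "", len(data)
    for i, b in enumerate(data):
        if b == 0x0A:                                   # hard line break
            lines.append(line)
            line = ""
            continue
        if b == 0x0D and i + 1 < n and data[i + 1] == 0x0A:
            continue                                    # CR of a CRLF pair
        at_eol = i + 1 == n or data[i + 1] in (0x0A, 0x0D)
        if (33 <= b <= 126 and b != 0x3D) or (b in (0x20, 0x09) and not at_eol):
            token = chr(b)
        else:
            token = "=%02X" % b
        if len(line) + len(token) > MAX_LINE - 1:       # leave room for the '=' soft break
            lines.append(line + "=")
            line = ""
        line += token
    lines.append(line)
    return "\n".join(lines)


def normalize_entity(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Apply the two outcomes from the post: make conformant, or neuter to QP text.

    headers: canonical-case MIME header names -> values (assumption about the
    caller's parser). Non-base64 entities are passed through untouched.
    """
    if headers.get("Content-Transfer-Encoding", "").lower() != "base64":
        return headers, body
    canon = canonical_base64(body)
    if canon is not None:
        return headers, canon                           # 'aa aa' -> 'aaaa'
    neutered = dict(headers)
    neutered["Content-Type"] = "text/plain"
    neutered["Content-Disposition"] = "attachment; filename=mime-source.txt"
    neutered["Content-Transfer-Encoding"] = "quoted-printable"
    # The user receives the raw base64 text as a plain-text attachment, so no
    # downstream decoder ever turns the ambiguous bytes back into a binary.
    return neutered, qp_encode(body.encode("latin-1"))


if __name__ == "__main__":
    hdrs = {"Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment; filename=foo.dat",
            "Content-Transfer-Encoding": "base64"}
    for sample in ("aa aa", "aa\x01aa"):               # constructed inputs from the post
        out_hdrs, out_body = normalize_entity(hdrs, sample)
        print(out_hdrs["Content-Transfer-Encoding"], repr(out_body))
```

Run it and the first sample comes back as base64 `aaaa`, the second as a quoted-printable `text/plain` attachment whose body is `aa=01aa`. A real gateway would apply this per MIME part after a strict parse of the multipart structure; the strictness of `canonical_base64` is deliberate, since a decoder that "helpfully" skips stray bytes is exactly what a gateway and a client can disagree about.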

  • Softnum

    No link or information on techniques used to do this or a program to look at?