Bugtraq mailing list archives
FW: Bypassing SMTP Content Protection with a Flick of a Button
From: "Menashe Eliezer" <menashe () finjan com>
Date: Thu, 12 Sep 2002 20:13:02 +0200
First, I would like to point out that there are still users who use Outlook 2000. Outlook 2000 can also be used for sending and receiving such messages.

Finjan Software response:
Finjan Software products are not vulnerable. SurfinGate for E-Mail reassembles fragmented messages, and then performs security analysis and applies content management rules. SurfinShield is installed on end users' machines. It gets the reassembled message from the E-Mail client, and proactively monitors the behavior of active content included or attached to the E-Mail message.

BTW, CERT has approached Finjan Software, and we've replied. Beyond Security Ltd. probably hasn't yet received the response from CERT.

Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc
Prevention is the best cure!

-----Original Message-----
From: Aviram Jenik [mailto:aviram () beyondsecurity com]
Sent: Thursday, September 12, 2002 3:45 PM
To: bugtraq () securityfocus com
Subject: Bypassing SMTP Content Protection with a Flick of a Button

Bypassing SMTP Content Protection with a Flick of a Button
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/securitynews/5YP0A0K8CM.html

SUMMARY

Forget underground hacking tools. How about using Outlook Express as your attack platform? Beyond Security's SecurITeam has discovered a new method of bypassing many SMTP-based content filter engines. This discovery is alarming since it requires from the attacker nothing more than an Outlook Express client and employs a rarely-used feature called 'message fragmentation and re-assembly' that is available in Outlook Express. Using this feature, an attacker can send e-mails that will bypass most SMTP filtering engines including gateway Virus scanners, content filters, Firewalls that do SMTP checking, etc.

Impact:
Anyone wishing to bypass SMTP filtering engines can utilize the mentioned method to bypass most types of content checking, and deliver its payload to the end-client without any trouble, whether it is a Virus, Trojan or a file type that is not allowed by the corporate policy.

The information has been provided by <mailto:noamr () beyondsecurity com> Noam Rathaus, Beyond Security Ltd.

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

Know that you're safe:
http://www.AutomatedScanning.com
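The reassemble-then-analyze order described in the reply, as an added example that is not code from either vendor or from the original posts. It assumes the fragments are MIME message/partial parts (RFC 2046), which the thread does not name; the extension policy, addresses and sample message are constructed, and reassembly is simplified to joining fragment bodies in order.

```python
from email import message_from_string
from email.parser import HeaderParser

BLOCKED_EXT = (".exe", ".scr", ".pif", ".vbs")  # assumed site policy

def blocked_attachments(raw):
    """Attachment names in one raw message that the assumed policy forbids."""
    names = (part.get_filename() for part in message_from_string(raw).walk())
    return sorted(n for n in names if n and n.lower().endswith(BLOCKED_EXT))

class Reassembler:
    """Buffers message/partial fragments by id until every part has arrived."""
    def __init__(self):
        self.pending = {}  # id -> {"total": int or None, "parts": {number: body}}

    def feed(self, raw):
        """Return a complete message to scan, or None while parts are missing."""
        msg = HeaderParser().parsestr(raw)  # headers only, body kept as text
        if msg.get_content_type() != "message/partial":
            return raw
        frag_id, number, total = (msg.get_param(k) for k in ("id", "number", "total"))
        if not frag_id or not str(number).isdigit():
            raise ValueError("malformed fragment: quarantine, do not pass through")
        slot = self.pending.setdefault(frag_id, {"total": None, "parts": {}})
        slot["parts"][int(number)] = msg.get_payload()
        if total:  # RFC 2046 requires "total" only on the last fragment
            slot["total"] = int(total)
        if (n := slot["total"]) is None or set(slot["parts"]) != set(range(1, n + 1)):
            return None
        del self.pending[frag_id]
        return "".join(slot["parts"][i] for i in range(1, n + 1))

# Constructed sample: one message with a forbidden attachment, cut in two.
INNER = ('Subject: Q3 figures\nContent-Type: multipart/mixed; boundary="BOUND"\n\n'
         '--BOUND\nContent-Type: text/plain\n\nSee attached.\n'
         '--BOUND\nContent-Type: application/octet-stream\n'
         'Content-Disposition: attachment; filename="figures.exe"\n\n'
         'placeholder-bytes\n--BOUND--\n')
CUT = INNER.index("--BOUND\nContent-Type: application")
FRAGMENTS = [
    'From: sender@example.test\nContent-Type: message/partial; '
    f'id="constructed-1@example.test"; number={i}; total=2\n\n{body}'
    for i, body in enumerate((INNER[:CUT], INNER[CUT:]), start=1)]

def demo():
    gateway = Reassembler()
    held = gateway.feed(FRAGMENTS[1])  # out of order: nothing to scan yet
    whole = gateway.feed(FRAGMENTS[0])
    return [blocked_attachments(f) for f in FRAGMENTS], held, blocked_attachments(whole)
```

Scanning each fragment on its own finds nothing, while the same policy applied to the reassembled message flags the attachment. A production gateway would also bound the size and age of the pending buffer so that incomplete fragment sets cannot accumulate.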
