Sendmail filter rule to stop Outlook exploit
from Koos van den Hout

Also on http://www.cetis.hvu.nl/~koos/outlookoverflow.txt with tabs in the
right places :)

#
# this is a filter to make sendmail reject messages with Date: headers
# that are too long. This is used in the latest Outlook exploit.
#
# You NEED:
# - a sendmail that understands regex maps. I had to specially compile this
#   into 8.11 ! Add to sendmail-8.11.0/devtools/Site/site.config.m4
#   define(`confMAPDEF',`-DMAP_REGEX') and rebuild from scratch
#
# The filter simply rejects messages with a date header longer (total!)
# than 60 chars
#
# Then add this part to your .mc file in the different areas and regenerate
# your .cf file
#
# 2000-07-21 Originally written
#
# if you cut and paste this:
# tabs are in use in the '^R' lines
#
# Koos van den Hout
# http://www.cetis.hvu.nl/~koos/
# http://www.virtualbookcase.com/
#

LOCAL_CONFIG
Klinetoolong regex -a@MATCH ^.{60,}$

LOCAL_RULESETS
HDate: $>+CheckDate

SCheckDate
R$*		$: $(linetoolong $1 $)
R@MATCH		$#error $: 553 Date Header too long error
R$*		$@ OK

--
Koos van den Hout,           PGP keyid RSA/1024 0xCA845CB5 via keyservers
koos@kzdoos.xs4all.nl             or DSS/1024 0xF0D7C263              -?)
Fax +31-30-2817051    Visit my site about books with reviews          /\\
http://www.cetis.hvu.nl/~koos/    http://www.virtualbookcase.com/    _\_V


quick Postfix check for Outlook date exploit
from Mark Lastdrager

Hi,

With a little help from Koos van den Hout I made a small header_check for
Postfix to prevent people from exploiting the latest Outlook bug. A quick
test shows it works but don't come complaining when it doesn't ;-)

In your main.cf put this line:

header_checks = regexp:/etc/postfix/header_checks

(path depends on where your postfix config lives)

In header_checks put:

/^Date:.{60,}$/ REJECT

This will reject messages with a date line longer than 60 chars. Don't
forget postfix reload ;-)

Mark Lastdrager
Pine Internet
--
email: mark@lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010
http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
Today's excuse: because of network lag due to too many people playing deathmatch
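
Added example, not part of either post: a Python check that applies the pattern from the header_checks line above to constructed sample messages, to see what the 60-character threshold accepts and rejects before the rule goes live. The function names and all sample messages are made up for this example; joining a folded header into one line by dropping the line break is this example's simplification of how a mail server sees a multi-line header.

```python
import re

# Pattern from the header_checks line above: 60 or more characters after "Date:".
# IGNORECASE mirrors the default of Postfix regexp tables.
DATE_TOO_LONG = re.compile(r"^Date:.{60,}$", re.IGNORECASE)

def logical_headers(raw: bytes):
    """Yield each header of a raw message as one unfolded line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    current = None
    for line in head.split("\r\n"):
        if current is not None and line[:1] in (" ", "\t"):
            current += line  # continuation line of a folded header
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current

def verdict(raw: bytes) -> str:
    """Return "REJECT" if any header matches the Date length rule, else "OK"."""
    if any(DATE_TOO_LONG.search(h) for h in logical_headers(raw)):
        return "REJECT"
    return "OK"

def message(date_line: str, body: str = "test") -> bytes:
    """Build a constructed sample message around one Date header line."""
    text = f"From: sender@example.org\r\n{date_line}\r\nSubject: test\r\n\r\n{body}\r\n"
    return text.encode("latin-1")

GOOD_DATE = "Date: Fri, 21 Jul 2000 10:15:00 +0200"
SAMPLES = {  # all constructed for this example
    "normal": message(GOOD_DATE),
    "zone_comment": message(GOOD_DATE + " (W. Europe Daylight Time)"),
    "overlong": message(GOOD_DATE + "0" * 80),
    "folded": message("Date: Fri, 21 Jul 2000 10:15:00\r\n\t+0200" + "0" * 80),
    "lowercase": message("date: " + "x" * 70),
    "long_line_in_body": message(GOOD_DATE, body="Date: " + "x" * 70),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {verdict(raw)}")
```

The zone_comment sample is the one to watch on real traffic: a Date header carrying a long time-zone comment sits only a couple of characters under the threshold.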