There will be code to address this in revision 1.49, to be released
either today or tomorrow depending on my workload.
My approach is to simply defang all bare <CR> characters in the message
header, so Outlook will interpret the header like it should. If anyone
has a better idea, I'd be happy to hear it.
On 2002-02-13, 17:18:07 (-0500), Jim Rosenberg wrote:
> Bjarni, I don't know if you've seen this or not; I'm way behind on
> all my Internet mailing lists so I'm not sure if this has already
> come up on Anomy-list (this is a backchannel message.)
Actually, I subscribe to bugtraq and picked it up there. It hadn't
been mentioned on this list yet.
> Since Anomy is in perl I'd be *REALLY* surprised if it isn't
> vulnerable to these attacks; sounds like this is a way for an .exe to
> sneak right through anomy -- ouch.
Has little to do with being written in perl. :-)
> Take a look -- I haven't tested anything to see if this mechanism can
> sneak through Anomy -- I may try it from home tonight.
> -Thanks, Jim
> ------- Forwarded message follows -------
> This report is, in slightly modified form, also available on

--
Bjarni R. Einarsson    PGP: 02764305, B7A3AB89
firstname.lastname@example.org    -><-    http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
Spammers, please send plenty of email to: email@example.com
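
The following is an added example, not Anomy's code and not part of the message above, showing one way to defang bare CR characters in a message header while leaving the body untouched. It assumes that the mismatch is a client treating a bare CR as a line break, and that "defang" means replacing the CR with a space; the function names and the sample message are constructed for illustration.

```python
import re

# A "bare" CR is a CR that is not immediately followed by LF.
BARE_CR = re.compile(rb"\r(?!\n)")
# The header block ends at the first empty line (CRLF or LF line endings).
HEADER_END = re.compile(rb"\r?\n\r?\n")


def split_message(raw: bytes):
    """Return (header, separator, body); body is empty if there is no blank line."""
    m = HEADER_END.search(raw)
    if m is None:
        return raw, b"", b""
    return raw[:m.start()], m.group(0), raw[m.end():]


def defang_bare_cr(raw: bytes, replacement: bytes = b" "):
    """Replace bare CRs in the header only. Returns (message, number_replaced)."""
    header, sep, body = split_message(raw)
    fixed, count = BARE_CR.subn(replacement, header)
    return fixed + sep + body, count


def header_lines(header: bytes, cr_is_newline: bool):
    """Split a header block the way a strict parser does (CRLF/LF only),
    or the way a client that also breaks lines on a bare CR would (assumption)."""
    pattern = rb"\r\n|\n|\r" if cr_is_newline else rb"\r?\n"
    return re.split(pattern, header)


# Constructed sample: one header line contains a bare CR.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"X-Example: one\rX-Second: two\r\n"
    b"Subject: hi\r\n"
    b"\r\n"
    b"body line\rwith bare CR\r\n"
)

if __name__ == "__main__":
    before, _, _ = split_message(SAMPLE)
    print("strict view :", header_lines(before, cr_is_newline=False))
    print("lenient view:", header_lines(before, cr_is_newline=True))
    cleaned, n = defang_bare_cr(SAMPLE)
    after, _, _ = split_message(cleaned)
    print("replaced", n, "bare CR(s)")
    print("after defang:", header_lines(after, cr_is_newline=True))
```

Once the bare CR is replaced, both ways of splitting the header yield the same lines, so the filter and the client are looking at the same header.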