Telecom and Logistics Associates
Phone +41 22 328 14 88       Security news service

Solutions to NAME attacks in MIME Header
through Firewall-1

Author : Christian ALT: calt@tla.ch

Date : 31.7.98                             other security alerts can be found at http://www.tla.ch/alert

Attack description: an attachment whose file name in the MIME header is unusually long is sent to the victim. This passes through Firewall-1 undetected, because catching it is a matter of content checking, which the packet-level rules do not perform. Most sites will be vulnerable, since they have Firewall-1 rules of the type

source                  destination   service       action   log
any                     mail          SMTP          accept   long log

or rules of the type

source                  destination   service       action   log
group_internal_host     any           POP3 IMAP4    accept   long log


Vulnerable :    Outlook 98
                Outlook Express (v4.72.2106.4 & v4.72.3110.1)
                Netscape Mail (v4.05 & 4.5b1)
                Eudora Pro 3.05

By extension, Notes Server 4.5x with SMTP MTA 1.1 is also vulnerable to this form of attack.

Solutions: several solutions exist; either solve it centrally, or go to each client and patch every workstation.

1. Apply the Microsoft patch MS98-008 for Outlook 98 and Outlook Express.
    Netscape will release a patch in version 4.06 of Communicator.

2. A quick and effective countermeasure was proposed that avoids patching all clients, by using Procmail.
    Procmail is a mail filter program running on a Unix server or workstation.

    Installed on the mail path, it filters all incoming mail centrally and traps messages carrying the unwanted MIME header.

    Two references were given on Bugtraq to a filter written specifically for that purpose:

    http://www.wolfenet.com/~jhardin/procmail-kit.html
    http://www.wolfenet.com/~jhardin/html-trap.procmail
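The check such a filter has to make is simple in principle: measure the attachment name carried in the MIME headers and stop the message when it is abnormally long. The following Python script is an added illustration written for this page; it is not the alert's own material and not the procmail kit referenced above. It parses a message with the standard library, measures the filename= (or name=) parameter of every part, and returns a deliver/quarantine decision, the same decision a procmail recipe would take. The 200-character threshold is an assumption for the example, and the three messages are constructed samples, not captured traffic. The third sample shows why the reassembled parameter must be measured: a name split into RFC 2231 continuation pieces (filename*0=, filename*1=) on separate header lines looks like two short fragments to a filter that only inspects single lines.

```python
import email

# Assumed threshold (not from the original alert): ordinary attachment
# names are far shorter than this, so anything longer is treated as a
# candidate for the overlong-name attack described above.
MAX_NAME_LEN = 200


def overlong_attachment_names(raw_message: str, limit: int = MAX_NAME_LEN) -> list:
    """Return [(part_index, content_type, name_length), ...] for every MIME
    part whose attachment name exceeds `limit` characters."""
    msg = email.message_from_string(raw_message)
    findings = []
    for index, part in enumerate(msg.walk()):
        # get_filename() reads the Content-Disposition filename= parameter
        # and falls back to the Content-Type name= parameter. It also joins
        # RFC 2231 continuation pieces (filename*0=, filename*1=, ...), so a
        # name spread over several header lines is measured as a whole
        # rather than as harmless-looking fragments.
        name = part.get_filename()
        if name is not None and len(name) > limit:
            findings.append((index, part.get_content_type(), len(name)))
    return findings


def filter_decision(raw_message: str, limit: int = MAX_NAME_LEN) -> str:
    """'quarantine' if any attachment name is overlong, otherwise 'deliver'."""
    return "quarantine" if overlong_attachment_names(raw_message, limit) else "deliver"


def build_message(disposition_header: str) -> str:
    """Construct a minimal two-part MIME message carrying the given
    Content-Disposition header on its attachment part (sample data only)."""
    return (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n'
        "\r\n"
        "--XX\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "body text\r\n"
        "--XX\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"{disposition_header}\r\n"
        "\r\n"
        "ZGF0YQ==\r\n"
        "--XX--\r\n"
    )


# Constructed samples, not captured traffic.
CLEAN_MESSAGE = build_message('Content-Disposition: attachment; filename="report.txt"')

LONG_NAME = "A" * 300
LONG_MESSAGE = build_message(f'Content-Disposition: attachment; filename="{LONG_NAME}"')

# The same overlong name split into two RFC 2231 continuation parameters,
# each on its own folded header line: a filter that measures single lines
# sees two 150-character pieces and misses the 300-character whole.
SPLIT_MESSAGE = build_message(
    "Content-Disposition: attachment;\r\n"
    f' filename*0="{LONG_NAME[:150]}";\r\n'
    f' filename*1="{LONG_NAME[150:]}"'
)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("long", LONG_MESSAGE), ("split", SPLIT_MESSAGE)):
        print(label, filter_decision(raw), overlong_attachment_names(raw))
```

Run it directly to see the decision for each sample. On a real mail path the same check would sit where the alert puts procmail: on the mail server or on a Unix relay between the firewall and the internal server, so that every inbound message is examined once, centrally.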

Q.1 We have Unix expertise; how do we proceed?

A.1 Download procmail from the main Procmail site.

Download procmail-kit and html-trap.procmail from the two references above.

Follow the installation information that comes with them.

Q.2 Where shall I install procmail?

A.2 On the mail server.

Q.3 My mail server is something other than a UNIX server (Notes on NT, Exchange on NT, etc.)

A.3 If your mail server runs on an OS other than UNIX, you can install procmail on the firewall if that is running on UNIX, or you can set up a UNIX box between the firewall and the mail server as a relay host, using Linux for example.

Q.5 What about sendmail being accessed from outside?

A.5 Install the mail security server, which is part of Firewall-1. This function is similar to smap from fwtk and talks to the external world in place of sendmail. In any case this function should be the mail server visible from outside your company, relaying mail to your internal server.

Q.6 Our firewall runs on NT

A.6 Install the mail security server.
       Install a Linux box with procmail on it, allowing you to relay from the Firewall-1 security server to your internal mail server.

Q.7 We do not have Unix expertise

A.7 Maybe you can ask someone to help you.


TLAalert is a service of Telecom and Logistics Associates to inform our customers about security improvements at their sites. If you want to receive specific security information regarding your site, contact:

Comments to :

Telecom and Logistics Associates SARL , Contact: calt@tla.ch
10, Rue des Savoises CH-1205 Geneva, Phone & fax +41 22 328 14 88

Copyright © 1998 Telecom and Logistics Associates SARL
All brand names are trademarks or registered trademarks of their respective holders.