Content Dependent Processing
: Core Security, Elevation of Privilege
In an MTA, the body of a message should not be used for any purpose other than as message content. If messages can be sent to files and programs, and the files are overwritten with message content or the programs execute with message content as a parameter, then an abuser can send messages with malicious content and use this feature for his own benefit.
How can a mail program be made secure so that the message content cannot be used maliciously?
Treat the received contents as a mail message only and do not perform any processing on them. Even when programs and files are treated as addresses, minimize the impact by using a less-privileged user for execution.
In qmail, mail cannot be sent to a program or a file; a message only contains message content.
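The solution above as an added Python example (not part of the original catalog entry and not qmail's code): program and file targets are rejected when the sender supplies them, and program targets from administrator-owned configuration run without a shell, with the message on stdin, under a less-privileged account. The `|` and `/` prefixes follow the sendmail alias convention; the `nobody` account and all function names are assumptions.

```python
import subprocess

UNPRIVILEGED_USER = "nobody"  # assumption: least-privileged delivery account


def _normalize(target):
    """Strip whitespace and the optional quotes used around alias targets."""
    return target.strip().strip('"')


def classify(target):
    """Classify a target by the sendmail-style alias convention (assumed)."""
    t = _normalize(target)
    if t.startswith("|"):
        return "program"
    if t.startswith("/"):
        return "file"
    return "mailbox"


def plan_delivery(target, from_envelope):
    """Decide how a message is delivered.

    from_envelope=True: the target was chosen by the sender (envelope
    recipient). False: it comes from administrator-owned configuration.
    """
    kind = classify(target)
    if kind == "mailbox":
        return {"action": "mailbox", "to": _normalize(target)}
    if from_envelope:
        # A sender never gets to name a program or file as the destination.
        return {"action": "reject", "reason": kind + " address not accepted"}
    if kind == "file":
        # Append instead of overwrite, as the less-privileged user.
        return {"action": "append", "path": _normalize(target),
                "user": UNPRIVILEGED_USER}
    # argv is built from configuration only; message content never enters it.
    argv = _normalize(target)[1:].split()
    return {"action": "pipe", "argv": argv, "user": UNPRIVILEGED_USER}


def run_pipe(plan, message):
    """Run a 'pipe' plan: no shell, message bytes on stdin, reduced privileges.

    The user= argument needs Python 3.9+ and a caller allowed to switch users.
    """
    result = subprocess.run(plan["argv"], input=message, shell=False,
                            user=plan["user"], env={"PATH": "/usr/bin:/bin"},
                            timeout=30, check=False)
    return result.returncode
```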
Hafiz et al.
Mail Address, Mail Message Content
Last modified: May 05, 2012
and Maintained by: Munawar Hafiz