Establishing Digital Trust: Don't Sacrifice Security for Convenience
The technique employs a rarely used Outlook Express feature called "message fragmentation and re-assembly" that allows users to split an SMTP-based mail message into multiple parts, the SecurITeam advisory says.
The feature is intended to enable users with lower-speed Internet connections, or with message size restrictions imposed by ISPs, to send large messages in multiple fragments. The recipient's email client reassembles the message, such that the recipient never knows it was fragmented.
Similarly, security tools won't know that the fragmented SMTP message is actually multiple parts of one whole. For example, if the sender ships out a virus in multiple parts, a virus scanner will fail to detect the virus signature, according to the SecurITeam.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i The company says any email filtering, anti-virus and content filtering mechanism that can't reassemble fragmented emails is subject to the vulnerability. It also notes that no other email client other than Outlook Express, including Outlook, supports the fragmentation and reassembly feature with a few simple clicks.
The SecurITeam has assembled responses from a number of vendors detailing how or if their security products deal with the issue. The advisory can be found at: http://www.securiteam.com/securitynews/5YP0A0K8CM.html.
GFI, a UK-based vendor of email and security software, is providing a free test that administrators can run to determine whether their network is protected against the fragmentation attack. The test is available at: www.gfi.com/emailsecuritytest.