KB Article #101821
Using EMF to block messages with MIME type message-partial (RECOMMENDED)
Summary:
Tumbleweed recommends using EMF to block messages with a MIME type of message/partial. This MIME type, as described in section 5.2.2 of RFC 2046 (http://www.imc.org/rfc2046), allows "a message" to be sent where the contents of the message actually span multiple email messages.
Detailed Information:
The idea behind the partial MIME subtype is to allow large messages to be sent as multiple separate entities and to be reassembled into a single message at the endpoint or email client. EMF does not attempt to capture each distinct message and assemble them into a single message before applying policies. EMF applies policies to each message as a distinct, individual message. As a result, a message as reassembled by the client may look like one that EMF should have detected, and perhaps blocked. For example, a policy to block messages greater than 6MB will not be triggered if the message is sent as 3 separate 2MB messages using the message/partial MIME type. However, when reassembled by the email client, the message may in fact be 6MB in size. Other examples include messages where a search phrase is split across multiple messages, keyword weighting is used but the keywords are spread across multiple messages, and perhaps even viruses where the virus signature is broken at the point where the data is divided for the multiple messages. Policy exceptions may also fail to be recognized where the criteria that trigger a policy exception are in a separate message from the criteria that caused the policy to trigger in the first place.
Some email clients in widespread use have configuration settings that allow the desktop user to set the threshold at which an email message will be split into multiple messages using message/partial. This means that the ability to generate such messages is well within the means of an ordinary user. Because of its potential ease of use, the security risk associated with this MIME type should not be considered trivial.
Tumbleweed highly recommends using the EMF policy engine to block any message that attempts to use the message/partial MIME type.
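The gap described above, shown as an added example (not Tumbleweed code, and not how EMF is implemented): a per-message content check misses a phrase and a size limit that only appear after reassembly, while a check on the MIME type itself flags every fragment. The phrase, size limit, addresses and message id are constructed for the demonstration.

```python
from collections import defaultdict
from email.parser import HeaderParser

PHRASE = "project falcon"  # hypothetical blocked search phrase
MAX_BYTES = 60             # hypothetical size limit, tiny for the demo

def make_fragment(number, total, body):
    """Build a constructed message/partial fragment (RFC 2046, 5.2.2)."""
    return ("From: user@example.com\n"
            'Content-Type: message/partial; id="demo-1@example.com"; '
            f"number={number}; total={total}\n\n{body}")

# Constructed sample: one message split so the phrase straddles the boundary.
FRAGMENTS = [
    make_fragment(1, 2, "Subject: notes\n\nStatus update on project fal"),
    make_fragment(2, 2, "con, details to follow next week.\n"),
]

def parse(raw):
    # Headers-only parse: the body is kept as an untouched string payload.
    return HeaderParser().parsestr(raw)

def is_partial(raw):
    """The check the article recommends: flag the MIME type itself."""
    return parse(raw).get_content_type() == "message/partial"

def violates(text):
    """Content policy: phrase match or size limit."""
    return PHRASE in text.lower() or len(text.encode()) > MAX_BYTES

def per_message_verdicts(raws):
    """Policy applied to each fragment as a distinct message."""
    return [violates(parse(r).get_payload()) for r in raws]

def reassemble(raws):
    """What the client does: join fragments sharing an id, by number."""
    groups = defaultdict(dict)
    for msg in map(parse, raws):
        if msg.get_content_type() == "message/partial":
            number = int(msg.get_param("number"))
            groups[msg.get_param("id")][number] = msg.get_payload()
    return {i: "".join(p[n] for n in sorted(p)) for i, p in groups.items()}

if __name__ == "__main__":
    print("per-fragment policy hits:", per_message_verdicts(FRAGMENTS))
    for mid, text in reassemble(FRAGMENTS).items():
        print(mid, "reassembled policy hit:", violates(text))
    print("message/partial detected:", [is_partial(r) for r in FRAGMENTS])
```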
Resolution:
In EMF 5.0 and later, create a policy that looks similar to the following:
First create an attachment list (named "msgPartial" in this example) that contains:
"Standard MIME Type" = message/partial
Then create the following policy:
[Basic Mail Filtering policy] [Sender] [Attach policy to the ALL folder]
- Catch messages where
--- Contains attachments in the attachment list "msgPartial"
- Take the following actions...
--- Quarantine the message with the tag: partial
In EMF 4.7, create a policy that looks similar to the following:
[Content Manager] [Sender] [Applied to ALL folder]
--- For all messages sent from this user
--- with a "message/partial" attachment
--- quarantine the message with the tag: partial
For more information on creating policies, please refer to the Administrators Guide or the online help.