Article ID: 130520319

Use iQ.Suite Wall to search for text patterns and block formatting content of a MIME email

Tags:  IBM Domino  Microsoft Exchange  Microsoft SMTP  SharePoint  Connections  Watchdog  FileSafe  Wall  Trailer  Crypt Pro  KeyManager  PDFCrypt  WebCrypt Pro  WebCrypt Live  Bridge

Problem

Following an Apple Mail vulnerability (original report by ZecOps: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/), it became necessary to scan the formatting content of a MIME mail, i.e. the raw MIME structure including transport-encoded parts, for text patterns and to block mails that match.

How can this be accomplished with iQ.Suite?

Solution

With iQ.Suite Wall

Wall-Advanced-Job in MIME-Analysis mode

No conversion needs to be selected in text analysis mode; there, the MIME transport encodings (base64, quoted-printable) are always decoded implicitly before the patterns are applied. In MIME analysis mode, by contrast, the transport encodings are left exactly as they are, so patterns must be written against the encoded text as it appears on the wire.

The "Unicode Analyzer for Regular Expressions" can search for line breaks with the syntax \r\n. Note, however, that on a Domino system the MIME parts may be reformatted somewhat, so line breaks can end up in different places and a pattern that relies on the exact position of a line break may no longer match.

A partial sample from the "Indicators of Compromise" table at https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/ is in fact very common: "AAAAAAAA" is simply six base64-encoded zero bytes (eight base64 characters encode six bytes). Such zero-byte sequences occur very often in ordinary attachments, so this pattern on its own would match a great many harmless mails.

For regular expressions, an AND can be implemented with a small restriction: a pattern of the form "Subpattern1.*Subpattern2" works if Subpattern2 occurs after Subpattern1 (".*" matches a sequence of any length and any characters). If the order in which the subpatterns appear is not known in advance, enter a second regular expression with the reverse order, "Subpattern2.*Subpattern1", so that either order is caught.
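The following Python script is an added illustration and is not iQ.Suite code (the Wall analyzer's own regex engine is not used; Python's re and email modules stand in for it). It shows the three points above on one constructed sample message: matching against transport-encoded text (MIME analysis) versus decoded text (text analysis), what the "AAAAAAAA" indicator actually encodes, and the two-expression AND for patterns whose order is unknown. It assumes, as the article says of ".*", that "." also spans line breaks (re.DOTALL), and it models text analysis as a search over each decoded leaf part; the sample message and its re-wrapped variant are constructed for the example and contain no exploit content.

```python
import base64
import email
import re

# Constructed sample message for this example (not a real attack sample;
# the attachment is only zero bytes). Transport encodings are left in
# place, which is what a scanner in MIME-analysis mode sees.
RAW_MIME = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"first marker=2C then=20second marker\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="blob.bin"\r\n'
    b"\r\n"
    b"AAAAAAAAAAAA\r\n"
    b"--b1--\r\n"
)

# The same message after a simulated re-wrap of the text part (the kind
# of reformatting a Domino system may do): a quoted-printable soft line
# break "=\r\n" was inserted, so the decoded text is identical, but a
# CRLF now sits in a different place at MIME level.
REFLOWED_MIME = RAW_MIME.replace(
    b"first marker=2C then=20second marker\r\n",
    b"first marker=2C=\r\nthen=20second marker\r\n",
)

# Assumption: "." spans line breaks, as the article describes for ".*".
FLAGS = re.DOTALL


def mime_level_search(raw: bytes, pattern: bytes) -> bool:
    """MIME-analysis mode: match against the raw message with all
    transport encodings (base64, quoted-printable) still in place."""
    return re.search(pattern, raw, FLAGS) is not None


def decoded_parts_search(raw: bytes, pattern: bytes) -> bool:
    """Text-analysis mode (simplified): transport encodings are decoded
    implicitly and every leaf part is searched on its own."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True)  # undoes base64 / QP
        if body is not None and re.search(pattern, body, FLAGS):
            return True
    return False


def zero_run_length(b64_run: bytes) -> int:
    """Number of zero bytes a run of base64 text encodes, 0 if the run
    decodes to anything other than zero bytes (8 x 'A' -> 6 zero bytes)."""
    decoded = base64.b64decode(b64_run)
    return len(decoded) if decoded == b"\x00" * len(decoded) else 0


def ordered_and(a: bytes, b: bytes) -> bytes:
    """'a AND b' as a single expression; only matches if a precedes b."""
    return a + rb".*" + b


def unordered_and(a: bytes, b: bytes) -> list:
    """Both orders, i.e. the two expressions the article suggests entering
    when the order of the subpatterns is not known."""
    return [ordered_and(a, b), ordered_and(b, a)]


def search_any(raw: bytes, patterns: list, decoded: bool = False) -> bool:
    """True if any of the expressions matches, in the chosen mode."""
    fn = decoded_parts_search if decoded else mime_level_search
    return any(fn(raw, p) for p in patterns)


if __name__ == "__main__":
    print("raw  AAAAAAAA :", mime_level_search(RAW_MIME, rb"AAAAAAAA"))
    print("dec  AAAAAAAA :", decoded_parts_search(RAW_MIME, rb"AAAAAAAA"))
    print("dec  6x NUL   :", decoded_parts_search(RAW_MIME, rb"\x00{6}"))
    print("AAAAAAAA ->", zero_run_length(b"AAAAAAAA"), "zero bytes")
    print("second.*first :", mime_level_search(RAW_MIME, ordered_and(b"second", b"first")))
    print("either order  :", search_any(RAW_MIME, unordered_and(b"second", b"first")))
    print("CRLF pattern, original :", mime_level_search(RAW_MIME, rb"first marker.*\r\nthen"))
    print("CRLF pattern, reflowed :", mime_level_search(REFLOWED_MIME, rb"first marker.*\r\nthen"))
```

The run shows why the choice of mode matters: "AAAAAAAA" is found only in the raw (MIME-level) text and six NUL bytes only in the decoded parts, the single expression "second.*first" misses the sample while the pair of expressions catches it, and a pattern containing \r\n matches the re-wrapped message but not the original even though the decoded text of both is the same.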

Further information

At MIME level, the Wall-Advanced-Job can only analyze the complete mail as a whole (headers, body, attachments and all other parts of the mail together); it does not offer a per-part analysis in this mode.

Last updated: 13 May 2020

