[Mimedefang] New virus out, how do I confirm no errors?

Young, Gil Gil_Young at CRC.com
Wed Dec 5 13:20:49 EST 2001

Something to think about with mail viruses as well: we had an instance where a
person got the "gone" virus into our company in one of two roundabout ways.
One possibility was through a web-to-mail gateway and the other through a
VPN connection into our network. We are still trying to track the user's
connection and where the mail originated.  Luckily our Exchange server saved
the day as their virus signatures were up to date when it hit, but if it was
24 hours earlier, it could have been worse.  This could also lead people to
think that MIMEDefang may have failed when it was actually bypassed.
Sorry if this has been posted as a possibility before, I just thought I'd
share it while it was fresh on my mind and haven't read all the letters (yet)
leading up to this one :).


-----Original Message-----
From: Fox, Randy [mailto:Randy_Fox at csgsystems.com]
Sent: Wednesday, December 05, 2001 11:25 AM
To: 'mimedefang at lists.roaringpenguin.com'
Subject: RE: [Mimedefang] New virus out, how do I confirm no errors?

>Look at the extension... it's ".txt", which your filter will allow
>through.  Will such an attachment actually execute in Windows?  I
>believe most Windows mail clients ignore the Content-Type: header and
>only go by the extension.  However, a more careful filter would check
>the content type as well:

I forgot to clarify, the header I sent was after the Virus Scanner on the
Exchange server had 'touched' it.

># ...
>	if ($type eq "application/octet-stream") {
>		# Discard or warn or whatever...
>	}
># ...

>There are a lot of possible content types, though, so this can get hairy.
>A very paranoid site would allow only text/html or text/plain (and even
>text/html is iffy...)

This is a good suggestion and probably what happened.  After some
investigation of MIME types, I'll fine-tune the filter to look for these
as well.
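
The check discussed in the quoted reply, as an added example that is not part of the original posts and is not MIMEDefang filter code: a standalone Python script using the standard `email` package that flags a MIME part when its filename extension is on a block list or its declared Content-Type is outside the text/plain and text/html allowlist. The extension list, the function name `check_message` and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Assumed site policy, for illustration only.
ALLOWED_TYPES = {"text/plain", "text/html"}   # the "very paranoid" allowlist
BAD_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".bat", ".com"}
# Constructed sample: a .txt name on an octet-stream part, then .scr on "text/plain".
SAMPLE = b"""\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt"

x
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="picture.scr"

x
--b1--
"""

def check_message(raw_bytes):
    """Return (filename, content_type, reasons) for each part that fails policy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        ctype = part.get_content_type()  # always lowercase "maintype/subtype"
        fname = part.get_filename() or ""
        # Windows drops trailing dots and spaces from file names, so strip them first.
        ext = os.path.splitext(fname.lower().rstrip(". "))[1]
        reasons = []
        if ext in BAD_EXTENSIONS:
            reasons.append("bad-extension")
        if ctype not in ALLOWED_TYPES:
            reasons.append("type-not-allowed")
        if reasons:
            findings.append((fname, ctype, reasons))
    return findings
```

An extension-only filter passes `notes.txt`, and a type-only filter passes `picture.scr`; checking both catches each.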
