[Mimedefang] Was the patch supposed to catch this?
David F. Skoll
dfs at roaringpenguin.com
Fri Apr 26 15:41:40 EDT 2002
On Fri, 26 Apr 2002 15:21:07 -0400 "Michael D. Sofka" <sofkam at rpi.edu> wrote:
> A message was sent from an AOL machine to an alias at RPI. The
> sender was to be from another alias at rpi.edu. The message was rejected
> because it contained Klez. So far, so good. Then, the AOL mailer sent
> the rejection notice to the forged sender, and it passed
> inspection.
That's because of this little chunk:
--OAB23409.1019845640/rly-ip02.mx.aol.com
Content-Type: message/rfc822

Return-Path: <security at rpi.edu>
... etc.
Notice the blank line between the Content-Type and the remaining
headers? Thank you, AOL mailer. That screws up MIME-Tools
completely. It won't look inside because it doesn't see a
MIME-Version: header indicating that it's a nested MIME message. If I
fix this, I'll break something else, because in some cases, it is
*wrong* to treat rfc822 parts as nested MIME messages, and doing so
lets other viruses through. See:
http://lists.roaringpenguin.com/pipermail/mimedefang/2002-February/000501.html
for the thread which prompted the original rfc822 patch.
Fixing this would require a fairly major overhaul of MIME-Tools. I'm
not the author of MIME-Tools, but I'm becoming more familiar with
it every day. :-)
Alternatively, ask AOL to fix their mailer... :-)
Regards,
David.
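
Added illustration, not part of the original post and not MIME-Tools code: a minimal Python model of the nesting policy discussed above, using the standard `email` package. The function names, the `require_mime_version` flag and the sample bounce are constructed for this example; with the flag set, an embedded message lacking a MIME-Version: header is treated as opaque and the attachment inside it is never inspected.

```python
from email import message_from_string

# Constructed sample bounce: the message/rfc822 part embeds a message that
# declares a multipart Content-Type but carries no MIME-Version: header.
BOUNCE = """\
Subject: Returned mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="OUTER"

--OUTER
Content-Type: text/plain

Your message was rejected.
--OUTER
Content-Type: message/rfc822

Return-Path: <forged-sender@example.edu>
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: application/octet-stream; name="sample.exe"
Content-Disposition: attachment; filename="sample.exe"

harmless placeholder text
--INNER--
--OUTER--
"""


def attachment_names(part, require_mime_version):
    """Filenames visible to a filter that follows the given nesting policy."""
    if part.get_content_type() == "message/rfc822" and part.is_multipart():
        inner = part.get_payload(0)
        if require_mime_version and inner["MIME-Version"] is None:
            return []  # embedded message is treated as opaque text
        return attachment_names(inner, require_mime_version)
    if part.is_multipart():
        names = []
        for sub in part.get_payload():
            names += attachment_names(sub, require_mime_version)
        return names
    filename = part.get_filename()
    return [filename] if filename else []


def scan(raw, require_mime_version):
    return attachment_names(message_from_string(raw), require_mime_version)


if __name__ == "__main__":
    print("strict :", scan(BOUNCE, True))   # nested attachment not seen
    print("lenient:", scan(BOUNCE, False))  # nested attachment reported
```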