[Mimedefang] New MIME tricks from Klez?
Nels Lindquist
nlindq at maei.ca
Tue Aug 6 12:56:01 EDT 2002
I came in this morning after the long weekend to find that MIMEDefang
had been *extremely* busy. Lots and lots of Klez being quarantined.
My mimedefang-filter is set up to scan the entire message for viruses
in filter_begin(), and then scan each attachment in filter(),
quarantining any parts which contain viruses.
In the majority of altered messages in my inbox, the original Klez-
generated mail has two attachments, one of which is detected and
quarantined. The other remains, although my Windoze mail client
doesn't see it. I'm not using a MS client, however, and I'm a bit
worried that some of my users who *are* might be affected.
Is this something new from Klez, or is this simply part of the MIME-
encoding problems which can't be overcome with MIME-tools, etc.?
Near as I can tell, the messages are multipart, with a text/html part
containing both a copy of the virus and an <iframe> reference to an
inline attachment with *another* copy of the virus. The virus within
the first part is detected and stripped, but the Content-Disposition:
inline part is not.
Any ideas?
I can forward some examples to interested parties, but unfortunately
they've already been munged by MIMEDefang, so I don't know exactly
what the originals looked like.
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
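To illustrate the gap the post describes (a text/html part whose &lt;iframe&gt; points at a second, Content-Disposition: inline copy that an attachment-oriented scan never looks at), here is an added example in Python using the standard email package; it is not code from the post or from MIMEDefang, the message is constructed, and the "attachment-only" policy is a hypothetical stand-in rather than a description of how any real filter behaves.

```python
import email
import re
from email import policy

MARKER = b"MARKER"  # constructed stand-in for whatever the real scanner would flag
CID_RE = re.compile(rb'src=["\']?cid:([^"\'\s>]+)', re.I)

# Constructed sample modelled on the layout described in the post: a text/html part with the
# marker and an <iframe src="cid:..."> pointing at an inline part whose base64 body is the same marker.
SAMPLE = b"""\
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>MARKER<iframe src="cid:p2@example.invalid" width=0 height=0></iframe></body></html>
--B1
Content-Type: application/octet-stream; name="movie.exe"
Content-Disposition: inline; filename="movie.exe"
Content-ID: <p2@example.invalid>
Content-Transfer-Encoding: base64

TUFSS0VS
--B1--
"""
MSG = email.message_from_bytes(SAMPLE, policy=policy.default)

def infected(part):
    # Decode the transfer encoding first: the inline part only matches after base64 decoding.
    return MARKER in (part.get_payload(decode=True) or b"")

def attachment_policy_hits(msg):
    # Hypothetical narrow policy: scan text bodies and 'attachment' parts only; the 'inline' binary survives.
    hits = []
    for part in msg.walk():
        scanned = part.get_content_maintype() == "text" or part.get_content_disposition() == "attachment"
        if not part.is_multipart() and scanned and infected(part):
            hits.append(part.get_content_type())
    return hits

def every_leaf_hits(msg):
    # Scan every non-multipart leaf regardless of disposition and note which ones the HTML references via cid:.
    referenced = {c.decode() for part in msg.walk() if part.get_content_type() == "text/html"
                  for c in CID_RE.findall(part.get_payload(decode=True))}
    hits = []
    for part in msg.walk():
        if not part.is_multipart() and infected(part):
            cid = (part.get("Content-ID") or "").strip("<>")
            hits.append((part.get_content_type(), part.get_content_disposition(), cid in referenced))
    return hits
```

The narrow policy reports only the text/html part, while the leaf walk also reports the inline application/octet-stream part and confirms it is the cid: target of the iframe.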