[Mimedefang] new K-lez.E & K-lez.H variants ?
David F. Skoll
dfs at roaringpenguin.com
Wed Aug 28 09:46:01 EDT 2002
On Wed, 28 Aug 2002, Stephane Lentz wrote:
> I just noticed a message that passed throught Mimedefang and
> which was caughed as WORM_KLEZ.E by another machine running
> some antivirus (Trend Interscan through Amavis):
> The interesting MIME part was :
> --Mes4xJ4183HVS3TKny03g2Zkj8G5
> Content-Type: audio/x-wav;
> name=accueil_popup;sz=1x1;ord=1008757901370[1].exe
Any MUA which interprets that as a .exe is broken. MIMEDefang would
have caught it if you scanned all the parts with a commercial
virus scanner, but I cannot fix this "problem" without breaking
MIME parsing and causing many other problems.
> leaf: type=audio/x-wav; fname=accueil_popup; disp=inline
This is correct.
> One solution to deal with that would be to drop all audio/x-wav attachments
That's a good idea.
> In the past I found similar names blocked with another Milter solution :
> name=connexion;kw=X;sz=468x60;ord=1012051620040[1].exe
Then that Milter solution was not parsing MIME correctly.
What it boils down to is that I can't anticipate all the broken ways
of generating or parsing MIME. If MUA's interpret broken MIME incorrectly,
well, it's time to get a new MUA. :-)
Regards,
David.
More information about the MIMEDefang
mailing list