[Mimedefang] why is this email managing to slip through my mimedefang filter?

Deech Mestel deech at free-source.com
Thu Nov 7 18:13:00 EST 2002


Oddly enough, this Klez variant slips right past my filter, which, up to
this point, has been working perfectly.

I don't know why it's not stripping the attachments; perhaps someone could
help me out?

To reproduce, I simply changed the To: field to my address, which I know is a
filtered account, and cat it through sendmail
(I changed the email addresses cuz I don't quite know all of you yet.. :) )
i.e. place the source below into a file called "testeml" and run:
# cat testeml | sendmail -t

Note: This is actual source that I dug out of my email logs. See the
X-Scanned-By: field? MimeDefang apparently *did* scan this and found it to
be a-ok and passed it right along!

I mangled the attachments, so as not to anger anyone by sending Klez
around, but can provide them in full for whoever wishes, if you wanna test
it out on your own filter... However, you send yourself viri at your own
risk.. :)


Thanks for all your help!
-Deech

******Begin Source Of Creepy Email*****

Received: from Ugoczpl ([63.157.24.111]) by out005.verizon.net
          (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
          id <20021106213125.JKVY1471.out005.verizon.net at Ugoczpl>
          for <myfilteredaccount at mydomain.com>; Wed, 6 Nov 2002
15:31:25 -0600
From: whoever at whereever.com
To: mimefilteredaccount at mydomain.com
Subject: A  IE 6.0 patch
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=Z508Qxabmx77eBMF
Message-Id: <20021106213125.JKVY1471.out005.verizon.net at Ugoczpl>
Date: Wed, 6 Nov 2002 15:31:56 -0600
X-Scanned-By: MIMEDefang 2.6 (www dot roaringpenguin dot com slash
mimedefang)

--Z508Qxabmx77eBMF
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>This is a  IE 6.0 patch<br>
I hope you would like it.</FONT></BODY></HTML>

--Z508Qxabmx77eBMF
Content-Type: application/octet-stream;
 name=HoTMaiL[9].bat
Content-Transfer-Encoding: base64
Content-ID: <ZzY2VD03cvX1nXp752>
(Actual attachment mangled as I didn't think anyone would appreciate me
sending Klez around the list, even in text form..)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--Z508Qxabmx77eBMF

Content-Type: application/octet-stream;
 name=HoTMaiL[9].htm
Content-Transfer-Encoding: base64
Content-ID: <ZzY2VD03cvX1nXp752>
(More attachment mangling)
ZTI5JTI2c3RhcnQlM2QxOTM1MTQxJTI2bGVuJTNkMTgwNzM3NiZQST00NDM2NCZEST03NDc0
JlBTPTgzMTUiIHdpZHRoPTEgaGVpZ2h0PTE+DQoNCjwvYm9keT4NCjwvaHRtbD4NCjwhLS0g
SDogRjMyLnBhdjAuaW50ZXJuYWwuaG90bWFpbC5jb20gLS0+DQo8IS0tIFY6IFdJTjJLIDA5
LjA1LjUwLjAwMzAgaSAtLT4NCjwhLS0gRDogU2VwIDEyIDIwMDIgMTk6NDQ6MTQtLT4NCj==
--Z508Qxabmx77eBMF--

********End Source of Creepy Email********
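One check a practitioner would want to run against a message like the one above is whether the filter inspects every leaf part regardless of the enclosing multipart subtype: this message is multipart/alternative rather than multipart/mixed, and its application/octet-stream parts carry a name= in Content-Type but no Content-Disposition header. The Python below is an added example, not code from the original post or from MIMEDefang; it parses a constructed copy of the quoted message (attachment bodies replaced with placeholder bytes) and lists the parts a strip rule should catch, recording which multipart container each one sits in.

```python
import email
import posixpath

# Constructed sample modeled on the quoted message; bodies are placeholders.
SAMPLE = b"""From: whoever@whereever.com
To: mimefilteredaccount@mydomain.com
Subject: A  IE 6.0 patch
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=Z508Qxabmx77eBMF

--Z508Qxabmx77eBMF
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>This is a  IE 6.0 patch</BODY></HTML>

--Z508Qxabmx77eBMF
Content-Type: application/octet-stream;
 name=HoTMaiL[9].bat
Content-Transfer-Encoding: base64
Content-ID: <ZzY2VD03cvX1nXp752>

AAAA
--Z508Qxabmx77eBMF
Content-Type: application/octet-stream;
 name=HoTMaiL[9].htm
Content-Transfer-Encoding: base64
Content-ID: <ZzY2VD03cvX1nXp752>

AAAA
--Z508Qxabmx77eBMF--
"""

# Extensions a strip rule should never let through (illustrative list, an assumption).
RISKY_EXTENSIONS = {".bat", ".exe", ".com", ".pif", ".scr", ".vbs", ".js"}

def _walk(part, parent_subtype, out):
    """Recurse into every multipart, whatever its subtype, and examine each leaf."""
    if part.is_multipart():
        for sub in part.get_payload():
            _walk(sub, part.get_content_subtype(), out)
        return
    name = part.get_filename() or ""          # checks Content-Disposition, then Content-Type name=
    ext = posixpath.splitext(name)[1].lower()
    if ext in RISKY_EXTENSIONS or part.get_content_type() == "application/octet-stream":
        out.append({"container": parent_subtype, "name": name,
                    "type": part.get_content_type(), "ext": ext})

def find_risky_parts(raw):
    """Return the leaf parts that a filter should strip, with their enclosing multipart subtype."""
    findings = []
    _walk(email.message_from_bytes(raw), None, findings)
    return findings
```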
