[Mimedefang] action_defang circumvented by x-mac-type

Kelson Vibber kelson at speed.net
Fri Nov 15 20:08:01 EST 2002 

I discovered something interesting today while testing code using 
File::MMagic.  It turns out that Eudora for Windows will use Mac creator and 
type information, both for sending and receiving.

I took a Word document and a Zip file, renamed them both to files with the 
pattern "test.com blah.doc" and sent them to myself.  The idea was that 
MMagic would determine if the file was really a Word document and I could 
skip defanging it (although it turns out not to recognize Word 2000 files, so 
it got defanged anyway).

The surprise was that the defanged files showed up in Eudora as Word 
documents, despite the fact that I had not changed the call to action_defang.  
They showed up in Eudora as defang-1.binary.doc and defang-2.binary.doc.  At 
first I thought it wasn't defanging properly, and had left the MIME-type 
unaltered.  Once I looked at the actual mailbox, I saw the following MIME 
part header:

Content-Type: application/octet-stream; name="defang-2.binary"; 
x-mac-creator="4D535744"; x-mac-type="42494E41"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="defang-2.binary"
Content-Description: defang-2.binary

What I think happened is that when sending, Eudora added the x-mac-creator and 
x-mac-type data to help with Macintosh recipients, and that when receiving, 
it figured it was receiving from a Macintosh and added the file extension to 
make the file readable.

Essentially, this is another way of specifying a file type - one which 
action_defang currently does not disable.

Outlook Express seems to have disabled access to the attachments entirely, but 
it does affect Eudora for Windows, and I would guess affects at least some 
Macintosh clients as well.  Eudora may be more secure than OE, and there may 
be fewer viruses for Mac, but it's at least something to consider.

-- 
Kelson Vibber
SpeedGate Communications, Technical Staff
kelson at speed.net          Phone: (949) 341-0800
http://www.speed.net/     FAX:   (949) 341-0900

More information about the MIMEDefang mailing list