[Mimedefang] odd filename

Joseph Brennan brennan at columbia.edu
Tue Jul 1 12:43:00 EDT 2003


Interesting example below.  This familiar virusmail gets past
Mimedefang's usual $bad_exts check as in the suggested minimum
filter.  In fact I have a specific test to toss these things out
quickly without further analysis, that should have caught this
as it does hundreds of others a day:

    if (filter_bad_filename($entity)) {
        if ($type =~ /audio/) {
            md_log('bad_filename', $fname, $type);
            return action_bounce("Bad audio attachment");
        }
    }

The name= value in the second part looks odd to me.

There is also a third part with the same name= value, which has
a .htm extension.  My client (Mulberry) does not render it into
text so I don't know what it says if anything.

Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group





From: TDOCwebmaster <TDOCwebmaster at mail.state.tn.us>
To: brennan at columbia.edu
Subject: A very  new website
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary=M8Wq579211
Message-Id: <E19VfId-0001zw-00 at falcon.mail.pas.earthlink.net>
Date: Thu, 26 Jun 2003 15:33:04 -0700
X-Scanned-By: MIMEDefang 2.32 (www . roaringpenguin . com / mimedefang)

--M8Wq579211
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Xk3I2085ut096866 height=3D0 width=3D0>
</iframe>
<FONT>Hello,This is a  new website<br>
I wish you would like it.</FONT></BODY></HTML>

--M8Wq579211
Content-Type: audio/x-wav;
	name=search_spanel;kw=;sz=120x60;tile=1;ord=10477246[1].exe
Content-Transfer-Encoding: base64
Content-ID: <Xk3I2085ut096866>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
... much stuff deleted ...

--M8Wq579211

Content-Type: application/octet-stream;
	name=search_spanel;kw=;sz=120x60;tile=1;ord=10477246[1].htm
Content-Transfer-Encoding: base64
Content-ID: <Xk3I2085ut096866>

--M8Wq579211--
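
Added example, not part of the original post and not MIMEDefang's own code: a stand-alone Perl sketch of how the second part's unquoted name= value splits under the RFC 2045 parameter grammar, where an unquoted value ends at the first ';', next to a check that inspects every token of the header. That this split is why the extension test missed the part is an assumption; the helper names and the extension list are hypothetical.

```perl
use strict;
use warnings;

# Constructed input: the second part's Content-Type, unfolded onto one line.
my $ct = 'audio/x-wav; name=search_spanel;kw=;sz=120x60;tile=1;ord=10477246[1].exe';

# Illustrative list only (assumption); a real filter would reuse its own $bad_exts.
my $bad_exts = qr/\.(?:exe|scr|pif|com|bat|vbs)$/i;

# Split a header value on every ';' that is not inside a quoted-string,
# which is how the RFC 2045 grammar separates parameters.
sub split_params {
    my ($value) = @_;
    my @parts = $value =~ /((?:"(?:\\.|[^"\\])*"|[^;"])+)/g;
    s/^\s+|\s+$//g for @parts;
    return @parts;
}

# The name as a strict parser reports it: the unquoted value stops at the
# first ';', so everything after it becomes separate pseudo-parameters.
sub strict_name {
    my ($value) = @_;
    for my $p (split_params($value)) {
        return $2 if $p =~ /^(name|filename)\s*=\s*"?([^"]*)"?$/i;
    }
    return;
}

# Defensive check: test every ';'-separated token, not only name=, so an
# extension stranded in a later pseudo-parameter is still noticed.
sub stranded_bad_ext {
    my ($value) = @_;
    my @hits;
    for my $p (split_params($value)) {
        (my $v = $p) =~ s/^"|"$//g;    # ignore surrounding quotes
        push @hits, $p if $v =~ $bad_exts;
    }
    return @hits;
}

my $name = strict_name($ct);
printf "strict name=   : %s\n", defined $name ? $name : '(none)';
printf "name matches   : %s\n",
    (defined $name && $name =~ $bad_exts) ? 'yes' : 'no';
printf "stranded token : %s\n", $_ for stranded_bad_ext($ct);
```

In a filter the raw value could be taken from `$entity->head->get('Content-Type')` (MIME::Head) and unfolded before being passed to `stranded_bad_ext`.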







