[Mimedefang] odd filename

Kelson Vibber kelson at speed.net
Tue Jul 1 18:00:00 EDT 2003


Joseph Brennan wrote:
>Something else called clamscan said "Exploit.IFrame FOUND".
>I agree I had a less-than sign < followed by the letters
>i,f,r,a,m,e, but it was not in an html part, so who cares,
>unless the very subject of if... is forbidden!

Well, let's see: (A) an iframe used this way can be used to trigger all 
kinds of viruses.  (B) Certain widely-used mail programs have an annoying 
tendency to disregard the declared MIME type of an attachment and go by 
what it *thinks* it is - so if you attach an HTML file as text, there is a 
distinct possibility that some versions of Outlook Express will actually 
display it as HTML, much in the same way that sending an EXE file as 
audio/midi will cause OE to "play" the "sound clip" by running the executable.

However, I agree that if it's clearly in a text/plain part and there's no 
way the part is going to get interpreted as HTML, there's no point in 
looking for an iframe or anything else.

File::MMagic might be useful here.  You could test attachments that claim 
to be plain text and avoid scanning them if MMagic agrees.  I'm doing 
something similar to override filter_bad_filename in cases where someone's 
sent something like "Whatever.com Website Proposal.doc" or "CNN.com News 
Article.html" while still guarding against things like "virus.html.com".


Kelson Vibber
SpeedGate Communications <www.speed.net> 
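
The two checks described in the message above, sketched in Perl as an added example; it is not part of the original post and not the poster's filter code. The function names, the extension list and the sample parts are constructed assumptions; `checktype_contents` is File::MMagic's own method, and its verdict is a heuristic, so any disagreement with the declared type falls back to scanning.

```perl
#!/usr/bin/perl
# Added example (not the poster's filter). Requires File::MMagic from CPAN.
use strict;
use warnings;
use File::MMagic;

my $mm = File::MMagic->new;

# Assumed extension list; a real filter would reuse its own bad-extension set.
my $BAD_EXT = qr/\.(?:com|exe|scr|pif|bat|cmd|vbs)\z/i;

# True only when the part is declared text/plain AND content sniffing agrees.
# Anything else (other declared type, sniffed HTML, unknown) gets scanned.
sub plain_text_confirmed {
    my ($declared_type, $data) = @_;
    return 0 unless lc($declared_type // '') eq 'text/plain';
    return $mm->checktype_contents($data) eq 'text/plain' ? 1 : 0;
}

# Judge a filename by its final extension only, so ".com" in the middle of
# a name is tolerated while "virus.html.com" is still rejected.
sub filename_is_bad {
    my ($name) = @_;
    $name =~ s/[\s.]+\z//;    # Windows ignores trailing dots and spaces
    return $name =~ $BAD_EXT ? 1 : 0;
}

# Constructed sample parts: [ declared MIME type, body ].
my @parts = (
    [ 'text/plain', "Meeting moved to 3pm.\n" ],
    [ 'text/plain', "<html><body><iframe src=\"cid:x\"></iframe></body></html>\n" ],
    [ 'text/html',  "<html><body>hi</body></html>\n" ],
);
for my $p (@parts) {
    printf "%-10s sniffed=%-12s skip_scan=%d\n",
        $p->[0], $mm->checktype_contents($p->[1]), plain_text_confirmed(@$p);
}

# Constructed filenames, including the three quoted in the message.
for my $n ('Whatever.com Website Proposal.doc', 'CNN.com News Article.html',
           'virus.html.com', 'report.exe. ') {
    printf "%-36s bad=%d\n", $n, filename_is_bad($n);
}
```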



