[Mimedefang] testing file magic?

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Tue Jul 22 21:40:01 EDT 2003


Has anyone tried using File::MMagic (or similar) to identify hazardous
attachments?

For example, if someone sent a Windows executable named "evil.txt" as
a text/plain attachment, there'd be no way to catch that in
MIMEDefang.  You'd have to hope that the attacker couldn't find a way
to get the victim (or the victim's computer) to treat it as an
executable.

But the file(1) program wouldn't be fooled:

    $ file evil.txt
    MS-DOS executable (EXE), OS/2 or MS Windows

If you could perform the equivalent of running the file(1) program on
the attachment and seeing what the file *really* is, then you could
catch such malicious attachments.

When the filter() function is running, the extracted attachment is
sitting somewhere in the "Work" subdirectory.  But I'm not certain how
to fiddle with the MIME::Entity object to get to it.

Thoughts?  Ideas?

Regards,

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
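One way to do what the post describes, as an added example that is not part of the original message or the MIMEDefang project's own code: a fragment of a mimedefang-filter that reaches the decoded body of each leaf part through $entity->bodyhandle->path, compares its leading bytes against a small signature table, and asks File::MMagic for a second opinion. The signature table, the 8-byte read, and the choice of action_quarantine are assumptions made for this example; action_accept, action_quarantine and md_syslog are the stock MIMEDefang filter calls, and checktype_filename is File::MMagic's documented method.

```perl
#!/usr/bin/perl -w
# Example fragment for mimedefang-filter (added illustration, not the
# project's own filter): sniff the real type of each leaf part instead of
# trusting the declared Content-Type or the attachment's filename.
use strict;
use File::MMagic;

# Leading-byte signatures for content a mail gateway typically refuses.
# This table is an assumption chosen for the example, not an exhaustive list.
my @MAGIC = (
    [ 'MZ',                 'MS-DOS/Windows executable (MZ/NE/PE)'  ],
    [ "\x7fELF",            'ELF executable'                        ],
    [ "PK\x03\x04",         'ZIP archive (may wrap an executable)'  ],
    [ "\xd0\xcf\x11\xe0",   'OLE2 compound document (Office/macros)' ],
);

# File::MMagic with its built-in table; File::MMagic->new($path) would load a magic(5) file.
my $mm = File::MMagic->new();

# Return the description of the first signature matching the file's leading
# bytes, or undef if nothing in @MAGIC matches (or the file cannot be read).
sub sniff_path {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    binmode($fh);
    my $head = '';
    read($fh, $head, 8);
    close($fh);
    foreach my $sig (@MAGIC) {
        my ($bytes, $desc) = @$sig;
        return $desc if substr($head, 0, length($bytes)) eq $bytes;
    }
    return undef;
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # filter() is called once per leaf part; MIMEDefang has already decoded
    # the body to a file under the Work directory, reachable via bodyhandle.
    my $body = $entity->bodyhandle;
    return action_accept() unless defined($body) && defined($body->path);
    my $path = $body->path;

    my $real = sniff_path($path);
    if (defined($real)) {
        # File::MMagic returns a MIME type string for the same file; log it
        # alongside our own verdict so the two can be compared in syslog.
        my $guess = $mm->checktype_filename($path);
        md_syslog('warning',
            "part '$fname' declared as $type, magic says: $real (File::MMagic: $guess)");
        # Quarantine the part and replace it with a warning in the message.
        return action_quarantine($entity,
            "Attachment '$fname' is declared as $type but its content is a $real");
    }
    return action_accept();
}
```

Two points a practitioner would check before deploying this: the check runs on the decoded body, so a base64-encoded evil.txt is still caught, but anything the mailer never decodes (an encrypted ZIP, a nested archive) is only recognised as a container, and the ZIP and OLE2 signatures will also match ordinary .zip and legacy Office files, so those entries need a policy decision rather than an automatic quarantine.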

