[Mimedefang] odd filename

Joseph Brennan brennan at columbia.edu
Tue Jul 1 14:38:01 EDT 2003

The results of my message were unexpected to me.  It was
one part text/plain, quite deliberately, so that it would pass
as not executable.  I included only the first two lines of the
encoded virus for obvious reasons.

Something called GroupShield for Exchange says "Infected? Yes."
and named a virus.  I doubt that the first two lines of the
encoded virus would be definitive.  And it was text/plain!

Something else called clamscan said "Exploit.IFrame FOUND".
I agree I had a less-than sign < followed by the letters
i,f,r,a,m,e, but it was not in an html part, so who cares,
unless the very subject of if... is forbidden!

Anyway, if you didn't see it and want to, go to
Once again I have removed all but a few lines of the virus.

I wondered whether the strange name= value is the problem, but
I don't really see why it did not match a test like this--

    if (filter_bad_filename($entity)) {
        if ($type =~ /audio/) {
            md_log('bad_filename_rejected', $fname, $type);
            return action_bounce("Bad audio attachment");

Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group

More information about the MIMEDefang mailing list