[Mimedefang] odd filename

Kelson Vibber kelson at speed.net
Tue Jul 1 18:00:00 EDT 2003

Joseph Brennan wrote:
>Something else called clamscan said "Exploit.IFrame FOUND".
>I agree I had a less-than sign < followed by the letters
>i,f,r,a,m,e, but it was not in an html part, so who cares,
>unless the very subject of if... is forbidden!

Well, let's see: (A) an iframe used this way can be used to trigger all 
kinds of viruses.  (B) Certain widely-used mail programs have an annoying 
tendency to disregard the declared mime type of an attachment and go by 
what it *thinks* it is - so if you attach an HTML file as text, there is a 
distinct possibility that some versions of Outlook Express will actually 
display it as HTML, much in the same way that sending an EXE file as 
audio/midi will cause OE to "play" the "sound clip" by running the executable.

However, I agree that if it's clearly in a text/plain part and there's no 
way the part is going to get interpreted as HTML, there's no point in 
looking for an iframe or anything else.

File::MMagic might be useful here.  You could test attachments that claim 
to be plain text and avoid scanning them if MMagic agrees.  I'm doing 
something similar to override filter_bad_filename in cases where someone's 
sent something like "Whatever.com Website Proposal.doc" or "CNN.com News 
Article.html" while still guarding against things like "virus.html.com"

Kelson Vibber
SpeedGate Communications <www.speed.net> 

More information about the MIMEDefang mailing list