[Mimedefang] SoBig.E slipping through
Minica, Nelson (EDS)
Nelson.Minica at RailAmerica.com
Mon Jun 30 16:53:00 EDT 2003
Added following code to filter() but it did not stop SoBig.E as I
expected...

    # Compare the lowercased attachment name against the two SoBig.E names
    my $lc_fname = lc($fname);
    if ($lc_fname eq 'your_details.zip' || $lc_fname eq 'your_details.zi') {
        action_quarantine_entire_message("Quarantined attachment $lc_fname contains a virus: [SoBig.E]");
        return action_discard();
    }

Upgraded mimedefang from 2.30 to 2.34, but that did not help.
Added code above to filter_multipart, but that did not help.
I can send attachments with this name and they get blocked, so the code is
working. Somehow SoBig.E is faking out mimedefang... Here are the actual
headers of the virus:

Subject: Re: Movie
Date: Fri, 27 Jun 2003 17:24:09 --0500
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="CSmtpMsgPart123X456_000_01C9D4BE"
X-Spam-Not-Checked: Messages over 100K not checked
X-Scanned-By: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)

This is a multipart message in MIME format
--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: application/x-zip-compressed;
        name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="your_details.zi"

--CSmtpMsgPart123X456_000_01C9D4BE--

Any suggestions???
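
Added example, not part of the original post and not MIMEDefang's own code: a stand-alone Perl script that parses a constructed copy of the MIME structure shown above with MIME::Parser (from MIME-tools) and checks both the Content-Type name and the Content-Disposition filename of every part against a blocklist, since the two values differ in this message. The helper names, the blocklist and the placeholder payload are assumptions; the script does not diagnose why the poster's filter missed the message.

```perl
use strict;
use warnings;
use MIME::Parser;    # from MIME-tools

# Names to block, lowercased (the two names that appear in the post).
my %BLOCKED = map { $_ => 1 } qw(your_details.zip your_details.zi);
# Constructed sample: the post's MIME structure with a placeholder payload.
my $sample = <<'EOM';
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="CSmtpMsgPart123X456_000_01C9D4BE"

This is a multipart message in MIME format
--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: application/x-zip-compressed;
 name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="your_details.zi"

cGxhY2Vob2xkZXI=
--CSmtpMsgPart123X456_000_01C9D4BE--
EOM

# Every name a part advertises, from both headers, lowercased.
sub part_names {
    my $head = $_[0]->head;
    return map { lc($_) } grep { defined($_) && length($_) }
        $head->mime_attr('content-type.name'),
        $head->mime_attr('content-disposition.filename');
}

# Walk the MIME tree (hypothetical helper) and collect blocked names.
sub blocked_names {
    my ($entity) = @_;
    my @hits = grep { $BLOCKED{$_} } part_names($entity);
    push @hits, blocked_names($_) for $entity->parts;
    return @hits;
}

my $parser = MIME::Parser->new;
$parser->output_to_core(1);    # keep bodies in memory, write no files
my $entity = $parser->parse_data($sample);
print "blocked name: $_\n" for blocked_names($entity);
```

Running a captured message through a script like this outside the milter shows which names the parser actually extracts from each part before the comparison is made.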