[Mimedefang] SoBig.E slipping through
Jeffrey Goldberg
jeffrey at goldmark.org
Mon Jun 30 19:20:00 EDT 2003
On Mon, 30 Jun 2003, Minica, Nelson (EDS) wrote:
> [...] If this one virus can slip attachments past mimedefang then others
> can too.
You can configure MIMEDefang to block all attachments if you wish.

The default filter file is only configured to block attachments with
dangerous names. And that is really only relevant for a certain class of
Outhouse worm. Since Outhouse (and a few other MS products) violate the
spirit of the MIME standards and ignore the mime-type and use the file
name instead, it is possible to fool an Outhouse user with mail with a part
like

    Content-Type: AUDIO/WAVE; filename="playme.wav.exe"

A MIME respecting mailer will treat that as a WAVE file (and so no harm is
done), but Outhouse pays more attention to the extension and so will run
it as an executable while presenting information to the user that it is an
audio file.

So MIMEDefang is able to stop a whole class of viruses simply by blocking
things with dangerous extensions. But there are plenty of viruses that
don't come with dangerous extensions.

As I said, you can ask MIMEDefang to stop all attachments, but that is not
the default set-up.
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
Relativism is the triumph of authority over truth, convention over justice
Hate spam? Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
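
The filename check described in this post, as an added example in Python (not part of the original message and not MIMEDefang's own filter code): it flags parts whose final extension is executable and marks those declared as a passive type, like the AUDIO/WAVE part above. The extension list, the verdict labels and the sample message are constructed for illustration; the `report.zip` part shows that a name without a dangerous extension passes this kind of check.

```python
import email
import os

# Illustrative subset of executable extensions (assumption; not MIMEDefang's list).
DANGEROUS_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}
# Major types a MIME-respecting mailer would render rather than execute.
PASSIVE_TYPES = {"audio", "image", "video", "text"}

def part_names(part):
    """Every name a client might act on: Content-Disposition filename,
    Content-Type name, and the non-standard Content-Type filename."""
    names = [part.get_param("filename", header="content-disposition"),
             part.get_param("name", header="content-type"),
             part.get_param("filename", header="content-type")]
    return list(dict.fromkeys(n for n in names if isinstance(n, str)))

def scan(raw_message):
    """Return (verdict, filename, declared_type) for each suspicious part."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        for name in part_names(part):
            # Windows drops trailing dots and spaces, so ignore them too.
            ext = os.path.splitext(name.lower().rstrip(". "))[1]
            if ext not in DANGEROUS_EXTS:
                continue
            disguised = part.get_content_maintype() in PASSIVE_TYPES
            verdict = "disguised-executable" if disguised else "executable-name"
            findings.append((verdict, name, part.get_content_type()))
    return findings

# Constructed sample message; payloads are placeholders.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: AUDIO/WAVE; filename="playme.wav.exe"

AAAA
--XX
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"

AAAA
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.exe"

AAAA
--XX--
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```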