[Mimedefang] SoBig.E slipping through
Steven.Ellison at hardywines.com.au
Mon Jun 30 20:50:37 EDT 2003
That would be because the file was called "your_details.zip with a leading quote. MIMEDefang stripped the trailing character because it thought it was quoted, I think.
I stand to be corrected, but this is what I think I observed.
Regards,
Steven Ellison
Steven Ellison,
MIS Department, Hardy Wine Company
Reynella, South Australia, 5161
For Hardy Wine and Constellation Employees Only:
The Hardy Wine Corporate Intranet Web Site
http://corporate.hardywines.com.au/
The Email and Internet usage Policy
http://corporate.hardywines.com.au/EMAIL_POLICY.pdf.
From: "Minica, Nelson (EDS)" <Nelson.Minica at RailAmerica.com>
Sent by: mimedefang-admin at lists.roaringpenguin.com
Date: 01/07/2003 06:45 AM
Please respond to: mimedefang at lists.roaringpenguin.com
To: "'mimedefang at lists.roaringpenguin.com'" <mimedefang at lists.roaringpenguin.com>
Subject: [Mimedefang] SoBig.E slipping through
Added the following code to filter(), but it did not stop SoBig.E as I expected...
    # $fname is the attachment filename MIMEDefang passes to filter();
    # compare it case-insensitively against the SoBig.E lure name and
    # its truncated form.
    my $lc_fname = lc($fname);
    if ($lc_fname eq 'your_details.zip' || $lc_fname eq 'your_details.zi') {
        action_quarantine_entire_message("Quarantined attachment $lc_fname contains a virus: [SoBig.E]");
        return action_discard();
    }
Upgraded mimedefang from 2.30 to 2.34, but that did not help.
Added the code above to filter_multipart, but that did not help.
I can send attachments with this name and they get blocked, so the code is working. Somehow SoBig.E is faking out mimedefang... Here are the actual headers of the virus:
Subject: Re: Movie
Date: Fri, 27 Jun 2003 17:24:09 --0500
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_01C9D4BE"
X-Spam-Not-Checked: Messages over 100K not checked
X-Scanned-By: MIMEDefang 2.30 (www.roaringpenguin.com/mimedefang)
This is a multipart message in MIME format
--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: application/x-zip-compressed;
name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="your_details.zi"
--CSmtpMsgPart123X456_000_01C9D4BE--
And the syslog entries...
Jun 30 15:53:50 mta3 sendmail[25157]: h5UKrkFk025157: from=<sstark at swscpas.com>, size=111823, class=0, nrcpts=1, msgid=<200306302053.h5UKrkFk025157 at mta3.railamerica.com>, proto=SMTP, daemon=MTA, relay=[12.109.73.122]
Jun 30 15:53:50 mta3 sendmail[25157]: h5UKrkFk025157: Milter add: header: X-Spam-Not-Checked: Messages over 100K not checked
Jun 30 15:53:50 mta3 sendmail[25157]: h5UKrkFk025157: Milter add: header: X-Scanned-By: MIMEDefang 2.34
Jun 30 15:53:50 mta3 sendmail[25160]: h5UKrkFk025157: Fixed MIME Content-Disposition header field (possible attack)
Jun 30 15:53:50 mta3 sendmail[25160]: h5UKrkFk025157: to=<andrew.reina at railamerica.com>, delay=00:00:03, xdelay=00:00:00, mailer=esmtp, pri=30340, relay=mail.railamerica.com. [10.3.2.11], dsn=2.0.0, stat=Sent (OK)
Any suggestions???
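The two observations in this thread, the Content-Disposition filename truncated to your_details.zi while the Content-Type name still reads your_details.zip, and Steven's report of a filename carrying an unbalanced leading quote, can be checked directly against a MIME parser. The script below is an added example, not code from the thread or from MIMEDefang. The two messages it parses are constructed from the headers quoted above (the base64 body is a placeholder, not a real archive); the function names and the "naive" filter, which mirrors the posted Perl check by comparing only the library-supplied filename, are assumptions. The point it shows is that a filter has to collect every name a part advertises, from both headers and from the raw header text, and match all of them, or a one-character truncation or a stray quote is enough to slip past an exact comparison.

```python
"""Added example: find the SoBig.E lure attachment under every name a MIME
part advertises, tolerating the truncated and stray-quote forms seen in the
thread.  Standard library only; the sample messages are constructed."""
import email
import re
from email.message import Message

# Lure name quoted in the thread.  Accepts the full name, the one-character
# truncated form ("your_details.zi") and stray surrounding quote characters
# left behind by sloppy parameter parsing.
SOBIG_NAME_RE = re.compile(r'^"?your_details\.zip?"?$', re.IGNORECASE)

# Tolerant extraction of name= / filename= from raw header text.  The value
# ends at a closing quote, a ';' or end of line, so an unbalanced opening
# quote cannot swallow or disguise the name.
_PARAM_RE = re.compile(
    r'(?:^|;)\s*(?:file)?name\s*=\s*"?([^";\r\n]*)', re.IGNORECASE)

# Constructed test message modelled on the headers quoted in the thread.
# The base64 body is a placeholder, not a working archive.
_TEMPLATE = (
    'Subject: Re: Movie\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed;\n'
    '\tboundary="CSmtpMsgPart123X456_000_01C9D4BE"\n'
    '\n'
    'This is a multipart message in MIME format\n'
    '\n'
    '--CSmtpMsgPart123X456_000_01C9D4BE\n'
    'Content-Type: text/plain;\n'
    '\tcharset="iso-8859-1"\n'
    'Content-Transfer-Encoding: 7bit\n'
    '\n'
    'Please see the attached file.\n'
    '\n'
    '--CSmtpMsgPart123X456_000_01C9D4BE\n'
    'Content-Type: application/x-zip-compressed;\n'
    '\tname="your_details.zip"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment;\n'
    '\tfilename=%s\n'
    '\n'
    'UEsDBBQAAAAIAAAAIQA=\n'
    '\n'
    '--CSmtpMsgPart123X456_000_01C9D4BE--\n'
)

# Variant 1: Content-Type name ends in .zip, Content-Disposition filename is
# truncated to .zi, exactly as in the headers posted above.
SAMPLE_TRUNCATED = _TEMPLATE % '"your_details.zi"'
# Variant 2: the unbalanced leading quote Steven reports seeing (assumed form).
SAMPLE_STRAY_QUOTE = _TEMPLATE % '"your_details.zip'


def advertised_names(part: Message) -> list:
    """Return every attachment name this part advertises, in order seen."""
    names = []
    # What the MIME library hands back: Content-Disposition filename first,
    # falling back to the Content-Type name parameter.
    for value in (part.get_filename(), part.get_param('name')):
        if value:
            names.append(str(value))
    # Raw, tolerant extraction from both headers.
    for header in ('Content-Disposition', 'Content-Type'):
        raw = part.get(header)
        if raw:
            names.extend(m.strip() for m in _PARAM_RE.findall(raw) if m.strip())
    seen, unique = set(), []
    for name in names:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def naive_filter_hits(part: Message) -> bool:
    """Mirror the posted filter(): exact match on the library-supplied name."""
    fname = (part.get_filename() or '').lower()
    return fname in ('your_details.zip', 'your_details.zi')


def sobig_filter_hits(part: Message) -> bool:
    """Match the lure name against every advertised name, quotes and all."""
    return any(SOBIG_NAME_RE.match(name) for name in advertised_names(part))


def scan(raw_message: str) -> dict:
    """Scan one message; report whether each filter would quarantine it."""
    msg = email.message_from_string(raw_message)
    result = {'naive': False, 'robust': False, 'names': []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        result['names'].extend(advertised_names(part))
        result['naive'] = result['naive'] or naive_filter_hits(part)
        result['robust'] = result['robust'] or sobig_filter_hits(part)
    return result


if __name__ == '__main__':
    for label, sample in (('truncated', SAMPLE_TRUNCATED),
                          ('stray quote', SAMPLE_STRAY_QUOTE)):
        print(label, scan(sample))
```

On the truncated variant both filters fire, because the posted check already lists the .zi spelling; on the stray-quote variant the library returns the name with its leading quote still attached, the exact comparison misses, and only the check over all advertised names catches it. A MIMEDefang filter written in Perl would do the same job by testing both the Content-Type name and the Content-Disposition filename with a single case-insensitive regex rather than an eq against one string.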
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang