[Mimedefang] SoBig.E slipping through

Steven.Ellison at hardywines.com.au Steven.Ellison at hardywines.com.au
Mon Jun 30 20:50:37 EDT 2003


That would be because the file was called "your_details.zip   with a 
leading quote.  Mimedefang stripped the trailing character because it 
thought it was quoted, I think.

I stand to be corrected but this is what I think I observed.

        Regards,
                Steven Ellison

Steven Ellison,
MIS Department, Hardy Wine Company
Reynella, South Australia, 5161

"Minica, Nelson (EDS)" <Nelson.Minica at RailAmerica.com>
Sent by: mimedefang-admin at lists.roaringpenguin.com
01/07/2003 06:45 AM
Please respond to mimedefang at lists.roaringpenguin.com

To: "'mimedefang at lists.roaringpenguin.com'" <mimedefang at lists.roaringpenguin.com>
cc:
Subject: [Mimedefang] SoBig.E slipping through

Added the following code to filter(), but it did not stop SoBig.E as I
expected...

# $fname is the attachment file name MIMEDefang passes to filter()
$lc_fname = lc($fname);
if ($lc_fname eq 'your_details.zip' || $lc_fname eq 'your_details.zi') {
    action_quarantine_entire_message("Quarantined attachment $lc_fname contains a virus: [SoBig.E]");
    return action_discard();
}


Upgraded mimedefang from 2.30 to 2.34, but that did not help.
Added code above to filter_multipart, but that did not help.
I can send attachments with this name and they get blocked, so the code is
working.  Somehow SoBig.E is faking out mimedefang...  Here are the actual
headers of the virus:

Subject: Re: Movie
Date: Fri, 27 Jun 2003 17:24:09 --0500
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
                 boundary="CSmtpMsgPart123X456_000_01C9D4BE"
X-Spam-Not-Checked: Messages over 100K not checked
X-Scanned-By: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)

This is a multipart message in MIME format

--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: text/plain;
                 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--CSmtpMsgPart123X456_000_01C9D4BE
Content-Type: application/x-zip-compressed;
                 name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
                 filename="your_details.zi"

--CSmtpMsgPart123X456_000_01C9D4BE--


And the syslog entries...

Jun 30 15:53:50 mta3 sendmail[25157]: h5UKrkFk025157:
from=<sstark at swscpas.com>, size=111823, class=0, nrcpts=1,
msgid=<200306302053.h5UKrkFk025157 at mta3.railamerica.com>, proto=SMTP,
daemon=MTA, relay=[12.109.73.122]
Jun 30 15:53:50 mta3 sendmail[25157]: h5UKrkFk025157: Milter add: header:
X-Spam-Not-Checked: Messages over 100K not checked
Jun 30 15:53:50 mta3 sendmail[25157]: h5UKrkFk025157: Milter add: header:
X-Scanned-By: MIMEDefang 2.34
Jun 30 15:53:50 mta3 sendmail[25160]: h5UKrkFk025157: Fixed MIME
Content-Disposition header field (possible attack)
Jun 30 15:53:50 mta3 sendmail[25160]: h5UKrkFk025157:
to=<andrew.reina at railamerica.com>, delay=00:00:03, xdelay=00:00:00,
mailer=esmtp, pri=30340, relay=mail.railamerica.com. [10.3.2.11], 
dsn=2.0.0,
stat=Sent (OK)


Any suggestions???
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
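The attachment part quoted above advertises its name twice (Content-Type name="your_details.zip" and Content-Disposition filename="your_details.zi"), and the reply notes that a stray leading quote can make a scanner normalise the value differently. The following is an added example, not code from the thread or from MIMEDefang: a Python version of the check logic that collects every advertised name from both headers, tolerates an unbalanced quote, and also reports when the two names disagree (the condition MIMEDefang itself logs as "possible attack"). The sample headers are constructed from the message quoted above; BLOCKED_NAMES mirrors the two names in the original filter.

```python
import re

# Constructed sample: the attachment part headers quoted in the thread.
SAMPLE_PART_HEADERS = """Content-Type: application/x-zip-compressed;
                 name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
                 filename="your_details.zi"
"""

# The two names the original filter() compared against.
BLOCKED_NAMES = {"your_details.zip", "your_details.zi"}

# name= or filename=, optionally opened with a quote; the value runs to a
# closing quote, a ';' or end of line, so a missing closing quote is harmless.
_PARAM_RE = re.compile(r'(?i)\b(name|filename)\s*=\s*("?)([^";\r\n]*)')


def unfold(headers):
    """Join folded continuation lines (leading whitespace) onto the header above."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def candidate_names(part_headers):
    """Every file name the part advertises, from Content-Type and
    Content-Disposition, lower-cased with quotes and padding removed."""
    names = []
    for line in unfold(part_headers).splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() not in ("content-type", "content-disposition"):
            continue
        for _field, _quote, raw in _PARAM_RE.findall(value):
            names.append(raw.strip().strip('"').lower())
    return names


def should_quarantine(part_headers):
    """(True, matched name) if any advertised name is blocked, else (False, None)."""
    for name in candidate_names(part_headers):
        if name in BLOCKED_NAMES:
            return True, name
    return False, None


def names_disagree(part_headers):
    """True when the part advertises more than one distinct name, a signal
    worth logging even when no name is on the block list."""
    return len(set(candidate_names(part_headers))) > 1
```

Matching on the Content-Disposition filename alone would see only "your_details.zi" for this part; checking both parameters catches the ".zip" name as well.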