[Mimedefang] default filter does not deal well with .xxx in the middle of attachments

Kayne Kruse kayne at moranprinting.com
Wed Jun 18 11:04:00 EDT 2003


It appears, after watching these reports for a while now, that the
default rules do not parse weird long filenames properly.  It detected a
.jpg as a .com, finding a .com in the middle of a file attachment name.
I could probably easily fix this by modifying the source.  One would
want to filter unsafe files more like this: look at the end of the file
name for an extra '.' and see if it's something like .xxx.pif, instead of
searching the name for one of the offending extensions somewhere in the
name.

While my filter is tuned more towards SA and RBL checks, I have not
modified the 'unsafe' attachment section at this time.  

Has anyone else already addressed this issue?  

Kayne 

-----Original Message-----
From: MIMEDefang [mailto:mimedefang at somehost] 
Sent: Tuesday, June 17, 2003 7:50 AM
To: Network Administrator
Subject: MIMEDefang Quarantine Report

An e-mail had 1 part quarantined in the directory
/var/spool/MIMEDefang/qdir-2003-06-17-07.50.05-001 on the mail server.

The sender was '<sender at domain.com>'.

The Sendmail queue identifier was h5HCo1HN009592.

The relay machine was somemx.lsu.edu (xx.xx.xx.xx).

Recipient: <recipient at domain.com>
Subject: FARK.com Comments Thingee (557266)
Date: Tue, 17 Jun 2003 07:50:27 -0500
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_01C334A5.1E1EA980"

----------
Here are the headers for quarantined part 1:
Content-Type: image/jpeg;
	name="FARK.com Comments Thingee (557266).jpg"
Content-Disposition: attachment;
	filename="FARK.com Comments Thingee (557266).jpg"
Content-Transfer-Encoding: base64

----------
Here are the warning details:

An attachment named FARK.com Comments Thingee (557266).jpg was removed
from this document as it
constituted a security hazard.  If you require this document, please
contact
the sender and arrange an alternate means of receiving it.
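
The check proposed in the post, next to a match-anywhere check, as an added example that is not part of the original message and not MIMEDefang's own filter code. The extension list, the function names `match_anywhere` and `match_at_end`, and every sample name except the one from the quarantine report are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed, shortened extension list (assumption, not the filter's real list).
my $bad_exts = '(?:bat|cmd|com|exe|pif|scr|vbs)';

# Stand-in for the behaviour described in the post: a bad extension counts
# wherever it appears in the name, as long as no letter or digit follows it.
sub match_anywhere {
    my ($name) = @_;
    return $name =~ /\.${bad_exts}(?![A-Za-z0-9])/i ? 1 : 0;
}

# Proposed check: only the final extension counts. Trailing spaces and dots
# are stripped first, because Windows ignores them in file names and
# "report.exe." would otherwise slip past an end-anchored pattern.
sub match_at_end {
    my ($name) = @_;
    (my $trimmed = $name) =~ s/[\s.]+\z//;
    return $trimmed =~ /\.${bad_exts}\z/i ? 1 : 0;
}

# First name is the one from the quarantine report; the rest are constructed.
my @samples = (
    'FARK.com Comments Thingee (557266).jpg',
    'holiday.jpg.pif',
    'report.exe.',
    'setup.EXE  ',
    'notes.txt',
);

printf "%-42s %-9s %s\n", 'filename', 'anywhere', 'at end';
for my $name (@samples) {
    printf "%-42s %-9s %s\n", "'$name'",
        match_anywhere($name) ? 'BLOCK' : 'pass',
        match_at_end($name)   ? 'BLOCK' : 'pass';
}
```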




