[Mimedefang] Viruses getting in via undeliverables

David F. Skoll dfs at roaringpenguin.com
Fri Jan 30 10:02:57 EST 2004


On Fri, 30 Jan 2004, tyler wrote:

> We are starting to see the MyDoom virus come in via email and getting
> past our MIMEDefang set up that has anti-virus watching it.  After
> researching this, the viruses are coming in through undeliverable messages.

The undeliverable messages are malformed MIME, and that's confusing
MIME::Tools.  I really don't know how to work around this.

Normally, MIMEDefang recurses into nested messages, unpacking their parts.

However, these headers confuse it:

> ?thread-index: AcPmmaSezSHsAorOTie11QZjrk5JJg==
> Received: from roadway.com ([141.156.107.78]) by padron.exectravel.com with
> Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Jan 2004 13:56:45 -0500

Notice the lack of leading whitespace on the last line?  That's illegal!

After I edited your example a bit (see below), it parsed correctly:

$ mimedefang.pl -structure < nested.txt
non-leaf: type=multipart/report; fname=; disp=inline
    leaf: type=text/plain; fname=; disp=inline
    leaf: type=message/delivery-status; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=; disp=inline
        non-leaf: type=multipart/mixed; fname=; disp=inline
            leaf: type=text/plain; fname=; disp=inline
            leaf: type=application/octet-stream; fname=body.zip; disp=attachment
            leaf: type=application/octet-stream; fname=body.zip; disp=attachment

Regards,

David.

From: "System Administrator" <administrator at exectravel.com>
Sender: "System Administrator" <postmaster at exectravel.com>
To: <bob.kadinkin at roadway.com>
Subject: Undeliverable: HI
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=delivery-status;
    boundary="----=_NextPart_000_15937E_01C3E66F.BC38C020"
Content-Class: urn:content-classes:dsn
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <PADRON5Jow4CkawxSkj0000e0bf at padron.exectravel.com>
X-OriginalArrivalTime: 29 Jan 2004 18:56:47.0354 (UTC)
FILETIME=[A54345A0:01C3E699]
Date: 29 Jan 2004 13:56:47 -0500
X-Scanned-By: MIMEDefang 2.39

This is a multi-part message in MIME format.

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit

------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/rfc822

From: <bob.kadinkin at roadway.com>
To: <vt at exectravel.com>
Subject: HI
Date: Thu, 29 Jan 2004 13:56:45 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_5934E0B6.8C76B4B9"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <tyler.hudak at roadway.com>
Message-ID: <PADRONYdOiQ4rYnevYJ0000e0bd at padron.exectravel.com>
X-OriginalArrivalTime: 29 Jan 2004 18:56:45.0541 (UTC)
FILETIME=[A42EA150:01C3E699]

This is a multi-part message in MIME format.

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by
taomap.ago.roadway.com id i0TIvkqt011899

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
    name="body.zip"
Content-Disposition: attachment;
    filename="body.zip"
Content-Transfer-Encoding: base64

------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
    name="body.zip"
Content-Disposition: attachment;
    filename="body.zip"
Content-Transfer-Encoding: base64

------=_NextPart_000_0006_5934E0B6.8C76B4B9--

------=_NextPart_000_15937E_01C3E66F.BC38C020--
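
The check described in the post (a header continuation line with no leading whitespace), as an added Python example that is not part of the original message and is not MIMEDefang or MIME::Tools code. It walks every header block in a message, including the headers of an embedded message/rfc822 part, and reports lines that are neither a field start nor a continuation, so a filter can tell when the parser's view of the structure may be incomplete. The function name, the OUTER/INNER boundaries and the example.com address are assumptions made for the illustration.

```python
import re

FIELD_START = re.compile(r'^[\x21-\x39\x3b-\x7e]+:')   # field name, then colon
BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.I)
RFC822 = re.compile(r'^content-type:\s*message/rfc822', re.I)

def illegal_header_lines(raw):
    """Return [(line_no, text)] for lines in any header block that are neither
    a field start nor a continuation line beginning with a space or tab."""
    bad, boundaries = [], set()
    in_headers, embedded = True, False
    for no, line in enumerate(raw.splitlines(), 1):
        if not in_headers:
            # In a body: only a declared boundary delimiter opens new headers.
            in_headers = line.startswith('--') and line[2:] in boundaries
            continue
        if line == '':
            # After a message/rfc822 part header, the embedded headers follow.
            in_headers, embedded = embedded, False
            continue
        m = BOUNDARY.search(line)
        if m:
            boundaries.add(m.group(1))
        if RFC822.match(line):
            embedded = True
        if line[0] not in ' \t' and not FIELD_START.match(line):
            bad.append((no, line))
    return bad

# Constructed sample: a cut-down bounce. Lines 8-9 are the Received header
# quoted in the post, with the continuation line missing its leading whitespace.
SAMPLE = "\n".join([
    'From: postmaster@example.com',
    'Content-Type: multipart/report; report-type=delivery-status;',
    '    boundary="OUTER"',
    '',
    '--OUTER',
    'Content-Type: message/rfc822',
    '',
    'Received: from roadway.com ([141.156.107.78]) by padron.exectravel.com with',
    'Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Jan 2004 13:56:45 -0500',
    'Content-Type: multipart/mixed; boundary="INNER"',
    '',
    '--INNER',
    'Content-Type: application/octet-stream; name="body.zip"',
    '',
    '--INNER--',
    '--OUTER--',
])
```

Calling illegal_header_lines(SAMPLE) reports line 9; with the leading whitespace restored on that line the result is an empty list.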


