[Mimedefang] Viruses getting in via undeliverables
David F. Skoll
dfs at roaringpenguin.com
Fri Jan 30 10:02:57 EST 2004
On Fri, 30 Jan 2004, tyler wrote:

> We are starting to see the MyDoom virus come in via email and getting
> past our MIMEDefang set up that has anti-virus watching it. After
> researching this, the viruses are coming in through undeliverable messages.

The undeliverable messages are malformed MIME, and that's confusing
MIME::Tools. I really don't know how to work around this.

Normally, MIMEDefang recurses into nested messages, unpacking their parts.
However, these headers confuse it:

> ?thread-index: AcPmmaSezSHsAorOTie11QZjrk5JJg==
> Received: from roadway.com ([141.156.107.78]) by padron.exectravel.com with
> Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Jan 2004 13:56:45 -0500

Notice the lack of leading whitespace on the last line? That's illegal!

After I edited your example a bit (see below), it parsed correctly:

$ mimedefang.pl -structure < nested.txt
non-leaf: type=multipart/report; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
leaf: type=message/delivery-status; fname=; disp=inline
non-leaf: type=message/rfc822; fname=; disp=inline
non-leaf: type=multipart/mixed; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
leaf: type=application/octet-stream; fname=body.zip; disp=attachment
leaf: type=application/octet-stream; fname=body.zip; disp=attachment
Regards,
David.
From: "System Administrator" <administrator at exectravel.com>
Sender: "System Administrator" <postmaster at exectravel.com>
To: <bob.kadinkin at roadway.com>
Subject: Undeliverable: HI
MIME-Version: 1.0
Content-Type: multipart/report;
report-type=delivery-status;
boundary="----=_NextPart_000_15937E_01C3E66F.BC38C020"
Content-Class: urn:content-classes:dsn
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <PADRON5Jow4CkawxSkj0000e0bf at padron.exectravel.com>
X-OriginalArrivalTime: 29 Jan 2004 18:56:47.0354 (UTC)
FILETIME=[A54345A0:01C3E699]
Date: 29 Jan 2004 13:56:47 -0500
X-Scanned-By: MIMEDefang 2.39
This is a multi-part message in MIME format.
------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/delivery-status
Content-Transfer-Encoding: 7bit
------=_NextPart_000_15937E_01C3E66F.BC38C020
Content-Type: message/rfc822
From: <bob.kadinkin at roadway.com>
To: <vt at exectravel.com>
Subject: HI
Date: Thu, 29 Jan 2004 13:56:45 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_5934E0B6.8C76B4B9"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <tyler.hudak at roadway.com>
Message-ID: <PADRONYdOiQ4rYnevYJ0000e0bd at padron.exectravel.com>
X-OriginalArrivalTime: 29 Jan 2004 18:56:45.0541 (UTC)
FILETIME=[A42EA150:01C3E699]
This is a multi-part message in MIME format.
------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by
taomap.ago.roadway.com id i0TIvkqt011899
------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
name="body.zip"
Content-Disposition: attachment;
filename="body.zip"
Content-Transfer-Encoding: base64
------=_NextPart_000_0006_5934E0B6.8C76B4B9
Content-Type: application/octet-stream;
name="body.zip"
Content-Disposition: attachment;
filename="body.zip"
Content-Transfer-Encoding: base64
------=_NextPart_000_0006_5934E0B6.8C76B4B9--
------=_NextPart_000_15937E_01C3E66F.BC38C020--
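
Added example (not part of the original post, and not MIMEDefang or MIME::Tools code): a Python check for the defect described above, a header continuation line with no leading whitespace inside a nested message/rfc822 part, so a filter can flag such a message instead of trusting the parsed structure. The names find_unfolded_header_lines and SAMPLE are hypothetical, and the sample message is constructed, modelled on the quoted Received header.

```python
import re

# A header field starts with a name (printable ASCII, no colon or space) and ':'.
FIELD_START = re.compile(r'^[\x21-\x39\x3b-\x7e]+[ \t]*:')
BOUNDARY = re.compile(r'boundary="?([^";\s]+)', re.I)
RFC822 = re.compile(r'^content-type:\s*message/rfc822', re.I)

def find_unfolded_header_lines(raw):
    """Return (line_number, text) for each line inside a header block that is
    neither a new field nor a continuation starting with a space or tab."""
    bad, delimiters = [], set()
    in_headers, nested_next = True, False
    for num, line in enumerate(raw.splitlines(), 1):
        if in_headers:
            if line == '':
                # Blank line ends the block; after a message/rfc822 part the
                # enclosed message's own headers follow immediately.
                in_headers, nested_next = nested_next, False
                continue
            m = BOUNDARY.search(line)
            if m:
                delimiters.add('--' + m.group(1))
            if RFC822.match(line):
                nested_next = True
            if line[0] not in ' \t' and not FIELD_START.match(line):
                bad.append((num, line))
        elif line.rstrip() in delimiters:
            in_headers = True  # part delimiter: part headers come next
    return bad

# Constructed sample: a bounce wrapping a message whose Received header
# continues on a line with no leading whitespace (line 8 of the sample).
SAMPLE = "\n".join([
    'Content-Type: multipart/report;',
    '\tboundary="outer"',
    '',
    '--outer',
    'Content-Type: message/rfc822',
    '',
    'Received: from sender.example ([192.0.2.78]) by mx.example.com with',
    'Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Jan 2004 13:56:45 -0500',
    'Subject: HI',
    '',
    'Microsoft SMTPSVC appears in this body line too.',
    '--outer--',
])

if __name__ == '__main__':
    print(find_unfolded_header_lines(SAMPLE))
```

The same text in a body line is not flagged; only lines inside a header block are checked.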