[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Mar 1 09:15:00 EST 2004


Hello,

Lately I found and reported that message_contains_virus() runs the virus
scanner on an empty directory. I collected some mails in which this
occurs:

mimedefang.pl -structure <ENTIRE_MESSAGE
non-leaf: type=multipart/alternative; fname=; disp=inline


The actual contents of ENTIRE_MESSAGE look like this:
===START
Recieved: [snip]
From: " Arroyo" <kckwdemik at msn.com>
To: <<some real reciepients>>
Subject: Boost Your  Car's Gas Mileage 27%+, livingston magnesium disposal yeats
Mime-Version: 1.0
X-Mailer: adjacent illegitimacy
Date: Wed, 18 Feb 2004 00:26:21 -0500
Reply-To: " Arroyo" <kckwdemik at msn.com>
Content-Type: multipart/alternative;
        boundary=""
Message-Id: <YIBJZAV-000 at incomputable>

--
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: gibberish]

--
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: contents]

----

==END


The same applies to this [snipped non-MIME stuff]:

===START
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--ALT--SJFV45206236694260
Message-Id: <BPBCIUV-0005131922168 at attainder>

----ALT--SJFV45206236694260

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: gibberish]

----ALT--SJFV45206236694260

Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: contents]

----ALT--SJFV45206236694260
--

===END

The second message was resent/forwarded by some FreeMail hoster, maybe
this one destroyed the MIME stuff.

The problem is the "unusual" MIME boundary, e.g. if I add the missing
closing quote of the second message, mimedefang.pl -structure correctly
returns:

non-leaf: type=multipart/alternative; fname=; disp=inline
    leaf: type=text/plain; fname=; disp=inline
    leaf: type=text/plain; fname=; disp=inline
    leaf: type=text/plain; fname=; disp=inline

However, my concerns are as follows:

a) The first message containing an empty MIME boundary is split apart
by Pine v4.58 (and I guess other MUAs, too). That means that no attachment
is scanned for viruses by MIMEDefang, but is happily accessible by the
MUA.

b) The second message may not contain such a threat, because the MIME
type is to default to text/plain (because of the preceding empty line),
but what about stupid MUAs? At least many MUAs do attempt HTML display on
text/plain.

===
The behaviour is equal regardless of using the patched MIME::Tools or the
development version:

MIME::Tools                   : Version 6.110
MIME::Words                   : Version 6.107

patched MIME::Tools:
MIME::Tools                   : Version 5.411
MIME::Words                   : Version 5.404

This makes three weaknesses in the MIME::Tools so far.

Bye,

-- 
Steffen Kaiser
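
A pre-scan check for the two cases described in the post, as an added example that is not part of the original message or of MIMEDefang's code: it flags multipart messages whose boundary parameter is missing, empty, unterminated, or never used in the body, so a filter can quarantine them instead of passing a message in which no part was scanned. The function names, defect labels and sample messages are constructed for illustration.

```python
import re

def header_value(raw, name):
    """Return the unfolded value of the first header `name`, or None."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    head = re.sub(r"\r?\n[ \t]+", " ", head)  # unfold continuation lines
    for line in head.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def boundary_problem(raw):
    """Name the boundary defect of a multipart message, or return None."""
    ctype = header_value(raw, "Content-Type") or ""
    if not ctype.lower().startswith("multipart/"):
        return None
    m = re.search(r";\s*boundary\s*=\s*(.*)$", ctype, re.I)
    if not m:
        return "missing-boundary"
    value = m.group(1)
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return "unterminated-quote"   # second message in the post
        value = value[1:end]
    else:
        value = re.split(r"[;\s]", value, maxsplit=1)[0]
    if value == "":
        return "empty-boundary"           # first message in the post
    body = (re.split(r"\r?\n\r?\n", raw, maxsplit=1) + [""])[1]
    delimiters = ("--" + value, "--" + value + "--")
    if not any(l.rstrip() in delimiters for l in body.splitlines()):
        return "boundary-not-in-body"     # declared multipart, zero parts found
    return None

# Constructed samples modelled on the two messages quoted in the post.
HEAD = "Mime-Version: 1.0\nContent-Type: multipart/alternative;\n        boundary="
PART = "Content-Type: text/plain; charset=us-ascii\n\nbody text\n\n"
SAMPLES = {
    "empty": HEAD + '""\n\n--\n' + PART + "----\n",
    "unterminated": HEAD + '"--ALT--X1\n\n----ALT--X1\n' + PART + "----ALT--X1--\n",
    "well-formed": HEAD + '"--ALT--X1"\n\n----ALT--X1\n' + PART + "----ALT--X1--\n",
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(label, "->", boundary_problem(message))
```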


