[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour

Dirk Mueller dmuell at gmx.net
Mon Mar 1 13:11:39 EST 2004


On Monday 01 March 2004 17:46, Richard Laager wrote:

> Is there any harm in doing this? Does it take a lot of CPU? 

Probably.

> Will it break digital signatures? 

Yes. Some digital signatures expect unmodified MIME headers.

> It sounds like a good idea, but I'm afraid 
> of potential downsides.

The most important downside is that malware content will still slip through to 
the user. The user might then still be able to decode the viral content and 
run it. 

Our problem is not so much that some malformed MIME exploits the MUA, but more 
protecting the user from their own stupidity by running an attachment. See 
MyDoom: it was one of the worst virus floods in the last few months, and it 
worked all by itself because people who received the worm email thought that 
there was something worth executing in the attachment. And it only stopped
because the worm author was nice enough to build in an expiry date.

I'm afraid the unconditional rebuilding of the MIME parts will break a lot of 
legitimate mail. I've tried doing that for about a day, and then got so many 
complaints about totally garbled legitimate mail (like newsletters) that I had
to stop doing it again. 

It seems in the long run we have to get rid of MIMEDefang. That's a shame,
since it worked so great in all other aspects. 


Dirk
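
The signature point in the reply above, as an added example that is not part of the original post and not MIMEDefang code: a detached signature covers the exact bytes of the signed MIME entity, headers included, so re-emitting the part changes the hash even though the decoded attachment is identical. The Python `rebuild()` step, the SHA-256 stand-in for the signed digest, and the sample entity are assumptions constructed for illustration.

```python
import base64
import hashlib
from email import message_from_bytes
from email.mime.application import MIMEApplication

# Constructed sample: one MIME entity as a sender's client might emit it
# (lower-case header names, folded Content-Type, base64 wrapped at 60 columns).
PAYLOAD = bytes(range(256)) * 2
_b64 = base64.b64encode(PAYLOAD)
ORIGINAL = (
    b'content-type: application/octet-stream;\r\n\tname="report.bin"\r\n'
    b"content-transfer-encoding: base64\r\n\r\n"
    + b"\r\n".join(_b64[i:i + 60] for i in range(0, len(_b64), 60))
    + b"\r\n"
)


def canonical(raw: bytes) -> bytes:
    """Normalise line endings to CRLF so only real content changes count."""
    return raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def signed_digest(raw: bytes) -> str:
    """Stand-in for the hash a detached signature is computed over."""
    return hashlib.sha256(canonical(raw)).hexdigest()


def rebuild(raw: bytes) -> bytes:
    """Decode the entity and re-emit it from scratch (hypothetical rebuild step)."""
    part = message_from_bytes(raw)
    fresh = MIMEApplication(
        part.get_payload(decode=True),
        _subtype=part.get_content_subtype(),
        name=part.get_filename(),
    )
    return fresh.as_bytes()


def compare(raw: bytes) -> dict:
    """Report whether a rebuild keeps the attachment and the signed bytes."""
    rebuilt = rebuild(raw)
    return {
        "same_content": message_from_bytes(rebuilt).get_payload(decode=True)
        == message_from_bytes(raw).get_payload(decode=True),
        "same_digest": signed_digest(rebuilt) == signed_digest(raw),
    }


if __name__ == "__main__":
    print(compare(ORIGINAL))
```
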


