[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour

Dirk Mueller dmuell at gmx.net
Mon Mar 1 15:11:33 EST 2004


On Monday 01 March 2004 19:34, David F. Skoll wrote:


> > It seems in the long run we have to get rid of MIMEDefang. That's a shame,
> > since it worked so great in all other aspects.
> Sorry, but comments like that make me upset.  If you don't like the
> way MIMEDefang parses MIME messages, then submit patches to the
> maintainers of MIME::tools and Mail::Tools.

Well, either that, or write a less strict MIME parser. To me it boils down to 
this: MIMEDefang offers certain features (like stripping html, modifying mime 
parts, removing them, "defang"ing them, etc), and those features don't work 
on a few corner cases. Some of them are important, some of them are not. Note 
I do offer to provide patches, but if the maintainer rejects them before he 
has seen them, the only choice left for me (besides maintaining my own 
package) is to go look somewhere else for something that works. 

> And keep submitting as 
> the malformed-MIME-of-the-day problem is revealed.

I've not yet strong reason to believe that there are *that* many special cases 
to take care of. Do you? 

> Here's an analogy:

No, that's not an analogy. As I explained in my previous mail, the problem is 
not the software itself, it's the user that uses it. Hundreds of thousands of 
users chose (!) to execute the MyDoom virus when they received the mail about 
it. The mail did not contain any MUA exploit, no weird MIME boundary, no 
nothing. They just got a mail from a sender address that maybe looked 
familiar to them, and then they executed it to see what happens. 

And that's the main point: We need software that checks for malware content and 
when it can be reasonably sure about it, to react (like stripping the part, 
replacing it with a warning, whatever). 

Again, it is not about MUA bugs. It is about users who see an attachment and 
open it. 

The second concern is to get rid of spoofed-recipient bounces. Actually a big 
share of "junk" mail we receive are bounces of source-spoofed SPAM and Worm 
email. Automatically getting rid of that is another long term goal we have. 
Worm bounces were so far easy to handle: they had the worm itself somewhere 
in the mail (or at least parts of it). 

It's not so easy to use bayes/SA to filter worm bounces anymore, since a great 
share of those internet worms don't provide a big text payload which SA could 
be trained for. The recent worms just say "test" or "your password" as body, 
and you don't really want to filter on that, since then people would complain 
why their test mails don't come through. 

> Patching MIME::tools to "handle" malformed MIME is the first
> programmer's approach.

> Which do you suppose I advocate as the long-term solution? :-)

I don't know, tell me. Getting rid of email? :)


