[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour
Dirk Mueller
dmuell at gmx.net
Mon Mar 1 15:11:33 EST 2004
On Monday 01 March 2004 19:34, David F. Skoll wrote:
> > It seems in the long run we have to get rid of MIMEDefang. That's a shame,
> > since it worked so great in all other aspects.
> Sorry, but comments like that make me upset. If you don't like the
> way MIMEDefang parses MIME messages, then submit patches to the
> maintainers of MIME::tools and Mail::Tools.
Well, either that, or write a less strict MIME parser. To me it boils down to
this: MIMEDefang offers certain features (like stripping html, modifying mime
parts, removing them, "defang"ing them, etc), and those features don't work
on a few corner cases. Some of them are important, some of them are not. Note
I do offer to provide patches, but if the maintainer rejects them before he
has seen them, the only choice left for me (besides maintaining my own
package) is to go look somewhere else for something that works.
> And keep submitting as
> the malformed-MIME-of-the-day problem is revealed.
I've not yet strong reason to believe that there are *that* many special cases
to take care of. Do you?
> Here's an analogy:
No, that's not an analogy. As I explained in my previous mail, the problem is
not the software itself, it's the user that uses it. Hundreds of thousands of
users chose (!) to execute the MyDoom virus when they received the mail about
it. The mail did not contain any MUA exploit, no weird MIME boundary, no
nothing. They just got a mail from a sender address that maybe looked
familiar to them, and then they executed it to see what happens.
And that's the main point: We need software that checks for malware content and
when it can be reasonably sure about it, to react (like stripping the part,
replacing it with a warning, whatever).
Again, it is not about MUA bugs. It is about users who see an attachment and
open it.
The second concern is to get rid of spoofed-recipient bounces. Actually a big
share of "junk" mail we receive are bounces of source-spoofed SPAM and Worm
email. Automatically getting rid of that is another long term goal we have.
Worm bounces were so far easy to handle: they had the worm itself somewhere
in the mail (or at least parts of it).
It's not so easy to use bayes/SA to filter worm bounces anymore, since a great
share of those internet worms don't provide a big text payload which SA could
be trained for. The recent worms just say "test" or "your password" as body,
and you don't really want to filter on that, since then people would complain
why their test mails don't come through.
> Patching MIME::tools to "handle" malformed MIME is the first
> programmer's approach.
> Which do you suppose I advocate as the long-term solution? :-)
I don't know, tell me. Getting rid of email? :)