[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour
David F. Skoll
dfs at roaringpenguin.com
Mon Mar 1 15:49:06 EST 2004
On Mon, 1 Mar 2004, Dirk Mueller wrote:
> Well, either that, or write a less strict MIME parser.
But to do it "securely", you'll have to write a MIME parser that duplicates
the behavior of dozens of different MIME parsers in dozens of different
MUAs. What's dangerous to one might be innocuous to another.
> To me it boils down to this: MIMEDefang offers certain features (like
> stripping html, modifying mime parts, removing them, "defang"ing
> them, etc), and those features don't work on a few corner cases. Some
> of them are important, some of them are not. Note I do offer to
> provide patches, but if the maintainer rejects them before he has
> seen them, the only choice left for me (besides maintaining my own
> package) is to go look somewhere else for something that works.
Please submit patches; I'll look them over.
> > And keep submitting as
> > the malformed-MIME-of-the-day problem is revealed.
> I've not yet strong reason to believe that there are *that* many
> special cases to take care of. Do you?
Yes, I do, based on experience. Canonicalizing the MIME is the only
safe solution.
> No, that's not an analogy. As I explained in my previous mail, the problem is
> not the software itself, it's the user that uses it.
I disagree. Even if I received a shell script or Linux executable, my
mail reader would not permit me to execute it without my taking some
rather deliberate actions. It's a fundamental flaw in the Windows operating
system that permits encoding of metadata (the Unix "x" bit) in filenames.
This fundamental flaw is responsible for MyDoom and friends.
> And that's the main point: We need software that checks for malware
> content and when it can be reasonably sure about it, to react (like
> stripping the part, replacing it with a warning, whatever).
The answer is to canonicalize the MIME, so even if malware gets through,
it's not executable on the target system (just looks like a plain-text mess.)
Regards,
David.
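
Added example, not part of the original message and not MIMEDefang code: a minimal sketch of the canonicalization idea argued for above, using Python's standard `email` package. The sample message, the `canonicalize` and `leaves` helper names, and the filename character whitelist are assumptions made for illustration; the filter parses the input once and delivers a freshly generated message, so every mail reader sees the same regular structure.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Constructed sample: preamble text, odd header case, and an attachment name
# split across RFC 2231 continuation parameters.
RAW = (
    b"From: a@example.org\r\nTo: b@example.org\r\nSubject: report\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="xyz"\r\n\r\n'
    b"preamble text\r\n"
    b"--xyz\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--xyz\r\nCONTENT-TYPE: Application/Octet-Stream\r\n"
    b'Content-Disposition: attachment; filename*0="inv"; filename*1="oice.txt"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n\r\nhello\r\n"
    b"--xyz--\r\n"
)

def canonicalize(raw: bytes) -> bytes:
    """Parse once, then emit a freshly built message in one regular form."""
    src = message_from_bytes(raw)
    out = EmailMessage()
    for name in ("From", "To", "Subject"):
        if src[name] is not None:
            out[name] = " ".join(str(src[name]).split())  # drop header folding
    texts, attachments = [], []
    for part in src.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        fname = part.get_filename()  # collapses RFC 2231 continuations
        if fname is None and part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "ascii"
            try:
                texts.append(data.decode(charset, "replace"))
            except LookupError:  # unknown charset label
                texts.append(data.decode("ascii", "replace"))
        else:
            attachments.append((fname, part.get_content_type(), data))
    out.set_content("\n".join(texts))
    for fname, ctype, data in attachments:
        maintype, subtype = ctype.split("/", 1)
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", fname or "unnamed")
        # Re-encoded as base64 under a plain filename="..." parameter.
        out.add_attachment(data, maintype=maintype, subtype=subtype, filename=safe)
    return out.as_bytes()

def leaves(raw: bytes):
    """(filename, content type, decoded payload) for each non-multipart part."""
    return [(p.get_filename(), p.get_content_type(), p.get_payload(decode=True))
            for p in message_from_bytes(raw).walk() if not p.is_multipart()]
```

Only the regenerated bytes are passed on; the original preamble, boundary string and parameter spelling do not survive the rewrite.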