[Mimedefang] survey: dropping password protected file

Cormack, Ken kcormack at acs.roadway.com
Wed Mar 3 16:36:12 EST 2004


> We just went through the same thing and have told people we will be
> dropping zip files until we work out a sane way of 'scanning' ones that
> are bad. Of course the .zip item is already being deprecated by the .txt
> virii that tell the user in the email to rename the .txt to .zip and
> open it up and then run the application for security reasons.

Something like the following would probably serve as a basis for inspecting
"the magic" of a zip archive, regardless of filename extension.  This
particular example looks to see if the first 2 bytes are "MZ", but this
could be changed to look for "PK", instead...

# Reject Microsoft executables, regardless of extension, by
# identifying their magic.  Call from filter() with the MIME entity,
# e.g. Reject_MS_Executables($entity); the original posting omitted
# the sub's braces and its argument, and mixed up [ and { in a few places.
sub Reject_MS_Executables {
  my ($entity) = @_;
  if (defined $entity->bodyhandle) {
    my $path = $entity->bodyhandle->path;
    if ($path) {
      if (open my $fh, '<', $path) {
        binmode $fh;                      # magic bytes are binary, not text
        my $file_data;
        my $read_chars = read $fh, $file_data, 1024;
        close $fh;
        if (defined $read_chars && $read_chars >= 2) {
          if (substr($file_data, 0, 2) eq 'MZ') {
            md_graphdefang_log('MS_Magic');
            action_bounce('Microsoft Executables are not accepted here',
                          '550', '5.7.0');
            return;
          }
        }
      }
    }
  }
}


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
    Open Systems Group
Sr. Software Analyst,
    TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown
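The following is an added, stand-alone illustration of the idea in the thread above (content-based inspection that ignores the filename extension), written in Python for readability; it is not MIMEDefang code, which would be a Perl filter like the one posted. It sniffs the "MZ" and "PK" magic, and for ZIP archives walks the central directory with the standard zipfile module to find password-protected members (bit 0 of the general-purpose flag, per the PKWARE APPNOTE), executable member names, and members whose own first bytes are "MZ". The sample attachments, the hypothetical EXEC_EXTS list and the verdict strings are constructed for the example; since the standard library cannot write encrypted archives, the builder only sets the encryption flag on an otherwise plain stored ZIP, which is enough to exercise the detector.

```python
"""Content-based attachment triage, independent of the filename extension.

Added illustration for the MIMEDefang thread; not MIMEDefang's own code.
All sample attachments below are constructed in-line."""
import io
import struct
import zipfile
import zlib

PE_MAGIC = b"MZ"                     # DOS/PE executables start with "MZ"
ZIP_MAGICS = (b"PK\x03\x04",         # local file header (normal archive)
              b"PK\x05\x06",         # end-of-central-directory (empty archive)
              b"PK\x07\x08")         # spanned archive marker
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")  # assumed policy
ENCRYPTED_FLAG = 0x1                 # general-purpose flag bit 0 = member is encrypted

def sniff(data):
    """Classify a blob by its leading bytes; the filename is deliberately ignored."""
    if data[:2] == PE_MAGIC:
        return "ms-executable"
    if data[:4] in ZIP_MAGICS:
        return "zip"
    return "other"

def inspect_zip(data):
    """Walk the central directory of a ZIP blob and report what a mail gateway
    cares about: encrypted members, executable names, and members whose own
    first bytes are "MZ" (an .exe renamed to .txt inside the archive)."""
    findings = {"encrypted": [], "exec_names": [], "embedded_mz": [], "corrupt": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["corrupt"] = True
        return findings
    with zf:
        for zi in zf.infolist():
            name = zi.filename
            encrypted = bool(zi.flag_bits & ENCRYPTED_FLAG)
            if encrypted:
                findings["encrypted"].append(name)
            if name.lower().endswith(EXEC_EXTS):
                findings["exec_names"].append(name)
            if not encrypted and not zi.is_dir():
                with zf.open(zi) as member:     # cannot peek into encrypted members
                    if member.read(2) == PE_MAGIC:
                        findings["embedded_mz"].append(name)
    return findings

def verdict(data):
    """Policy decision for one attachment body (verdict strings are constructed)."""
    kind = sniff(data)
    if kind == "ms-executable":
        return "reject: MS executable"
    if kind == "zip":
        f = inspect_zip(data)
        if f["corrupt"]:
            return "reject: unreadable zip"
        if f["encrypted"]:
            return "reject: password-protected zip"
        if f["embedded_mz"] or f["exec_names"]:
            return "reject: zip contains executable"
    return "accept"

def build_zip(members, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP from (name, payload) pairs.
    With encrypted=True only the flag bit is set; the payload is not actually
    enciphered.  Constructed test data, not a real archive writer."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central = b"", b""
    for name, payload in members:
        nb = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        # local file header: sig, version, flags, method, time, date, crc, sizes, name/extra len
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                             crc, len(payload), len(payload), len(nb), 0) + nb + payload
        # central directory header: same fields plus comment/disk/attrs and local offset
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                               0, 0, 0, crc, len(payload), len(payload), len(nb),
                               0, 0, 0, 0, 0, offset) + nb
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return local + central + eocd

# Constructed sample attachments (not real mail).  "photos.txt" is the
# renamed-.txt trick from the quoted message: a ZIP with a .txt name.
SAMPLES = {
    "setup.exe":     b"MZ\x90\x00" + b"\x00" * 60,
    "readme.txt":    b"just a text file\n",
    "archive.zip":   build_zip([("notes.txt", b"meeting notes\n")]),
    "photos.txt":    build_zip([("invoice.txt", b"MZ\x90\x00" + b"\x00" * 60)]),
    "protected.zip": build_zip([("payload.exe", b"MZ\x90\x00")], encrypted=True),
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(f"{fname:15} {sniff(body):14} {verdict(body)}")
```

Two caveats a gateway operator would want: an encrypted member cannot be inspected at all, so the only defensible choices are to reject the archive or to quarantine it for a human, and the two-byte "MZ" test matches any DOS or PE image, which is the intended behaviour for a mail gateway but means it cannot tell a driver from a screensaver.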
