[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour
Steffen Kaiser
skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Mar 1 09:15:00 EST 2004
Hello,
Lately I found and reported that message_contains_virus() runs the virus
scanner on an empty directory. I collected some mails showing in which cases
this occurs:
mimedefang.pl -structure <ENTIRE_MESSAGE
non-leaf: type=multipart/alternative; fname=; disp=inline
The actual contents of ENTIRE_MESSAGE look like so:
===START
Recieved: [snip]
From: " Arroyo" <kckwdemik at msn.com>
To: <<some real reciepients>>
Subject: Boost Your Car's Gas Mileage 27%+, livingston magnesium disposal yeats
Mime-Version: 1.0
X-Mailer: adjacent illegitimacy
Date: Wed, 18 Feb 2004 00:26:21 -0500
Reply-To: " Arroyo" <kckwdemik at msn.com>
Content-Type: multipart/alternative;
boundary=""
Message-Id: <YIBJZAV-000 at incomputable>
--
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
[snip: gibberish]
--
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
[snip: contents]
----
==END
The same applies to this [snipped non-MIME stuff]:
===START
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--ALT--SJFV45206236694260
Message-Id: <BPBCIUV-0005131922168 at attainder>
----ALT--SJFV45206236694260
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
[snip: gibberish]
----ALT--SJFV45206236694260
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
[snip: contents]
----ALT--SJFV45206236694260
--
===END
The second message was resent/forwarded by some FreeMail hoster, maybe
this one destroyed the MIME stuff.
The problem is the "unusual" MIME boundary, e.g. if I add the missing
closing quote of the second message, mimedefang.pl -structure correctly
returns:
non-leaf: type=multipart/alternative; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
However, my concerns are as follows:
a) The first message containing an empty MIME boundary is split apart
by Pine v4.58 (and I guess other MUAs, too). That means that no attachment
is scanned for viruses by MIMEDefang, but is happily accessible by the
MUA.
b) The second message may not contain such a threat, because the MIME
type is to default to text/plain (because of the preceding empty line),
but what about stupid MUAs? At least many MUAs do attempt HTML display on
text/plain.
===
The behaviour is equal regardless of using the patched MIME::Tools or the
development version:
MIME::Tools : Version 6.110
MIME::Words : Version 6.107
patched MIME::Tools:
MIME::Tools : Version 5.411
MIME::Words : Version 5.404
This makes three weaknesses in the MIME::Tools so far.
Bye,
--
Steffen Kaiser
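
Added example, not part of the original post and not MIMEDefang or MIME::Tools code: a stand-alone Python pre-check for the two boundary defects shown above (an empty boundary="" and a missing closing quote), so that a filter can treat such mail as unscanned instead of trusting a virus scan over an empty directory. The function names and the sample messages are constructed for illustration; the 70-character limit is the boundary length limit from RFC 2046.

```python
import re

def check_multipart_boundary(raw: str) -> str:
    """Return 'ok', 'not-multipart', or the reason the boundary is unusable."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)          # unfold continuation lines
    m = re.search(r"^content-type:[ \t]*(.*)$", head, re.I | re.M)
    if not m or not m.group(1).lower().startswith("multipart/"):
        return "not-multipart"
    p = re.search(r";\s*boundary\s*=\s*(.*)", m.group(1), re.I)
    if not p:
        return "missing-boundary"
    param = p.group(1).strip()
    if param.startswith('"'):
        q = re.match(r'"((?:[^"\\]|\\.)*)"', param)
        if not q:                                  # second message in the post
            return "unterminated-quote"
        boundary = q.group(1)
    else:
        boundary = param.split(";")[0].strip()
    if boundary == "":                             # first message in the post
        return "empty-boundary"
    if len(boundary) > 70:
        return "boundary-too-long"
    # A usable boundary must occur as a delimiter line in the body.
    if "--" + boundary not in [ln.rstrip() for ln in body.split("\n")]:
        return "delimiter-not-in-body"
    return "ok"

def must_fail_closed(raw: str) -> bool:
    """True when a multipart message cannot be split reliably, so a clean
    scan result over its (possibly empty) extracted parts proves nothing."""
    return check_multipart_boundary(raw) not in ("ok", "not-multipart")

# Constructed samples modelled on the two messages quoted in the post.
HDR = "Mime-Version: 1.0\nContent-Type: multipart/alternative;\n\tboundary="
PART = "Content-Type: text/plain\n\nhello\n"
EMPTY = HDR + '""\n\n--\n' + PART + "----\n"
UNTERMINATED = (HDR + '"--ALT--X1\nMessage-Id: <constructed@example.invalid>\n\n'
                + "----ALT--X1\n" + PART + "----ALT--X1--\n")
REPAIRED = UNTERMINATED.replace('X1\nMessage', 'X1"\nMessage')

if __name__ == "__main__":
    for name, msg in (("empty", EMPTY), ("unterminated", UNTERMINATED),
                      ("repaired", REPAIRED)):
        print(name, check_multipart_boundary(msg), must_fail_closed(msg))
```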