[Mimedefang] MIME type message/partial

Jan Pieter Cornet johnpc at xs4all.nl
Tue Nov 9 10:11:37 EST 2004


On Tue, Nov 09, 2004 at 09:33:08AM -0500, David F. Skoll wrote:
> >  I need something because mgmt is likely to tell me just not to block
> > and I would like to have some valid reasons as to why they are being
> > blocked.
> 
> Tell mgmt that if they permit message/partial, they might as well throw
> away server-side scanning and turn off their anti-virus software.

Also, there's a call from US-CERT (http://www.kb.cert.org/vuls/id/836088)
to block message/partial specifically because it can circumvent virus
scanning.

And while that's true in theory, there is currently no known virus
(afaik) that exploits a MIME message/partial to evade virus scanners.
(Lots of viruses have fake texts that say "partial message is available"
or something similar, but that's not the same, obviously).

Also, I believe you are reasonably safe as long as you force the first
part of the message/partial to be "big enough". Say, 1MB or larger.

This does provide a few theoretical openings for a virus to slip
through (e.g., sending a large enough zip file, so with the end of the
zipfile missing, it cannot be easily extracted).

However, if you know that internally you are also running virus scanners
on the desktop (and you should do that anyway!), then the virus scanner
might not be 99.99% reliable anymore, but at least it stops the bulk
of the useless email garbage consisting of unwanted executables.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
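
The size rule suggested in the message above (only let a message/partial through when its first fragment is "big enough", 1MB in the post), written out as an added example; it is not part of the original post and not MIMEDefang filter code. The function names, verdict labels and sample addresses are assumptions, and because the post gives no rule for fragments after the first, the example reports those separately.

```python
from email.parser import BytesHeaderParser

MIN_FIRST_FRAGMENT = 1024 * 1024  # "1MB or larger", the size suggested in the post


def classify_partial(raw: bytes, min_first: int = MIN_FIRST_FRAGMENT) -> str:
    """Return a gateway verdict for one received message (labels are hypothetical)."""
    # Header-only parse: the body stays one opaque string, so its length is the
    # size of this fragment exactly as a server-side scanner would receive it.
    msg = BytesHeaderParser().parsebytes(raw)
    if msg.get_content_type() != "message/partial":
        return "not-partial"
    try:
        number = int(msg.get_param("number", ""))
    except (TypeError, ValueError):
        return "reject-malformed"   # RFC 2046 requires a numeric "number"
    if number < 1 or not msg.get_param("id"):
        return "reject-malformed"   # "id" is required as well
    if number > 1:
        return "later-fragment"     # the post states no rule for these
    body_len = len(msg.get_payload())
    return "accept-first" if body_len >= min_first else "reject-small-first"


def make_fragment(number: int, body_len: int) -> bytes:
    """Build a constructed sample fragment (not real traffic)."""
    headers = (
        b"From: sender@example.com\r\n"
        b"To: rcpt@example.com\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: Message/Partial; number=%d; total=3; id="abc@example.com"\r\n'
        b"\r\n"
    ) % number
    return headers + b"A" * body_len


if __name__ == "__main__":
    for label, raw in [
        ("tiny first fragment", make_fragment(1, 2048)),
        ("1 MiB first fragment", make_fragment(1, MIN_FIRST_FRAGMENT)),
        ("second fragment", make_fragment(2, 2048)),
        ("plain mail", b"Subject: hi\r\nContent-Type: text/plain\r\n\r\nhello\r\n"),
    ]:
        print(f"{label}: {classify_partial(raw)}")
```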


