[Mimedefang] MIME Virus Issue?

Chris Masters rotis23 at yahoo.com
Thu Nov 11 09:21:16 EST 2004


Hi All,

We've just had an incident where 2 or more viruses
have got through our scanners. The virus was
W32.Mota.B@mm and was packaged with the following
Content-Type header:

   Content-Type: multipart/mixed; boundary="" 

We're using mimedefang-2.43 and *old*
MIME-tools-5.411a-RP-Patched-02. 

Although the email contained the following zip file,
'filter' was never called.

  Content-Type: application/x-zip-compressed;
      name="jenifer.zip"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment;
      filename="jenifer.zip"

We currently scan the whole message from
'filter_begin' and if positive each entity from
'filter' (for removal/cleaning).

So, the whole message was scanned with 3 virus
scanners but each entity was not scanned because
filter was never called.

So, a couple of questions:

Is this an issue because we're using an old
MIME::Tools?

Could this be a MIME package exploit of some kind?

We have the full intact message in a msg format, but
I'm guessing that this has been reformatted (from the
original raw format of the message as it went through
the scanner) by the Outlook client.

We have other details (logs etc) if this should be
taken off-line.

Thanks for your help on this.

Chris <in a pretty concerned state>
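
Added example, not part of the original post and not MIMEDefang code: a standalone Python check that flags any multipart Content-Type whose boundary parameter is missing or empty, as in the header quoted above, so such a message can be held regardless of whether the MIME parser splits it into entities. The sample message and all function names are constructed for illustration.

```python
import re

# Constructed sample reproducing the headers quoted in the post (not the real message).
SAMPLE = (
    'MIME-Version: 1.0\r\n'
    'Content-Type: multipart/mixed; boundary=""\r\n'
    '\r\n'
    '--\r\n'
    'Content-Type: application/x-zip-compressed;\r\n'
    '\tname="jenifer.zip"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    'Content-Disposition: attachment;\r\n'
    '\tfilename="jenifer.zip"\r\n'
    '\r\n'
    'AAAA\r\n'  # placeholder payload
)

# boundary parameter, quoted or bare; group 2 is the quoted body when quotes are used
BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*("([^"]*)"|[^;\s]*)', re.IGNORECASE)


def content_type_values(raw):
    """Yield each unfolded Content-Type value in the raw text, nested parts included."""
    # Line-based on purpose: it must not depend on the MIME parser being checked.
    unfolded = re.sub(r'\r?\n[ \t]+', ' ', raw)  # RFC 5322 header unfolding
    for line in unfolded.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() == 'content-type':
            yield value.strip()


def boundary_problem(value):
    """Return a reason if a multipart type has no usable boundary, else None."""
    if not value.lower().startswith('multipart/'):
        return None
    m = BOUNDARY_RE.search(value)
    if m is None:
        return 'multipart without boundary parameter'
    boundary = m.group(2) if m.group(2) is not None else m.group(1)
    # RFC 2046 requires a boundary of 1 to 70 characters
    return 'multipart with empty boundary' if not boundary.strip() else None


def malformed_multipart(raw):
    """List the boundary problems found in a raw message (empty list means none)."""
    return [p for p in map(boundary_problem, content_type_values(raw)) if p]
```

Calling `malformed_multipart()` on the raw message text returns a non-empty list when the message should be held for review.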


		