[Mimedefang] Executable not caught

Wed Sep 29 15:26:08 EDT 2004

On Wed, 29 Sep 2004, Joseph Brennan wrote:

> http://www.columbia.edu/~brennan/virusmail.txt

If you feed that to mimedefang.pl -structure, you get:

$ mimedefang.pl -structure < virusmail.txt
non-leaf: type=multipart/digest; fname=; disp=inline
    leaf: type=text/plain; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12313.ezm; disp=inline
        leaf: type=text/plain; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12323.ezm; disp=inline
        leaf: type=text/plain; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12345.ezm; disp=inline
        leaf: type=text/plain; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12346.ezm; disp=inline
        leaf: type=text/plain; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12348.ezm; disp=inline
        leaf: type=text/plain; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12489.ezm; disp=inline
        non-leaf: type=multipart/alternative; fname=; disp=inline
            leaf: type=text/plain; fname=; disp=inline
            leaf: type=text/html; fname=; disp=inline
    non-leaf: type=message/rfc822; fname=vim_12507.ezm; disp=inline
        leaf: type=text/plain; fname=; disp=inline

> A few mime parts down, see an executable attachment called
> message.scr.

The "attachment" is just plain text shoved as-is into the first
text/plain part.  It isn't even seen by MIMEDefang, nor should it
be seen or decoded by a correctly-written MUA.

That's not to say a stupid MUA won't try to extract it...

Regards,

David.