[Mimedefang] Virus/MIME Issue
David F. Skoll
dfs at roaringpenguin.com
Mon Apr 18 09:12:15 EDT 2005
Chris Masters wrote:
> So is it true to say that virus scanning on a per
> entity basis does not maximise virus detection safety?
> Should we always use MIME::Tools (via filter) *and*
> the virus scanner's own mime decoding functionality
> (via filter_begin for example) for each mail?
No. The safest way is illustrated in the example filter. Do your
scanning in filter_end, but call md_copy_orig_msg_to_work_dir_as_mbox_file()
before invoking the virus scanner.
> It looks as though the mail was a legitimate bounce
> that possibly contained (within the body) the encoded
> original infected mail - based on the subject and the
> size in logs.
qmail is notorious for bouncing MIME messages as a big text/plain part
containing (among other things) the original raw MIME message. MIME::Tools
will *not* decode this, and neither should any mail clients, but you never
know if an MUA author is going to decide to be "clever" and decode
qmail bounces.
> Even so, the scanners should surely pick
> it up or does this render the virus harmless?
It should render the virus harmless, but the good people who bring
you M$ Outlook are well-known for snatching defeat from the jaws of
victory when it comes to security.
> I know that some virus scanners will (wrongly I think) fail to
> detect a virus if it's renamed as a txt file because it cannot be
> executed.
This is not the case with MIMEDefang and ClamAV.
Regards,
David.
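
The difference discussed in this thread, as an added example that is not part of the original post or of MIMEDefang: a qmail-style bounce carries the raw original message inside one text/plain part, so a per-entity scan sees only undecoded base64, while a scanner handed the whole message and applying its own decoding finds the content. Assumptions: Python's `email` package stands in for MIME::Tools, `whole_message_scan` is a toy stand-in for a scanner's own decoder, and the marker, addresses and messages are constructed.

```python
import base64
import binascii
import email
import re

# Constructed stand-in for a scanner signature; not real malware data.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"

def original_message() -> str:
    """A normal MIME message carrying the marker in a base64 attachment."""
    b64 = base64.b64encode(b"harmless bytes " + MARKER).decode()
    return ("From: sender@example.org\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="inner"\n\n'
            "--inner\n"
            'Content-Type: application/octet-stream; name="a.bin"\n'
            "Content-Transfer-Encoding: base64\n\n"
            f"{b64}\n"
            "--inner--\n")

def qmail_style_bounce() -> bytes:
    """One text/plain body that quotes the raw original message verbatim."""
    return ("From: MAILER-DAEMON@mx.example.net\n"
            "Subject: failure notice\n"
            "Content-Type: text/plain\n\n"
            "Hi. This is the qmail-send program at mx.example.net.\n"
            "--- Below this line is a copy of the message.\n\n"
            + original_message()).encode()

def per_entity_scan(raw: bytes) -> bool:
    """Scan each decoded leaf entity, as a per-part filter would."""
    msg = email.message_from_bytes(raw)
    return any(MARKER in (part.get_payload(decode=True) or b"")
               for part in msg.walk() if not part.is_multipart())

def whole_message_scan(raw: bytes) -> bool:
    """Toy scanner with its own decoder: try every base64-looking line."""
    for line in re.findall(rb"^[A-Za-z0-9+/]{16,}={0,2}$", raw, re.MULTILINE):
        try:
            if MARKER in base64.b64decode(line, validate=True):
                return True
        except binascii.Error:
            continue  # looked like base64 but was not
    return False

if __name__ == "__main__":
    bounce = qmail_style_bounce()
    print("direct, per entity:", per_entity_scan(original_message().encode()))
    print("bounce, per entity:", per_entity_scan(bounce))
    print("bounce, whole file:", whole_message_scan(bounce))
```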