[Mimedefang] Virus/MIME Issue

David F. Skoll dfs at roaringpenguin.com
Mon Apr 18 09:12:15 EDT 2005


Chris Masters wrote:

> So is it true to say that virus scanning on a per
> entity basis does not maximise virus detection safety?
> Should we always use MIME::Tools (via filter) *and*
> the virus scanner's own MIME decoding functionality
> (via filter_begin for example) for each mail?

No.  The safest way is illustrated in the example filter.  Do your
scanning in filter_end, but call md_copy_orig_msg_to_work_dir_as_mbox_file()
before invoking the virus scanner.

> It looks as though the mail was a legitimate bounce
> that possibly contained (within the body) the encoded
> original infected mail - based on the subject and the
> size in logs.

qmail is notorious for bouncing MIME messages as a big text/plain part
containing (among other things) the original raw MIME message.  MIME::Tools
will *not* decode this, and neither should any mail clients, but you never
know if an MUA author is going to decide to be "clever" and decode
qmail bounces.

> Even so, the scanners should surely pick
> it up or does this render the virus harmless?

It should render the virus harmless, but the good people who bring
you M$ Outlook are well-known for snatching defeat from the jaws of
victory when it comes to security.

> I know that some virus scanners will (wrongly I think) fail to
> detect a virus if it's renamed as a txt file because it cannot be
> executed.

This is not the case with MIMEDefang and ClamAV.

Regards,

David.
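
The gap discussed in this message, as an added example that is not part of the original post and is not MIMEDefang code: a MIME-aware per-entity scan of a qmail-style bounce sees one text/plain leaf with the original still base64-encoded, while a scanner handed the raw message and using its own decoder can reach the embedded copy. It is written in Python as a toy model; the marker string, sample messages and function names are constructed for illustration.

```python
import base64
from email import message_from_string

# Harmless constructed marker standing in for a scanner signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

# Constructed original message: the marker travels as a base64 attachment.
ORIGINAL = (
    "From: sender@example.com\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attachment\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(SIGNATURE).decode() + "\n"
    "--b1--\n"
)

# Constructed bounce modelled on qmail: raw original pasted into one text/plain body.
BOUNCE_MARKER = "--- Below this line is a copy of the message.\n\n"
BOUNCE = (
    "From: MAILER-DAEMON@example.net\n"
    "Subject: failure notice\n"
    "Content-Type: text/plain\n"
    "\n"
    "Hi. This is the qmail-send program.\n"
    + BOUNCE_MARKER + ORIGINAL
)

def leaf_payloads(raw):
    """Decoded bodies of the leaf entities a standards-following MIME parser yields."""
    msg = message_from_string(raw)
    return [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]

def per_entity_hit(raw):
    """Per-entity scan: look for the signature in each decoded leaf."""
    return any(SIGNATURE in body for body in leaf_payloads(raw))

def whole_message_hit(raw):
    """Model of a scanner given the raw message that also decodes an embedded copy."""
    _, found, embedded = raw.partition(BOUNCE_MARKER)
    return per_entity_hit(raw) or (bool(found) and per_entity_hit(embedded))
```

Here `per_entity_hit(BOUNCE)` is false while `whole_message_hit(BOUNCE)` is true, which is the difference between scanning decoded entities only and also giving the scanner the original message.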


