[Mimedefang] Zip --> Zip --> PIF

Arthur Corliss corliss at digitalmages.com
Fri Feb 18 19:11:06 EST 2005

On Fri, 18 Feb 2005, David Eisner wrote:

> I'm not suggesting the behavior of Mimedefang is wrong, I just want to
> make sure I understand what it's doing.
> The problem is that in general there is a delay between the time a virus
> outbreak occurs, and the time that virus scanners have updated DATs that
> detect it.  That's one of the great things about Mimedefang -- it
> removes the potentially harmful attachment during this window.
> In our case, we're using McAfee Virusscan.  Oddly, it still doesn't
> detect this worm.

Gotcha, you're worried less about the scanning bit then you are about the
dangerous/banned attachment bit.  In that case, you have a valid concern.

Personally, I'll still leave that in the hands of the user.  My greatest
concern with executable types is those exploits that can auto-execute due to
unsafe scripting in HTMLified clients.  A zip file shouldn't be able to be
used as such a payload, so if people are opening files *within* archives from
strangers, they shouldn't be using computers.  ;-)

If a recursive unarchiving happens within mimedefang in the future (and I
don't think this should be the default action) there should be a configurable
recursion limit to prevent DoS attacks.

	--Arthur Corliss
	  Bolverk's Lair -- http://arthur.corlissfamily.org/
	  Digital Mages -- http://www.digitalmages.com/
	  "Live Free or Die, the Only Way to Live" -- NH State Motto

More information about the MIMEDefang mailing list