[Mimedefang] clamav
Kelson
kelson at speed.net
Fri Jun 10 18:34:12 EDT 2005
-ray wrote:
> Notice lots and lots of spaces in the filename to fool users into
> thinking it's a .txt file. Has anyone coded a MD rule to check for more
> than say 10 consecutive spaces in a filename in a zip file? Should be
> pretty simple, just haven't had time to look at it yet...
I had a couple slip through the other day. They pretended to be JPEGs
instead of text files, and by the time I checked them ClamAV recognized
it as Trojan.Goldun.something.
In our case, MD caught it with bad_filename and Archive::Zip because it
spotted the .exe at the end of the filename.
If you have Archive::Zip and a current version of MIMEDefang, the
example filter should pick these up. The relevant section is in
filter_bad_filename. Adding the space check is probably a matter of
editing $re in that same function, or doing a second call to re_match
and/or re_match_in_zip_directory.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
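
Added example, not part of the original post and not MIMEDefang's own code: a stand-alone Perl script that uses Archive::Zip to list ZIP member names containing a long run of spaces, the check asked about in the quoted question. The helper name padded_members, the pattern variable $PAD_RE and the sample archive are assumptions made for illustration; the threshold of 10 comes from the question.

```perl
#!/usr/bin/perl
# Added example: flag ZIP members whose names use a run of spaces to push
# the real extension out of view (e.g. "photo.jpg<many spaces>.exe").
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

# 10 or more consecutive whitespace characters anywhere in the name.
# Kept as a string so it can be handed to code that takes a pattern string.
my $PAD_RE = '\s{10,}';

# Return the member names in $zip_path that match $re (case-insensitive).
sub padded_members {
    my ($zip_path, $re) = @_;
    my $zip = Archive::Zip->new();
    # Unreadable or corrupt archive: report nothing here and leave the
    # policy for broken archives to the caller.
    return () unless $zip->read($zip_path) == AZ_OK;
    return grep { /$re/i } map { $_->fileName() } $zip->members();
}

# Constructed sample archive: one padded name, one ordinary name.
my ($fh, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
close $fh;
my $sample = Archive::Zip->new();
$sample->addString('x', 'photo.jpg' . (' ' x 40) . '.exe');
$sample->addString('x', 'readme.txt');
$sample->writeToFileNamed($path) == AZ_OK or die "cannot write $path\n";

for my $name (padded_members($path, $PAD_RE)) {
    # Collapse the padding for display so the hidden extension is visible.
    (my $shown = $name) =~ s/(\s{10,})/'<' . length($1) . ' spaces>'/e;
    print "padded name: $shown\n";
}
```

Inside a MIMEDefang filter, the same pattern string is what a second call to re_match or re_match_in_zip_directory would take in place of $re.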