[Mimedefang] Amusing coincidence

Fred Bacon bacon at aerodyne.com
Thu Apr 13 11:21:10 EDT 2006


I need some advice on how to avoid a problem in the future.  One
employee received a message with the Subject

Person's Name sent you an email from www.marriot.com

She forwarded the message using Thunderbird to another employee.
Thunderbird attached the forwarded message as an attachment using the
Subject line as the name for the attachment.

MIMEDefang stripped the attachment out of the message and sent me the
notice:
 
> A MULTIPART attachment of type message/rfc822, named Person's Name
> sent you an email from www.marriott.com was dropped.

It took me some time to recognize what happened.  The file name
manufactured by Thunderbird from the subject line happens to end with
what looks like a .com extension.

My filter_multipart subroutine is pretty basic (see relevant section
below), but I need two bits of advice.  The action_notify_administrator
succeeded.  The action_quarantine message was put into the email when
the attachment was stripped out.  However, the attachment did not
actually end up in the quarantine directory!

===================================================
sub filter_multipart ($$$$) {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
        return action_quarantine($entity, "An attachment of type $type, named $fname was removed from this document as it\nconstituted a network security hazard.  If you require this document, \nplease contact the sender and arrange an alternate means of receiving it.\n");
    }
...

    return action_accept();
}
===================================================

So I have two questions:

1) What happened to the quarantined attachment?

2) Will changing the conditional

     if (filter_bad_filename($entity)) 

   to

     if (filter_bad_filename($entity) and ($type ne "message/rfc822"))  

   prevent a similar event from recurring?

I'm running MIMEDefang 2.52. 

Fred Bacon
Senior Scientist
Aerodyne Research, Inc.
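
The false positive described in this message, as an added example (not code from the original post and not MIMEDefang's own code): `name_looks_bad` is a hypothetical stand-in for an extension-based filename check with a sample extension list, and the parts are constructed. It compares the name-only conditional with the proposed `message/rfc822` exemption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for an extension-based filename check. This is NOT
# MIMEDefang's filter_bad_filename(); the extension list is a short sample.
my $BAD_EXT = qr/\.(?:com|exe|scr|pif|bat)\s*$/i;

sub name_looks_bad {
    my ($fname) = @_;
    return 0 unless defined $fname;
    return ($fname =~ $BAD_EXT) ? 1 : 0;
}

# Original conditional: the attachment name alone decides.
sub drop_by_name {
    my ($fname, $type) = @_;
    return name_looks_bad($fname);
}

# Proposed conditional from the post: same check, but never applied to
# parts whose declared type is message/rfc822.
sub drop_unless_rfc822 {
    my ($fname, $type) = @_;
    return 0 if lc($type) eq 'message/rfc822';
    return name_looks_bad($fname);
}

# Constructed sample parts: [ attachment name, declared MIME type ]
my @parts = (
    # Forwarded mail named after its Subject line: ends in ".com" by accident.
    [ "Person's Name sent you an email from www.marriott.com", 'message/rfc822' ],
    # A real DOS executable extension on an ordinary attachment.
    [ 'setup.com',  'application/octet-stream' ],
    [ 'report.pdf', 'application/pdf' ],
    # The exemption keys on the declared type, so the name is not checked here.
    [ 'setup.com',  'message/rfc822' ],
);

printf "%-10s %-9s %-25s %s\n", 'name-only', 'proposed', 'type', 'name';
for my $p (@parts) {
    my ($fname, $type) = @$p;
    printf "%-10s %-9s %-25s %s\n",
        (drop_by_name($fname, $type)       ? 'drop' : 'accept'),
        (drop_unless_rfc822($fname, $type) ? 'drop' : 'accept'),
        $type, $fname;
}
```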




