[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP(actually RAR)attachments
Kevin A. McGrail
kmcgrail at pccc.com
Thu Aug 2 09:15:55 EDT 2007
> With the answer you got from David :
>
> $entity->head->recommended_filename()
>
> Are you replacing each $path variable, with the above instead, in the
> corrupt_zip section below ?
Yes and no. I passed in the $recommended_filename as a parameter due to
scope.
i.e.
...
    return 2 if (&check_for_corrupt_zip($path,
                                         $entity->head->recommended_filename()));
...
NOTE: Thanks again to Tomasz. I've tested his zip magic number and it would
have blocked 20 zips just today with no false positives in testing! I'm
turning it on.
use IO::File;

sub check_for_corrupt_zip {
    my ($path, $recommended_filename) = @_;
    my ($filehandle, $header);

    # OPEN THE FILE, GRAB THE HEADER AND TEST
    $filehandle = new IO::File("< $path");
    if (defined $filehandle) {
        read($filehandle, $header, 4);
        close($filehandle);

        # IS IT A RAR FILE DISGUISED AS A ZIP?
        if ($header =~ /^Rar!/i) {
            md_syslog('warning', "$QueueID: Discarding because of RAR file disguised as ZIP File: $recommended_filename");
            return 1;
        }

        # IS IT A ZIP FILE WITH A VALID MAGICK NUMBER? - IDEA From Tomasz Ostrowski
        if ($header !~ /^PK\003\004/i) {
            md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number: $recommended_filename");
            # TESTING FOR RIGHT NOW - #return 1;
        }
    }
    return 0;
}
Regards,
KAM
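The magic-number check above, as a stand-alone added example in Python (not the post's Perl filter nor MIMEDefang's own code). It reproduces the two tests from the post, a RAR signature hiding behind a .zip name and a missing ZIP local-header signature, and extends them to the empty and spanned ZIP signatures and to files too short to carry a header. The sample attachments are constructed inline; `check_for_corrupt_zip` keeps the post's 1/0 contract and, as the post says it intends to, also rejects a bad ZIP magic number.

```python
"""Added example, not from the MIMEDefang list post or project: classify an
attachment that claims to be a ZIP archive by its leading bytes."""
import os
import tempfile

# Magic numbers: the RAR signature (the disguised case from the post) and the
# three signatures a ZIP may start with: local file header, end-of-central-
# directory of an empty archive, and the spanned-archive marker.
SIGNATURES = {
    b"Rar!": "rar",
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip-empty",
    b"PK\x07\x08": "zip-spanned",
}


def classify_header(header: bytes) -> str:
    """Label the first four bytes of a file; 'short' if fewer than four."""
    if len(header) < 4:
        return "short"
    return SIGNATURES.get(header[:4], "unknown")


def classify_file(path: str) -> str:
    """Read only the first four bytes, as the post's sub does."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(4))


def check_for_corrupt_zip(path: str, recommended_filename: str) -> int:
    """Same contract as the post's sub: 1 = discard, 0 = accept.
    The invalid-magic branch returns 1 here (the post logs it and has the
    return commented out while testing)."""
    kind = classify_file(path)
    if kind == "rar":
        print(f"warning: discarding RAR disguised as ZIP: {recommended_filename}")
        return 1
    if not kind.startswith("zip"):
        print(f"warning: ZIP file has an invalid magic number ({kind}): "
              f"{recommended_filename}")
        return 1
    return 0


def write_temp_sample(data: bytes) -> str:
    """Write constructed attachment bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed samples: only the leading bytes matter to this check.
    samples = {
        "real.zip": b"PK\x03\x04" + b"\0" * 26,
        "disguised.zip": b"Rar!\x1a\x07\x00" + b"\0" * 8,
        "empty.zip": b"PK\x05\x06" + b"\0" * 18,
        "junk.zip": b"MZ\x90\x00" + b"\0" * 13,
        "stub.zip": b"PK",
    }
    for name, data in samples.items():
        path = write_temp_sample(data)
        try:
            print(name, classify_file(path), check_for_corrupt_zip(path, name))
        finally:
            os.unlink(path)
```

A four-byte header is all this needs, so it costs nothing to run on every attachment; a file that passes should still go through a real archive parser before anything trusts its contents, since a valid signature says nothing about what follows it.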