[Mimedefang] Re: Problem on attachment name

Kees Theunissen theuniss at rijnh.nl
Sun Jan 14 02:35:28 EST 2007


On Sat, 13 Jan 2007, Ing. Andrea Vettori wrote:

> The problem is that when the antivirus is run, the temporary file that
> mimedefang creates has the unquoted file name truncated. The antivirus is
> rejecting the message since it finds two different names to identify
> the same attachment. I think it does this to prevent that one .exe file,
> for example, is scanned as a .jpg file if the two file names are set
> accordingly.

Let me first quote a few lines from a message on this list from about
five weeks ago. This explains how messages are scanned by antivirus
programs.


    Date: Thu, 07 Dec 2006 19:05:37 -0500
    From: David F. Skoll <dfs at roaringpenguin.com>
    Reply-To: mimedefang at lists.roaringpenguin.com
    To: mimedefang at lists.roaringpenguin.com
    Subject: Re: [Mimedefang] [Bug 5225] New: non-standard base64
        encoding evades some scanners (fwd)

    [...]
    MIMEDefang passes virus scanners both the raw MIME message and
    all the parts as decoded by MIME::tools.  This design decision was
    made so that MIME::tools could work around any bugs in an AV tool's
    MIME decoder and vice-versa.

If your virus scanner detects two different names in the MIME headers,
it can only do that when scanning the raw MIME message.
The virus scanner is only passed the decoded data when scanning
the separate MIME parts, so the scanner has no knowledge of the
mime headers at that time.

[...]
> It happens with many senders that use Apple Mail. From your analysis
> it seems that it's Apple Mail that composes the message without respecting
> RFC 2045.
> The strange thing is that with an old installation of mimedefang
> (version 2.39) with the same antivirus version the problem doesn't
> happen. Maybe MIME code inside mimedefang has changed?

Version 2.39 is very old. A lot of things have changed after that,
probably including changes in MIME::tools.
A quick look at the Changelog shows:

2004-03-03  David F. Skoll  <dfs at roaringpenguin.com>

        * MIMEDefang 2.40-BETA-3

        * mimedefang.pl.in (do_scan): Make a replica of INPUTMSG under
        Work/ so that virus-scanners with built-in MIME decoders can
        have a crack at the original input message.  Also added --mbox
        option for clamscan.

Looks like 2.39 doesn't scan the original raw message. And that makes
a lot of difference.

Did you do an upgrade from MimeDefang 2.39 to 2.58 when this error
occurred?

And you should keep in mind that antivirus programs are a special
kind of program. They can, and often will, react differently after
an update of the virus signatures. Running the same program version
is only part of the story.

Did you try to scan such a bad apple-message -and its parts- with
your antivirus from the commandline (outside of MimeDefang)?
That will probably show what is causing this trouble: the
antivirus program (while scanning the raw message) or MimeDefang
(while decoding the mime parts). But the _real_ cause is of course
a malformed mime header in the message.

Regards,

Kees.

-- 
Kees Theunissen
F.O.M.-Institute for Plasma Physics Rijnhuizen, Nieuwegein, Netherlands
E-mail: theuniss at rijnh.nl,  Tel: (+31|0)306096724,  Fax: (+31|0)306031204
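
Added example, not part of the original message or of MIMEDefang: a scanner can only see two names for one attachment in the raw MIME message, so this sketch uses Python's standard `email` package to list the parts of a raw message whose Content-Type `name` and Content-Disposition `filename` differ. The sample message and the function names are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed sample (not from the thread): part 3 carries two different names.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: image/jpeg; name="report.jpg"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def _param(part, param, header):
    """Return one header parameter as text, or None when it is absent."""
    value = part.get_param(param, failobj=None, header=header)
    if value is None:
        return None
    # RFC 2231 encoded parameters come back as a 3-tuple; collapse to str.
    return collapse_rfc2231_value(value).strip()

def name_mismatches(raw_message):
    """Return (part_number, name, filename) for parts named two different ways."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    leaves = (p for p in msg.walk() if not p.is_multipart())
    for number, part in enumerate(leaves, start=1):
        name = _param(part, "name", "content-type")
        filename = _param(part, "filename", "content-disposition")
        if name is not None and filename is not None and name != filename:
            findings.append((number, name, filename))
    return findings

if __name__ == "__main__":
    for number, name, filename in name_mismatches(SAMPLE):
        print(f"part {number}: name={name!r} filename={filename!r}")
```

Python's parser is lenient and may read a malformed header differently from the scanner's own MIME decoder, so an empty result does not rule out the scanner seeing two names.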



