[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP (actually RAR) attachments
Kevin A. McGrail
kmcgrail at pccc.com
Tue Jul 31 07:59:00 EDT 2007
> I've seen 30+ messages overnight which my filter has rejected as being a
> corrupt ZIP file, since it tries to list the contents of all ZIP archives
> to see whether any banned file extensions are included.
>
> On inspection, the ZIP file is actually a RAR archive, which contains a
> single text file with varying name (see list below). The contents are all
> pushing stock from SZSN, which has been a favourite of the plain text and
> PDF spam over the last month or so, with random text at the end.
Yes, I am definitely seeing it and they are incorrectly named RAR files as
you said for us as well.
This is a draft of the solution I'm thinking of. It ties in where we look
inside Zip Files in filter_bad_filename. WARNING: I have not tested
this code yet. I've been working on this and the bad PDFs all morning.
First, I use IO::File. So I use IO::File in my filter_initialize
Second, I use a return of 2 on my bad_filename check for really bad
filenames.
So in the ZIP routine, I add an extra check_for_corrupt_zip:
    # Look inside ZIP files
    if (re_match($entity, '\.zip$') and
        $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                #CORRUPTED ZIPS ARE DANGEROUS - RETURN A REALLY BAD FILENAME
                return 2 if (check_for_corrupt_zip($path));
                return re_match_in_zip_directory($path, $re);
            }
        }
    }
    return 0;
}
Then, this is my draft routine for checking the zip
sub check_for_corrupt_zip {
    my ($path) = @_;
    my ($filehandle, $header);
    #OPEN THE FILE, GRAB THE HEADER AND TEST
    $filehandle = new IO::File("< $path");
    if (defined $filehandle) {
        read($filehandle, $header, 4);
        close($filehandle);
        #IS IT A RAR FILE DISGUISED AS A ZIP?
        #(defined() guards against an empty attachment, where read() leaves $header undef)
        if (defined($header) && $header =~ /^Rar!/) {
            md_syslog('warning', "Discarding because of RAR file disguised as ZIP File $path");
            return 1;
        }
    }
    return 0;
}
sub check_for_corrupt_zip {
    my ($path) = @_;
    my ($filehandle, $firstline);
    #OPEN THE FILE, GRAB THE FIRST LINE... I WONDER IF WE CAN JUST READ THE
    #FIRST 4 BYTES INSTEAD...
    $filehandle = new IO::File("< $path");
    if (defined $filehandle) {
        $firstline = <$filehandle>;
        close($filehandle);
        #(defined() guards against an empty attachment, where <$filehandle> returns undef)
        if (defined($firstline) && $firstline =~ /^Rar!/) {
            md_syslog('warning', "Discarding because of RAR file disguised as ZIP File $path");
            return 1;
        }
    }
    return 0;
}
Regards,
KAM
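As an added illustration (Python, not the MIMEDefang filter code from the post), the same magic-byte check generalised to a few archive signatures and keeping the post's return codes (0 = go on to list the ZIP, 2 = really bad filename); the sample attachments are constructed byte strings, not captured spam.

```python
# Magic-byte check for attachments that claim to be .zip, written as an added
# Python illustration of the approach in the post (not MIMEDefang filter code).
import tempfile

# Leading bytes of common archive formats (table constructed for this example).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",            # ZIP local file header
    b"PK\x05\x06": "zip",            # ZIP with no entries (end-of-central-dir only)
    b"PK\x07\x08": "zip",            # spanned/split ZIP
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
HEADER_LEN = 8  # longest magic in the table

def sniff_archive(head: bytes) -> str:
    """Return the archive type implied by the leading bytes, or 'unknown'."""
    for magic, name in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            return name
    return "unknown"

def classify_zip_header(head: bytes) -> tuple[int, str]:
    """Mirror the post's return codes: 0 = looks like a ZIP, proceed to list it;
    2 = 'really bad' (content does not match the declared .zip extension)."""
    actual = sniff_archive(head)
    if actual == "zip":
        return 0, "zip signature present"
    if len(head) < 4:
        return 2, "too short to be a ZIP archive"
    return 2, f"declared .zip but leading bytes indicate {actual}"

def check_zip_attachment(path: str) -> tuple[int, str]:
    """Read only the first bytes of the decoded part, like $bh->path() in the post."""
    with open(path, "rb") as fh:
        return classify_zip_header(fh.read(HEADER_LEN))

if __name__ == "__main__":
    # Constructed samples: an empty ZIP (22-byte EOCD record), a RAR v4 header
    # carrying the .zip extension, and a truncated attachment.
    samples = {
        "empty.zip": b"PK\x05\x06" + b"\x00" * 18,
        "disguised.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
        "truncated.zip": b"PK",
    }
    for name, data in samples.items():
        with tempfile.NamedTemporaryFile(suffix=".zip") as tmp:
            tmp.write(data)
            tmp.flush()
            print(name, check_zip_attachment(tmp.name))
```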