[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP (actually RAR)attachments

Kevin A. McGrail kmcgrail at pccc.com
Tue Jul 31 07:59:00 EDT 2007


> I've seen 30+ messages overnight which my filter has rejected as being a 
> corrupt ZIP file, since it tries to list the contents of all ZIP archives 
> to see whether any banned file extensions are included.
>
> On inspection, the ZIP file is actually a RAR archive, which contains a 
> single text file with varying name (see list below).  The contents are all 
> pushing stock from SZSN, which has been a favourite of the plain text and 
> PDF spam over the last month or so, with random text at the end.


Yes, I am definitely seeing it and they are incorrectly named RAR files as 
you said for us as well.

This is a draft of the solution I'm thinking of.  It ties in where we look 
inside Zip files in filter_bad_filename.  WARNING: I have not tested 
this code yet.  I've been working on this and the bad PDFs all morning.

First, I use IO::File.  So I use IO::File in my filter_initialize

Second, I use a return of 2 on my bad_filename check for really bad 
filenames.

So in the ZIP routine, I add an extra check_for_corrupt_zip:

    # (tail of filter_bad_filename; the earlier filename checks are omitted here)
    # Look inside ZIP files
    if (re_match($entity, '\.zip$') and
        $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                #CORRUPTED ZIPS ARE DANGEROUS - RETURN A REALLY BAD FILENAME
                return 2 if (check_for_corrupt_zip($path));
                return re_match_in_zip_directory($path, $re);
            }
        }
    }
    return 0;
}

Then, this is my draft routine for checking the zip

sub check_for_corrupt_zip {
  my ($path) = @_;

  my ($filehandle, $header);

  #OPEN THE FILE, GRAB THE HEADER AND TEST
  # three-argument form: the path is never parsed as a mode string
  $filehandle = IO::File->new($path, 'r');
  if (defined $filehandle) {
    binmode($filehandle);            # the header is raw bytes, not text
    read($filehandle, $header, 4);   # $header is '' if the file is shorter
    close($filehandle);

    #IS IT A RAR FILE DISGUISED AS A ZIP?
    if (defined($header) && $header =~ /^Rar!/) {
      md_syslog('warning', "Discarding because of RAR file disguised as ZIP File $path");
      return 1;
    }
  }

  return 0;
}

# Earlier draft of the same routine, kept for comparison: it reads up to the
# first newline instead of a fixed 4 bytes, so on a binary archive that line
# can be most of the file.  Define only one of the two versions.
sub check_for_corrupt_zip {
  my ($path) = @_;

  my ($filehandle, $firstline);

  #OPEN THE FILE, GRAB THE FIRST LINE... I WONDER IF WE CAN JUST READ THE
  #FIRST 4 BYTES INSTEAD...
  $filehandle = IO::File->new($path, 'r');
  if (defined $filehandle) {
    binmode($filehandle);
    $firstline = <$filehandle>;      # undef on an empty file
    close($filehandle);

    if (defined($firstline) && $firstline =~ /^Rar!/) {
      md_syslog('warning', "Discarding because of RAR file disguised as ZIP File $path");
      return 1;
    }
  }

  return 0;
}



Regards,
KAM 
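An added, standalone Python illustration of the header check discussed in this message (not the MIMEDefang filter code above and not part of the list's Perl). It reads the leading bytes and accepts a .zip-named file only when they are a ZIP signature, which generalizes the draft's RAR-only test to an allow-list; the signature table, the function names and the (is_bad, reason) return shape are this example's own assumptions.

```python
# Header sniffing for attachments that arrive with a .zip name.
# Example API (not MIMEDefang's): check_for_corrupt_zip(path) returns
# (is_bad, reason) rather than the draft's 1/0.
import sys

# Leading bytes of the formats to tell apart; table constructed for this
# example from the published ZIP and RAR format descriptions.
SIGNATURES = {
    b"PK\x03\x04": "zip",             # local file header of a normal ZIP
    b"PK\x05\x06": "zip-empty",       # end-of-central-directory only
    b"Rar!\x1a\x07\x00": "rar",       # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar5",  # RAR 5.x
}
HEADER_LEN = max(len(magic) for magic in SIGNATURES)

def classify_header(header: bytes) -> str:
    """Name the format implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return "unknown"

def assess_zip_header(header: bytes) -> tuple:
    """Decide whether bytes read from a file named *.zip look like a ZIP.

    Returns (is_bad, reason).  Anything that is not a ZIP header is bad,
    not just RAR: the draft only looked for 'Rar!', but the same trick
    works with any other container, so the check is an allow-list.
    """
    if len(header) < 4:
        return True, "truncated header"
    kind = classify_header(header)
    if kind in ("zip", "zip-empty"):
        return False, kind
    return True, f"{kind} content disguised as ZIP"

def check_for_corrupt_zip(path: str) -> tuple:
    """File-based front end mirroring the draft's routine."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)
    except OSError as exc:          # unreadable file: cannot vouch for it
        return True, f"unreadable: {exc.strerror}"
    return assess_zip_header(header)

if __name__ == "__main__":
    for name in sys.argv[1:]:
        bad, why = check_for_corrupt_zip(name)
        print(f"{name}: {'REJECT' if bad else 'ok'} ({why})")
```

A file that passes this check still goes through the real archive listing (Archive::Zip in the filter above); the header test only rejects the cases that listing would otherwise report as a corrupt ZIP.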
