[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP (actually RAR) attachments
Kevin A. McGrail
kmcgrail at pccc.com
Tue Jul 31 08:12:03 EDT 2007
Follow-up to my own message:
The code below has been tested and seems to work 100% as intended. I
stupidly included an old version of the check_for_corrupt_zip though...
It blocks the disguised RAR files and still allows proper zips. Only change
is that I made it case-insensitive for the search. I haven't seen any need
for this but it seems prudent for future-proofing the code.
i.e. if ($header =~ /^Rar!/i) {
Regards,
KAM
Recap:
First, I use IO::File. So I use IO::File in my filter_initialize.
Second, I use a return of 2 on my bad_filename check for really bad
filenames.
So in the ZIP routine, I add an extra check_for_corrupt_zip:
    # Look inside ZIP files
    if (re_match($entity, '\.zip$') and
        $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                #CORRUPTED ZIPS ARE DANGEROUS - RETURN A REALLY BAD FILENAME
                return 2 if (check_for_corrupt_zip($path));
                return re_match_in_zip_directory($path, $re);
            }
        }
    }
    return 0;
}
sub check_for_corrupt_zip {
    my ($path) = @_;
    my ($filehandle, $header);

    #OPEN THE FILE, GRAB THE HEADER AND TEST
    $filehandle = IO::File->new($path, 'r');
    if (defined $filehandle) {
        # Raw bytes: no newline translation on the header
        binmode($filehandle);
        my $got = read($filehandle, $header, 4);
        close($filehandle);

        #IS IT A RAR FILE DISGUISED AS A ZIP?
        # read() returns undef on error and fewer than 4 on a short file;
        # only test the header when all 4 bytes arrived
        if (defined($got) and $got == 4 and $header =~ /^Rar!/i) {
            md_syslog('warning', "Discarding because of RAR file disguised as ZIP File $path");
            return 1;
        }
    }
    return 0;
}
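The check above decides by the first bytes of the attachment rather than by its extension. The following stand-alone Perl script is an added example, not code from Kevin's post or from MIMEDefang itself; it generalizes the same idea to a small table of magic numbers (RAR 4.x "Rar!\x1a\x07\x00", RAR 5.x "Rar!\x1a\x07\x01\x00", and the two ZIP signatures "PK\x03\x04" and "PK\x05\x06" for an empty archive), reads the header in binary mode, and handles the short-read and unreadable cases. The function names (sniff_bytes, sniff_file, classify_zip_attachment) and the sample attachment bytes are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not from the original post or MIMEDefang): decide what an
# attachment really is from its leading bytes, not from its ".zip" extension.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Magic numbers of the published formats. Order matters: the RAR 5.x
# signature is longer than the RAR 4.x one, but the two differ at byte 6,
# so either order is unambiguous here.
my @signatures = (
    [ "Rar!\x1a\x07\x00",     'rar4'      ],
    [ "Rar!\x1a\x07\x01\x00", 'rar5'      ],
    [ "PK\x03\x04",           'zip'       ],   # local file header
    [ "PK\x05\x06",           'zip-empty' ],   # end-of-central-directory only
);

# Return the type of the first matching signature, or 'unknown'.
sub sniff_bytes {
    my ($header) = @_;
    return 'unknown' unless defined $header;
    for my $sig (@signatures) {
        my ($magic, $type) = @$sig;
        return $type if length($header) >= length($magic)
            && substr($header, 0, length($magic)) eq $magic;
    }
    return 'unknown';
}

# Read up to 8 bytes from the start of a file in binary mode and classify.
sub sniff_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or return 'unreadable';
    binmode($fh);                      # raw bytes, no CRLF translation
    my $header = '';
    my $n = read($fh, $header, 8);     # undef on error, short on tiny files
    close($fh);
    return 'unreadable' unless defined $n;
    return sniff_bytes($header);
}

# Mirror the policy of the posted filter: a RAR behind a .zip name is
# rejected outright; a real ZIP header is accepted; anything else is left
# for the archive parser (Archive::Zip in the post) to judge.
sub classify_zip_attachment {
    my ($path) = @_;
    my $type = sniff_file($path);
    return "reject: RAR ($type) disguised as ZIP" if $type =~ /^rar/;
    return "accept: $type"                        if $type =~ /^zip/;
    return "defer: $type header, let the ZIP parser decide";
}

# Constructed sample "attachments", written to temp files for the demo.
my %samples = (
    'report.zip'  => "PK\x03\x04" . ("\0" x 26) . "fake archive body",
    'invoice.zip' => "Rar!\x1a\x07\x00" . "disguised rar4",
    'stock.zip'   => "Rar!\x1a\x07\x01\x00" . "disguised rar5",
    'empty.zip'   => "PK\x05\x06" . ("\0" x 18),
    'junk.zip'    => "hi",                     # shorter than any signature
);

for my $name (sort keys %samples) {
    my ($fh, $path) = tempfile(UNLINK => 1);
    binmode($fh);
    print $fh $samples{$name};
    close($fh);
    printf "%-12s %s\n", $name, classify_zip_attachment($path);
}
```

Two caveats worth keeping in mind when dropping this into a filter. The check only inspects offset 0, so it is a cheap first gate, not a replacement for actually opening the archive. And in the posted filter the corrupt-ZIP test sits inside the `$Features{"Archive::Zip"}` branch, so on a host without Archive::Zip the disguised RAR check never runs; a header sniff has no such dependency and could be hoisted above that condition.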