[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP (actually RAR) attachments

Tomasz Ostrowski tometzky at batory.org.pl
Tue Jul 31 11:21:14 EDT 2007


On Tue, 31 Jul 2007, Kevin A. McGrail wrote:

> It blocks the disguised RAR files and still allows proper zips.

Inspired by this I've coded my own version, which:

- checks ZIP files for the ZIP magic number, RAR files for the RAR magic
  number;

- file types, regular expressions for matching file names and magic
  numbers are in an array, so it is very easy to add more;

- should be used in "sub filter", before "if (filter_bad_filename($entity))";

- rejects mail with a proper SMTP message.


	# Check magic numbers: each entry pairs a filename regex (re_match is
	# case-insensitive) with the bytes a genuine file of that type starts with.
	# Note: an empty ZIP starts with "PK\005\006" and is rejected as broken here.
	my @magic_numbers = (
		{ type => 'ZIP', regex => '\.zip$', magic => "PK\003\004" },
		{ type => 'RAR', regex => '\.r(ar|[0-2][0-9])$', magic => 'Rar!' }
	);
	foreach my $magic_number (@magic_numbers) {
		if ( re_match($entity, $magic_number->{regex}) ) {
			my $bh = $entity->bodyhandle();
			if ( defined($bh) ) {
				my $ioh = $bh->open("r");
				my $filemagic = '';
				# Read only as many bytes as the expected magic number is long.
				if (
					( ! defined($ioh) )
					||
					( ! defined($ioh->read($filemagic, length($magic_number->{magic}))) )
				) {
					# Body cannot be inspected: temp-fail so the sender retries.
					md_syslog("warning", "Cannot read message body for magic number check");
					action_bounce("Requested action aborted: local error in processing", "451", "4.3.0");
					if ( defined($ioh) ) { $ioh->close(); };
					return action_discard();
				}
				$ioh->close();
				# A short read or a mismatch means the content does not match the name.
				if ( ! ($filemagic eq $magic_number->{magic}) ) {
					action_bounce("Access denied. Broken " . $magic_number->{type} . " file.", "554", "5.7.1");
					return action_discard();
				}
			}
		}
	}

Regards
Tometzky
-- 
Best of prhn - the funniest texts from Polish UseNet
http://prhn.dnsalias.org/
  Chaos always defeats order, because it is better organised.
                                              [ Terry Pratchett ]
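The same name-versus-magic check from the post, as an added example in Python (not the poster's Perl and not part of MIMEDefang), run over constructed attachments: a genuine ZIP, a RAR body disguised with a .zip name, a truncated file and a file the table does not cover. It goes slightly beyond the post by accepting the empty-archive and spanned-archive ZIP signatures alongside the local file header.

```python
import io
import re
import zipfile

# Table in the spirit of the post's @magic_numbers: a filename pattern
# (case-insensitive, like MIMEDefang's re_match) and the byte strings a
# genuine file of that type may start with.  The extra ZIP signatures are
# the end-of-central-directory record (empty archive) and the spanned marker.
MAGIC_TABLE = [
    {"type": "ZIP", "regex": re.compile(r"\.zip$", re.I),
     "magics": [b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"]},
    {"type": "RAR", "regex": re.compile(r"\.r(ar|[0-2][0-9])$", re.I),
     "magics": [b"Rar!"]},
]


def check_attachment(filename, data):
    """Return (verdict, detail): verdict is 'accept', 'reject' or 'unchecked'."""
    for entry in MAGIC_TABLE:
        if not entry["regex"].search(filename):
            continue
        # Only the first matching type is consulted, as in the post's loop.
        for magic in entry["magics"]:
            if data[:len(magic)] == magic:
                return ("accept", entry["type"])
        # Too short, or the content contradicts the name (e.g. RAR named .zip).
        return ("reject", "Access denied. Broken %s file." % entry["type"])
    return ("unchecked", None)


def make_sample_zip():
    """Constructed sample: a real one-entry ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "not a stock tip")
    return buf.getvalue()


# Constructed sample: RAR signature followed by filler, named as a ZIP.
DISGUISED_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
# Constructed sample: a 22-byte end-of-central-directory record only.
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18

if __name__ == "__main__":
    for name, body in [("report.zip", make_sample_zip()),
                       ("report.zip", DISGUISED_RAR),
                       ("part.r01", DISGUISED_RAR),
                       ("short.zip", b"PK"),
                       ("empty.zip", EMPTY_ZIP),
                       ("notes.txt", b"hello")]:
        print(name, check_attachment(name, body))
```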