[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP(actually RAR)attachments

Kevin A. McGrail kmcgrail at pccc.com
Tue Jul 31 13:23:24 EDT 2007


> Inspired by this I've coded my own version, which:
>
> - checks ZIP files for ZIP magic number, RAR files for RAR magic number;


Great idea.  I block RAR files outright because they are very rarely used 
and have a high prevalence of being used for exploits.

However, for a quick and easy hack, this idea should allow for magic number 
testing with Zip.   I'm not familiar with the magic number so this is just 
for testing below.  I did test with pkzip and gnuzip though.  Feedback 
appreciated if this is worth implementing.

BTW, David, when using the $path for the entity, I get Work/msg-31462-17.zip 
for example.  Is there a way to get the filename specified in the mime 
encoding?

Regards,
KAM


    #IS IT A ZIP FILE WITH A VALID MAGICK NUMBER? - IDEA From Tomasz Ostrowski
    #(magic bytes are exact, so no /i flag)
    if ($header !~ /^PK\003\004/) {
      md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number $path");
      #TESTING FOR RIGHT NOW - #return 1;
    }

i.e.

use IO::File;   # $QueueID and md_syslog() are provided by mimedefang-filter

sub check_for_corrupt_zip {
  my ($path) = @_;

  my ($filehandle, $header);

  #OPEN THE FILE, GRAB THE HEADER AND TEST
  $filehandle = IO::File->new("< $path");
  if (defined $filehandle) {
    read($filehandle, $header, 4);
    close($filehandle);
    $header = '' unless defined $header;   # empty file: nothing read, so no magic number

    #IS IT A RAR FILE DISGUISED AS A ZIP?
    if ($header =~ /^Rar!/) {
      md_syslog('warning', "$QueueID: Discarding because of RAR file disguised as ZIP File $path");
      return 1;
    }

    #IS IT A ZIP FILE WITH A VALID MAGICK NUMBER? - IDEA From Tomasz Ostrowski
    #(magic bytes are exact, so no /i flag; note an empty archive starts with PK\005\006 instead)
    if ($header !~ /^PK\003\004/) {
      md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number $path");
      #TESTING FOR RIGHT NOW - #return 1;
    }
  }

  return 0;
}
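An added stand-alone Python version of the same check, not part of this post or of MIMEDefang, that also covers the cases a plain 4-byte test misses: an empty archive (PK\005\006), a RAR 5 body, and a file shorter than the signature. The sample bodies and paths are constructed; the return convention (1 = reject, 0 = pass) follows the Perl above.

```python
import logging

log = logging.getLogger("zipcheck")

# Leading-byte signatures from the public ZIP (APPNOTE) and RAR specifications.
ZIP_MAGICS = {
    b"PK\x03\x04": "zip",          # first local file header: a normal archive
    b"PK\x05\x06": "zip-empty",    # only an end-of-central-directory record
    b"PK\x07\x08": "zip-spanned",  # spanned / split archive marker
}
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 1.5-4.x, RAR 5+

# Constructed sample bodies, each as it would arrive under a .zip filename.
SAMPLES = {
    "real.zip": b"PK\x03\x04" + b"\x00" * 26,
    "empty.zip": b"PK\x05\x06" + b"\x00" * 18,
    "rar-as.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 7,
    "text-as.zip": b"Hello, world\n",
    "short.zip": b"PK",            # fewer bytes than any signature
}

def classify(header: bytes) -> str:
    """Name the container type from the leading bytes, or 'unknown'."""
    for magic, kind in ZIP_MAGICS.items():
        if header.startswith(magic):
            return kind
    if any(header.startswith(m) for m in RAR_MAGICS):
        return "rar"
    return "unknown"

def check_claimed_zip(header: bytes, path: str, reject_unknown: bool = False) -> int:
    """Return 1 to reject the attachment, 0 to let it through.  A RAR body under
    a .zip name is always rejected; any other non-ZIP signature is logged and
    rejected only when reject_unknown is set (the post's commented-out return 1)."""
    kind = classify(header)
    if kind == "rar":
        log.warning("Discarding: RAR file disguised as ZIP: %s", path)
        return 1
    if not kind.startswith("zip"):
        log.warning("ZIP file has an invalid ZIP magic number: %s", path)
        return 1 if reject_unknown else 0
    return 0

def check_file(path: str, reject_unknown: bool = False) -> int:
    """Read enough leading bytes for the longest signature and check them."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(8)
    except OSError:
        return 0  # unreadable: pass, as the Perl does, and let other checks decide
    return check_claimed_zip(header, path, reject_unknown)
```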
