[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP(actually RAR)attachments
Kevin A. McGrail
kmcgrail at pccc.com
Tue Jul 31 13:23:24 EDT 2007
> Inspired by this I've coded my own version, which:
>
> - checks ZIP files for ZIP magic number, RAR files for RAR magic
> number;
Great idea. I block RAR files outright because they are very rarely used
and have a high prevalence of being used for exploits.
However, for a quick and easy hack, this idea should allow for magic number
testing with Zip. I'm not familiar with the magic number so this is just
for testing below. I did test with pkzip and gnuzip though. Feedback
appreciated if this is worth implementing.
BTW, David, when using the $path for the entity, I get Work/msg-31462-17.zip
for example. Is there a way to get the filename specified in the mime
encoding?
Regards,
KAM
    #IS IT A ZIP FILE WITH A VALID MAGICK NUMBER? - IDEA From Tomasz Ostrowski
    #(magic bytes are exact, so no /i flag: "pk" is not a ZIP signature)
    if ($header !~ /^PK\003\004/) {
        md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number $path");
        #TESTING FOR RIGHT NOW - #return 1;
    }
i.e.
use IO::File;   # already loaded by mimedefang.pl, harmless to repeat

sub check_for_corrupt_zip {
    my ($path) = @_;
    my $filehandle;
    my $header = '';   # stays empty if the file is shorter than 4 bytes
    #OPEN THE FILE, GRAB THE HEADER AND TEST
    $filehandle = new IO::File("< $path");
    if (defined $filehandle) {
        binmode($filehandle);   # raw bytes, no newline translation
        read($filehandle, $header, 4);
        close($filehandle);
        #IS IT A RAR FILE DISGUISED AS A ZIP?
        if ($header =~ /^Rar!/) {
            md_syslog('warning', "$QueueID: Discarding because of RAR file disguised as ZIP File $path");
            return 1;
        }
        #IS IT A ZIP FILE WITH A VALID MAGICK NUMBER? - IDEA From Tomasz Ostrowski
        #(NOTE: an empty archive starts with the end-of-central-directory record
        # PK\005\006 rather than a local file header, so it would trip this test)
        if ($header !~ /^PK\003\004/) {
            md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number $path");
            #TESTING FOR RIGHT NOW - #return 1;
        }
    }
    return 0;
}
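The generalised form of the magic-number test discussed above, as an added example that is not part of the original post or of MIMEDefang itself: it classifies an attachment by its leading bytes (covering the ZIP variants that do not begin with a local file header, and both RAR signature versions) and reports whether the bytes agree with the extension the MIME headers declare. It assumes the caller already has the decoded body on disk and the declared filename; in a mimedefang-filter those are `$entity->bodyhandle->path` and the `$fname` argument that `filter()` receives. The function names, the sample files and the verdict strings are this example's own.

```perl
#!/usr/bin/perl
# Added example (not from the original post or the MIMEDefang project):
# classify an attachment by its leading bytes and compare the result with
# the filename the MIME headers claim for it.
use strict;
use warnings;
use IO::File;
use File::Temp qw(tempfile);

# Signatures from the ZIP and RAR formats.  A ZIP may legitimately start
# with an end-of-central-directory record (empty archive) or a spanned
# archive marker, not only with a local file header.
my @SIGNATURES = (
    [ 'zip',       "PK\x03\x04"           ],  # local file header
    [ 'zip-empty', "PK\x05\x06"           ],  # empty archive (EOCD record only)
    [ 'zip-split', "PK\x07\x08"           ],  # spanned / split archive
    [ 'rar5',      "Rar!\x1a\x07\x01\x00" ],  # RAR 5.x
    [ 'rar',       "Rar!\x1a\x07\x00"     ],  # RAR 1.5 - 4.x
);

# The longest signature decides how many bytes must be read.
my $MAX_SIG = 0;
for my $sig (@SIGNATURES) {
    $MAX_SIG = length($sig->[1]) if length($sig->[1]) > $MAX_SIG;
}

# Return the format name for the file at $path, or undef if no signature matches.
sub detect_archive_type {
    my ($path) = @_;
    my $fh = IO::File->new($path, 'r') or return undef;
    binmode($fh);                      # raw bytes, no newline translation
    my $header = '';
    read($fh, $header, $MAX_SIG);      # short files simply yield a short header
    $fh->close;
    for my $sig (@SIGNATURES) {
        my ($name, $magic) = @$sig;
        return $name if substr($header, 0, length($magic)) eq $magic;
    }
    return undef;
}

# Which format family a declared extension should carry, and which family
# each detected type belongs to.
my %EXT_FAMILY = ( zip => 'zip', rar => 'rar' );
my %FAMILY_OF  = (
    'zip' => 'zip', 'zip-empty' => 'zip', 'zip-split' => 'zip',
    'rar' => 'rar', 'rar5'      => 'rar',
);

# Compare the declared extension with the detected content.  Returns
# ('ok', $type) when they agree, ('mismatch', $type) when the bytes say
# something else, and ('unknown', undef) when no signature matches.
sub check_declared_extension {
    my ($path, $declared_name) = @_;
    my ($ext) = $declared_name =~ /\.([^.]+)$/;
    $ext = lc($ext // '');
    my $type = detect_archive_type($path);
    return ('unknown', undef) unless defined $type;
    my $want = $EXT_FAMILY{$ext};
    return ('ok', $type) if defined $want && $want eq $FAMILY_OF{$type};
    return ('mismatch', $type);
}

# Stand-alone demonstration with constructed sample attachments (not real
# captures): each is written to a temporary file and checked by name.
sub demo {
    my %samples = (
        'report.zip'  => "PK\x03\x04" . ("\x00" x 26) . "report.txt",
        'empty.zip'   => "PK\x05\x06" . ("\x00" x 18),
        'spam.zip'    => "Rar!\x1a\x07\x00" . ("\x00" x 13),   # RAR disguised as ZIP
        'notes.zip'   => "just some text, not an archive at all\n",
        'archive.rar' => "Rar!\x1a\x07\x01\x00" . ("\x00" x 20),
    );
    for my $name (sort keys %samples) {
        my ($fh, $tmp) = tempfile(UNLINK => 1);
        binmode($fh);
        print $fh $samples{$name};
        close($fh);
        my ($verdict, $type) = check_declared_extension($tmp, $name);
        printf "%-12s %-9s %s\n", $name, $verdict, $type // '-';
    }
}

demo() unless caller;
```

In a filter, `mismatch` is the case the thread is about (a RAR body under a `.zip` name) and is the one to act on; `unknown` covers anything whose first bytes match no archive signature, which is where a corrupt or truncated ZIP lands, so it is worth logging separately rather than discarding outright until you have seen what real traffic produces.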