[Mimedefang] Heads up - stock pump'n'dump SPAM as ZIP (actually RAR) attachments
Tomasz Ostrowski
tometzky at batory.org.pl
Tue Jul 31 11:21:14 EDT 2007
On Tue, 31 Jul 2007, Kevin A. McGrail wrote:
> It blocks the disguised RAR files and still allows proper zips.
Inspired by this I've coded my own version, which:
- checks ZIP files for the ZIP magic number and RAR files for the RAR magic number;
- file types, regular expressions for matching file names and magic numbers are in an array, so it is very easy to add them;
- should be used in "sub filter", before "if (filter_bad_filename($entity))";
- rejects mail with a proper SMTP message.
# Check magic numbers: reject a message whose attachment name claims an
# archive type but whose leading bytes do not carry that type's signature.
# Each entry: type (used in the SMTP reply), regex (matched case-insensitively
# against the file name by re_match), magic (bytes a genuine file starts with).
my @magic_numbers = (
    # "PK\003\004" is the local file header; an empty archive starts with
    # "PK\005\006" instead and is therefore rejected by this rule.
    { type => 'ZIP', regex => '\.zip$',              magic => "PK\003\004" },
    { type => 'RAR', regex => '\.r(ar|[0-2][0-9])$', magic => 'Rar!' },
);

# Goes inside "sub filter", before "if (filter_bad_filename($entity))".
foreach my $magic_number (@magic_numbers) {
    next unless re_match($entity, $magic_number->{regex});
    my $bh = $entity->bodyhandle();
    next unless defined($bh);          # nothing decoded to inspect

    my $filemagic = '';
    my $want = length($magic_number->{magic});
    my $ioh  = $bh->open("r");
    # read() returns the byte count, or undef on an I/O error; a short read
    # leaves $filemagic shorter than the signature and fails the comparison.
    my $got  = defined($ioh) ? $ioh->read($filemagic, $want) : undef;
    $ioh->close() if defined($ioh);

    if (!defined($got)) {
        # Local error: tempfail with a 4xx so the sender retries.
        # action_bounce() forces a 5xx code, hence action_tempfail() here.
        md_syslog("warning", "Cannot read message body for magic number check");
        action_tempfail("Requested action aborted: local error in processing", "451", "4.3.0");
        return action_discard();
    }
    if ($filemagic ne $magic_number->{magic}) {
        # Signature mismatch: permanent reject with a proper SMTP reply.
        action_bounce("Access denied. Broken " . $magic_number->{type} . " file.", "554", "5.7.1");
        return action_discard();
    }
}
Regards
Tometzky
--
Best of prhn - the funniest texts from Polish UseNet
http://prhn.dnsalias.org/
Chaos always defeats order, because it is better organized.
[ Terry Pratchett ]
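The same extension-versus-signature check, as an added example in Python that is not part of this list post or of MIMEDefang: it walks a constructed multipart message instead of running inside a filter, and it goes a step beyond the filter above by accepting every documented ZIP leading signature (local file header, empty archive, spanned marker) and both the RAR 4 and RAR 5 signatures. The signature table, the name patterns and the sample message are assumptions made for this example; the function names are ours.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Declared archive type -> leading bytes a genuine file of that type may start with.
# Assumption: signatures taken from the ZIP and RAR 4/5 format descriptions.
MAGIC = {
    "ZIP": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "RAR": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
}

# File name patterns, matched case-insensitively like MIMEDefang's re_match().
NAME_RULES = (
    (re.compile(r"\.zip$", re.I), "ZIP"),
    (re.compile(r"\.r(ar|[0-2][0-9])$", re.I), "RAR"),
)


def declared_type(filename):
    """Return the archive type a file name claims to be, or None if unregulated."""
    for pattern, ftype in NAME_RULES:
        if pattern.search(filename):
            return ftype
    return None


def check_attachment(filename, data):
    """Return (verdict, type): 'ok', 'broken' (name/signature mismatch) or 'unchecked'."""
    ftype = declared_type(filename)
    if ftype is None:
        return "unchecked", None
    # A short or wrong prefix (including a truncated file) counts as broken.
    if any(data.startswith(sig) for sig in MAGIC[ftype]):
        return "ok", ftype
    return "broken", ftype


def scan_message(raw):
    """Check every part of a raw RFC 822 message that carries a file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue                       # body text or multipart container
        payload = part.get_payload(decode=True) or b""
        verdict, ftype = check_attachment(name, payload)
        results.append((name, verdict, ftype))
    return results


def build_sample():
    """Constructed sample: a real ZIP, an empty ZIP, a RAR header named .zip, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    real_zip = buf.getvalue()
    empty_zip = b"PK\x05\x06" + b"\x00" * 18             # end-of-central-directory only
    fake_zip = b"Rar!\x1a\x07\x00" + b"\x00" * 32         # RAR 4 signature behind a .zip name

    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "samples"
    msg.set_content("see attachments")
    msg.add_attachment(real_zip, maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(empty_zip, maintype="application", subtype="zip", filename="empty.ZIP")
    msg.add_attachment(fake_zip, maintype="application", subtype="zip", filename="stock.zip")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, ftype in scan_message(build_sample()):
        print(f"{name:12s} {verdict:10s} {ftype}")
```

Only the declared type drives the lookup, so a RAR archive renamed to .zip is reported as a broken ZIP rather than identified as RAR; that matches the filter's reply text and keeps the rule table small. A file whose name matches no rule is passed through as "unchecked", which is where a filename blocklist such as filter_bad_filename would take over.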