[Mimedefang] exe in defective zip attachments getting through mimedefang
Cliff Hayes
chayes at afo.net
Thu Jan 14 11:54:14 EST 2010
Hello,
We're getting the standard UPS attachment scam. An exe is inside a zip
file.
Mimedefang catches most of these but it misses a few. I decided to track
one of the few through mimedefang and found out why in mimedefang.pl
if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment
through. From what I could find out, if Archive::Zip doesn't return AZ_OK
then there is a problem with the zip file. I'd rather block defective zip
files then let them through. In the code below, I substituted "return 0;"
with "else { return 1; }" and that solved my problem. Now good zips still
go through, zips with exe's get replaced with warning, and defective (hacked
I'm assuming) get replaced with warnings too. I'm surprised that standard
procedure is to let defective zips through. Or am I understanding this
wrong?
Thanks, Cliff
sub re_match_in_zip_directory ($$) {
my($zipname, $regexp) = @_;
unless ($Features{"Archive::Zip"}) {
md_syslog('err', "$MsgID: Attempted to use
re_match_in_zip_directory, but Perl module Archive::Zip is not installed.");
return 0;
}
my $zip = Archive::Zip->new();
# Prevent carping about errors
Archive::Zip::setErrorHandler(\&dummy_zip_error_handler);
if ($zip->read($zipname) == AZ_OK()) {
foreach my $member ($zip->members()) {
my $file = $member->fileName();
return 1 if ($file =~ /$regexp/i);
}
}
else { return 1; }
}
More information about the MIMEDefang
mailing list