[Mimedefang] Warning: Malformed MIME virus in the wild

David F. Skoll dfs at roaringpenguin.com
Thu Oct 10 16:46:29 EDT 2013


Hi,

We've run into a malformed MIME virus that has a structure like this:

=====================================================================
    To: someone@example.com
    Subject: Payroll Received by Intuit
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="--boundary"

    ----boundary
    Content-Type: text/plain; charset=windows-1251; format=flowed
    Content-Transfer-Encoding: 7bit

    Dear, We received your payroll on October 9, 2013 at 4:55 PM .

    ----boundary
    Content-Type: ; name="payroll_report_429047_10092013.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"

    Z290Y2hhCg==

    ----boundary--
=====================================================================

Note carefully the Content-Type: header on the ZIP attachment:

   Content-Type: ; name="payroll_report_429047_10092013.zip"

MIME::tools won't parse this correctly and will not return the zip filename.
I have a patch for MIME::tools to fix this (below).

In the interim, we have created the following SpamAssassin rules to catch
this:

full     __RP_ZIP_TYPE    /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
full     __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
meta     RP_ZIP_ECTYP     __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
describe RP_ZIP_ECTYP     Zip file attachment with bogus Content-Type: header
score    RP_ZIP_ECTYP     15

Regards,

David.

diff --git a/lib/MIME/Field/ParamVal.pm b/lib/MIME/Field/ParamVal.pm
index 9cc5d09..52001ae 100644
--- a/lib/MIME/Field/ParamVal.pm
+++ b/lib/MIME/Field/ParamVal.pm
@@ -93,7 +93,7 @@ $VERSION = "5.504";
 my $PARAMNAME = '[^\x00-\x1f\x80-\xff :=]+';
 
 # Pattern to match the first value on the line:
-my $FIRST    = '[^\s\;\x00-\x1f\x80-\xff]+';
+my $FIRST    = '[^\s\;\x00-\x1f\x80-\xff]*';
 
 # Pattern to match an RFC 2045 token:
 #
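Review bot: changing `$FIRST` from `+` to `*` makes the first-value pattern match the empty string, so a value such as `; name="x.zip"` (or an entirely empty Content-Type) now parses with `''` as its first value instead of failing; make sure the code that consumes `$FIRST` distinguishes "empty type" from a successful parse (e.g. treat `''` as no media type and apply the usual default rather than passing an empty string up to callers that test for definedness). Please also add a regression test with the exact header from the report, `Content-Type: ; name="payroll_report_429047_10092013.zip"`, asserting that the `name` parameter is still returned, and note the behaviour change alongside the `$VERSION = "5.504"` bump in the changelog.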

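The parsing failure and the detection rules described in the post, as an added example in Python that is not MIME::tools code and not part of the original message. The two first-value regexes mirror the `$FIRST` pattern before and after the patch (`+` versus `*`), the rule regexes are the post's SpamAssassin patterns transcribed, and the two sample messages are constructed here from the structure shown above (one malformed, one well-formed) to show which one the meta rule fires on.

```python
"""Tolerant parsing of a parameterised MIME header (the patched $FIRST
behaviour) beside the strict form, plus the RP_ZIP_ECTYP rule from the post.
Added example; not MIME::tools code."""
import re

# Patterns modelled on MIME::Field::ParamVal.  The patched FIRST uses '*' so
# an empty media type before the first ';' still lets the parameters parse;
# the strict one uses '+' and fails on such a header, as the unpatched
# module does.
_FIRST_PATCHED = re.compile(r'^\s*([^\s;\x00-\x1f\x80-\xff]*)\s*')
_FIRST_STRICT = re.compile(r'^\s*([^\s;\x00-\x1f\x80-\xff]+)\s*')
_PARAMNAME = r'[^\x00-\x1f\x80-\xff :=]+'
_TOKEN = r'[^\s;"\x00-\x1f\x80-\xff]+'       # roughly an RFC 2045 token
_QUOTED = r'"(?:[^"\\]|\\.)*"'              # quoted-string with \-escapes
_PARAM = re.compile(r';\s*(' + _PARAMNAME + r')\s*=\s*(' + _QUOTED + '|' +
                    _TOKEN + r')\s*')


def parse_paramval(value, strict=False):
    """Return (first_value, {param: value}) for a header like Content-Type.

    With strict=False the first value is '' when the type is missing, as in
    the sample virus; with strict=True the parse fails and (None, {}) is
    returned, mirroring the pre-patch behaviour that loses the zip name.
    Folded (multi-line) headers are assumed to have been unfolded already."""
    m = (_FIRST_STRICT if strict else _FIRST_PATCHED).match(value)
    if m is None:
        return None, {}
    params = {}
    for pm in _PARAM.finditer(value[m.end():]):
        name, raw = pm.group(1).lower(), pm.group(2)
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])   # unquote
        params[name] = raw
    return m.group(1), params


_CTYPE_LINE = re.compile(r'^Content-Type:[ \t]*(.*)$', re.I | re.M)


def zip_attachment_names(raw_message, strict=False):
    """Names of .zip parts found via the Content-Type name= parameter.
    Empty under the strict parse when the header has no media type."""
    names = []
    for m in _CTYPE_LINE.finditer(raw_message):
        _ctype, params = parse_paramval(m.group(1), strict=strict)
        name = params.get('name', '')
        if name.lower().endswith('.zip'):
            names.append(name)
    return names


# The SpamAssassin rules from the post.  'full' rules run over the raw
# message; '.' does not cross a newline in either Perl or Python, so the
# behaviour matches.
_RP_EMPTY_CTYPE = re.compile(r'Content-Type:\s{0,4};', re.I)
_RP_ZIP_TYPE = re.compile(r'name\s{0,2}=\s{0,2}.{0,80}\.zip', re.I)


def rp_zip_ectyp(raw_message):
    """True when both sub-rules hit, i.e. the meta rule RP_ZIP_ECTYP fires."""
    return bool(_RP_EMPTY_CTYPE.search(raw_message)
                and _RP_ZIP_TYPE.search(raw_message))


# Constructed samples: the first follows the structure quoted in the post,
# the second is a well-formed zip attachment for comparison.
SAMPLE_VIRUS = """\
To: someone@example.com
Subject: Payroll Received by Intuit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--boundary"

----boundary
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit

Dear, We received your payroll on October 9, 2013 at 4:55 PM .

----boundary
Content-Type: ; name="payroll_report_429047_10092013.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"

Z290Y2hhCg==

----boundary--
"""

SAMPLE_LEGIT = """\
To: someone@example.com
Subject: Report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.

--b1
Content-Type: application/zip; name="report.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.zip"

Z290Y2hhCg==

--b1--
"""

if __name__ == '__main__':
    for label, msg in (('virus', SAMPLE_VIRUS), ('legit', SAMPLE_LEGIT)):
        print(label, 'strict:', zip_attachment_names(msg, strict=True),
              'patched:', zip_attachment_names(msg),
              'RP_ZIP_ECTYP:', rp_zip_ectyp(msg))
```

Running it shows the strict parse returning no zip name for the malformed message while the tolerant parse recovers it, and the meta rule firing only on the message whose Content-Type starts with `;`. The `\s{0,4}` in `__RP_EMPTY_CTYPE` is what tolerates the single space the sample has between the colon and the semicolon; a well-formed `application/zip; name=...` header never matches it, so the legitimate attachment scores nothing.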