[Mimedefang] Warning: Malformed MIME virus in the wild
David F. Skoll
dfs at roaringpenguin.com
Thu Oct 10 16:46:29 EDT 2013
Hi,
We've run into a malformed MIME virus that has a structure like this:
=====================================================================
To: someone at example.com
Subject: Payroll Received by Intuit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--boundary"

----boundary
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit

Dear, We received your payroll on October 9, 2013 at 4:55 PM .
----boundary
Content-Type: ; name="payroll_report_429047_10092013.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"

Z290Y2hhCg==
----boundary--
=====================================================================
Note carefully the Content-Type: header on the ZIP attachment:
Content-Type: ; name="payroll_report_429047_10092013.zip"
MIME::tools won't parse this correctly and will not return the zip filename.
I have a patch for MIME::tools to fix this (below).
In the interim, we have created the following SpamAssassin rules to catch
this:
full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
full __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
meta RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header
score RP_ZIP_ECTYP 15
Regards,
David.
diff --git a/lib/MIME/Field/ParamVal.pm b/lib/MIME/Field/ParamVal.pm
index 9cc5d09..52001ae 100644
--- a/lib/MIME/Field/ParamVal.pm
+++ b/lib/MIME/Field/ParamVal.pm
@@ -93,7 +93,7 @@ $VERSION = "5.504";
my $PARAMNAME = '[^\x00-\x1f\x80-\xff :=]+';
# Pattern to match the first value on the line:
-my $FIRST = '[^\s\;\x00-\x1f\x80-\xff]+';
+my $FIRST = '[^\s\;\x00-\x1f\x80-\xff]*';
# Pattern to match an RFC 2045 token:
#
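Review bot: with $FIRST quantified `*` instead of `+` (the one changed line), the pattern now matches the empty string, so the code that anchors on $FIRST to extract the first value (outside this hunk) can no longer fail at that point; check that consumer for a no-match branch that becomes unreachable and for callers that assume a non-empty content type, and make sure an empty type is surfaced explicitly (or defaulted to text/plain, the RFC 2045 fallback for a missing or invalid Content-Type) rather than silently propagating as ''. The hunk also carries no regression test; one feeding the `Content-Type: ; name="payroll_report_429047_10092013.zip"` header from the message through the parser and asserting that the name parameter comes back would pin the fix, and the `$VERSION = "5.504"` in the hunk context suggests a version/ChangeLog entry is expected alongside the change.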
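As an added example (not code from the post, from MIME::tools or from SpamAssassin), the following Python sketch does the same tolerant parse the patch enables, a first value that may be empty followed by the "; attr=value" parameters, and applies the equivalent of the RP_ZIP_ECTYP meta rule to a copy of the message above with the blank header/body separators restored. The function names, the filename-precedence order and the stdlib comparison column are this example's own choices; the stdlib parser is used only to walk the multipart structure.

```python
import re
from email import message_from_string

# Constructed copy of the sample in the post (blank lines separating headers
# from bodies restored; the ZIP payload is the post's "gotcha" stub).
SAMPLE = """\
To: someone@example.com
Subject: Payroll Received by Intuit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--boundary"

----boundary
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit

Dear, We received your payroll on October 9, 2013 at 4:55 PM .
----boundary
Content-Type: ; name="payroll_report_429047_10092013.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"

Z290Y2hhCg==
----boundary--
"""

# First value of a parameterised header.  '*' instead of '+' (the one-character
# change in the MIME::tools patch) lets it match the empty string, so a header
# that starts with ';' still yields its parameters instead of failing outright.
_FIRST_RE = re.compile(r'[^\s;\x00-\x1f\x80-\xff]*')
# One "; attr=value" parameter; the value is a quoted-string or a bare token.
_PARAM_RE = re.compile(
    r';\s*([^\s=;\x00-\x1f\x80-\xff]+)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s;]*))\s*')


def parse_paramval(value):
    """Split 'type; a=b; c="d"' into (first_value, {attr: value}).

    first_value is '' for a header such as 'Content-Type: ; name="x.zip"'.
    Parsing stops at the first thing that is not an attr=value pair
    (e.g. a bare 'inline'); what was parsed up to there is still returned.
    """
    value = re.sub(r'\r?\n[ \t]+', ' ', value).strip()   # unfold, trim
    m = _FIRST_RE.match(value)
    first = m.group(0).lower()
    rest, pos, params = value[m.end():].lstrip(), 0, {}
    while pos < len(rest):
        pm = _PARAM_RE.match(rest, pos)
        if not pm:
            break
        attr, quoted, bare = pm.groups()
        val = quoted if quoted is not None else bare
        if quoted is not None:
            val = re.sub(r'\\(.)', r'\1', val)   # drop quoted-pair backslashes
        params[attr.lower()] = val
        pos = pm.end()
    return first, params


def scan(raw):
    """Per-leaf-part view of a message: our parse next to the stdlib's default."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype, cparams = parse_paramval(part.get('Content-Type', ''))
        _disp, dparams = parse_paramval(part.get('Content-Disposition', ''))
        # Precedence is this example's choice: Content-Disposition filename=,
        # then Content-Type name=, then Content-Disposition name=.
        name = dparams.get('filename') or cparams.get('name') or dparams.get('name')
        findings.append({
            'type': ctype,                              # '' when the type is missing
            'empty_type': ctype == '',
            'params': cparams,
            'filename': name,
            'stdlib_type': part.get_content_type(),     # stdlib quietly says text/plain
            'payload': part.get_payload(decode=True),
        })
    return findings


# Python equivalents of the two sub-rules and the meta rule from the post,
# applied (like SpamAssassin 'full' rules) to the raw message text.
_RP_ZIP_TYPE = re.compile(r'name\s{0,2}=\s{0,2}.{0,80}\.zip', re.I)
_RP_EMPTY_CTYPE = re.compile(r'Content-Type:\s{0,4};', re.I)


def rp_zip_ectyp(raw):
    """True when a zip-named attachment sits under an empty Content-Type."""
    return bool(_RP_EMPTY_CTYPE.search(raw)) and bool(_RP_ZIP_TYPE.search(raw))


if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f['type'] or '<empty>', f['filename'], f['empty_type'])
    print('RP_ZIP_ECTYP:', rp_zip_ectyp(SAMPLE))
```

Running it reports the second part with an empty type and the name payroll_report_429047_10092013.zip recovered from the Content-Type name= parameter, which is exactly the value the unpatched `+` quantifier loses; note that the stdlib's get_content_type() returns text/plain for the same header, so a filter keyed on the declared type alone would never see a ZIP there. The rule-equivalent fires on the sample and not on a well-formed application/zip attachment.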