[Mimedefang] Warning: Malformed MIME virus in the wild
Kees Theunissen
C.J.Theunissen at differ.nl
Tue Feb 11 16:19:01 EST 2014
On Thu, 10 Oct 2013, David F. Skoll wrote:
>Hi,
>
>We've run into a malformed MIME virus that has a structure like this:
>
>=====================================================================
> To: someone at example.com
> Subject: Payroll Received by Intuit
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--boundary"
>
> ----boundary
> Content-Type: text/plain; charset=windows-1251; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Dear, We received your payroll on October 9, 2013 at 4:55 PM .
>
> ----boundary
> Content-Type: ; name="payroll_report_429047_10092013.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"
>
> Z290Y2hhCg==
>
> ----boundary--
>=====================================================================
>
>Note carefully the Content-Type: header on the ZIP attachment:
>
> Content-Type: ; name="payroll_report_429047_10092013.zip"
>
>MIME::tools won't parse this correctly and will not return the zip filename.
Hi David,
I found this old message when I was searching my mailboxes for malformed
"Content-Disposition" MIME headers.
Note that the "name=" field in the Content-Disposition header above is
also wrong. This should be a "filename=" field.
This can lead to incorrect parsing/handling of the zip filename in
several places.
The "action_defang" subroutine in mimedefang.pl rewrites an attachment's
name and type as follows:
$entity->effective_type($type);
$head->replace("Content-Type", $type);
$head->mime_attr("Content-Type.name" => $name);
$head->mime_attr("Content-Disposition.filename" => $fname);
$head->mime_attr("Content-Description" => $fname);
$head->mime_attr("Content-Disposition.name") is left untouched if it is
present.
The subroutines "re_match" and "re_match_ext" in mimedefang.pl only look
for a file name in $head->mime_attr("Content-Type.name") and
$head->mime_attr("Content-Disposition.filename") and will miss a name
in $head->mime_attr("Content-Disposition.name").
Recently I have been receiving messages with malformed Content-Disposition
headers containing both a "filename" and a "name" field.
My filter tried to use "action_defang" to change the file extension
from .zip into ._zip and I got the following result:
------=_Part_50952_1748260434.1834726427465
Content-Type: application/octet-stream; name="Order_Details._zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Order_Details._zip"; name="Order_Details.zip"
Content-Description: Order_Details._zip
These malformed messages can be detected and rejected in "sub filter"
with something like:
if (defined($head->mime_attr("Content-Disposition.name"))) {
    md_graphdefang_log('rejected', 'bad_mime_header', $RelayAddr);
    return action_bounce("Suspicious attachment found.");
}
I'm wondering if mimedefang.pl and/or MIME::tools could and should
detect and handle such malformed messages.
Regards,
Kees Theunissen.
--
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: C.J.Theunissen at differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
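The two malformed header shapes discussed in this thread, parsed by an added example that is not part of the post or of mimedefang.pl. It uses Python's standard email module instead of MIME::Tools; mimedefang_style_names() only mirrors the two header attributes that re_match/re_match_ext consult, and the sample messages are constructed to reproduce the structures quoted above.

```python
import email

# Constructed sample (not a real message) reproducing the structure quoted above:
# empty Content-Type media type, and "name=" instead of "filename=" on Content-Disposition.
MALFORMED_MSG = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--boundary"

----boundary
Content-Type: text/plain; charset=windows-1251; format=flowed

Dear, We received your payroll.
----boundary
Content-Type: ; name="payroll_report_429047_10092013.zip"
Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"

Z290Y2hhCg==
----boundary--
"""

# Constructed single part with both "filename=" and "name=" on Content-Disposition
# (the pre-defang form of the second case in the post).
DOUBLE_NAME_PART = """\
Content-Type: application/octet-stream; name="Order_Details.zip"
Content-Disposition: attachment; filename="Order_Details.zip"; name="Order_Details.zip"

Z290Y2hhCg==
"""

def mimedefang_style_names(part):
    """Only the two places re_match/re_match_ext look; Content-Disposition.name is ignored."""
    return [n for n in (part.get_param("name", None, "content-type"),
                        part.get_param("filename", None, "content-disposition")) if n]

def suspicious_headers(part):
    """Reasons this part's headers are malformed; an empty list means clean."""
    reasons = []
    media_type = part.get("Content-Type", "").split(";", 1)[0].strip()
    if "/" not in media_type:
        reasons.append("empty or invalid Content-Type media type")
    if part.get_param("name", None, "content-disposition") is not None:
        reasons.append("Content-Disposition carries a 'name=' parameter")
    return reasons

def scan(raw):
    """Return (names_seen, reasons) for every leaf part of a raw message."""
    msg = email.message_from_string(raw)
    return [(mimedefang_style_names(p), suspicious_headers(p))
            for p in msg.walk() if not p.is_multipart()]
```

The reasons list is what a filter would log before bouncing; the names list shows that a filename hidden only in Content-Disposition.name never reaches the extension checks.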