[Mimedefang] Warning: Malformed MIME virus in the wild

Kees Theunissen C.J.Theunissen at differ.nl
Tue Feb 11 16:19:01 EST 2014

On Thu, 10 Oct 2013, David F. Skoll wrote:

>We've run into a malformed MIME virus that has a structure like this:
>    To: someone at example.com
>    Subject: Payroll Received by Intuit
>    MIME-Version: 1.0
>    Content-Type: multipart/mixed; boundary="--boundary"
>    ----boundary
>    Content-Type: text/plain; charset=windows-1251; format=flowed
>    Content-Transfer-Encoding: 7bit
>    Dear, We received your payroll on October 9, 2013 at 4:55 PM .
>    ----boundary
>    Content-Type: ; name="payroll_report_429047_10092013.zip"
>    Content-Transfer-Encoding: base64
>    Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"
>    Z290Y2hhCg==
>    ----boundary--
>Note carefully the Content-Type: header on the ZIP attachment:
>   Content-Type: ; name="payroll_report_429047_10092013.zip"
>MIME::tools won't parse this correctly and will not return the zip filename.

Hi David,

I found this old message when I was searching my mailboxes for malformed
"Content-Disposition" MIME headers.
Note that the "name=" field in the Content-Disposition header above is
also wrong. This should be a "filename=" field.
This can lead to incorrect parsing/handling of the zip filename in
several places.
The "action_defang" subroutine in mimedefang.pl rewrites an attachment's
name and type as follows:
    $head->replace("Content-Type", $type);
    $head->mime_attr("Content-Type.name" => $name);
    $head->mime_attr("Content-Disposition.filename" => $fname);
    $head->mime_attr("Content-Description" => $fname);

$head->mime_attr("Content-Disposition.name") is left untouched if it is

The subroutines "re_match" and "re_match_ext" in mimedefang.pl only look
for a file name in $head->mime_attr("Content-Type.name") and
$head->mime_attr("Content-Disposition.filename") and will miss a name
in $head->mime_attr("Content-Disposition.name")

Recently I'm receiving messages with malformed Content-Disposition
headers containing both a "filename" and a "name" field.
My filter tried to use "action_defang" to change the file extension
from .zip into ._zip and I got the following result:

    Content-Type: application/octet-stream; name="Order_Details._zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="Order_Details._zip"; name="Order_Details.zip"
    Content-Description: Order_Details._zip

These malformed messages can be detected and rejected in "sub filter"
with something like:

    if (defined($head->mime_attr("Content-Disposition.name"))) {
        md_graphdefang_log('rejected', 'bad_mime_header', $RelayAddr);
        return action_bounce("Suspicious attachment found.");
    }

I'm wondering if mimedefang.pl and/or MIME::tools could and should
detect and handle such malformed messages.


Kees Theunissen.

Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   C.J.Theunissen at differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
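The following is an added example, not code from mimedefang.pl or MIME::tools, that applies the two checks from this message with Python's standard email parser: it flags a part whose Content-Type value is empty or whose Content-Disposition carries a name= parameter, and reports every slot in which a file name was found, including the Content-Disposition.name slot that re_match() and re_match_ext() skip. The two messages are constructed from the structures quoted in the thread (the base64 body is the placeholder from David's sample).

```python
# Added example (not mimedefang.pl or MIME::tools code) using Python's email parser.
import email
# Constructed from David's quoted sample, text part omitted: empty Content-Type
# value, and "name=" instead of "filename=" in Content-Disposition.
SAMPLE_EMPTY_CTYPE = """\
Content-Type: multipart/mixed; boundary="--boundary"

----boundary
Content-Type: ; name="payroll_report_429047_10092013.zip"
Content-Disposition: attachment; name="payroll_report_409401_10092013.zip"

Z290Y2hhCg==
----boundary--
"""

# Constructed from Kees's second case (before action_defang): filename= and name=.
SAMPLE_BOTH_PARAMS = """\
Content-Type: application/octet-stream; name="Order_Details.zip"
Content-Disposition: attachment; filename="Order_Details.zip"; name="Order_Details.zip"

Z290Y2hhCg==
"""

# The three places a file name can sit; re_match()/re_match_ext() read only
# the first two, so a name given in Content-Disposition.name goes unnoticed.
NAME_SLOTS = (("Content-Type.name", "content-type", "name"),
              ("Content-Disposition.filename", "content-disposition", "filename"),
              ("Content-Disposition.name", "content-disposition", "name"))

def header_defects(part):
    # Defects this thread describes, checked on one non-multipart part.
    defects = []
    ctype = part.get("Content-Type")
    if ctype is not None and not ctype.split(";", 1)[0].strip():
        defects.append("empty Content-Type value")          # "Content-Type: ; name=..."
    if part.get_param("name", header="content-disposition") is not None:
        defects.append("name= parameter in Content-Disposition")
    return defects

def scan_message(raw):
    # Return (file name per slot, defects) for each suspicious leaf part.
    findings = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        defects = header_defects(part)
        if defects:
            names = {slot: value for slot, hdr, param in NAME_SLOTS
                     if (value := part.get_param(param, header=hdr)) is not None}
            findings.append((names, defects))
    return findings
```

Note that for the empty header get_content_type() silently reports text/plain, which is why the check reads the raw header value instead.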
