[Mimedefang] Re: Missed executable attachments with empty Content-Type
Tomasz Ostrowski
tometzky at batory.org.pl
Tue Apr 28 09:44:03 EDT 2015
On 2015-04-28 15:13, Dianne Skoll wrote:
>> I've just received a trojan/exploit attachment with CHM extension,
>> which should be filtered by MIMEdefang but wasn't.
>
> Well, it surely depends on your filter?

My filter depends on the "re_match" function provided by MIMEDefang.
Also, suggested-minimum-filter-for-windows-clients uses it.

The mimedefang-filter man page says:

> re_match returns true if any of the fields [Content-Disposition.filename,
> Content-Type.name and Content-Description] matches the regexp without
> regard to case.

In my example Content-Type should match, but it doesn't, because it is
probably deliberately broken enough to avoid detection by security
products, but not enough to not work in email clients.

> Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].

I think this resolution is unsustainable - this technique might get
popular fast if it proves to fool filters.

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
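
An added example, not part of the original message and not MIMEDefang's own code: a fallback check that scans a part's raw header text for name/filename parameters even when the Content-Type value itself is empty, so the extension test does not depend on the MIME parser accepting the header. The helper names `raw_header_names` and `part_has_bad_name`, the shortened extension list, and the sample header (one assumed form of the "empty Content-Type" in the subject line) are all hypothetical or constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not a MIMEDefang function): collect every name= or
# filename= parameter found in the raw Content-Type / Content-Disposition
# headers of one MIME part, without requiring a valid media type.
sub raw_header_names {
    my ($raw) = @_;
    $raw =~ s/\r?\n[ \t]+/ /g;    # unfold continuation lines
    my @names;
    for my $line (split /\r?\n/, $raw) {
        next unless $line =~ /^Content-(?:Type|Disposition)\s*:(.*)$/i;
        my $value = $1;
        # Accept quoted or bare values, plus RFC 2231 forms (name*=, name*0*=).
        while ($value =~ /(?:^|[;\s])(?:file)?name(?:\*\d*)?\*?\s*=\s*(?:"([^"]*)"|([^;\s]+))/gi) {
            push @names, defined $1 ? $1 : $2;
        }
    }
    return @names;
}

# Hypothetical helper: true if any recovered name matches the extension regexp,
# without regard to case (the same matching rule the man page gives for re_match).
sub part_has_bad_name {
    my ($raw, $re) = @_;
    return scalar grep { /$re/i } raw_header_names($raw);
}

# Constructed, shortened extension list; a real filter would use its full list.
my $bad_re = qr/\.(?:chm|exe|scr)\.*$/;

# Constructed sample header: empty media type, name parameter still present.
my $broken = join "\r\n",
    'Content-Type: ;',
    "\tname=\"SecureMessage.chm\"",
    'Content-Transfer-Encoding: base64',
    '';

# Constructed control: well-formed header with a harmless name.
my $clean = join "\r\n",
    'Content-Type: text/plain; name="notes.txt"',
    '';

for my $case ([broken => $broken], [clean => $clean]) {
    my ($label, $hdr) = @$case;
    printf "%-6s names=[%s] verdict=%s\n", $label,
        join(',', raw_header_names($hdr)),
        part_has_bad_name($hdr, $bad_re) ? 'reject' : 'pass';
}
```
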