[Mimedefang] Missed executable attachments with empty Content-Type

Tomasz Ostrowski tometzky at batory.org.pl
Tue Apr 28 08:34:59 EDT 2015

I've just received a trojan/exploit attachment with CHM extension, which 
should be filtered by MIMEdefang but wasn't.

This attachment was send in a MIME part with broken header:
Content-Type: ;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

Please notice empty "Content-Type" in above header. Because of empty 
content type my mail client (Thunderbird) displayed it as garbage, but 
also defaulted to to save it as a file with original name 
"SecureMessage.chm". Opening it would compromise a system, as it isn't 
recognized as a virus by most antivirus programs yet:

I've retested it changing extension to EXE and it was also allowed.

I'm attaching the whole message (beware, contains virus) in 7z archive 
with password "infected".

...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
                                                       Winnie the Pooh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NatWest Secure Message.7z
Type: application/x-7z-compressed
Size: 5833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20150428/05a969ba/attachment-0002.bin>

More information about the MIMEDefang mailing list