[Mimedefang] Re: Missed executable attachments with empty Content-Type

Tomasz Ostrowski tometzky at batory.org.pl
Tue Apr 28 09:44:03 EDT 2015

On 2015-04-28 15:13, Dianne Skoll wrote:
>> I've just received a trojan/exploit attachment with CHM extension,
>> which should be filtered by MIMEdefang but wasn't.
> Well, it surely depends on your filter?

My filter is depending on "re_match" function provided by MIMEdefang. 
Also suggested-minimum-filter-for-windows-clients is using it.

Mimedefang-filter man page says:
> re_match returns true if any of the fields [Content-Disposition.filename,
> Content-Type.name and Content-Description] matches the regexp without
> regard to case.

In my example Content-Type should match, but it doesn't because it is 
probably deliberately broken enough to avoid detection by security 
products. But not enough to not work in Email clients.

> Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].

I think this resolution is unsustainable - this technique might get 
popular fast if this proves to foul filters.

...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
                                                       Winnie the Pooh

More information about the MIMEDefang mailing list