[Mimedefang] Missed executable attachments with empty Content-Type
Kevin A. McGrail
KMcGrail at PCCC.com
Tue Apr 28 10:06:27 EDT 2015
On 4/28/2015 9:44 AM, Tomasz Ostrowski wrote:
> My filter is depending on "re_match" function provided by MIMEdefang.
> Also suggested-minimum-filter-for-windows-clients is using it.
>
> Mimedefang-filter man page says:
>> re_match returns true if any of the fields
>> [Content-Disposition.filename,
>> Content-Type.name and Content-Description] matches the regexp without
>> regard to case.
>
> In my example Content-Type should match, but it doesn't because it is
> probably deliberately broken enough to avoid detection by security
> products. But not enough to not work in Email clients.
>
>> Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].
>
> I think this resolution is unsustainable - this technique might get
> popular fast if this proves to foul filters.

I took a little umbrage at your statement and wanted to rant for a
moment about why.

1st, DFS in good faith gave a triage idea for your concern.
You, however, didn't even thank her and pointed out the obvious. Namely,
these bastards are always evolving their techniques.

2nd, MD is open-source and the enemy is the bastard spammers/malware
authors. Don't attack people trying to help, donating their time and
giving you possible solutions. Instead you might consider thanking
them, providing feedback or even taking a swipe at the code and posting a
patch.
</rant>
KAM