[Mimedefang] Missed executable attachments with empty Content-Type

Paul Murphy pjm at ousekjarr.org
Tue Apr 28 13:23:42 EDT 2015


There are several approaches which will help - firstly, SpamAssassin
already detects null content types - my filter has a couple of
additional checks, but the key one here is "T_CTYPE_NULL" which my
system picked up for this attachment:

------------------_=_NextPart_001_01CF5EDB.A3086B20
Content-Type: ; name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="SecureMessage.chm"

My logs show this:

Apr 28 12:29:18 baldur mimedefang.pl[14717]: SA debug - t3SBTBpv024576,17.015(6/0/0),BAYES_60,CK_HELO_DYNAMIC_SPLIT_IP,DATE_IN_PAST_96_XX,HELO_DYNAMIC_IPADDR2,MSGID_FROM_MTA_HEADER,RDNS_DYNAMIC,TVD_RCVD_IP,T_CTYPE_NULL,T_TVD_MIME_NO_HEADERS,BROADBAND,autolearn=unavailable

The SpamAssassin report for this message shows:

Content analysis details:   (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
 0.0 TVD_RCVD_IP            Message was received from an IP address
 3.4 DATE_IN_PAST_96_XX     Date: is 96 hours or more before Received: date
 0.0 T_TVD_MIME_NO_HEADERS  BODY: T_TVD_MIME_NO_HEADERS
 1.5 BAYES_60               BODY: Bayes spam probability is 60 to 80% [score: 0.7020]
 1.0 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.0 T_CTYPE_NULL           Malformed Content-Type header
 3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)

So, if you are concerned about this, change the score for T_CTYPE_NULL
to something like 10 in your local Spamassassin configuration.

Secondly, your filter should be checking for .chm files and either
rejecting or quarantining them - they are compiled Windows help files,
which are not usually sent by e-mail, and which most modern Windows
systems will specifically refuse to open until you mark them as safe
from File/Properties.  I define two types of bad attachment types -
really bad types which are rejected outright, and dangerous types which
are quarantined:

    # Really bad extensions (rejected outright)
    $really_bad_exts = '(bat|com|exe|hta|pif|scr|sys|wsh)';
    # Bad extensions (quarantined)
    $bad_exts = '(ade|adp|app|asd|asf|asx|avi|bas|bat|bz2|chm|cmd|com|cpl|crt|dll|exe|flv|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|m1v|mdb|mde|mpg|mpeg|mp3|mp4|mov|msc|msi|msp|mst|ocx|pcd|pif|pps|prg|rar|reg|scr|sct|sh|shb|shs|swf|sys|url|vb|vbe|vbs|vxd|wav|wma|wmd|wms|wmv|wmz|wsc|wsf|wsh|\{[^\}]+\})';

My filter quarantined this message, and with no content type specified,
it classified it as text/plain - I keep a "progress" file in each spool
folder which shows what happened, and I keep all spool folders for 24
hours to aid investigations - this is a very low volume mail server at
home, so I can get away with this better than someone handling millions
of messages per day.  The progress file shows:

Filter_begin:  OK
Filter:  Part /text/plain Filter OK
Filter:  QUARANTINE - bad filename SecureMessage.chm of type text/plain
Filter:  Part /text/plain Filter OK

Finally, this was sent from a system which is almost certainly a
compromised PC on a DSL connection:

        SENDER=<htmyjsmbt at bonniej.com>
        HOSTIP=105.237.107.22
        HOSTNAME=105-237-107-22.access.mtnbusiness.co.za
        HELO=105-237-107-22.access.mtnbusiness.co.za ...

Given the IP appears in the rDNS entry, my system bumps the SpamAssassin
score by 6, which you can see in the log entry above - the section which
gives "17.015(6/0/0)" reflects the total SpamAssassin score of 11.015
from the scans, plus my local adjustments of 6 for a "broadband" system
which has its IP in its rDNS, 0 for checks against the Mailer header (I
keep stats on the "spaminess" of different mailer strings), and 0 for
checks against the subject header (where I check for things like my
domain name or username in the subject).

Any one of these should have caused the message to be failed.  The key
is to tailor your filter and apply some local logic based on your
knowledge of what "normal" e-mail patterns are for you.  The example
filter is a good starting point, but it has its limits, and is called
"example" and "minimal" for good reasons.

Best Wishes,

Paul.
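As an added illustration, not Paul's filter and not MIMEDefang project code, the Python below applies the two checks from the post to a constructed message with the same header shape (empty Content-Type, .chm filename in Content-Disposition). It assumes Python's standard email parser, an abridged subset of the extension lists from the post, and a base64 placeholder body rather than a real .chm file.

```python
import email
import re

# Extension classes follow the post's split: really bad -> reject,
# bad -> quarantine.  Both lists are an abridged subset of the post's.
REALLY_BAD_EXTS = re.compile(r'\.(bat|com|exe|hta|pif|scr|sys|wsh)$', re.I)
BAD_EXTS = re.compile(r'\.(chm|cmd|cpl|dll|hlp|jse?|lnk|msi|reg|sct|vb[es]?'
                      r'|wsf|\{[^}]+\})$', re.I)


def classify_filename(name):
    """Return 'reject', 'quarantine' or 'ok' for an attachment filename."""
    if not name:
        return 'ok'
    if REALLY_BAD_EXTS.search(name.strip()):
        return 'reject'
    if BAD_EXTS.search(name.strip()):
        return 'quarantine'
    return 'ok'


def has_null_content_type(part):
    """True when Content-Type is present but empty before the first ';'
    (the shape SpamAssassin flags as T_CTYPE_NULL)."""
    raw = part.get('Content-Type')
    return raw is not None and not raw.split(';', 1)[0].strip()


def scan_message(raw_bytes):
    """Return (filename, parsed type, null ctype?, verdict) per named part."""
    msg = email.message_from_bytes(raw_bytes)  # default compat32 policy
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()       # taken from Content-Disposition
        if not fname:
            continue
        # The parser falls back to text/plain for the empty Content-Type,
        # exactly as the filter in the post did; the filename check still fires.
        findings.append((fname, part.get_content_type(),
                         has_null_content_type(part), classify_filename(fname)))
    return findings


# Constructed sample with the post's header shape; body is a placeholder.
SAMPLE = b"""Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: ; name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="SecureMessage.chm"

cGxhY2Vob2xkZXI=
--constructed-boundary--
"""
```

Calling scan_message(SAMPLE) reports the part as text/plain with a null Content-Type and a quarantine verdict, so a filter keyed only on the declared MIME type would have let it through.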
