I brought this up to Scott several years ago, and he said this is not a bug but a by-design issue. He explained a scenario why this was important and I understood based on the explanation, but for the life of me I can't remember the scenario.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude and IMail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.

For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline; filename="smoky.1.gi"
You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a00009ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a00009ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a00009ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a00009ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a00009ecc.smd Subject: Re: diagnostician dull
This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXEs.

It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown", so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose, for instance, to block them but not bounce them.
Thanks,
Matt
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.