On 09.11.2017 at 16:08, Cyborg wrote:
> Hi,
>
> this is part of a virus email :
>
>
> --------------439767554304687794273679
> Content-Type: application/msword;
>  name="ARY7411 - 08.11.2017.doc"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>  filename="ARY7411 - 08.11.2017.doc"
>
> UEsDBBQABgAIAAAAIQBw5s8ffAEAAOYFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
> oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> .....
>
> It's the only part, where a filename is given.
>
> But "$mime_filename" stays empty, so the filename can't get detected
> inside Exim's filter
>
>
Case closed:

The email MIME header Content-Type: in the real header was tampered with, so Exim did see what it was: a message without a MIME part. Therefore it never decoded the attachment and never stumbled over the filename to block.

Exim did not make a mistake here, and any other processing client like Outlook, which assembles the mail as having an attachment, makes an error (which the end user will regret in this case, as it contains a DOC dropper virus).

Best regards,
Marius

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
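The mismatch described in this thread can be checked for directly: a message whose top-level header is not multipart, yet whose body carries boundary-delimited part headers naming an attachment. The following is an added example, not code from the thread or from Exim; it uses Python's standard `email` parser, the function names are hypothetical, and the sample is constructed (the post does not say how the header was altered, so a top-level `text/plain` is assumed).

```python
import re
from email import message_from_bytes, message_from_string, policy

# A MIME delimiter line: "--" followed by the boundary token (RFC 2046).
DELIM = re.compile(r"^--\S[^\n]{0,69}$", re.MULTILINE)

def hidden_attachments(raw: bytes) -> list[str]:
    """Filenames declared by part headers inside the body of a message whose
    top-level header is NOT multipart, i.e. parts a strict parser never sees."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart():
        return []  # parts are visible; ordinary per-part filename checks apply
    body = (msg.get_payload(decode=True) or b"").decode("latin-1")
    body = body.replace("\r\n", "\n")
    found = []
    for m in DELIM.finditer(body):
        # Header block of the would-be part: everything up to the first blank line.
        head = body[m.end() + 1:].split("\n\n", 1)[0]
        part = message_from_string(head + "\n\n", policy=policy.default)
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name and name not in found:
            found.append(name)
    return found

# Constructed sample: boundary and filename are the ones quoted in the thread,
# everything else (addresses, payload, top-level header value) is made up.
BOUNDARY = "-" * 12 + "439767554304687794273679"

def build_sample(top_content_type: str) -> bytes:
    lines = [
        "From: sender@example.invalid",
        "MIME-Version: 1.0",
        f"Content-Type: {top_content_type}",
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/plain; charset=utf-8",
        "",
        "see attachment",
        f"--{BOUNDARY}",
        "Content-Type: application/msword;",
        ' name="ARY7411 - 08.11.2017.doc"',
        "Content-Transfer-Encoding: base64",
        "Content-Disposition: attachment;",
        ' filename="ARY7411 - 08.11.2017.doc"',
        "",
        "AAAA",  # placeholder payload, not the real attachment
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

if __name__ == "__main__":
    print(hidden_attachments(build_sample("text/plain")))
```

A non-empty result means a lenient mail client may still present an attachment that per-part filename rules never examined, so such messages are candidates for quarantine or rejection.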