Hello,
We're getting the standard UPS attachment scam. An exe is inside a zip
file.
Mimedefang catches most of these but it misses a few. I decided to track
one of the few through mimedefang and found out why in mimedefang.pl
if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment
through. From what I could find out, if Archive::Zip doesn't return AZ_OK
then there is a problem with the zip file. I'd rather block defective zip
files then let them through. In the code below, I substituted "return 0;"
with "else { return 1; }" and that solved my problem. Now good zips still
go through, zips with exe's get replaced with warning, and defective (hacked
I'm assuming) get replaced with warnings too. I'm surprised that standard
procedure is to let defective zips through. Or am I understanding this
wrong?
Thanks, Cliff
sub re_match_in_zip_directory ($$) {
my($zipname, $regexp) = @_;
unless ($Features{"Archive::Zip"}) {
md_syslog('err', "$MsgID: Attempted to use
re_match_in_zip_directory, but Perl module Archive::Zip is not installed.");
return 0;
}
my $zip = Archive::Zip->new();
# Prevent carping about errors
Archive::Zip::setErrorHandler(\&dummy_zip_error_handler);
if ($zip->read($zipname) == AZ_OK()) {
foreach my $member ($zip->members()) {
my $file = $member->fileName();
return 1 if ($file =~ /$regexp/i);
}
}
else { return 1; }
}
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
