On 2015-04-28 15:13, Dianne Skoll wrote:
>> I've just received a trojan/exploit attachment with CHM extension,
>> which should be filtered by MIMEdefang but wasn't.
>
> Well, it surely depends on your filter?

My filter depends on the "re_match" function provided by MIMEdefang.
The suggested-minimum-filter-for-windows-clients also uses it.

The mimedefang-filter man page says:

re_match returns true if any of the fields [Content-Disposition.filename,
Content-Type.name and Content-Description] matches the regexp without
regard to case.

In my example Content-Type should match, but it doesn't because it is
probably deliberately broken enough to avoid detection by security
products. But not enough to not work in Email clients.

> Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].

I think this resolution is unsustainable - this technique might get
popular fast if this proves to fool filters.

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang