[Mimedefang] exe in defective zip attachments getting through mimedefang
Hello,

We're getting the standard UPS attachment scam. An exe is inside a zip file. Mimedefang catches most of these but it misses a few. I decided to track one of the few through mimedefang and found out why: in mimedefang.pl, if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment through. From what I could find out, if Archive::Zip doesn't return AZ_OK then there is a problem with the zip file. I'd rather block defective zip files than let them through.

In the code below, I substituted "return 0;" with "else { return 1; }" and that solved my problem. Now good zips still go through, zips with exes get replaced with a warning, and defective (hacked, I'm assuming) zips get replaced with warnings too. I'm surprised that standard procedure is to let defective zips through. Or am I understanding this wrong?

Thanks,
Cliff

    sub re_match_in_zip_directory ($$) {
        my($zipname, $regexp) = @_;

        unless ($Features{"Archive::Zip"}) {
            md_syslog('err', "$MsgID: Attempted to use re_match_in_zip_directory, but Perl module Archive::Zip is not installed.");
            return 0;
        }

        my $zip = Archive::Zip->new();

        # Prevent carping about errors
        Archive::Zip::setErrorHandler(\&dummy_zip_error_handler);

        if ($zip->read($zipname) == AZ_OK()) {
            # Archive is readable: match each member name against the pattern
            foreach my $member ($zip->members()) {
                my $file = $member->fileName();
                return 1 if ($file =~ /$regexp/i);
            }
        } else {
            # Archive::Zip could not read the file: treat it as a match (block it)
            return 1;
        }
        return 0;   # readable zip, no member matched
    }

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] exe in defective zip attachments getting through mimedefang
On Thu, Jan 14, 2010 at 10:54:14AM -0600, Cliff Hayes wrote:
> if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment through. From what I could find out, if Archive::Zip doesn't return AZ_OK then there is a problem with the zip file. I'd rather block defective zip files than let them through.
>
> In the code below, I substituted "return 0;" with "else { return 1; }" and that solved my problem. Now good zips still go through, zips with exes get replaced with a warning, and defective (hacked, I'm assuming) zips get replaced with warnings too. I'm surprised that standard procedure is to let defective zips through. Or am I understanding this wrong?

What value is ->read() returning? It might be nice to check the status value and determine if it's failing due to a corrupt zip file, or simply due to a zip format that Archive::Zip doesn't recognize.

If you can grab a sample of the zip in question and send it to me offlist, I'll take a look.

Cheers,
Dave

--
Dave O'Neill  d...@roaringpenguin.com
Roaring Penguin Software Inc.  +1 (613) 231-6599  http://www.roaringpenguin.com/
For CanIt technical support, please mail: supp...@roaringpenguin.com
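Following Dave's suggestion to look at the status value instead of only comparing against AZ_OK, here is an added example (not mimedefang.pl code, and not from either poster) of a fail-closed variant of Cliff's function: it logs the named Archive::Zip status and the library's own error message, so the admin can tell a corrupt archive (AZ_FORMAT_ERROR) from an I/O problem, and still blocks on either. It assumes md_syslog() and $MsgID are in scope as they are inside mimedefang-filter; the %STATUS_NAME table and the error-capturing handler are this example's own.

```perl
# Added example; assumes md_syslog() and $MsgID are provided by mimedefang.pl
# (as they are inside mimedefang-filter). Everything else here is the example's own.
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );

# Map Archive::Zip's numeric read() statuses to their exported constant names.
my %STATUS_NAME = (
    AZ_OK()           => 'AZ_OK',
    AZ_STREAM_END()   => 'AZ_STREAM_END',
    AZ_ERROR()        => 'AZ_ERROR',
    AZ_FORMAT_ERROR() => 'AZ_FORMAT_ERROR',   # structurally bad / unrecognised zip
    AZ_IO_ERROR()     => 'AZ_IO_ERROR',       # could not open or read the file
);

# Returns 1 when the archive should be treated as suspicious: either a member
# name matches $regexp, or the archive cannot be read at all (fail closed).
# Returns 0 only for a readable archive with no matching member.
sub re_match_in_zip_directory_strict {
    my ($zipname, $regexp) = @_;

    # Capture the library's error text instead of letting it carp to stderr.
    my $last_error = '';
    Archive::Zip::setErrorHandler(sub {
        $last_error = join('', @_);
        $last_error =~ s/\s+$//;
    });

    my $zip    = Archive::Zip->new();
    my $status = $zip->read($zipname);

    if ($status != AZ_OK()) {
        my $name = defined $STATUS_NAME{$status} ? $STATUS_NAME{$status} : "status $status";
        md_syslog('warning',
            "$MsgID: Archive::Zip could not read $zipname ($name: $last_error); treating as suspicious");
        return 1;
    }

    foreach my $member ($zip->members()) {
        return 1 if $member->fileName() =~ /$regexp/i;
    }
    return 0;
}
```

Called from filter_bad_filename or filter the same way as re_match_in_zip_directory, this keeps Cliff's block-on-failure policy but leaves a log line that shows whether the unreadable archives are genuinely corrupt or merely a format Archive::Zip does not parse.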