On Wed, 13 Mar 2002, Hugh Sasse Staff Elec Eng wrote:
| Using the Exim system_filter (Windows executable content filter) Version
| 0.17, the "Content: Disposition...\S+\.exe" rule for multipart mime does
| not seem to be firing. As far as I can see it ought to. I am using
| Exim 3.32, solaris.
|
| The message which did get delivered to me is now at:
| http://www.eng.cse.dmu.ac.uk/~hgs/e-mail/test_multipart_exe
This is the gibe worm:
http://www.sarc.com/avcenter/venc/data/w32.gibe@mm.html
The social engineering text body part contains some NULL charaters. In
current versions of exim, the $message_body variable stops at the first
NULL, causing the exe filter to miss the attachment.
Philip has posted a patch for this - please see thread "NULL / filter"
earlier this week.
Chris