On Mon, Apr 29, 2002 at 05:55:38PM -0700, Marc MERLIN wrote:
> On Mon, Apr 29, 2002 at 05:21:52PM -0700, David Gardner wrote:
> > I'm running Exim 3.22 and am having trouble with the Klez worm arriving
> > in my user's mailboxes. The standard "suspicious" attachment filter does
> > not seem to be doing its job anymore.
>
> I saw this too. I *think* it might be because of the space in the filename
I first noticed this when a user sent a panicky "I've just
received a virus!" message, and I looked at my copy and saw a
.doc attachment. Couldn't figure out how he got a .exe one
through the filter. Asked him to send me a copy of the
headers, and he sent me the attachment, which bounced
off the filter. (So I don't think it's the space.)
Then, looking at my copy again, I hit "v" (I'm a mutt user) to
look at the attachments, and saw an "etc. " file, but no .doc.
Finally saved the entire message to a file and lessed it, and
found that the message starts with a bit of garbage^Whtml:
--Oo6e76bBf0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:JJ4TE66M2X1s height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
Then we get the offensive executable attachment:
--Oo6e76bBf0
Content-Type: audio/x-midi;
name=etc. .exe
Content-Transfer-Encoding: base64
Content-ID: <JJ4TE66M2X1s>
And farther down in the message we get another attachment:
--Oo6e76bBf0
--Oo6e76bBf0
Content-Type: application/octet-stream;
name=Ledoux5thFlr(Rev112299).doc
Content-Transfer-Encoding: base64
Content-ID: <JJ4TE66M2X1s>
And at the very end is a final marker:
--Oo6e76bBf0
It seems that the double MIME separator at the end of the first
attachment is confusing things. Without the extra one, mutt is
at least able to tell me there are two attachments, and what they
both are.
Might that also be confusing the filter somehow?
(Please accept my apologies for any typos. I haven't been able
to type properly since I bought the "Virtually Indestructible
Keyboard"...)
Cheers,
Kyle
--
Kyle Dippery
Engineering Computing Services Phone: (859) 257-1346
280 Anderson Hall Fax: (859) 323-3848
University of Kentucky
Lexington, KY 40506-0046