Re: [exim] Word-Virus - Filename not detected

Author: Cyborg
Date:
To: Exim-users
Subject: Re: [exim] Word-Virus - Filename not detected
On 09.11.2017 at 16:08, Cyborg wrote:
> Hi,
>
> this is part of a virus email :
>
>
> --------------439767554304687794273679
> Content-Type: application/msword;
> name="ARY7411 - 08.11.2017.doc"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="ARY7411 - 08.11.2017.doc"
>
> UEsDBBQABgAIAAAAIQBw5s8ffAEAAOYFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
> oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> .....
>
> It's the only part where a filename is given.
>
> But "$mime_filename" stays empty, so the filename can't get detected
> inside Exim's filter
>
>


Case closed:

The email MIME header Content-Type: in the real header was tampered
with, so Exim did see what it was: a message without a MIME part.
Therefore it never decoded the attachment and never stumbled over the
filename to block.

Exim did not make a mistake here, and any other processing client like
Outlook, which assembles the mail as having an attachment, makes an
error (which the end user will regret in this case, as it contains a
DOC dropper virus).


Best regards,
Marius
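
A check for the mismatch described in this message, as an added example that is not part of the original post or of Exim: it flags a message whose top-level header declares no multipart structure while the body still contains delimiter lines followed by part headers that carry a filename. Both sample messages are constructed, and the `text/plain` top-level type in the tampered one is an assumption, since the post does not say how the header was altered.

```python
import re
from email import message_from_string

# A line that looks like a MIME delimiter: "--" followed by a non-space character.
DELIM = re.compile(r'^--\S[^\r\n]*\r?$', re.M)
# name= / filename= parameter inside would-be part headers.
NAME = re.compile(r'\b(?:file)?name\*?=\s*"?([^";\r\n]+)', re.I)

def hidden_attachment_names(raw):
    """Filenames declared in part-like headers of a message whose top-level
    header does not declare a MIME multipart structure."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return []  # parts are visible; the normal per-part filename checks can run
    body = msg.get_payload()
    if not isinstance(body, str):
        return []
    found = []
    for chunk in DELIM.split(body)[1:]:
        # Everything up to the first blank line would be the part's headers.
        headers = re.split(r'\r?\n\r?\n', chunk.lstrip("\r\n"), maxsplit=1)[0]
        if re.search(r'^Content-(?:Type|Disposition):', headers, re.I | re.M):
            found += NAME.findall(headers)
    return list(dict.fromkeys(found))  # de-duplicate, keep order

# Constructed samples modeled on the part quoted in the post (payload is a placeholder).
BOUNDARY = "------------439767554304687794273679"
PART = f"""--{BOUNDARY}
Content-Type: application/msword;
 name="ARY7411 - 08.11.2017.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="ARY7411 - 08.11.2017.doc"

QUJD
--{BOUNDARY}--
"""
# Assumption: the tampered top-level header no longer announces multipart.
TAMPERED = "From: a@example.org\nSubject: invoice\nContent-Type: text/plain\n\n" + PART
INTACT = ("From: a@example.org\nSubject: invoice\nMIME-Version: 1.0\n"
          f'Content-Type: multipart/mixed;\n boundary="{BOUNDARY}"\n\n' + PART)

if __name__ == "__main__":
    print("tampered:", hidden_attachment_names(TAMPERED))
    print("intact:  ", hidden_attachment_names(INTACT))
```

A non-empty result is a reason to quarantine or reject, because a lenient mail client may still reassemble and offer the attachment.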