Re: [exim] Word-Virus - Filename not detected

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMCyborg at <-
Jeremy Harris at ->
Delete this message
Reply to this message
Author: Cyborg
Date:  
To: Exim-users
Subject: Re: [exim] Word-Virus - Filename not detected
Am 09.11.2017 um 16:08 schrieb Cyborg:
> Hi,
>
> this is part of a virus email :
>
>
> --------------439767554304687794273679
> Content-Type: application/msword;
> name="ARY7411 - 08.11.2017.doc"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="ARY7411 - 08.11.2017.doc"
>
> UEsDBBQABgAIAAAAIQBw5s8ffAEAAOYFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
> oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> .....
>
> Its the only part, where a filename is given.
>
> But "$mime_filename" stays empty, so the filename can't get detected
> inside exims filter
>
>

Case closed:

The email mime-header Content-Type: in the real header, was tampered
with, so exim
did see what it was: a message without a mimepart. Therefor it never
decoded the attachment
and never stumpled over the filename to block.

Exim did not make a mistake here, and any other processing client like
outlook, who assembles the mail as having an attachment
makes an error (which the enduser will regret in this case, as it
contains a DOC Dropper virus )


best bregards,
Marius

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Exim and MySQL with UTF-8 encodingRe: [exim] Word-Virus - Filename not detected->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)