Re: [exim] Word-Virus - Filename not detected

Author: Cyborg
Date:  
To: Exim-users
Subject: Re: [exim] Word-Virus - Filename not detected
On 09.11.2017 at 16:08, Cyborg wrote:
> Hi,
>
> this is part of a virus email :
>
>
> --------------439767554304687794273679
> Content-Type: application/msword;
> name="ARY7411 - 08.11.2017.doc"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="ARY7411 - 08.11.2017.doc"
>
> UEsDBBQABgAIAAAAIQBw5s8ffAEAAOYFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
> oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> .....
>
> It's the only part where a filename is given.
>
> But "$mime_filename" stays empty, so the filename can't get detected
> inside Exim's filter
>
>


Case closed:

The email MIME header Content-Type: in the real header was tampered
with, so Exim did see what it was: a message without a MIME part.
Therefore it never decoded the attachment and never stumbled over the
filename to block.

Exim did not make a mistake here, and any other processing client like
Outlook, which assembles the mail as having an attachment, makes an
error (which the end user will regret in this case, as it contains a
DOC dropper virus).


Best regards,
Marius
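
A check for the situation described in this post, as an added example that is not part of the original message and is not Exim code: it flags a message whose top-level header declares no multipart structure while the body still contains boundary-style lines followed by part headers that name a file. The function name `hidden_attachment_names` is hypothetical, and because the post does not say how the header was altered, the constructed sample assumes a top-level `Content-Type: text/plain`.

```python
import re
from email import message_from_string

BOUNDARY_RE = re.compile(r"^--\S[^\r\n]{0,69}$")   # "--" + boundary token
FILENAME_RE = re.compile(r'\b(?:file)?name="?([^";\r\n]+)', re.I)

def hidden_attachment_names(raw):
    """Filenames in part-like headers found in the body of a message that
    the top-level header does not declare as multipart."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return []                      # real MIME parts: normal checks apply
    body = msg.get_payload()
    if not isinstance(body, str):
        return []
    lines, names = body.splitlines(), []
    for i, line in enumerate(lines):
        if not BOUNDARY_RE.match(line.rstrip()):
            continue
        block = []                     # header lines after the delimiter
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                break
            block.append(nxt)
        headers = "\n".join(block)
        if not re.match(r"content-", headers, re.I):
            continue                   # not a MIME part header block
        for name in FILENAME_RE.findall(headers):
            if name.strip() not in names:
                names.append(name.strip())
    return names

# Constructed sample: part headers as quoted in the post, placed under an
# assumed non-multipart top-level header; the payload is a placeholder.
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/plain

--------------439767554304687794273679
Content-Type: application/msword;
 name="ARY7411 - 08.11.2017.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="ARY7411 - 08.11.2017.doc"

AAAA
"""
```

A non-empty result means a lenient client may reassemble an attachment that header-driven MIME checks never saw, so such a message is a candidate for quarantine or rejection.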