A couple of days ago, someone suggested using the "^MIME-Version:"
fields, like "^Content-Type: multipart/related;", for detecting
potentially malicious Microsoft Outlook attachments (which would be
significantly faster than searching the body of messages for a "name="
string).

Unfortunately, there is a problem with the way Microsoft Outlook
parses e-mail headers. For example, in BadTrans.B:

MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="

which is a violation of RFC822, paragraph 3.1.1 (there is no linear
whitespace preceding the "type" and "boundary" records). Microsoft
Outlook, incorrectly, parses the body of such a message as a MIME
message (metamail(1), correctly, does not).

John
BTW, NAI WebShield SMTP for NT parses the BadTrans.B headers,
correctly, and determines that the message is not a MIME message,
allowing it, incorrectly, to pass.
--
John Conover, conover(_at_)rahul(_dot_)net, http://www.johncon.com/
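
The header discrepancy described above can itself be used as a filter signal. The following is an added example, not part of the original post: it reads the Content-Type field once under the RFC 822 folding rule and once under a tolerant rule, and flags messages where only the tolerant reading yields a boundary. The tolerant rule (attach an unindented, colon-less line to a field that ends in ";") is an assumed model of a lenient mail reader, not Outlook's actual algorithm; the function names and sample messages are constructed for illustration.

```python
import re

# Constructed sample with the header layout quoted in the post: the "type"
# and "boundary" lines start in column 0, with no folding whitespace.
UNFOLDED = (
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/related;\n'
    'type="multipart/alternative";\n'
    'boundary="====_ABC1234567890DEF_===="\n'
    '\n'
    'body\n'
)
# The same header, correctly folded with a leading TAB (constructed).
FOLDED = UNFOLDED.replace('\ntype=', '\n\ttype=').replace('\nboundary=', '\n\tboundary=')

# RFC 822 field: printable name without SPACE or ":", then ":" and the body.
FIELD = re.compile(r'^([!-9;-~]+)[ \t]*:(.*)$')

def content_type(message, lenient=False):
    """Return the Content-Type value, unfolded, or None if absent.

    Strict mode (RFC 822 3.1.1): only lines that start with SPACE or TAB
    continue the previous field. Lenient mode (assumed model): an unindented
    line without a field name also continues a field that ends in ';'.
    """
    header = message.replace('\r\n', '\n').split('\n\n', 1)[0]
    fields, name = {}, None
    for line in header.split('\n'):
        match = FIELD.match(line)
        if line[:1] in (' ', '\t') and name:
            fields[name] += ' ' + line.strip()      # proper continuation
        elif match:
            name = match.group(1).lower()
            fields[name] = match.group(2).strip()   # new field starts
        elif lenient and name and fields[name].endswith(';'):
            fields[name] += ' ' + line.strip()      # tolerated bad folding
        else:
            name = None                             # malformed line, dropped
    return fields.get('content-type')

def parser_differential(message):
    """True if only the lenient reading finds a multipart boundary."""
    strict = (content_type(message) or '').lower()
    loose = (content_type(message, lenient=True) or '').lower()
    return 'boundary=' in loose and 'boundary=' not in strict

if __name__ == '__main__':
    for label, msg in (('unfolded', UNFOLDED), ('folded', FOLDED)):
        print(label, content_type(msg), parser_differential(msg))
```

A message for which parser_differential() returns True is one that a strict scanner would treat as plain text while a tolerant reader could still treat it as MIME, which is the gap the WebShield note above describes.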