
Re: MyDoom, Sorbig - Actions taken?

2004-02-05 06:24:21

Hector Santos writes:
Can you elaborate what exactly they are not "adhering" to?

If I send you a body-part with content-type image/jpeg, that's what it is. Some MUAs do this:

 1. Tell the user there's a JPEG attachment and offer to show it.
 2. When the user issues the "show attachment" command:
 3a. Notice that the first six bytes (after base64 decoding) are "GIF87a"
 3b. Choose to treat the body-part as image/gif instead of image/jpeg
 3c. Show the attachment as a GIF file.

Sounds harmless to you? But if you do it you're deceiving your user. Deception leads to misunderstandings and sometimes worse. What if the body-part started with "MZ" or "%!" instead of "GIF87a"?

Another evil problem is to misparse boundary lines. If a MUA gets it wrong, then a message can pass through the firewall, pass through the virus checker, and by exploiting the MUA bug still cause much damage.

In the future, PLEASE try a google search rather than asking such questions on mail-ng.
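The MUA behaviour described in the numbered list (declared type says image/jpeg, magic bytes say GIF, executable or PostScript, and the client quietly switches types) is something a mail gateway or virus checker can detect instead of reproduce. The script below is an added example written for this archive page, not code from the thread or from any MUA; it decodes each MIME leaf part with Python's standard email parser and reports every part whose declared Content-Type disagrees with its leading bytes, leaving the decision to block or quarantine to a policy layer. The signature table and the sample message are constructed for illustration and are not exhaustive.

```python
"""
Flag MIME body parts whose declared Content-Type disagrees with the
magic bytes of the decoded content. The point is to report the mismatch
rather than silently re-type the part the way the MUA in the post does.
Editor-added example; the signature table and the sample message are
constructed and assumed, not taken from the mail-ng thread.
"""
import base64
from email import message_from_bytes
from typing import Dict, List, Optional

# Assumed, illustrative signature table (real deployments use a larger one).
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"MZ": "application/x-dosexec",       # DOS/Windows executable header
    b"%!": "application/postscript",      # PostScript header, as in the post
}


def sniff(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for sig, ctype in MAGIC.items():
        if data.startswith(sig):
            return ctype
    return None


def check_parts(raw: bytes) -> List[Dict]:
    """Walk every leaf body part and compare the declared type with the sniffed type.

    get_payload(decode=True) undoes base64 / quoted-printable, so the check
    runs on the bytes the MUA would actually hand to a viewer.
    """
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no content of their own
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        actual = sniff(payload)
        findings.append({
            "filename": part.get_filename(),
            "declared": declared,
            "sniffed": actual,
            # Unknown signatures are not treated as mismatches; only a
            # confident, different identification is reported.
            "mismatch": actual is not None and actual != declared,
        })
    return findings


def build_sample() -> bytes:
    """Constructed message: a plain-text part, a 'JPEG' that is really a GIF,
    and a 'JPEG' whose content starts with the MZ executable signature."""
    gif_payload = base64.b64encode(b"GIF87a" + b"\x00" * 16).decode()
    mz_payload = base64.b64encode(b"MZ" + b"\x90" * 16).decode()
    return (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="bnd"\r\n'
        "\r\n"
        "--bnd\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "hello\r\n"
        "--bnd\r\n"
        "Content-Type: image/jpeg\r\n"
        'Content-Disposition: attachment; filename="pic.jpg"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{gif_payload}\r\n"
        "--bnd\r\n"
        "Content-Type: image/jpeg\r\n"
        'Content-Disposition: attachment; filename="pic2.jpg"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{mz_payload}\r\n"
        "--bnd--\r\n"
    ).encode()


if __name__ == "__main__":
    for finding in check_parts(build_sample()):
        print(finding)
```

Running the script on the constructed message reports the text part as consistent and the two "JPEG" attachments as mismatches (sniffed image/gif and application/x-dosexec). Because the check runs after transfer decoding and uses the same parser for boundaries that the gateway uses for everything else, it also avoids the second problem the post raises: a gateway that parses boundaries differently from the MUA checks different bytes than the user will eventually see.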