#125 reformime splitting problem

closed-fixed
None
5
2001-11-23
2001-11-22
No

hi

the mail did not get split by reformime

with reformime -r I can reformat mail and after this I can split it with reformime -x

but there is no extract algorithm in amavis which extracts the exe file

?!

Discussion

  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    i use amavis 0.21

     
  • Lars Hecking

    Lars Hecking - 2001-11-22
    • assigned_to: nobody --> reniar
     
  • Lars Hecking

    Lars Hecking - 2001-11-22

    Logged In: YES
    user_id=28904

    The file you uploaded is not useful at all. We need a
    complete email message.

    (This is an interesting coincidence. This particular virus
    has been known since June, but it appears to have started
    spreading only recently. This is the second report about
    amavis 0.2.x not catching this virus, and to track this
    down, we need a complete mail message.)

     
  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    hi

    sorry for sending the virus .. I clicked the wrong file. here is the raw message.

    I solved the problem by starting reformime and metamail one after the other. this is some overkill - double
    files. but as soon as one fails (metamail for kak-worm & reformime for aviz-virus) the other should work
    at least.

     
  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    hi, me again

    this raw mail contains the actual mail as an attachment again .. so just delete the lines for the mail which
    wraps the virus mail.

    the virus came from another address than @njl.ee

    ciao

     
  • Lars Hecking

    Lars Hecking - 2001-11-22

    Logged In: YES
    user_id=28904

    Ok.

    The good news is: amavis-perl finds the virus, no problem.
    So, this might really be a bug in reformime.

    One funny thing I noticed, which may or may not be related:
    in the virus email, all the X-Priority, X-MSMail-Priority,
    X-Mailer, X-MimeOLE headers are indented by 8 spaces, which
    to any RFC822 parser makes it look like these headers are
    part of the preceding MIME Content-Type header. Maybe this
    is what's causing the problem with reformime?

     
  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    hi

    yeah - reformime is the problem -- that's why I also use metamail alongside it.

    i noticed also the spaces before some lines in the header.
    but it does not help to delete the spaces. it is the multiline "Content-Type:" line.

    if I rewrite the two content-type lines to one line: Content-Type: multipart/mixed;boundary="bound";
    reformime splits it correctly.

    ciao

     
  • Lars Hecking

    Lars Hecking - 2001-11-22

    Logged In: YES
    user_id=28904

    Which version of reformime is this? Could you try a newer
    one if available?

    The multi-line Content-Type is completely legal; this is
    called header folding (see RFC 2822 section 2.2.3), and
    reformime SHOULD handle it correctly.

     
  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    hi

    one more test .. I removed the spaces in front of the X-flags and even with the multiline content-type header
    (as you said) reformime splits it correctly.

    so maybe the virus writer knew about that bug?!

    ciao

    do you know how we can inform the reformime programmers?

    ciao

     
  • Lars Hecking

    Lars Hecking - 2001-11-22

    Logged In: YES
    user_id=28904

    It's too early to tell, as I only have your sample. There is
    another bug report open about the same issue, and I'm still
    waiting for feedback there.

    I have also received email stating that amavis 0.2.1 did
    catch this worm, and I'm waiting for copies here, too.

    Are you absolutely certain that the additional header
    indentation is in the original virus message, and wasn't
    added in the process of forwarding?

     
  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    hi

    ok here is the original message .. without being forwarded to me. just as it arrived in the user's mailbox,
    with the same spaces in front of the X-flags in the header

     
  • enrico binder

    enrico binder - 2001-11-22

    raw mail without being forwarded ... received from virus sender

     
  • Lars Hecking

    Lars Hecking - 2001-11-22

    Logged In: YES
    user_id=28904

    Ok, thanks for the confirmation.
    Which version of reformime are you using?

     
  • enrico binder

    enrico binder - 2001-11-22

    Logged In: YES
    user_id=382679

    hi

    # reformime -v
    $Id: reformime.c,v 1.37 2001/05/27 01:43:22 mrsam Exp $

    from maildrop-1.3.5 package

    ciao

     
  • Rainer Link

    Rainer Link - 2001-11-22

    Logged In: YES
    user_id=34819

    Ok, I can reproduce this bug with
    $Id: reformime.c,v 1.37 2001/05/27 01:43:22 mrsam Exp $

    but _only_ if
    Content-Type: multipart/mixed;
    boundary="bound"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4522.1300
    X-MimeOLE: Produced By Microsoft MimeOLE
    V5.50.4522.1300

    in the header.
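As an added illustration of the header layout quoted above (example code written for this page, not code from amavis or reformime, and not a reproduction of reformime's actual defect): an RFC 2822 unfolder shows the 8-space-indented X- lines being absorbed into the Content-Type value, a check flags that condition for triage, and a tolerant boundary extraction still splits the message. The sample message, the function names and the "swallowed header" heuristic are assumptions of this example.

```python
import re
# Constructed sample (not the report's attachment), laid out like the header block in
# Rainer Link's comment: folded Content-Type, then X- headers indented by 8 spaces.
SAMPLE = (
    "Content-Type: multipart/mixed;\r\n"
    '        boundary="bound"\r\n'
    "        X-Priority: 3\r\n"
    "        X-MSMail-Priority: Normal\r\n"
    "        X-Mailer: Microsoft Outlook Express 5.50.4522.1300\r\n"
    "\r\n--bound\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    '--bound\r\nContent-Type: application/octet-stream; name="a.bin"\r\n\r\nAAAA\r\n'
    "--bound--\r\n"
)
CLEAN = SAMPLE.replace("\r\n        X-", "\r\nX-")  # X- headers back at column 0

def unfold_headers(raw):
    # RFC 2822 2.2.3: a line starting with SP/HTAB continues the previous field,
    # so the indented X- lines above become part of the Content-Type value.
    fields = []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return dict(fields)

def swallowed_headers(value):
    # 'Name: value' text inside an unfolded value betrays indented header lines.
    return re.findall(r"(?<=\s)([A-Za-z][\w-]*):\s", value)

def boundary_of(value):
    # Take the boundary parameter even when swallowed text trails it.
    m = re.search(r'boundary\s*=\s*(?:"([^"]*)"|([^\s;]+))', value, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def split_parts(raw, boundary):
    # Minimal RFC 2046 splitter: delimiter lines are --boundary and --boundary--.
    parts, current, inside = [], [], False
    for line in raw.split("\r\n\r\n", 1)[1].split("\r\n"):
        if line in ("--" + boundary, "--" + boundary + "--"):
            if inside:
                parts.append("\r\n".join(current))
            current, inside = [], line == "--" + boundary
        elif inside:
            current.append(line)
    return parts

def analyse(raw):
    ctype = unfold_headers(raw)["content-type"]
    b = boundary_of(ctype)
    return {"swallowed": swallowed_headers(ctype), "boundary": b, "parts": len(split_parts(raw, b)) if b else 0}
```

For SAMPLE the X- header names show up inside the Content-Type value and disappear as separate fields, while CLEAN (the poster's manual fix) unfolds normally; both still yield two MIME parts once the boundary is read tolerantly.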

     
  • Paul L Daniels

    Paul L Daniels - 2001-11-22

    Logged In: YES
    user_id=383100

    As requested by Reniar, I tested the raw file with ripMIME
    and am happy to report success in extraction [and
    consequently virus detection].

    ripMIME is available at http://www.pldaniels.org/ripmime

    Regards.

     
  • Lars Hecking

    Lars Hecking - 2001-11-23
    • status: open --> closed-fixed
     
