
#2 Double-extension attachment checks broken

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2005-06-13
Created: 2005-06-13
Creator: Anonymous
Private: No

Anyway, here's the bug:

Configfile example settings:

#Forbidden extensions for attachements
forbidden_ext bat,cmd,com,exe,hta,lnk,pif,reg,scr,shs,vbs

#Block files with double extensions
block_double_ext yes

Now, if I send an email with an attachment like this:

attachment.doc.exe (or)
attachment.exe

... it is blocked (the first one due to the
"block_double_ext" option, and the second one due to
the "forbidden_ext" rule).

The latest SOBER.P and SOBER.Q viruses used an
interesting trick that sneaked right past odeiavir.
They named the attachments like this:

"attachment.doc
.exe"

See the large amount of blank space between the .doc
and .exe in the filename? I'm guessing the virus
writers actually did this so the second extension would
"scroll off" the email client screen, and the user
would only see the first extension in Outlook or
whatever. Anyway, when the attachment was named like
this, it would sneak past BOTH the block_double_ext
filter and the forbidden_ext filter, and the email
would be delivered with the attachment - even if it was
on the banned extension types list.

So, odeiavir does not handle the extra space between
the first and second extension properly, and passes the
email with the attachment through without stopping it.
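The following is an added example, not odeiavir's code and not part of the original report. It reconstructs the gap the reporter describes with two filename checks: a hypothetical naive one that tokenises the attachment name at the first run of whitespace (an assumption about how such a filter could miss the padded name; the real odeiavir logic is not on this page), and a hardened one that strips all whitespace, including CR/LF from folded headers, before applying the same `forbidden_ext` and `block_double_ext` rules from the config above. The sample attachment names are constructed.

```python
import re

# Extension list taken from the config excerpt in the report.
FORBIDDEN_EXT = {"bat", "cmd", "com", "exe", "hta", "lnk",
                 "pif", "reg", "scr", "shs", "vbs"}


def extension_tokens(name):
    """Return every extension after the base name, lowercased, empties dropped."""
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def apply_rules(name, forbidden=FORBIDDEN_EXT, block_double=True):
    """Apply block_double_ext first, then forbidden_ext, to an already-cleaned name."""
    exts = extension_tokens(name)
    if block_double and len(exts) >= 2:
        return "blocked:double_ext"
    # Check every extension token, not only the last one, so a forbidden
    # extension hidden in the middle is caught even with block_double off.
    if any(e in forbidden for e in exts):
        return "blocked:forbidden_ext"
    return "allowed"


def naive_verdict(raw, forbidden=FORBIDDEN_EXT, block_double=True):
    """Hypothetical reconstruction of a check that stops reading the name at
    whitespace. With 'attachment.doc      .exe' it only ever sees
    'attachment.doc' and lets the message through."""
    tokens = raw.split()
    name = tokens[0] if tokens else ""
    return apply_rules(name, forbidden, block_double)


def normalise_name(raw):
    """Remove all whitespace (spaces, tabs, CR/LF from header folding) and
    surrounding quotes so the padded name collapses to its real form."""
    return re.sub(r"\s+", "", raw).strip('"')


def verdict(raw, forbidden=FORBIDDEN_EXT, block_double=True):
    """Hardened check: normalise first, then apply the same rules."""
    return apply_rules(normalise_name(raw), forbidden, block_double)


# Constructed sample names, mirroring the cases in the report.
SAMPLES = [
    "attachment.exe",
    "attachment.doc.exe",
    "attachment.doc                                  .exe",  # padded, as in the report
    'attachment.doc\r\n .exe',                                # same trick via a folded header
    "report.doc",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "naive:", naive_verdict(s), "hardened:", verdict(s))
```

The hardened check deliberately runs the rules over the whitespace-stripped name rather than over the raw header value; any variant of the padding trick (spaces, tabs, or a folded header line) collapses to the same `attachment.doc.exe` and is blocked by the existing `block_double_ext` rule.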

Discussion


Log in to post a comment.