Internet Drafts being tagged by E-Mail virus scanner...

Michael H. Warfield mhw at WITTSEND.COM
Thu Oct 10 14:57:18 IST 2002


Hello all!

        This is kind of a heads up.

        I'm also Cc'ing the MailScanner list for their input and discussion.

        I just installed the latest version of "MailScanner" (3.23-4)
on my net and suddenly started getting all the Internet Draft "I-D ACTION"
announcements from the IETF flagged as viruses.

        This is the warning message that comes through instead:

] This is a message from the MailScanner E-Mail Virus Protection Service
] ----------------------------------------------------------------------
] The original e-mail attachment "the entire message"
] was believed to be infected by a virus and has been replaced by this warning
] message.
]
] If you wish to receive a copy of the *infected* attachment, please
] e-mail helpdesk and include the whole of this message
] in your request. Alternatively, you can call them, with
] the contents of this message to hand when you call.
]
] At Thu Oct 10 09:09:09 2002 the virus scanner said:
]    Messages with external bodies cannot be scanned

        Checking the announcement for the MailScanner release is
this comment from Julian Field:

] I have just released version 3.23-4.
]
] This includes detection and removal of messages with "external bodies" as
] defined in RFC2046 and recently highlighted on the BugTraq mailing list.

        Sigh...

        Yes, there has been a problem with worms being spread through
this mechanism...

        Looking at the original quarantined message, I believe that this
is the offending text:

] Below is the data which will enable a MIME compliant mail reader
] implementation to automatically retrieve the ASCII version of the
] Internet-Draft.
]
] --NextPart
] Content-Type: Multipart/Alternative; Boundary="OtherAccess"
]
] --OtherAccess
] Content-Type: Message/External-body;
]         access-type="mail-server";
]         server="mailserv at ietf.org"
]
] Content-Type: text/plain
] Content-ID:     <2002-10-9145115.I-D at ietf.org>
]
] ENCODING mime
] FILE /internet-drafts/draft-allman-tcp-sack-13.txt
]
] --OtherAccess
] Content-Type: Message/External-body;
]         name="draft-allman-tcp-sack-13.txt";
]         site="ftp.ietf.org";
]         access-type="anon-ftp";
]         directory="internet-drafts"
]
] Content-Type: text/plain
] Content-ID:     <2002-10-9145115.I-D at ietf.org>
]
] --OtherAccess--
]
] --NextPart--

        If this, ummm, feature is a vector for worm propagation and
not of high priority, it might be worth considering doing away with
it.  If people are actually using it, it might be worth considering
finding an alternate delivery method.

        I would think that there should be no problem with the
access-type="mail-server" since that mail will get scanned
by the scanner when it arrives.  I would also think that
access-type="anon-ftp" for a file with a .txt extension should
be pretty safe as well.  So maybe MailScanner is being a little
too aggressive here in nuking all messages with "Message/External-body"
attachments.  Sigh...  Maybe not...  The alternative is the same
"Red Queen's Race" of which extensions / access methods are allowable
and which ones are likely to be exploited.

        ITMT...  I'm trying to figure out a way to get MailScanner
to leave these messages alone (given that worms are also forging
headers so it can't trust the E-Mail addresses in the headers either).

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
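As an added illustration of the MIME structure quoted in the post above (this is example code, not from the post, the IETF or MailScanner), here is a small Python check that parses a message with the standard library, finds every Message/External-body part at any nesting depth, and applies a policy to it. The "selective" policy encodes the reasoning in the post (mail-server allowed because the returned mail gets scanned on arrival, anon-ftp of a .txt allowed, everything else removed) and is an assumption of this example, not a MailScanner setting; the "block all" policy reproduces the quoted 3.23-4 behaviour. Both sample messages are constructed here, the mailserv@ietf.org address and the example.invalid hosts are placeholders, and the sanitize() step replaces a rejected part with a text/plain notice the way the quoted warning describes.

```python
import email
import email.utils
import os
from email.mime.text import MIMEText

# Constructed sample mirroring the structure of the quoted I-D announcement
# (not a captured IETF message): mail-server and anon-ftp alternatives.
ANNOUNCEMENT = """\
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body;
        access-type="mail-server";
        server="mailserv@ietf.org"

Content-Type: text/plain

ENCODING mime
FILE /internet-drafts/draft-allman-tcp-sack-13.txt

--OtherAccess
Content-Type: Message/External-body;
        name="draft-allman-tcp-sack-13.txt";
        site="ftp.ietf.org";
        access-type="anon-ftp";
        directory="internet-drafts"

Content-Type: text/plain

--OtherAccess--
"""

# Constructed hostile sample (example.invalid hosts are placeholders): the same
# mechanism steering a client at an executable, by anon-ftp and by "url".
HOSTILE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/external-body; access-type="anon-ftp";
        site="ftp.example.invalid"; directory="pub"; name="readme.txt.exe"

Content-Type: application/octet-stream

--b1
Content-Type: message/external-body; access-type="url";
        url="http://www.example.invalid/payload.exe"

Content-Type: application/octet-stream

--b1--
"""

SAFE_EXTENSIONS = {".txt"}  # assumed allow-list for file-fetching access types

def _param(part, name):
    """Content-Type parameter as a plain string ('' if absent), RFC 2231 collapsed."""
    value = part.get_param(name)
    return "" if value is None else email.utils.collapse_rfc2231_value(value)

def external_bodies(msg):
    """All message/external-body parts in msg, at any nesting depth."""
    return [p for p in msg.walk() if p.get_content_type() == "message/external-body"]

def selective_policy(part):
    """Assumed policy from the post's reasoning (not MailScanner's own)."""
    access = _param(part, "access-type").lower()
    if access == "mail-server":
        return "allow", "retrieved copy arrives as e-mail and gets scanned then"
    if access in ("anon-ftp", "ftp"):
        name = os.path.basename(_param(part, "name").replace("\\", "/"))
        ext = os.path.splitext(name)[1].lower()
        if ext in SAFE_EXTENSIONS:
            return "allow", f"{access} fetch of {name}"
        return "block", f"{access} fetch of {name or '<unnamed>'}: {ext or 'no'} extension not allow-listed"
    return "block", f"access-type {access or '<missing>'} not allow-listed"

def block_all_policy(part):
    """What the quoted MailScanner 3.23-4 notice implies: every external body goes."""
    return "block", "Messages with external bodies cannot be scanned"

def classify(raw, policy=selective_policy):
    """Parse raw RFC 2822 text; return [(access_type, verdict, reason), ...]."""
    msg = email.message_from_string(raw)
    return [(_param(p, "access-type").lower(),) + policy(p) for p in external_bodies(msg)]

def sanitize(raw, policy=selective_policy):
    """Return (message, count); each blocked external-body part is swapped in
    place for a text/plain notice, the way the quoted warning describes."""
    msg = email.message_from_string(raw)
    targets = []
    for parent in msg.walk():
        if parent.get_content_maintype() != "multipart":
            continue
        for idx, child in enumerate(parent.get_payload()):
            if child.get_content_type() == "message/external-body":
                verdict, reason = policy(child)
                if verdict == "block":
                    targets.append((parent, idx, reason))
    for parent, idx, reason in targets:
        parent.get_payload()[idx] = MIMEText(f"External-body part removed: {reason}\n")
    return msg, len(targets)
```

Run against the two samples, classify() allows both announcement alternatives and blocks both hostile parts; sanitize() then rewrites only the blocked ones. Note that the "name" parameter is sender-controlled text, not what the FTP server will actually serve, so an extension check like this one is exactly the allowable-extension race the post describes, and a name such as "payload.exe.txt" would pass it.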



More information about the MailScanner mailing list