MIMEDefang (http://www.roaringpenguin.com/mimedefang/) is an SMTP filtering tool which in its default configuration is susceptible to this attack. MIMEDefang relies on the MIME::tools Perl parsing module. This module correctly descends into "message/rfc822" entities and parses parts inside them, but it does not descend into "message/partial" entities. Therefore, even the default filename checks will not work with "message/partial" types. I hope to have a patched version of MIME::tools soon. For the next MIMEDefang release, the default filter will be modified to drop message/partial parts. Current users of MIMEDefang should add the following code to their filter and filter_multipart routines: # Block message/partial parts if (lc($type) eq "message/partial") { action_quarantine_entire_message(); action_notify_administrator("Message quarantined because of message/partial type"); return action_discard(); } -- David.
