AMaViS 0.2.1 update for Klez worm attachments.

[Brian Erickson]

For anyone still using the AMaViS 0.2.1 product - I recently found that
certain types of attachments were getting through our AMaViS 0.2.1 scanner.
We are using the latest ripMIME (v1.2.16.16 - 31/05/2002) for our "metamail"
program variable. Still, the Klez worms were coming through every now and
then. I found that ripMIME was saving an attachment of the same name and
overwriting an earlier attachment inside an email. The options that were
published back in November 2001 for the security fix on the amavis.org site
did not have this, but I have added the --unique_names flag to ripMIME, this
found a Klez infection on one of my sample emails that got through - so far,
the problem is fixed!

Brian Erickson
CocoNet Corporation

[Rainer Link]

Hum, first of all, the development of the AMaViS 0.2.x series has been
discontinued for over
a year now.

Second, and more important: why didn't you report this to our
amavis-user ML or at least
contacted us via security at amavis dot org or amavis at amavis dot org?

Well, I will contact Paul, since when the unique_names flag is needed
and why it isn't the default.

best regards,
Rainer Link
(former AMaViS 0.2.x series maintainer)

--
Rainer Link | Member of Virus Help Munich (www.vhm.haitec.de)
li...@suse.de | Member of AMaViS Development Team (amavis.org)
rainer.w3.to | OpenAntiVirus Project (www.openantivirus.org)