[Mimedefang] Missed executable attachments with empty Content-Type
Tomasz Ostrowski
2015-04-28 12:34:59 UTC
I've just received a trojan/exploit attachment with CHM extension, which
should be filtered by MIMEdefang but wasn't.

This attachment was sent in a MIME part with a broken header:
Content-Type: ;
name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
name="SecureMessage.chm"

Please notice the empty "Content-Type" in the above header. Because of the
empty content type my mail client (Thunderbird) displayed it as garbage, but
also defaulted to saving it as a file with the original name
"SecureMessage.chm". Opening it would compromise a system, as it isn't
recognized as a virus by most antivirus programs yet:
https://www.virustotal.com/en/file/467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670/analysis/

I've retested it changing the extension to EXE and it was also allowed.

I'm attaching the whole message (beware, contains virus) in a 7z archive
with password "infected".

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
Dianne Skoll
2015-04-28 13:13:25 UTC
On Tue, 28 Apr 2015 14:34:59 +0200
Post by Tomasz Ostrowski
I've just received a trojan/exploit attachment with CHM extension,
which should be filtered by MIMEdefang but wasn't.
Well, it surely depends on your filter?

Anyway, I made a SpamAssassin rule to block these. Feel free to use/adapt
the following:

#==========================================================================
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader RP_D_00086 Content-Disposition =~ /SecureMessage\.chm/
score RP_D_00086 50
describe RP_D_00086 SecureMessage.chm malware
endif
#==========================================================================

Regards,

Dianne.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list ***@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Tomasz Ostrowski
2015-04-28 13:44:03 UTC
Post by Dianne Skoll
Post by Tomasz Ostrowski
I've just received a trojan/exploit attachment with CHM extension,
which should be filtered by MIMEdefang but wasn't.
Well, it surely depends on your filter?
My filter depends on the "re_match" function provided by MIMEdefang.
Also, suggested-minimum-filter-for-windows-clients uses it.
Post by Dianne Skoll
re_match returns true if any of the fields [Content-Disposition.filename,
Content-Type.name and Content-Description] matches the regexp without
regard to case.
In my example Content-Type should match, but it doesn't because it is
probably deliberately broken enough to avoid detection by security
products, but not enough to stop it working in e-mail clients.
Post by Dianne Skoll
Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].
I think this resolution is unsustainable - this technique might get
popular fast if this proves to fool filters.

Regards
Tometzky
Dianne Skoll
2015-04-28 13:58:24 UTC
On Tue, 28 Apr 2015 15:44:03 +0200
Post by Tomasz Ostrowski
My filter depends on the "re_match" function provided by MIMEdefang.
Also, suggested-minimum-filter-for-windows-clients uses it.
That's odd, because when I run a similar message through MIME::Parser,
I get this:

$ perl mimedefang-util --structure < /tmp/s
non-leaf: type=multipart/mixed; fname=; disp=
leaf: type=text/plain; fname=; disp=
leaf: type=text/plain; fname=SecureMessage.chm; disp=attachment

However, you're right... MIMEDefang is not picking up the attachment
name. I will look into it.

Regards,

Dianne.
Dianne Skoll
2015-04-28 14:10:03 UTC
On Tue, 28 Apr 2015 09:58:24 -0400
Post by Dianne Skoll
However, you're right... MIMEDefang is not picking up the attachment
name. I will look into it.
Actually, I'm wrong... in CanIt, we do pick up the attachment name
by using $entity->head->recommended_filename. I have no idea
why it's not working for you; this is very mysterious.

Regards,

Dianne.
Paul Murphy
2015-04-28 17:23:42 UTC
There are several approaches which will help - firstly, SpamAssassin
already detects null content types - my filter has a couple of
additional checks, but the key one here is "T_CTYPE_NULL" which my
system picked up for this attachment:

------------------_=_NextPart_001_01CF5EDB.A3086B20
Content-Type: ; name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="SecureMessage.chm"

My logs show this:

Apr 28 12:29:18 baldur mimedefang.pl[14717]: SA debug - t3SBTBpv024576,17.015(6/0/0),BAYES_60,CK_HELO_DYNAMIC_SPLIT_IP,DATE_IN_PAST_96_XX,HELO_DYNAMIC_IPADDR2,MSGID_FROM_MTA_HEADER,RDNS_DYNAMIC,TVD_RCVD_IP,T_CTYPE_NULL,T_TVD_MIME_NO_HEADERS,BROADBAND,autolearn=unavailable

The SpamAssassin report for this message shows:

Content analysis details: (11.0 points, 5.0 required)

 pts rule name                description
---- ------------------------ --------------------------------------------------
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
 0.0 TVD_RCVD_IP              Message was received from an IP address
 3.4 DATE_IN_PAST_96_XX       Date: is 96 hours or more before Received: date
 0.0 T_TVD_MIME_NO_HEADERS    BODY: T_TVD_MIME_NO_HEADERS
 1.5 BAYES_60                 BODY: Bayes spam probability is 60 to 80%
                              [score: 0.7020]
 1.0 RDNS_DYNAMIC             Delivered to internal network by host with
                              dynamic-looking rDNS
 0.0 MSGID_FROM_MTA_HEADER    Message-Id was added by a relay
 0.0 T_CTYPE_NULL             Malformed Content-Type header
 3.6 HELO_DYNAMIC_IPADDR2     Relay HELO'd using suspicious hostname (IP addr 2)

So, if you are concerned about this, change the score for T_CTYPE_NULL
to something like 10 in your local SpamAssassin configuration.

Secondly, your filter should be checking for .chm files and either
rejecting or quarantining them - they are compiled Windows help files,
which are not usually sent by e-mail, and which most modern Windows
systems will specifically refuse to open until you mark them as safe
from File/Properties. I define two types of bad attachment types -
really bad types which are rejected outright, and dangerous types which
are quarantined:

# Really bad extensions (rejected outright)
$really_bad_exts = '(bat|com|exe|hta|pif|scr|sys|wsh)';
# Bad extensions (quarantined)
$bad_exts = '(ade|adp|app|asd|asf|asx|avi|bas|bat|bz2|chm|cmd|com|cpl|crt|dll|exe|'
          . 'flv|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|m1v|mdb|mde|mpg|mpeg|'
          . 'mp3|mp4|mov|msc|msi|msp|mst|ocx|pcd|pif|pps|prg|rar|reg|scr|sct|sh|shb|'
          . 'shs|swf|sys|url|vb|vbe|vbs|vxd|wav|wma|wmd|wms|wmv|wmz|wsc|wsf|wsh|\{[^\}]+\})';

My filter quarantined this message, and with no content type specified,
it classified it as text/plain - I keep a "progress" file in each spool
folder which shows what happened, and I keep all spool folders for 24
hours to aid investigations - this is a very low volume mail server at
home, so I can get away with this better than someone handling millions
of messages per day. The progress file shows:

Filter_begin: OK
Filter: Part /text/plain Filter OK
Filter: QUARANTINE - bad filename SecureMessage.chm of type text/plain
Filter: Part /text/plain Filter OK

Finally, this was sent from a system which is almost certainly a
compromised PC on a DSL connection:

SENDER=<***@bonniej.com>
HOSTIP=105.237.107.22
HOSTNAME=105-237-107-22.access.mtnbusiness.co.za
HELO=105-237-107-22.access.mtnbusiness.co.za ...

Given the IP appears in the rDNS entry, my system bumps the SpamAssassin
score by 6, which you can see in the log entry above - the section which
gives "17.015(6/0/0)" reflects the total SpamAssassin score of 11.015
from the scans, plus my local adjustments of 6 for a "broadband" system
which has its IP in its rDNS, 0 for checks against the Mailer header (I
keep stats on the "spaminess" of different mailer strings), and 0 for
checks against the subject header (where I check for things like my
domain name or username in the subject).

Any one of these should have caused the message to be failed. The key
is to tailor your filter and apply some local logic based on your
knowledge of what "normal" e-mail patterns are for you. The example
filter is a good starting point, but it has its limits, and is called
"example" and "minimal" for good reasons.

Best Wishes,

Paul.
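Added example (not code from the thread or from MIMEDefang): a Python-stdlib stand-in for the filter logic Paul describes and for the re_match fields Dianne listed earlier, run over a constructed message that reproduces the empty Content-Type part. It checks the three fields re_match inspects, applies Paul's two extension classes (the long "bad" list is trimmed), and flags a null Content-Type the way T_CTYPE_NULL does; the stdlib parser stands in for MIME-tools, so the sample names and boundary are assumptions.

```python
import email.policy
import re

# Constructed sample (not the thread's message) with its broken Content-Type part.
RAW_MESSAGE = """\
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see the attached file.
--BOUNDARY
Content-Type: ;
 name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; name="SecureMessage.chm"

QUJDRA==
--BOUNDARY--
"""

# Extension classes from Paul Murphy's post (the long "bad" list is trimmed here).
REALLY_BAD_EXTS = re.compile(r'\.(bat|com|exe|hta|pif|scr|sys|wsh)$', re.I)
BAD_EXTS = re.compile(r'\.(chm|cmd|cpl|dll|hlp|jse?|lnk|msi|reg|vbs?|wsf)$', re.I)

def candidate_names(part):
    # The three fields MIMEDefang's re_match inspects, as Dianne describes them.
    names = [part.get_param('filename', None, header='content-disposition'),
             part.get_param('name', None, header='content-type'),
             part.get('Content-Description')]
    return [n for n in names if n]

def content_type_is_null(part):
    # Header present but nothing before the first ';' (what T_CTYPE_NULL flags).
    raw = part.get('Content-Type')
    return raw is not None and raw.partition(';')[0].strip() == ''

def classify_part(part):
    # 'REJECT' for really bad types, 'QUARANTINE' for bad ones, else None.
    names = candidate_names(part)
    if any(REALLY_BAD_EXTS.search(n) for n in names):
        return 'REJECT'
    if any(BAD_EXTS.search(n) for n in names):
        return 'QUARANTINE'

def scan_message(raw):
    # One tuple per leaf part: (effective type, filename, action, null ctype).
    msg = email.message_from_string(raw, policy=email.policy.compat32)
    return [(p.get_content_type(), p.get_filename(), classify_part(p),
             content_type_is_null(p)) for p in msg.walk() if not p.is_multipart()]
```

Note that the broken part is reported as text/plain, exactly as Paul's progress file shows, yet the filename is still recoverable from the Content-Type name parameter.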
Tomasz Ostrowski
2015-04-29 09:51:30 UTC
Post by Dianne Skoll
Post by Dianne Skoll
However, you're right... MIMEDefang is not picking up the attachment
name. I will look into it.
Actually, I'm wrong... in CanIt, we do pick up the attachment name
by using $entity->head->recommended_filename. I have no idea
why it's not working for you; this is very mysterious.
I've found the cause - I have an outdated MIME-tools. The distributions I use,
CentOS 6 and CentOS 5 (clones of RHEL 6 and 5), provide very outdated
Post by Dianne Skoll
Content-Type: ; name="malware.zip"
I've managed to work around this without conflicting with the system's
package management like this:

# Downloaded latest version of MIME-tools
# from http://search.cpan.org/~dskoll/MIME-tools/ to /tmp/

# Extracted it:
cd /tmp; tar xf MIME-tools-*.tar.gz; cd MIME-tools-*

# Created a directory for updated MIME-tools module:
mkdir /etc/mail/mimedefang-lib

# Installed the module:
perl Makefile.PL INSTALL_BASE=/etc/mail/mimedefang-lib/
make install

# Added module path to search path in mimedefang run script
echo export PERL5LIB=/etc/mail/mimedefang-lib/lib/perl5/ >> \
/etc/sysconfig/mimedefang

# Restarted mimedefang:
service mimedefang restart


This might be useful for other RHEL/CentOS/Scientific/Oracle Linux
users. Thank you, Dianne, for your help.

Regards
Tometzky
Kevin A. McGrail
2015-04-28 14:06:27 UTC
Post by Tomasz Ostrowski
My filter depends on the "re_match" function provided by MIMEdefang.
Also, suggested-minimum-filter-for-windows-clients uses it.
Post by Dianne Skoll
re_match returns true if any of the fields
[Content-Disposition.filename,
Content-Type.name and Content-Description] matches the regexp without
regard to case.
In my example Content-Type should match, but it doesn't because it is
probably deliberately broken enough to avoid detection by security
products, but not enough to stop it working in e-mail clients.
Post by Dianne Skoll
Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].
I think this resolution is unsustainable - this technique might get
popular fast if this proves to fool filters.
I took a little umbrage at your statement and wanted to rant for a
moment about why.

1st, DFS in good faith gave a triage idea for your concern.

You, however, didn't even thank her and pointed out the obvious. Namely,
these bastards are always evolving their techniques.

2nd, MD is open-source and the enemy is the bastard spammers/malware
authors. Don't attack people trying to help, donating their time and
giving you possible solutions. Instead you might consider thanking
them, providing feedback or even taking a swipe at the code and posting a
patch.

</rant>
KAM
Tomasz Ostrowski
2015-04-29 10:14:52 UTC
Post by Tomasz Ostrowski
Post by Dianne Skoll
Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].
I think this resolution is unsustainable - this technique might get
popular fast if this proves to fool filters.
(...) MD is open-source and the enemy is the bastard spammers/malware
authors. Don't attack people trying to help, donating their time and
giving you possible solutions. Instead you might consider thanking
them, providing feedback or even taking a swipe at the code and post a
patch.
I'm very sorry if I've written something rude - I didn't mean to.
English isn't my primary language - I might have failed to convey the tone
of my statement.

I just wanted to report this to the mailing list because I was afraid that
other users could have their network compromised if they used a similar
setup. Thanks to Dianne's test on her systems I was able to find the
cause, which was an outdated Perl module. I've shared my solution in a
follow-up email.

I really think MIMEdefang is awesome, very powerful software. It has been
protecting my non-profit foundation for more than 10 years. Thank you.

Regards
Tometzky
Dianne Skoll
2015-04-29 11:45:31 UTC
On Wed, 29 Apr 2015 12:14:52 +0200
Post by Tomasz Ostrowski
I'm very sorry if I've written something rude - I didn't mean to.
English isn't my primary language - I might have failed to convey the
tone of my statement.
I didn't think you were rude at all; I think KAM might have overreacted
slightly. Please let's all calm down. :)
Post by Tomasz Ostrowski
I just wanted to report this to the mailing list because I was afraid
that other users could have their network compromised if they used a
similar setup. Thanks to Dianne's test on her systems I was able to
find the cause, which was an outdated Perl module. I've shared my
solution in a follow-up email.
Great, glad you resolved it!

Regards,

Dianne.
Kevin A. McGrail
2015-04-29 11:57:50 UTC
Post by Tomasz Ostrowski
I'm very sorry if I've written something rude
Sorry too. I was grumpy yesterday but appreciate you apologizing about
it. I commented the same off-list yesterday but should have posted it
to the list. You very professionally posted the spample and provided
swift feedback which is better than 99% of the problem reports ;-)

regards,
KAM