[Esd-l] Sircam with application/mixed
Tomaz Borstnar
tomaz.borstnar at over.net
Wed Aug 1 07:33:41 PDT 2001
At 01:22 1.8.2001, John D. Hardin wrote the following message:
>On Tue, 31 Jul 2001, Lee Howard wrote:
>
> > Currently I'm seeing 40-50 instances of Sircam get caught daily,
> > but I am seeing some few get through.
>
>Get through the virus scanner to the sanitizer, or get through the
>combination to the end user?
>
> > The only oddity about them that I notice is this:
> >
> > X-Content-Security: [server.deanox.com] original Content-Type was
> > application/mixed;
> > Content-Type: application/octet-stream;
> > name="eurotecnica.doc.6177DEFANGED-bat"
> > Content-Disposition:
> > attachment; filename="eurotecnica.doc.6177DEFANGED-bat"
> >

Not sure if it was Sircam or not, but yesterday a client called me about a
problem with receiving mail - it turned out to be some trojan hiding in
attachments which were labeled as image/gif, but the filename was cfgwiz32.exe.
This caused Netscape 4.76 to crash each time they tried to get the mail.
This would probably work with m$ mail clients since they often ignore MIME
types and file extensions to process the file.

Maybe use something like file (the command) to find and filter such things?

Tomaz
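
The check suggested above, sketched as an added example that is not part of the original post or of the sanitizer discussed on this list: each attachment's leading bytes are compared with its declared Content-Type and filename, the way file(1) would classify it. The magic-number table, the extension list and the names `sniff`, `audit` and `sample_message` are assumptions made for illustration, and the sample mail is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed magic-number table (a tiny subset of what file(1) knows).
MAGIC = [(b"MZ", "application/x-dosexec"), (b"GIF87a", "image/gif"),
         (b"GIF89a", "image/gif"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"\x89PNG\r\n\x1a\n", "image/png")]
SNIFFABLE = {mime for _, mime in MAGIC}
# Extensions treated as executable here (assumed policy list).
EXEC_EXT = {"exe", "bat", "com", "pif", "scr", "lnk"}

def sniff(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def audit(raw):
    """Return (filename, reasons) for each suspicious leaf part of a message."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        name = part.get_filename() or ""
        actual = sniff(part.get_payload(decode=True) or b"")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if actual == "application/x-dosexec":
            reasons.append("executable content")
        if actual and declared in SNIFFABLE and actual != declared:
            reasons.append(f"declared {declared}, content is {actual}")
        if declared in SNIFFABLE and actual is None:
            reasons.append(f"declared {declared}, content not recognised")
        if ext in EXEC_EXT:
            reasons.append(f"executable extension .{ext}")
        if reasons:
            findings.append((name, reasons))
    return findings

def sample_message():
    """Constructed test mail: one real GIF, one PE header labelled image/gif."""
    msg = EmailMessage()
    msg.set_content("see attachments")
    msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                       subtype="gif", filename="logo.gif")
    msg.add_attachment(b"MZ\x90\x00\x03\x00", maintype="image",
                       subtype="gif", filename="cfgwiz32.exe")
    return msg.as_bytes()
```

Calling `audit(sample_message())` flags only the second attachment; the genuine GIF and the text body pass.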