[Esa-l] *.jpg.vbs: TEXT/PLAIN attachments not caught?

Dan Kubilos dan at oxnardsd.org
Tue Feb 13 16:06:43 PST 2001


Yes, I saw this very thing which led to my post about double extensions
failing.

I was baffled.  After testing with an attachment of test.jpg.vbs -- which
was delivered without a blip -- a bunch of true AnnaKourni payloads were
not delivered. 

I figured it was the text content.

On Tue, 13 Feb 2001, Mark Tiramani wrote:

> I've noticed this before but fudged over it in my head because it didn't fully make sense, but now 
> one of the networks I set up with htm-trap.procmail filtering (+ mods) claims a copy of the 
> annakournikova.jpg.vbs got through so I did some tests.
> 
> Everything is OK if a binary attachment with a *.jpg.vbs is sent. It is quarantined as a poisoned 
> executable. However, if a (fake) text-file attachment, *.jpg.vbs, is sent using Pegasus with 
> default settings the mime-type for the attachment is set as Content-Type: TEXT/PLAIN. Version 
> 1.127 of the filter then does not generate any security warnings or log messages even with 
> *.vb[se] and the globs in the poisoned executables file. However, an empty attachment is 
> passed through to the user. I've trolled through the filter and can't see how this is possible. What 
> have I missed?
> 
> Three questions arise:
> Shouldn't the attachment be dropped even if it is TEXT/PLAIN ?
> Where is the attachment body being stripped?
> Am I doing something dumb?
> 
> Mark
> 
> Mark Tiramani
> FREDO Internet Services
> markjt at fredo.co.uk
> _______________________________________________
> E-mail Security Announce list mailing list
> E-mail Security Announce list at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esa-l
> 

-- 
Dan Kubilos     __\o_ ^
K-8 Tech Coord
http://www.oxnardsd.org
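
Added example, not part of the original posts and not the procmail filter's own code: a Python check for the case raised above, where the attachment name is tested regardless of the declared Content-Type, so a TEXT/PLAIN part named *.jpg.vbs is still flagged. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import email
import re
from email import utils

# Assumed extension list for illustration; the filter's own
# poisoned-executables file is not shown in the thread.
RISKY_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|exe|scr|pif|bat|com)$", re.I)
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", re.I)

# Constructed sample message; the attachment body is harmless placeholder text.
SAMPLE = """\
From: a@example.com
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

hello
--BOUND
Content-Type: TEXT/PLAIN; name="test.jpg.vbs"
Content-Disposition: attachment; filename="test.jpg.vbs"

placeholder text, not a script
--BOUND
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--BOUND--
"""

def part_filenames(part):
    """Return both names a mail client may use: Content-Disposition filename and Content-Type name."""
    names = []
    for value in (part.get_param("filename", header="content-disposition"), part.get_param("name")):
        if value is None:
            continue
        # Decode RFC 2231 values; drop trailing dots/spaces, which Windows ignores.
        name = utils.collapse_rfc2231_value(value).strip(" .")
        if name and name not in names:
            names.append(name)
    return names

def scan(raw):
    """Return (filename, declared type, has double extension) for each risky part name."""
    findings = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        for name in part_filenames(part):
            if RISKY_EXT.search(name):  # decision never consults the MIME type
                findings.append((name, part.get_content_type(), bool(DOUBLE_EXT.search(name))))
    return findings
```

The declared type is returned only so it can be logged next to the quarantine decision.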



