[Esa-l] Re: URGENT - sample mail with vbs which passes your sanitizer
John D. Hardin
jhardin at impsec.org
Thu May 10 06:50:23 PDT 2001
On Wed, 9 May 2001, Radoslaw Stachowiak wrote:
> This is sample mail which passed through Your sanitizer. The vbs
> extension was in poisoned files and mangled extension but it DID
> NOT work.
{ headers pruned }
> Subject: Homepage
> X-Security: MIME headers sanitized on blue.alter.pl
> See http://www.impsec.org/email-tools/procmail-security.html
> for details. $Revision: 1.129 $Date: 2001-04-14 20:20:43-07
> X-Security: The postmaster has not enabled quarantine of poisoned messages.
You might want to turn quarantine on...
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
Ouch.
Okay, folks, it looks like it is happening. This HOMEPG worm appears
to be propagating as a TNEF attachment in some cases.
The 1.0 sanitizer CANNOT sanitize this variant, as it does not peer
into TNEF attachments.
You may want to consider whether to do something like this in your
local-rules or global procmailrc rulesets:
:0
* ^X-MS-TNEF-Correlator:
* ^Subject:.*homepage
{
SECURITY_STRIP_MSTNEF=YES
}
I dislike special-case rules like this, but the HOMEPG worm appears to
be very active.
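The recipe above keys on two things: the bare presence of an X-MS-TNEF-Correlator header (its value is empty in the quoted report, so presence is the signal) and the word "homepage" anywhere in the Subject. As an added illustration, not code from the original post or from the sanitizer itself, here is the same decision written in Python over constructed sample headers, so the rule's behaviour can be checked offline. Procmail matches case-insensitively by default, so the check is case-insensitive too; the `strip_all_tnef` switch, the sample addresses and the function names are assumptions of this example.

```python
# Added example, not the sanitizer's own code: re-implements the two-condition
# procmail recipe (TNEF marker present AND "homepage" in Subject) so the
# decision it makes can be exercised against sample messages.
from email import message_from_string


# Constructed sample headers (bodies trivial); modelled on the header names in
# the quoted report, but not real captures.
SAMPLE_TNEF_HOMEPAGE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Homepage
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain

(body omitted)
"""

SAMPLE_PLAIN_HOMEPAGE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: homepage updated
Content-Type: text/plain

(body omitted)
"""

SAMPLE_TNEF_OTHER = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Quarterly report
X-MS-TNEF-Correlator:
Content-Type: text/plain

(body omitted)
"""


def classify(raw_message: str, strip_all_tnef: bool = False) -> dict:
    """Return the facts the procmail recipe tests and the resulting decision.

    tnef             -- an X-MS-TNEF-Correlator header is present (value may be
                        empty, as in the quoted report; presence is the signal)
    homepage_subject -- Subject contains "homepage", case-insensitively
    strip_mstnef     -- True when both hold (the recipe's SECURITY_STRIP_MSTNEF=YES),
                        or for any TNEF message when strip_all_tnef is set
                        (the blanket policy the author would prefer over a
                        special-case rule; the switch is this example's own)
    """
    msg = message_from_string(raw_message)
    # Message.__contains__ compares header names case-insensitively, and an
    # empty-valued header still counts as present.
    has_tnef = "X-MS-TNEF-Correlator" in msg
    subject = msg.get("Subject") or ""
    homepage_subject = "homepage" in subject.lower()
    return {
        "tnef": has_tnef,
        "homepage_subject": homepage_subject,
        "strip_mstnef": has_tnef and (homepage_subject or strip_all_tnef),
    }


def should_strip_tnef(raw_message: str) -> bool:
    """Exactly the recipe's condition: TNEF marker AND 'homepage' in Subject."""
    return classify(raw_message)["strip_mstnef"]


if __name__ == "__main__":
    for name, raw in [("tnef+homepage", SAMPLE_TNEF_HOMEPAGE),
                      ("plain homepage", SAMPLE_PLAIN_HOMEPAGE),
                      ("tnef, other subject", SAMPLE_TNEF_OTHER)]:
        print(f"{name:20s} {classify(raw)}")
```

One difference from the procmail pattern is worth knowing when comparing results: `email` unfolds a Subject that was wrapped across continuation lines, whereas procmail's `.` does not match a newline, so `^Subject:.*homepage` only fires when the word sits on the first physical line of the header.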
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An entitlement beneficiary is a person or special interest group
who didn't earn your money, but demands the right to take your
money because they *want* it.
-- John McKay, _The Welfare State:
No Mercy for the Middle Class_
-----------------------------------------------------------------------
1272 days until the Presidential Election