[Esa-l]Sircam with application/mixed

Tomaz Borstnar tomaz.borstnar at over.net
Wed Aug 1 07:33:41 PDT 2001

At 01:22 1.8.2001, John D. Hardin wrote the following message:
>On Tue, 31 Jul 2001, Lee Howard wrote:
> > Currently I'm seeing 40-50 instances of Sircam get caught daily,
> > but I am seeing some few get through.
>Get through the virus scanner to the sanitizer, or get through the
>combination to the end user?
> > The only oddity about them that I notice is this:
> >
> > X-Content-Security: [server.deanox.com] original Content-Type was
> > application/mixed;
> > Content-Type: application/octet-stream;
> > name="eurotecnica.doc.6177DEFANGED-bat"
> > Content-Disposition: attachment;  filename="eurotecnica.doc.6177DEFANGED-bat"
> >

Not sure if it was Sircam or not, but yesterday a client called me about a
problem with receiving mail - it turned out to be some trojan hiding in
attachments which were labeled as image/gif, but the filename was cfgwiz32.exe.
This caused Netscape 4.76 to crash each time they tried to get the mail.

This would probably work with m$ mail clients since they often ignore MIME 
types and file extensions to process the file.

Maybe use something like file (the command) to find and filter such things?
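
An added example, not part of the original message: a mail-filter check in the spirit of the file(1) suggestion above, comparing each attachment's declared Content-Type and filename with what its leading bytes indicate. The magic-number table stands in for file(1), and the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Small magic-number table standing in for file(1) (assumption, extend as needed).
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-dosexec"),  # DOS/Windows executable header
]
RISKY_EXT = (".exe", ".bat", ".com", ".pif", ".scr")

def sniff(data):
    """Type implied by the leading bytes, or None if unknown."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None

def suspicious_parts(raw_message):
    """Return (filename, declared, sniffed, reasons) for each flagged part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()
        actual = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        # application/octet-stream makes no claim about content, so it cannot mismatch.
        if actual and actual != declared and declared != "application/octet-stream":
            reasons.append("content does not match declared type")
        if declared.startswith("image/") and name.endswith(RISKY_EXT):
            reasons.append("executable extension on image part")
        if reasons:
            findings.append((name, declared, actual, reasons))
    return findings

def build_sample():
    """Constructed message: a real GIF header and an MZ file labeled image/gif."""
    msg = EmailMessage()
    msg.set_content("see attachments")
    msg.add_attachment(b"GIF89a" + bytes(16), maintype="image", subtype="gif", filename="logo.gif")
    msg.add_attachment(b"MZ\x90\x00" + bytes(16), maintype="image", subtype="gif", filename="cfgwiz32.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    print(suspicious_parts(build_sample()))
```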


