[Esa-l] Just received this new mutation overnight.

Brett Glass brett at lariat.org
Tue Feb 20 08:24:30 PST 2001


Ironically, Chris's message revealed a problem in the
sanitizer. The message in which he QUOTED the advisory
from the sanitizer was quarantined when it reached one of
our systems. Certainly the sanitizer should be able to tell
the difference between a "real" MIME header and one that
appears in quoted text?

--Brett

P.S. -- I'm not sure that's a new mutation. I think that's
the W95.MTX worm, which is destructive but not new.


At 06:45 AM 2/20/2001, Procmail Security daemon wrote:
  
>REPORT: Trapped poisoned executable "YOU_are_FAT!.TXT.pif"
>REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
>STATUS: Message quarantined in /dev/null, not delivered to recipient.
>
>Message:
>
>> From esa-l-admin at spconnect.com  Tue Feb 20 06:45:19 2001
>> Return-Path: <esa-l-admin at spconnect.com>
>> Received: from merlin.spconnect.com (IDENT:postfix at vhost.spconnect.com [204.96.236.25])
>>       by lariat.org (8.9.3/8.9.3) with ESMTP id GAA14542
>>       for <brett at lariat.org>; Tue, 20 Feb 2001 06:45:17 -0700 (MST)
>> Received: from merlin.spconnect.com (localhost [127.0.0.1])
>>       by merlin.spconnect.com (Postfix) with ESMTP
>>       id EF992C09F; Tue, 20 Feb 2001 05:45:10 -0800 (PST)
>> Delivered-To: esa-l at spconnect.com
>> Received: from pr.uoguelph.ca (prnet.nw.uoguelph.ca [131.104.208.2])
>>       by merlin.spconnect.com (Postfix) with SMTP id 783D7C057
>>       for <esa-l at spconnect.com>; Tue, 20 Feb 2001 05:44:00 -0800 (PST)
>> Received: from localhost ([131.104.208.200])
>>       by pr.uoguelph.ca (8.9.3/8.9.3) with SMTP id JAA22140
>>       for <esa-l at spconnect.com>; Tue, 20 Feb 2001 09:27:40 -0500
>> Message-Id: <200102201427.JAA22140 at pr.uoguelph.ca>
>> From: "Chris Payne" <cpayne at pr.uoguelph.ca>
>> To: "procmail sanitizer" <esa-l at spconnect.com>
>> Reply-To: "Chris Payne" <cpayne at pr.uoguelph.ca>
>> Priority: Normal
>> X-Mailer: Chris Payne's Registered PMMail 1.9 For OS/2
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> Subject: [Esa-l] Just received this new mutation overnight.
>> Sender: esa-l-admin at spconnect.com
>> Errors-To: esa-l-admin at spconnect.com
>> X-BeenThere: esa-l at spconnect.com
>> X-Mailman-Version: 2.0.1
>> Precedence: bulk
>> List-Help: <mailto:esa-l-request at spconnect.com?subject=help>
>> List-Post: <mailto:esa-l at spconnect.com>
>> List-Subscribe: <http://www.spconnect.com/mailman/listinfo/esa-l>,
>>       <mailto:esa-l-request at spconnect.com?subject=subscribe>
>> List-Id: Email Security  <esa-l.spconnect.com>
>> List-Unsubscribe: <http://www.spconnect.com/mailman/listinfo/esa-l>,
>>       <mailto:esa-l-request at spconnect.com?subject=unsubscribe>
>> List-Archive: <http://www.spconnect.com/pipermail/esa-l/>
>> Date: Tue, 20 Feb 01 08:40:47
>> 
>> The multiple extension attachments continue.  It is no wonder that
>> our email servers are becoming more and more busy (CPU-wise)
>> when we receive so much of this stuff.
>> 
>> Thanks again to John. It is hard to believe that we have been
>> so vulnerable in the past.
>> 
>> - Chris Payne
>> 
>> [ SNIP ]
>> 
>> Date: Mon, 19 Feb 2001 22:54:22 -0500
>>  
>> --==i3.9.0oisdboibsd((kncd
>> Content-Type: TEXT/PLAIN;
>> X-Content-Security: NOTIFY
>> X-Content-Security: REPORT: Trapped poisoned executable "YOU_are_FAT!.TXT.pif"
>> X-Content-Security: QUARANTINE
>> Content-Description: SECURITY WARNING
>>  
>> SECURITY WARNING!
>> The mail system has detected that the following
>> attachment may contain hazardous executable code,
>> is a suspicious file type or has a suspicious file name.
>> Contact your system administrator immediately!
>>  
>> Content-Type: application/octet-stream; name="YOU_are_FAT!.TXT.18919DEFANGED-pif"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename="YOU_are_FAT!.TXT.18919DEFANGED-pif"
>> 
>> [ SNIP ]      
>> 
>> - - 
>> 
>> Chris Payne 
>> Network Administrator
>> Physical Resources Dept, 
>> University of Guelph
>> (519)824-4120  x2882
>> cpayne at pr.uoguelph.ca
>> 
>> 
>> 
>> _______________________________________________
>> E-mail Security Announce list mailing list
>> E-mail Security Announce list at spconnect.com
>> http://www.spconnect.com/mailman/listinfo/esa-l
>> 
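The false positive Brett describes, a quoted MIME header inside a plain-text body being taken for a real attachment header, as an added Python example that is not part of this thread or of the sanitizer: a naive line-oriented scan beside a structured MIME parse, run over two constructed messages. The sample messages, the extension set and the function names are assumptions for illustration.

```python
import re
import email
from email import policy

# Illustrative set of final extensions treated as executable (not the sanitizer's own list).
EXEC_EXTS = {"pif", "exe", "scr", "vbs", "bat", "com"}
# Header-shaped line pattern of a naive filter; it also matches quoted lines inside a body.
HEADER_NAME_RE = re.compile(r'(?im)^[> \t]*Content-(?:Type|Disposition):[^\r\n]*?(?:file)?name="?([^";\r\n]+)"?')

def is_poisoned_name(name):
    """Flag a name whose last extension is executable, e.g. the double extension 'X.TXT.pif'."""
    return "." in name and name.lower().rsplit(".", 1)[-1] in EXEC_EXTS

def naive_scan(raw):
    """Treats every header-looking line as a real header, so quoted advisories trigger it."""
    return [n for n in HEADER_NAME_RE.findall(raw) if is_poisoned_name(n)]

def structured_scan(raw):
    """Parses MIME first, so only filenames declared in genuine part headers are examined."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and is_poisoned_name(p.get_filename())]

# Constructed sample: a plain-text reply that quotes a sanitizer advisory in its body.
QUOTED_SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The filter on my side reported this attachment name:

> Content-Type: application/octet-stream; name="YOU_are_FAT!.TXT.pif"
> Content-Disposition: attachment; filename="YOU_are_FAT!.TXT.pif"
"""

# Constructed sample: a multipart message that really carries such an attachment.
ATTACHMENT_SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.

--b1
Content-Type: application/octet-stream; name="report.TXT.pif"
Content-Disposition: attachment; filename="report.TXT.pif"

AAAA
--b1--
"""
```

The naive scan quarantines the quoting reply; the structured scan leaves it alone while still catching the message with the genuine attachment.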
