[Esa-l]Re: URGENT - sample mail with vbs which passes your sanitizer

John D. Hardin jhardin at impsec.org
Thu May 10 06:50:23 PDT 2001

On Wed, 9 May 2001, Radoslaw Stachowiak wrote:

> This is a sample mail which passed through your sanitizer. The vbs
> extension was in poisoned files and mangled extension but it DID
> NOT work.

{ headers pruned }

> Subject: Homepage
> X-Security: MIME headers sanitized on blue.alter.pl
> 	See http://www.impsec.org/email-tools/procmail-security.html
> 	for details. $Revision: 1.129 $Date: 2001-04-14 20:20:43-07 
> X-Security: The postmaster has not enabled quarantine of poisoned messages.

You might want to turn quarantine on...

> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 
Okay, folks, it looks like it is happening. This HOMEPG worm appears
to be propagating as a TNEF attachment in some cases.

The 1.0 sanitizer CANNOT sanitize this variant, as it does not peer
into TNEF attachments.

You may want to consider whether to do something like this in your
local-rules or global procmailrc rulesets:

:0:
* ^X-MS-TNEF-Correlator:
* ^Subject:.*homepage
# action: placeholder quarantine mailbox, set this for your own site
/PATH/TO/quarantine

I dislike special-case rules like this, but the HOMEPG worm appears to
be very active.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  An entitlement beneficiary is a person or special interest group
  who didn't earn your money, but demands the right to take your
  money because they *want* it.
                                  -- John McKay, _The Welfare State:
                                     No Mercy for the Middle Class_
   1272 days until the Presidential Election
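
The check above keys only on the TNEF-Correlator header and the subject, because the 1.0 sanitizer does not look inside TNEF. The following Python is an added example, not code from the sanitizer or from this list: it walks a message, locates an application/ms-tnef (winmail.dat) part, parses the TNEF attribute stream far enough to read each attachment's title, and flags titles ending in a script extension, alongside the header+subject rule from the message. The TNEF layout and attribute ids (signature 0x223E9F78, attAttachTitle 0x8010, attAttachData 0x800F) come from the published TNEF format; the message builder, the attachment names and the extension list are constructed here for illustration and are not taken from the worm.

```python
"""Detect mail that carries a script inside a TNEF (winmail.dat) attachment."""
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# TNEF stream layout (assumed from the published TNEF format): a 32-bit
# signature, a 16-bit key, then a sequence of attributes encoded as
# level(1 byte) | attribute id(4) | data length(4) | data | checksum(2).
TNEF_SIGNATURE = 0x223E9F78
LVL_ATTACHMENT = 2
ATT_ATTACH_TITLE = 0x00018010  # attAttachTitle: type atpString (1) << 16 | id 0x8010
ATT_ATTACH_DATA = 0x0006800F   # attAttachData:  type atpByte (6) << 16 | id 0x800F

# Constructed list of extensions to flag; extend it for your own site.
DANGEROUS = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|exe|scr|pif|bat|cmd)$", re.I)


def tnef_attributes(blob):
    """Yield (level, attribute_id, data) for every attribute in a TNEF stream."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # skip signature (4 bytes) and attachment key (2 bytes)
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        data = blob[pos:pos + length]
        if len(data) != length or pos + length + 2 > len(blob):
            raise ValueError("truncated attribute data")
        pos += length
        (checksum,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if checksum != sum(data) & 0xFFFF:
            raise ValueError("bad attribute checksum")
        yield level, attr_id, data


def tnef_attachment_names(blob):
    """Return the attachment titles carried in a TNEF stream."""
    names = []
    for level, attr_id, data in tnef_attributes(blob):
        if level == LVL_ATTACHMENT and attr_id == ATT_ATTACH_TITLE:
            # Titles are NUL-terminated single-byte strings.
            names.append(data.split(b"\x00", 1)[0].decode("latin-1"))
    return names


def encode_tnef(attachments):
    """Build a minimal TNEF stream; used here only to construct sample input."""
    def attribute(level, attr_id, data):
        return (struct.pack("<BII", level, attr_id, len(data)) + data
                + struct.pack("<H", sum(data) & 0xFFFF))
    out = struct.pack("<IH", TNEF_SIGNATURE, 0)
    for name, payload in attachments:
        out += attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, name.encode("latin-1") + b"\x00")
        out += attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload)
    return out


def classify(msg):
    """Return the reasons a parsed message should be quarantined (empty if none)."""
    reasons = []
    subject = msg.get("Subject", "")
    # The header+subject rule from the procmail snippet, applied in code.
    if "X-MS-TNEF-Correlator" in msg and re.search("homepage", subject, re.I):
        reasons.append("X-MS-TNEF-Correlator header plus HOMEPG-style subject")
    # What the 1.0 sanitizer could not do: look inside the TNEF part itself.
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/ms-tnef" or filename == "winmail.dat":
            try:
                for name in tnef_attachment_names(part.get_payload(decode=True)):
                    if DANGEROUS.search(name):
                        reasons.append(f"TNEF carries {name}")
            except ValueError as exc:
                reasons.append(f"unparseable TNEF attachment ({exc})")
    return reasons


def build_sample(subject, attachments):
    """Construct a sample message with a TNEF attachment (test data, not a real worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg["X-MS-Has-Attach"] = "yes"
    msg["X-MS-TNEF-Correlator"] = "<constructed-id@example.invalid>"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(encode_tnef(attachments), maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample("Homepage", [("sample.vbs", b"WScript.Echo 1")])
    for reason in classify(sample):
        print("quarantine:", reason)
```

Feeding a message through `classify()` from a procmail filter action or a milter gives two independent signals: the cheap header match, and the attachment title pulled out of the TNEF stream, which still fires when the subject line changes.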
