[Esa-l]Re: URGENT - sample mail with vbs which passes your sanitizer

John D. Hardin jhardin at impsec.org
Thu May 10 06:50:23 PDT 2001

On Wed, 9 May 2001, Radoslaw Stachowiak wrote:

> This is a sample mail which passed through your sanitizer. The vbs
> extension was in poisoned files and mangled extension but it DID
> NOT work.

{ headers pruned }

> Subject: Homepage
> X-Security: MIME headers sanitized on blue.alter.pl
> 	See http://www.impsec.org/email-tools/procmail-security.html
> 	for details. $Revision: 1.129 $Date: 2001-04-14 20:20:43-07 
> X-Security: The postmaster has not enabled quarantine of poisoned messages.

You might want to turn quarantine on...

> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 


Okay, folks, it looks like it is happening. This HOMEPG worm appears
to be propagating as a TNEF attachment in some cases.

The 1.0 sanitizer CANNOT sanitize this variant, as it does not peer
into TNEF attachments.

You may want to consider whether to do something like this in your
local-rules or global procmailrc rulesets:

* ^X-MS-TNEF-Correlator: 
* ^Subject:.*homepage

I dislike special-case rules like this, but the HOMEPG worm appears to
be very active.
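The two-condition rule above keys only on headers, which is the whole point: the 1.0 sanitizer does not open TNEF attachments, so the presence of an X-MS-TNEF-Correlator header together with a "homepage" subject is used as the stand-in for "possibly a TNEF-carried copy of the worm". The following is an added example, not part of the thread or of the procmail-security package, that applies the same logic in Python over constructed sample messages: the X-MS-TNEF-Correlator header must be present (its value may be empty, exactly as in the sample mail), and the Subject must contain "homepage" matched case-insensitively, which mirrors procmail's default case-insensitive condition matching. The function names and the sample messages are assumptions made for this example.

```python
import email
import re

# Constructed sample messages (not taken from the original thread).
# The worm body is deliberately not reproduced; only the header shape matters.

# Both conditions hold: TNEF correlator header present (empty value) and
# a "Homepage" subject.
SUSPECT_RAW = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Homepage
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
MIME-Version: 1.0
Content-Type: text/plain

(constructed body text)
"""

# Same subject, but no TNEF header: the rule must not fire.
BENIGN_RAW = b"""From: carol@example.invalid
To: bob@example.invalid
Subject: Re: homepage redesign
MIME-Version: 1.0
Content-Type: text/plain

(constructed body text)
"""

# TNEF header present, but an unrelated subject: the rule must not fire either,
# since both conditions of the procmail recipe are ANDed.
TNEF_OTHER_RAW = b"""From: dave@example.invalid
To: bob@example.invalid
Subject: Quarterly figures
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <constructed-id@example.invalid>
MIME-Version: 1.0
Content-Type: text/plain

(constructed body text)
"""

# procmail conditions are case-insensitive by default, so "Homepage",
# "HOMEPAGE" and "homepage" all match ^Subject:.*homepage.
SUBJECT_PATTERN = re.compile(r"homepage", re.IGNORECASE)


def is_tnef_homepage(raw: bytes) -> bool:
    """Return True when the message matches both procmail conditions:
    an X-MS-TNEF-Correlator header exists (value irrelevant, may be empty)
    and the Subject contains 'homepage' in any case."""
    msg = email.message_from_bytes(raw)
    has_tnef = "X-MS-TNEF-Correlator" in msg
    subject = msg.get("Subject", "") or ""
    return has_tnef and SUBJECT_PATTERN.search(subject) is not None


def route(raw: bytes) -> str:
    """Hypothetical delivery decision: divert matching mail to a quarantine
    folder instead of the inbox, the action the procmail recipe would take."""
    return "quarantine" if is_tnef_homepage(raw) else "inbox"


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_RAW),
                      ("benign", BENIGN_RAW),
                      ("tnef-other", TNEF_OTHER_RAW)):
        print(f"{name:11s} -> {route(raw)}")
```

The third sample shows why the author can afford a special-case rule: a TNEF header alone is common legitimate Outlook traffic, and a "homepage" subject alone is ordinary mail, so only the conjunction is diverted. Because the check never opens the attachment, a copy of the worm sent with a different subject line would pass it, which is the limitation the message itself points out for any header-only rule.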

