[Esd-l] got through John's badtrans filter
Michael Geier, CDM Systems Admin
mgeier at cdmsports.com
Tue Nov 27 07:02:00 PST 2001
I recently added the filter that John wrote for BadTrans into my
local-rules.procmail
---------------------------------------
:0
* > 40000
* < 50000
* ^Subject:.*Re:
* ^Content-Type:.*multipart/related;
* ^Content-Type:.*"multipart/alternative"; boundary="====_ABC
{
:0 B hfi
* ^Content-Type: audio/x-wav;
* ^Content-ID: <EA4DMGBP9p>
* ^Content-Transfer-Encoding: base64
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}
---------------------------------------
However, the one below got through (although it was trapped by the sanitizer for a double
extension).
The only thing I can't find in the headers is the audio/x-wav portion.
Any ideas on how to modify above to catch this?
.thx
.mike
---------------------------------------
REPORT: Trapped poisoned executable "Humor.MP3.scr"
REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
STATUS: Message quarantined in /var/spool/mail/quarantine, not delivered to recipient.
Message:
> From dwinegarden at worldnet.att.net Tue Nov 27 05:36:08 2001
> Return-Path: <dwinegarden at worldnet.att.net>
> Received: from mtiwmhc23.worldnet.att.net (mtiwmhc23.worldnet.att.net [204.127.131.48])
> by mail.cdmsports.com (8.11.6/8.11.0) with ESMTP id fARBa8q28068
> for <sportsdesk at cdmsports.com>; Tue, 27 Nov 2001 05:36:08 -0600
> Received: from aol.com ([12.87.144.33]) by mtiwmhc23.worldnet.att.net
> (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
> id <20011127113335.HCKO28078.mtiwmhc23.worldnet.att.net at aol.com>
> for <sportsdesk at cdmsports.com>; Tue, 27 Nov 2001 11:33:35 +0000
> From: "david winegarden" <_dwinegarden at worldnet.att.net>
> To: sportsdesk at cdmsports.com
> Subject: Re:
> MIME-Version: 1.0
> X-Security: MIME headers sanitized on hermes.cdmsports.com
> See http://www.impsec.org/email-tools/procmail-security.html
> for details. $Revision: 1.131 $Date: 2001-11-23 19:59:32-08
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="====_ABC1234567890DEF_===="
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Unsent: 1
> Message-Id: <20011127113335.HCKO28078.mtiwmhc23.worldnet.att.net at aol.com>
> Date: Tue, 27 Nov 2001 11:33:49 +0000
>
> --====_ABC1234567890DEF_====
> Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="
>
> --====_ABC0987654321DEF_====
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> <DEFANGED_iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> </iframe></BODY></HTML>
> --====_ABC0987654321DEF_====--
>
> --====_ABC1234567890DEF_====
> Content-Type: TEXT/PLAIN;
> X-Content-Security: [hermes.cdmsports.com] NOTIFY
> X-Content-Security: [hermes.cdmsports.com] REPORT: Trapped poisoned executable "Humor.MP3.scr"
> X-Content-Security: [hermes.cdmsports.com] QUARANTINE
> Content-Description: SECURITY WARNING
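An added example, not code from the original post or from the sanitizer project: the quoted report shows the attachment part's headers replaced by the sanitizer's TEXT/PLAIN warning, so a body match on audio/x-wav can only fire before the sanitizer runs. The script below parses a constructed message modelled on that report, once with the worm's original part headers and once with the sanitized replacement, and lists which BadTrans.B markers are still visible in each (the `[hermes]` host tag and attachment placeholder are constructed).

```python
import email
import re

# Constructed sample modelled on the quoted report; only the iframe prefix and the
# attachment part headers (the two %s slots) differ before and after the sanitizer.
TEMPLATE = """\
Subject: Re:
Content-Type: multipart/related; type="multipart/alternative";
\tboundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><%siframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
%s

attachment-bytes-elided
--====_ABC1234567890DEF_====--
"""
# Attachment part headers as the worm sends them (what the recipe's B conditions expect)
WORM_PART = 'Content-Type: audio/x-wav;\n\tname="Humor.MP3.scr"\nContent-ID: <EA4DMGBP9p>\nContent-Transfer-Encoding: base64'
# ... and as the sanitizer leaves them once it has trapped the .scr (per the quoted report)
SANITIZED_PART = 'Content-Type: TEXT/PLAIN;\nX-Content-Security: [hermes] QUARANTINE\nContent-Description: SECURITY WARNING'
BEFORE_SANITIZER = TEMPLATE % ("", WORM_PART)
AFTER_SANITIZER = TEMPLATE % ("DEFANGED_", SANITIZED_PART)

def badtrans_indicators(raw):
    # Returns the BadTrans.B markers present; only the last one depends on the wav part.
    msg = email.message_from_string(raw)
    found = []
    if (msg.get("Subject", "").strip() == "Re:"
            and msg.get_content_type() == "multipart/related"
            and re.fullmatch(r"====_ABC\w+DEF_====", msg.get_boundary() or "")):
        found.append("top-level headers")  # these survive the sanitizer untouched
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode("latin-1")
            if re.search(r"<(DEFANGED_)?iframe[^>]*cid:EA4DMGBP9p", html, re.I):
                found.append("hidden iframe to cid:EA4DMGBP9p")  # survives, defanged
        if ctype == "audio/x-wav" and part.get("Content-ID", "").strip() == "<EA4DMGBP9p>":
            found.append("audio/x-wav part with worm Content-ID")  # rewritten away
    return found
```

Run against the sanitized form, the function reports only the top-level headers and the defanged iframe, which is why the recipe's body conditions never match once the sanitizer has run first.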