[Esa-l] *.jpg.vbs: TEXT/PLAIN attachments not caught?

Mark Tiramani markjt at fredo.co.uk
Tue Feb 13 10:44:34 PST 2001


I've noticed this before but fudged over it in my head because it didn't fully make sense, but now 
one of the networks I set up with htm-trap.procmail filtering (+ mods) claims a copy of the 
annakournikova.jpg.vbs got through so I did some tests.

Everything is OK if a binary attachment with a *.jpg.vbs is sent. It is quarantined as a poisoned 
executable. However, if a (fake) text-file attachment, *.jpg.vbs, is sent using Pegasus with 
default settings the mime-type for the attachment is set as Content-Type: TEXT/PLAIN. Version 
1.127 of the filter then does not generate any security warnings or log messages even with 
*.vb[se] and the globs in the poisoned executables file. However, an empty attachment is 
passed through to the user. I've trolled through the filter and can't see how this is possible. What 
have I missed?

Three questions arise:
Shouldn't the attachment be dropped even if it is TEXT/PLAIN?
Where is the attachment body being stripped?
Am I doing something dumb?

Mark

Mark Tiramani
FREDO Internet Services
markjt at fredo.co.uk
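
An added example, not part of the original post and not the filter's own code: a Python check that matches attachment names against poisoned-executable globs without consulting the declared Content-Type, run on a constructed message shaped like the test described above. The glob list, the sample message and the function name `poisoned_attachments` are assumptions made for illustration.

```python
import email
import fnmatch
from email import policy

# Globs in the spirit of a poisoned-executables list (constructed for this example).
POISONED_GLOBS = ["*.vbs", "*.vbe", "*.js", "*.exe", "*.scr", "*.pif"]

# Constructed sample: a script-named attachment declared as TEXT/PLAIN.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset=us-ascii

Hi, see the picture.
--XX
Content-Type: TEXT/PLAIN; name="holiday.jpg.vbs"
Content-Disposition: attachment; filename="holiday.jpg.vbs"

MsgBox "constructed placeholder body"
--XX
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQ
--XX--
"""

def poisoned_attachments(raw):
    """Return (filename, declared_type) for each part whose name matches a glob."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # A client may put the name in Content-Disposition, Content-Type, or both.
        names = {part.get_filename(), part.get_param("name")}
        for name in filter(None, names):
            if any(fnmatch.fnmatch(name.lower(), g) for g in POISONED_GLOBS):
                hits.append((name, part.get_content_type()))
                break
    return hits

if __name__ == "__main__":
    for name, ctype in poisoned_attachments(SAMPLE):
        print(f"quarantine: {name} (declared {ctype})")
```
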


