[Esd-l] Hrmm. executable file in content-type audio/x-wav comes thru.

Philip Choy plchoy at income.com.sg
Sun Nov 11 19:30:01 PST 2001


Here is one more entire MIME message with a truncated attached file - last time, unless
there are more variants, though that is unlikely. This pif file of 65.7kB came through
the poisoned list containing *.pif.

Phil.

------

Received: from interscan.cyberquote.com.sg (smtp.cyberquote.com.sg
[10.1.20.52])
 by phillip.com.sg (8.12.0.Beta16/8.12.0.Beta16) with SMTP id fAC2dLxc011564
 for <plchoy at income.com.sg>; Mon, 12 Nov 2001 10:39:21 +0800
Date: Mon, 12 Nov 2001 10:39:21 +0800
Message-Id: <200111120239.fAC2dLxc011564 at phillip.com.sg>
Received: from 10.88.94.87 by interscan.cyberquote.com.sg (InterScan E-Mail
VirusWall NT); Mon, 12 Nov 2001 10:42:10 +0800
From: och at phillip.com.sg
Subject: We want peace
MIME-Version: 1.0
X-Security: MIME headers sanitized on mail
 See http://www.impsec.org/email-tools/procmail-security.html
 for details. $Revision: 1.130 $Date: 2001-09-08 11:40:29-07
Content-Type: multipart/mixed;
 boundary="------------InterScan_NT_MIME_Boundary"
Status:

--------------InterScan_NT_MIME_Boundary
Content-Type: multipart/alternative;
boundary=D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26

--D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<DEFANGED_iframe src=3Dcid:V550s78E height=3D0 width=3D0>
</iframe>
<!--
I'm sorry to do so,but it's helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
-->
</BODY></HTML>

--D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26
Content-Type: audio/x-wav;
 name=Bakw.pif
Content-Transfer-Encoding: base64
Content-ID: <V550s78E>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAABM8DRICJFaGwiRWhsIkVobc41WGwyRWhvgjlAbM5FaG4uN

[ Truncated from 65.7k junk file ]

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD==
--D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26--


--------------InterScan_NT_MIME_Boundary--

----- Original Message -----
From: "John D. Hardin" <jhardin at impsec.org>
To: "Philip Choy" <plchoy at income.com.sg>
Cc: <Esd-l at spconnect.com>
Sent: 11-Nov-2001 2:14 AM
Subject: Re: [Esd-l] Hrmm. executable file in content-type audio/x-wav comes
thru.


> On Fri, 9 Nov 2001, Philip Choy wrote:
>
> > Content-Type: audio/x-wav; name=Vlusg.exe
> > Content-Transfer-Encoding: base64
> > Content-ID: <R0uIhO598>
> >
> > Hello. To my surprise, this executable file manages to go through the
> > banned list. *.exe is in the poisoned list and exe is in the mangle
> > list too. And I'm using the current version 1.1.130.
> >
> > Any solution?
>
> Are those *all* of the MIME headers for that attachment?
> --
>  John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
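
An added example, not part of the original post and not the procmail sanitizer's own code: a Python check for the mismatch shown in the message above, where a part declared as audio/x-wav carries an executable file name and a payload starting with the DOS "MZ" header. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import base64
import email
import os.path
from email import policy

# Illustrative (not exhaustive) list of directly executable Windows extensions.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def build_sample() -> bytes:
    """Constructed message: one disguised stub, one genuine-looking WAV part."""
    mz_stub = _b64(b"MZ" + b"\x00" * 46)      # 48-byte placeholder, not a real program
    riff_stub = _b64(b"RIFF" + b"\x00" * 44)  # real WAV files start with 'RIFF'
    return (
        "From: sender@example.test\r\nSubject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/html\r\n\r\n"
        "<HTML><BODY></BODY></HTML>\r\n"
        "--b1\r\nContent-Type: audio/x-wav; name=sample.pif\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + mz_stub + "\r\n"
        "--b1\r\nContent-Type: audio/x-wav; name=ok.wav\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + riff_stub + "\r\n"
        "--b1--\r\n"
    ).encode("ascii")

def check_attachments(raw: bytes):
    """Return [(filename, declared_type, [reasons])] for suspicious leaf parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type "name" parameter,
        # which is the only place the file name appears in the message above.
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTS:
            reasons.append(f"executable extension {ext} declared as {ctype}")
        if body[:2] == b"MZ":
            reasons.append("payload starts with DOS/PE 'MZ' magic")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings
```

Checking the decoded payload as well as the name catches the case where the file name is also changed to something harmless-looking.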


