[Esd-l] Odd behavior with the new outbreak

John D. Hardin jhardin at impsec.org
Sun Aug 24 09:09:03 PDT 2003


On Sat, 23 Aug 2003, John D. Hardin wrote:

> On Fri, 22 Aug 2003, Chris Rothbauer wrote:
> 
> > For the past few days, we've been getting 'you sent a virus'
> > messages from mailserver-virus products. For some reason, some of
> > these emails contain the actual original (still infected) email as
> > an attachment. So we have 1) Bob in Timbuktu sends the virus as
> > me, then 2) I actually get the virus, as an attachment, in the
> > original receiving gateway's virus auto-reply. How screwed is
> > that?
> 
> It's vaguely possible that the MTA that's bouncing the attack is
> either breaking the MIME message format in some way the sanitizer
> cannot deal with, or is doing something like base64 encoding the
> entire original message.

Okay, I think I've gotten a sample of this behavior now.

The bounce message is not MIME at all. It just pastes the original
MIME message into the body of a plain text message, rather than
attaching it to a MIME message. There are no MIME headers in the
RFC822 message headers, so the sanitizer doesn't even try to clean it
up.

My gateway has the Windows executable magic checking enabled, so those
bounces are being caught by that.

The SoBig.F rule that Sergey Latkin just posted *should* catch and
identify these bounces, but that's not a general solution. I recommend
using both that rule and the Windows Executable Magic scanner - set
SECURITY_POISON_WINEXE to anything.

I will see if I can work up a local rule for this situation.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   69 days until Matrix Revolutions
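The situation described in the message above (a non-MIME "you sent a virus" bounce whose plain-text body has the original MIME message pasted in verbatim, so a header-driven sanitizer never looks at it) is easy to model. The following is an added example, not code from this thread or from the Email Sanitizer itself: it parses such a bounce, notes that the outer RFC822 headers carry no MIME-Version or Content-Type, searches the body for a pasted-in header block, re-parses that as a message, and then runs a Windows executable magic check (the "MZ" DOS header plus the "PE\0\0" signature at the offset stored at 0x3C) over the decoded parts. The sample bounce, the filename document.pif and the MZ/PE stub bytes are constructed for the example, and the heuristic for locating the embedded message (back up from the first MIME-Version:/Content-Type: line in the body to the preceding blank line) is an assumption of this example, not a description of how the sanitizer works.

```python
import base64
import email
import re
from email import policy
from typing import Optional

# Constructed stand-in for a Windows executable: a 64-byte DOS header with the
# "MZ" magic and e_lfanew (offset 0x3C) pointing at a "PE\0\0" signature.
# It is filler, not a runnable binary.
_dos_header = bytearray(64)
_dos_header[0:2] = b"MZ"
_dos_header[0x3C:0x40] = (64).to_bytes(4, "little")
FAKE_EXE = bytes(_dos_header) + b"PE\x00\x00" + b"\x00" * 16
_B64 = base64.encodebytes(FAKE_EXE).decode().rstrip("\n")

# Constructed sample bounce: no MIME headers in the outer RFC822 headers, and
# the original multipart message simply pasted into the plain-text body.
SAMPLE_BOUNCE = f"""From: MAILER-DAEMON@example.invalid
To: victim@example.invalid
Subject: Virus found in message you sent
Date: Sat, 23 Aug 2003 12:00:00 -0700

Our gateway rejected the message below because it contained a virus.

From: victim@example.invalid
To: someone@example.invalid
Subject: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000"

This is a multi-part message in MIME format.

------=_NextPart_000_0000
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.

------=_NextPart_000_0000
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.pif"

{_B64}
------=_NextPart_000_0000--
"""

MIME_HEADER_RE = re.compile(r"^(MIME-Version|Content-Type):", re.IGNORECASE | re.MULTILINE)


def outer_is_mime(msg) -> bool:
    """The decision a header-driven sanitizer makes: are there MIME headers
    in the RFC822 headers at all?"""
    return "MIME-Version" in msg or "Content-Type" in msg


def find_embedded_message(body: str):
    """Heuristic (assumption of this example): locate the first MIME header
    line inside a plain-text body, back up to the blank line that precedes
    its header block, and parse from there as an RFC822 message."""
    m = MIME_HEADER_RE.search(body)
    if m is None:
        return None
    start = body.rfind("\n\n", 0, m.start())
    start = 0 if start < 0 else start + 2
    return email.message_from_string(body[start:], policy=policy.default)


def executable_kind(data: bytes) -> Optional[str]:
    """Magic-number check: 'PE' for a Windows PE image, 'MZ' for anything
    else carrying the DOS executable magic, None otherwise."""
    if len(data) < 2 or data[:2] != b"MZ":
        return None
    if len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return "MZ"


def scan_bounce(raw: str) -> dict:
    """Parse a bounce, look for a pasted-in MIME message in a non-MIME body,
    and report any part whose decoded bytes look like a Windows executable."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"outer_is_mime": outer_is_mime(msg), "embedded_found": False, "executables": []}
    if msg.is_multipart():
        return result  # a real MIME bounce: the normal attachment path applies
    inner = find_embedded_message(msg.get_payload())
    if inner is None:
        return result
    result["embedded_found"] = True
    for part in inner.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        kind = executable_kind(payload)
        if kind:
            result["executables"].append((part.get_filename(), kind))
    return result


if __name__ == "__main__":
    print(scan_bounce(SAMPLE_BOUNCE))
```

The point of the magic check is that it is independent of the envelope: whether the gateway attaches the original as message/rfc822, base64-encodes the whole thing, or just pastes it into the body, the executable's first bytes are still "MZ" once the transfer encoding is undone, which is why a content-based rule catches what a header-based one misses.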
