[Esd-l] FW:

Mgr Marcela Doničová donicova at muvalmez.cz
Wed Feb 25 05:53:02 PST 2004


The documents really are *.doc files. It happened for some messages with *.doc.
 Other mail with *.doc is being sent normally.

...snip of e-mail from quarantine:

MIME-Version: 1.0
X-Security: MIME headers sanitized on fw
	See http://www.impsec.org/email-tools/sanitizer-intro.html
	for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0027_01C3F932.BCD4A780"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Content-Security: [fw] NOTIFY
X-Content-Security: [fw] QUARANTINE
X-Content-Security: [fw] REPORT: Trapped Windows executable attachment
Status:

This is a multi-part message in MIME format.

------=_NextPart_000_0027_01C3F932.BCD4A780
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0028_01C3F932.BCEB8AE0"


------=_NextPart_001_0028_01C3F932.BCEB8AE0
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable


....



------=_NextPart_001_0028_01C3F932.BCEB8AE0
Content-Type: text/html; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

....

------=_NextPart_001_0028_01C3F932.BCEB8AE0--

------=_NextPart_000_0027_01C3F932.BCD4A780
Content-Type: application/msword; name="Zetek Petr.doc"
Content-Disposition: attachment; filename="Zetek Petr.doc"
Content-Transfer-Encoding: base64

and another *.doc

-----Original Message-----
From: John D. Hardin [mailto:jhardin at impsec.org]
Sent: Tuesday, February 24, 2004 3:07 PM
To: Email Security Discussion list
Cc: Mgr Marcela Doničová
Subject:


Marcela Doničová sez:
>
> procmail sanitizer 1.139 move e-mail with *.doc to quarantine why?

...{snip}

> procmail: Match on "^Content-Transfer-Encoding[ ]*:.*base64"
> procmail: Score: 2147483647 2147483647 "^Content-Type[ ]*:.*(application|multipart)/[^ ]*[     ]*;"
> procmail: Score:       0       0 "^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA"
> procmail: Score: 2147483647 2147483647 "LnJkYXRhAA"
> procmail: Executing " formail -A "X-Content-Security: [$HOST] NOTIFY" \
>   -A "X-Content-Security: [$HOST] QUARANTINE" \
>   -A "X-Content-Security: [$HOST] REPORT: Trapped Windows executable attachment""

Either (1) the document isn't really a document, or (2) there is
another attachment to the message that is being trapped by the Windows
Executable Magic test.

It is very possible that the Windows Magic test is generating a false
positive. The single test that is matching looks pretty short to me...

Verify that the document is actually a document, scan it with an A/V
tool, and manually deliver it.

How frequently is this happening?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   39 days until the Slovakian Presidential Election


---
Incoming message contains no viruses.
Checked by the AVG anti-virus system (http://www.grisoft.cz).
Version: 6.0.593 / Virus database: 376 - release date: 20.2.2004

---
Outgoing message contains no viruses.
Checked by the AVG anti-virus system (http://www.grisoft.cz).
Version: 6.0.593 / Virus database: 376 - release date: 20.2.2004

---
Outgoing message contains no viruses.
Checked by the AVG anti-virus system (http://www.grisoft.cz).
Version: 6.0.594 / Virus database: 377 - release date: 24.2.2004
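The check John recommends, verifying that the quarantined attachment really is a Word document instead of trusting the base64 pattern hit, worked through as an added example. This is Python written for this page; it is not code from the list mail or from the procmail sanitizer. It re-applies the two body tests from the quoted procmail log to the base64 text of each attachment the way procmail does (line-anchored), then decodes the part and compares its leading bytes with the OLE2 compound-file signature that a Word 97-2003 .doc carries and with the "MZ" signature of a Windows executable. The message, the .doc contents, the addresses and the truncated PE stub are all constructed here for the demonstration; the .doc is deliberately built so that the byte string ".rdata" lands at a 3-byte-aligned offset, which is exactly the situation in which the short "LnJkYXRhAA" test fires on a legitimate document.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The two body tests copied from the procmail log quoted above. procmail anchors
# '^' at the start of every line of the base64 text and '.' stops at a line
# break; re.MULTILINE gives the same behaviour in Python.
SANITIZER_TESTS = {
    # "TV" is base64 for "MZ"; the runs of 'A' are the zero bytes of a DOS header.
    "mz_header": re.compile(r"^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA", re.MULTILINE),
    # base64 of ".rdata\0" when the string sits at a 3-byte-aligned offset.
    "rdata_section": re.compile(r"LnJkYXRhAA"),
}

# Well-known file signatures of the two formats in question.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File, i.e. Word 97-2003 .doc
MZ_MAGIC = b"MZ"                                   # DOS/Windows executable


def classify_payload(data: bytes) -> str:
    """Name the format of a decoded attachment from its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(MZ_MAGIC):
        return "mz"
    return "unknown"


def check_part(part) -> dict:
    """Run the sanitizer's base64 tests over one MIME part, then confirm the
    result against the decoded bytes so a bare pattern hit can be told apart
    from a real executable."""
    b64_text = part.get_payload()           # transfer-encoded body, as procmail sees it
    data = part.get_payload(decode=True)    # what the recipient would save to disk
    hits = [name for name, rx in SANITIZER_TESTS.items() if rx.search(b64_text)]
    magic = classify_payload(data)
    if magic == "mz":
        verdict = "executable"
    elif hits and magic == "ole2":
        verdict = "likely_false_positive"   # pattern hit inside a genuine OLE2 document
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"filename": part.get_filename(), "content_type": part.get_content_type(),
            "sanitizer_hits": hits, "magic": magic, "verdict": verdict}


def audit_message(raw: bytes) -> list:
    """Check every base64-encoded leaf part of a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [check_part(p) for p in msg.walk()
            if not p.is_multipart()
            and p.get("Content-Transfer-Encoding", "").lower() == "base64"]


def build_sample_message() -> bytes:
    """Constructed sample (not the quarantined mail from the list): a genuine-looking
    .doc that happens to contain ".rdata", plus a truncated PE stub."""
    # OLE2 header sector, then document bytes in which ".rdata\0\0" starts at
    # offset 513, a multiple of 3, so the base64 text contains "LnJkYXRhAA".
    doc = OLE2_MAGIC + b"\x00" * (513 - len(OLE2_MAGIC))
    doc += b".rdata\x00\x00" + b"Quarterly figures follow." * 20
    # DOS header, stub message, PE signature and one section name: enough to
    # trip the header tests, not a loadable executable.
    exe = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
           + b"\x80\x00\x00\x00"                                   # e_lfanew = 0x80
           + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           + b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 7
           + b"PE\x00\x00" + b".rdata\x00\x00" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"          # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sanitizer sample"
    msg.set_content("Two attachments follow.")
    msg.add_attachment(doc, maintype="application", subtype="msword", filename="report.doc")
    msg.add_attachment(exe, maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in audit_message(build_sample_message()):
        print(entry)
```

Run against the constructed message, the .doc part scores only the short "LnJkYXRhAA" test while its decoded bytes start with the OLE2 signature, which is the false positive John describes; the stub scores both tests and its decoded bytes start with "MZ". The "MZ" test is the stronger signal because "TV" is the base64 form of "MZ" and the 'A' runs are the zero padding of the DOS header, whereas a six-byte string such as ".rdata" can occur by chance in any file. The magic-byte check supports the decision to hand-deliver a document; it does not replace the A/V scan, since a genuine OLE2 document can still carry macros.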

