Possible Microsoft security vulnerability attack.

Mirko Bovati bovati at MONDADORI.COM
Thu Oct 3 15:31:54 IST 2002


On Thursday 03 October 2002 10:12 am, you wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 03 October 2002 15:59, Mirko Bovati wrote:
> > On Wednesday 02 October 2002 02:53 pm, you wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Wednesday 02 October 2002 17:32, Julian Field wrote:
> > > > You want to disable this in mailscanner.conf:
> > > >
> > > > # Do you want to put some text on the front of the subject line when
> > > > # it contained a virus which has been removed
> > > > Virus Modify Subject = yes
> > > >
> > > > At 18:53 02/10/2002, you wrote:
> > > > >Hi all,
> > > > >
> > > > >I need to disable the control that generates the message
> > > > >in subject. May I disable this feature?
> > >
> > > I think he wants to permit messages with Microsoft security
> > > vulnerabilities. So it should at least be:
> > > Allow IFrame Tags = yes
> >
> > I want to permit messages with Microsoft security vulnerability,
> > I set: Allow IFrame Tags = yes
> > but I still receive messages with:
> > Possible Microsoft security vulnerability attack.
> > Is there any other switch to set up?
> >
> > thanks.
>
> As far as I know, there is no other switch. You should look in the source
> code for 'Microsoft security' and figure out how to comment out the tests
> you do not want.
> The other test triggering the security message is for HTML mail containing
> an OBJECT tag with a CODEBASE attribute.
> In my environment such messages are triggered by mailing list HTML posts
> containing a ShockWave banner, not the most orthodox content for an e-mail
> message.

I think the code that checks for Microsoft security vulnerability attack is:

      if (FindMicrosoftExploits($mime->{$id})) {
        Log::InfoLog("Detected Microsoft-specific exploits in $id");
        $infections->{$id}{""} .= "Possible Microsoft security " .
                                  "vulnerability attack\n";
        $inftypes->{$id}{""} .= "v";
        $counter++;
      }

My question now is: may I comment out that without any other problem?

thanks
-- 
Mirko Bovati
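
The two triggers named in this thread (IFRAME tags, and OBJECT tags carrying a CODEBASE attribute) are shown below as an added Perl sketch; it is not MailScanner's code and not part of the original message. The function name `find_html_risks` and the option keys `iframe` and `object_codebase` are hypothetical. It shows why allowing IFRAME alone still leaves the OBJECT/CODEBASE report in place.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not MailScanner code: return which of the two HTML
# constructs discussed in this thread appear in a message body.
# The %allow keys (iframe, object_codebase) are assumed names for this sketch.
sub find_html_risks {
    my ($html, %allow) = @_;
    my @found;

    # Walk every opening tag; /s lets a tag span several lines and /i makes
    # the match case-insensitive. Closing tags (</...>) do not match.
    # HTML comments are deliberately not stripped, so markup hidden inside
    # a comment is still reported (conservative choice).
    while ($html =~ /<\s*([a-z][a-z0-9]*)\b([^>]*)>/gis) {
        my ($tag, $attrs) = (lc $1, $2);
        if ($tag eq 'iframe') {
            push @found, 'iframe' unless $allow{iframe};
        }
        # Matches "codebase=" anywhere in the tag, which may over-report.
        elsif ($tag eq 'object' && $attrs =~ /\bcodebase\s*=/i) {
            push @found, 'object_codebase' unless $allow{object_codebase};
        }
    }
    return @found;
}

# Constructed sample bodies (not taken from real mail).
my %samples = (
    banner => qq{<OBJECT classid="clsid:EXAMPLE"\n codebase="http://example.invalid/player.cab"></OBJECT>},
    frame  => q{<p>hi</p><IFrame src="cid:part1" width=0></IFrame>},
    plain  => q{<p>Nothing <b>unusual</b> here.</p>},
);

# Compare the default behaviour with IFRAME allowed: the OBJECT/CODEBASE
# finding is unaffected by the iframe switch.
for my $name (sort keys %samples) {
    my @strict  = find_html_risks($samples{$name});
    my @relaxed = find_html_risks($samples{$name}, iframe => 1);
    printf "%-6s strict=[%s] iframe-allowed=[%s]\n",
        $name, join(',', @strict), join(',', @relaxed);
}
```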