Still catching "Possible Microsoft security vulnerability attack"

Julian Field mailscanner at ecs.soton.ac.uk
Sat Oct 19 21:44:00 IST 2002 

At 21:22 19/10/2002, you wrote:
>I have users who subscribe to the daily Dilbert comic, and that mail
>apparently includes an iFrame. Having only recently learned about iFrames,
>I'm surprised they aren't much more widely used, but that's neither here
>nor there. Are you suggesting that Allowing iFrame Tags means that the
>entire message will go unscanned for other threats?

No.
I haven't heard any other reports of Bugbears getting through because
"Allow IFrame Tags = yes". It doesn't stop the messages being scanned for
everything else.

>I need a way to pass these messages, either a whitelist for
>unitedmedia.com or the option to ignore iFrames, but I still need to scan
>them for viruses.

You can whitelist it in version 4. Read the files in the etc/rules
directory for guidance.

>By the way, I am using 4.00.0a13-1, and I don't have a mailscanner.conf
>file except in the old 3.25 source tree. I'm including a copy of one of
>the bounce messages below.

So you're running version 4 with *all* the default values? You must be very
trusting of my definition of "sensible default" values!

>Mike Zanker wrote:
>>On 07 October 2002 10:49 -0600 John Hanks <john.hanks at USU.EDU> wrote:
>>
>> > Ok, looks like I have overcome my source of confusion. This works (at
>> > least nothing has been caught in the last 10 minutes or so)
>> >
>> > Allow IFrame Tags = yes
>> > Allow Codebase Tags = yes
>>
>>Please be warned that if you have these set to "yes" then some
>>bugbear-infected e-mails will NOT be scanned. I had this happen this
>>afternoon when a bugbear-infected e-mail with IFrame tags got through.
>>Having set IFrame to "no" it correctly scanned and quarantined it.
>>
>>Mike.
>
>
>The following is one of the bounces I get, edited only to mask the user's
>address:
>
>>
>>Date: Sat, 19 Oct 2002 00:04:40 -0700
>>From: "MailScanner"
>>To: postmaster at verbose.twistedhistory.com
>>Subject: Warning: E-mail viruses detected
>>X-MailScanner: Found to be clean
>>
>>
>>The following e-mail messages were found to have viruses in them:
>>
>>
>>     Sender:
>> dailycomic#2.27654.bf-k0fslmcqw9pz.1.b at comicsmail.unitedmedia.com
>>IP Address: 65.114.4.12
>>  Recipient: asdf at asdfasdfasdf.com
>>    Subject: Your Daily Dilbert 10/19/2002
>>  MessageID: g9J74aHQ006554
>>     Report: Found dangerous IFrame tag in HTML message
>>
>>
>>
>>--
>>MailScanner
>>Email Virus Scanner
>>www.mailscanner.info
>
>--
>----------------------------------------------------------
>Sign up now for Quotes of the Day, a handful of quotations
>on a theme delivered every morning.
>Enlightenment! Daily, for free!
><mailto:twisted at whidbey.com?subject=Subscribe_QOTD>mailto:twisted at whidbey.com?subject=Subscribe_QOTD
>
>
>For web hosting and maintenance,
>visit Van's home page:
><http://www.domainvanhorn.com/van/>http://www.domainvanhorn.com/van/
>----------------------------------------------------------
>

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list