gfi virus/exploits test (fwd)

Robin M. robin at PRIMUS.CA
Wed Nov 26 01:02:12 GMT 2003


On Tue, 25 Nov 2003, Jan-Peter Koopmann wrote:
> > The email with the subject "hide.hta..." contains an
> > attachment called "untitled" which contains vb script, and
> > another email with the subject "Attachment with no filename
> > vulnerability test" contains an attachment called
> > untitled.hta which is also a vb script.
>
> Ok. This is what I got:
>
> 16. I received two mails containing hide.hta (MAAAANY WHITESPACES)
> Outlook blocked both attachments. I tried to deblock them but was only
> successful with one. That one I can save. But it is not executed
> automatically.
>
> The only thing that might be troubling is point 16. I agree that those
> files should not get through. I do not get why this one is not caught by
>
> deny    \s{10,}         Filename contains lots of white space
>
> in filename.rules.conf though, since the filename itself is so long.
> Nevertheless we should have a possibility to detect virus-like subjects
> as well. Julian could you have a look at this? This is indeed
> troublesome. The subject and the filename contain a lot of whitespaces
> but it is not caught by MailScanner....
>
Thanks for confirming this for me.
With issue 16 it does seem like a critical threat because most of my
users select to open attachments with the default application.
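
An added example, not part of the original thread and not MailScanner's own code: a Python check that applies the quoted `\s{10,}` pattern to the Subject and to every name a MIME part declares (Content-Disposition `filename` and Content-Type `name`), and counts attachments that declare no name at all. The message, addresses and padded filename are constructed, and Python's `re` stands in for the Perl matching MailScanner uses.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# The deny pattern quoted in the thread from filename.rules.conf.
LONG_WHITESPACE = re.compile(r"\s{10,}")

def candidate_names(msg):
    """Yield (source, value) for the Subject and each name a part declares."""
    yield "subject", msg.get("Subject", "")
    for part in msg.walk():
        for param, header in (("filename", "content-disposition"),
                              ("name", "content-type")):
            value = part.get_param(param, header=header)
            if value is not None:
                yield f"{header}:{param}", collapse_rfc2231_value(value)

def whitespace_hits(raw):
    """Return every (source, value) that contains a run of 10+ whitespace."""
    msg = message_from_string(raw)
    return [(s, v) for s, v in candidate_names(msg) if LONG_WHITESPACE.search(v)]

def unnamed_attachments(raw):
    """Count attachments with no declared name; a filename rule never sees them."""
    return sum(1 for part in message_from_string(raw).walk()
               if part.get_content_disposition() == "attachment"
               and part.get_filename() is None)

# Constructed sample: padded name in the Subject and both MIME name
# parameters, plus one attachment that declares no filename.
PAD = " " * 40
SAMPLE = (
    "From: a@example.test\nTo: b@example.test\n"
    f"Subject: hide.hta{PAD}.txt\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nbody\n"
    "--b1\n"
    f'Content-Type: application/octet-stream; name="hide.hta{PAD}.txt"\n'
    f'Content-Disposition: attachment; filename="hide.hta{PAD}.txt"\n\nx\n'
    "--b1\nContent-Type: application/octet-stream\n"
    "Content-Disposition: attachment\n\nx\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for source, value in whitespace_hits(SAMPLE):
        print(f"deny  {source}: {value!r}")
    print("attachments with no name:", unnamed_attachments(SAMPLE))
```

Comparing the names this reports with the name the scanner logged for the same message shows whether a miss comes from the pattern or from which name the rule was applied to.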


