gfi virus/exploits test (fwd)

Jan-Peter Koopmann Jan-Peter.Koopmann at SECEIDOS.DE
Wed Nov 26 08:33:51 GMT 2003

> Thanks for confirming this for me.
> With issue 16 it does seem like a critical threat because 
> most of my users select to open attachments with the default 
> application.

I already reported this in-depth to Julian and I am afraid there is
nothing much he can do about it. The error lies in Outlook. Outlook
chooses to decode the single-part MIME base64 body and due to a certain
combination of Headers it also chooses to create an attachment. And at
least Outlook 2003 then takes the subject as filename and attaches
".dat" to it. Since the subject is very long, ".dat" is cut off.

The user should not be able to open it without problems/warnings. At
least I wasn't but again --> Outlook 2003

The body itself is scanned and filetype.rules.conf is applied. This does
not help you with this test VBScript though. I asked Julian to introduce
a possibility to strip whitespaces from subjects or something similar...
This way the worst that happens is that the attachment (which should not
be an attachment in the first place) is not checked against
filename.rules.conf (since it has no name at the time MailScanner scans
it) and is named something.hta.dat in Outlook. Not nice but a lot better
than the status quo.
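
The subject clean-up requested above can be sketched as a gateway-side check; this is an added example, not part of the original post and not MailScanner code. The extension list, the length cap and the sample messages are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_string
from email.header import decode_header, make_header

# Assumptions: this extension list and length cap are illustrative choices.
RISKY_EXT = (".hta", ".vbs", ".js", ".exe", ".scr", ".pif")
MAX_SUBJECT = 200

def normalize_subject(raw):
    """Decode RFC 2047 words, collapse whitespace runs, cap the length."""
    text = str(make_header(decode_header(raw)))
    return re.sub(r"\s+", " ", text).strip()[:MAX_SUBJECT]

def inspect(raw_message):
    """Return the cleaned subject and whether the message needs review."""
    msg = message_from_string(raw_message)
    raw = msg.get("Subject", "")
    clean = normalize_subject(raw)
    cte = msg.get("Content-Transfer-Encoding", "").strip().lower()
    single_b64 = not msg.is_multipart() and cte == "base64"
    return {
        "subject": clean,
        "removed_chars": len(raw) - len(clean),
        # Name the post says Outlook 2003 shows once ".dat" is no longer cut off.
        "shown_as": clean + ".dat",
        # Single-part base64 body whose subject would double as a risky filename.
        "review": single_b64 and clean.lower().endswith(RISKY_EXT),
    }

def build_sample(subject):
    """Constructed single-part base64 message with a harmless text body."""
    body = base64.b64encode(b"constructed sample body").decode("ascii")
    return ("From: sender@example.com\nTo: user@example.com\n"
            "Subject: " + subject + "\n"
            "MIME-Version: 1.0\nContent-Type: text/plain\n"
            "Content-Transfer-Encoding: base64\n\n" + body + "\n")

PADDED = build_sample("something.hta" + " " * 300)  # constructed sample
PLAIN = build_sample("Meeting notes for Thursday")  # constructed sample

if __name__ == "__main__":
    for name, raw in (("padded", PADDED), ("plain", PLAIN)):
        print(name, inspect(raw))
```
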


