Virus in HTML Email Style Sheet

Julian Field MailScanner at
Tue Mar 29 17:26:09 IST 2005

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Derek Winkler
>>Sent: Tuesday, March 29, 2005 9:24 AM
>>Subject: Virus in HTML Email Style Sheet
>>Here's the HTML source for a message that had a virus in it...
>>Hey Love<br>I reserved us a place at huoston's tonight.<br>starting to be
>>hungry already, for you!!<br>Bob
>><style>* {CURSOR: url("")}</style>
>>When the CURSOR is retrieved it has Trojan.Moo in it according to NAV.
>>MailScanner did not catch this.
>>Should there be a disarm URLs in style sheets setting in MailScanner?
>>Does anyone know of a virus scanner that checks URLs in email as well? I
>>thought Clam was doing this.
>Clam does, if it's configured with --with-libcurl and the MailFollowURLs
>option is set in the config file.
>To use this feature in the ClamAVModule the bit mask would have to include
>Mail::ClamAV::CL_SCAN_MAILURL() and it currently does not. There are obvious
>potential DOS problems with this, but I guess the question would be do
>enough people want it to warrant Julian adding yet another config option?
>One would have to use it with care because it would certainly increase the
>server load significantly as it would retrieve any file pointed to by any
>url link and then scan it.
Doing this on any machine other than the final client is pretty
pointless. It's easy to configure Apache to send one file to one
machine, and a different file to other machines. The virus writers get a
GET request from an IP address. Is this an MX host of the domain they
just sent the message to? If so, send an empty file or a safe file. Not
an MX? Then send a virus.

This is the same reason MailScanner rejects messages with external bodies.

How do I detect URLs inside <STYLE>.....</STYLE> tags?

Julian Field
Buy the MailScanner book at
Professional Support Services at
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list