Virus in HTML Email Style Sheet

Rick Cooper rcooper at DWFORD.COM
Tue Mar 29 18:34:05 IST 2005

    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Tuesday, March 29, 2005 11:26 AM
> Subject: Re: Virus in HTML Email Style Sheet
> Rick Cooper wrote:
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >>Behalf Of Derek Winkler
> >>Sent: Tuesday, March 29, 2005 9:24 AM
> >>Subject: Virus in HTML Email Style Sheet
> >>
> >>
> >>Here's the HTML source for a message that had a virus in it...
> >>
> >>Hey Love<br>I reserved us a place at huoston's
> tonight.<br>starting to be
> >>hungry already, for you!!<br>Bob
> >><br><br><br><br>
> >><style>* {CURSOR:
> url("")}</style>
> >>
> >>When the CURSOR is retrieved it has Trojan.Moo in it according to NAV.
> >>
> >>MailScanner did not catch this.
> >>
> >>Should there be a disarm URLs in style sheets setting in MailScanner?
> >>
> >>Does anyone know of a virus scanner that checks URLs in email as well? I
> >>thought Clam was doing this.
> >>
> >>Thanks,
> >>
> >>Derek
> >>
> >>
> >>
> >>
> >
> >Clam does, if it's configured with --with-libcurl and the MailFollowURLs
> >option is set in the config file.
> >To use this feature in the ClamAVModule the bit mask would have
> to include
> >Mail::ClamAV::CL_SCAN_MAILURL() and it currently does not. There
> are obvious
> >potential DOS problems with this, but I guess the question would be do
> >enough people want it to warrant Julian adding yet another config option?
> >One would have to use it with care because it would certainly
> increase the
> >server load significantly as it would retrieve any file pointed to by any
> >url link and then scan it.
> >
> >
> Doing this on any machine other than the final client is pretty
> pointless. It's easy to configure Apache to send one file to one
> machine, and a different file to other machines. The virus writers get a
> GET request from an IP address. Is this an MX host of the domain they
> just sent the message to? If so, send an empty file or a safe file. Not
> an MX? Then send a virus.
> This is the same reason MailScanner rejects messages with external bodies.
> How do I detect URLs inside <STYLE>.....</STYLE> tags?
> --
Off the top of my head...

<style>* {CURSOR: url("")}</style>

regex: s/(<style>.*?\{.*?)(cursor:.*?)(\}.*?</style>)/$1<!--URL CURSOR

Example becomes :

<style>* {<!--URL CURSOR REMOVED-->}</style>

so that should disarm it I would think

However I you would have to pass the entire message body to the regex
because the style could be defined as


Hence the various .*? entries for white space and line enders (with /si of

You would probably have to test it a bit more than I did obviously


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list