Microsoft Word and Excel documents with embedded harmful objects

Julian Field MailScanner at ecs.soton.ac.uk
Mon Apr 3 21:13:12 IST 2006


Wonderful!
That sounds like a great idea, I hoped someone would have written 
something like that, but never found it before (though I haven't 
searched in a long time).

Any ideas what it's written in or anything? It would be most useful to 
nick the technology inside it and incorporate it. As you say the file 
command can be used to spot likely candidates unless it's easy to spot 
files which aren't relevant.

I will take a look at this next weekend, I'm away at the JANet 
Networkshop till Friday. Expect a posting about this next weekend, it's 
been one of my top hit features I want to implement for quite a long time.

Thanks to Adri for finding this, let's hope it isn't a pile of old pony 
but is actually usable.

Regards,
Jules.

Adri Koppes wrote:
> Recently some users have discovered a new trick to send blocked and
> potentially harmful files through the MailScanner gateway.
> They create an email message with a Microsoft Word or Excel document
> attachment, which contains an embedded OLE object or package.
> The embedded object can be ANY other file, including executables etc.
> When scanned by MailScanner, the executable and other embedded objects
> are not detected and the message is passed through to the user's mailbox!
> Obviously this is not what we would like to happen.
> I have found a little program 'ripOLE' on
> http://freshmeat.net/projects/ripole/, which will extract all embedded
> objects from a Word Document.
> Would it be easy to integrate 'ripOLE' or an equivalent program into
> MailScanner to be called for attachments? If the embedded objects are
> extracted into the normal temp directory, then MailScanner will subject
> them to the same file-name/type restrictions as normal attachments.
> Probably 'ripOLE' only needs to be called when the /usr/bin/file command
> has determined the attachment to be some kind of 'Microsoft Office Data'
> file.
>
> Adri.
>   

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
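
An added illustration of the gating step described in the quoted message, not part of either post and not MailScanner or ripOLE code: confirm that an attachment is an OLE2 compound file, then walk its directory for entries that usually hold embedded objects before handing it to an extractor. The function names, the marker list and the constructed sample file are this example's assumptions; files whose FAT extends past the 109 DIFAT slots in the header are not fully walked.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # signature of an OLE2 compound file
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
# Entry-name prefixes treated as embedded content (this example's choice of markers).
EMBED_MARKERS = ("\x01Ole10Native", "ObjectPool", "MBD")

def list_entries(data):
    """Return [(name, type)] from the OLE2 directory, or [] if not an OLE2 file."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return []
    shift = struct.unpack_from("<H", data, 0x1E)[0]
    if shift not in (9, 12):                     # reject crafted sector sizes
        return []
    ssize = 1 << shift
    def sector(n):                               # truncated sectors are padded as "free"
        return data[(n + 1) * ssize:(n + 2) * ssize].ljust(ssize, b"\xff")
    fat = []                                     # FAT built from the header DIFAT slots
    for n in struct.unpack_from("<109I", data, 0x4C):
        if n != FREESECT:
            fat += struct.unpack("<%dI" % (ssize // 4), sector(n))
    entries, seen = [], set()
    sid = struct.unpack_from("<I", data, 0x30)[0]        # first directory sector
    while sid < len(fat) and sid not in seen:            # guard against looping chains
        seen.add(sid)
        sec = sector(sid)
        for off in range(0, ssize, 128):                 # 128-byte directory entries
            nlen, etype = struct.unpack_from("<HB", sec, off + 64)
            if etype in (1, 2, 5) and 2 <= nlen <= 64:   # storage, stream or root
                entries.append((sec[off:off + nlen - 2].decode("utf-16-le", "replace"), etype))
        sid = fat[sid]
    return entries

def embedded_entries(data):
    """Names of directory entries that suggest an embedded OLE object or package."""
    return [n for n, _ in list_entries(data) if n.startswith(EMBED_MARKERS)]

def build_sample():
    """Constructed test file: header, FAT in sector 0, directory in sector 1."""
    hdr = bytearray(OLE2_MAGIC + b"\x00" * 504)
    struct.pack_into("<H", hdr, 0x1E, 9)                 # 512-byte sectors
    struct.pack_into("<II", hdr, 0x2C, 1, 1)             # one FAT sector, directory at 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, etype):
        raw = (name + "\x00").encode("utf-16-le")
        return raw.ljust(64, b"\x00") + struct.pack("<HB", len(raw), etype) + b"\x00" * 61
    names = [("Root Entry", 5), ("WordDocument", 2), ("ObjectPool", 1), ("\x01Ole10Native", 2)]
    return bytes(hdr) + fat + b"".join(entry(n, t) for n, t in names)
```

A non-empty result from `embedded_entries` marks the attachment as one to extract and re-check against the normal filename and filetype rules.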

