new malware bypasses MailScanner filename rules!
ezwww
info at ezwww.ch
Wed Mar 30 09:27:05 UTC 2016
Hi,
For two months I have been successfully blocking attachments with .js content in .zip
(with a filename rule).
Since last night, new JS malware (subject "Bill N-xxxx" or "recent bill")
bypasses this rule!
Is it a problem with a malformed MIME header or body that allows it to pass
MailScanner?
Two examples:
---------------------------------------------------------------------
Received: from 85.105.40.171.static.ttnet.com.tr
(85.105.40.171.static.ttnet.com.tr [85.105.40.171] (may be forged))
....
From: Rueben Fletcher <FletcherRueben9352 at ttnet.com.tr>
Content-Type: multipart/mixed;
boundary="Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C"
X-Smtp-Server: 076E5E4B-6F12-237D-20F1-7849FBD4C6C5
Subject: recent bill
Message-Id: <6DDE5CD3-4656-843B-EAFC-9C302B4F5339....>
X-Universally-Unique-Identifier: 072FB36F-AF92-218E-6949-5E387A758EF4
Date: Wed, 30 Mar 2016 12:12:08 +0300
To: xxxxx
Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))
--Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8
Dear xxxx,
Please see attached file regarding clients recent bill. Should you need =
further assistances lease feel free to email me.
Best regards
Rueben Fletcher
Head of Maintenance
--Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C
Content-Disposition: inline; filename="xxxxx_document_003F11.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
name="xxxxx_document_003F11.zip"
Content-Transfer-Encoding: base64
.....
--Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C--
---------------------------------------------------------------------
Received: from dsl-189-244-210-183-dyn.prod-infinitum.com.mx
(dsl-187-156-82-128-dyn.prod-infinitum.com.mx [187.156.82.128] (may be
forged))
...
From: Frances Camacho <CamachoFrances586 at nssoluciones.com>
Content-Type: multipart/mixed;
boundary="Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799"
X-Smtp-Server: 616C7611-9CEC-92CA-D751-C8A44FF50C5F
Subject: Bill N-2EC51C
Message-Id: <59C028F2-B1C8-60FE-D87A-DEAF3ECAA103....>
X-Universally-Unique-Identifier: 13825021-3DDE-FCF8-6985-BF5841859B69
Date: Tue, 29 Mar 2016 19:11:48 -0500
To: xxxx
Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))
--Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8
Dear xxxx,
Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.
Best regards
Frances Camacho
Sales Director
--Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799
Content-Disposition: inline; filename="28F59_xxxxx_2EC51C.zip"
Content-Type: application/zip; x-unix-mode=0600;
name="28F59_xxxx_2EC51C.zip"
Content-Transfer-Encoding: base64
....
--Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799--
---------------------------------------------------------------------
The antivirus detects the JavaScript file in the attachment:
Sophos: >>> Virus 'Mal/JSDldr-B' found in file
./28F59_xxxx_2EC51C.zip/scan/f385230/e5ab2a96.js
Thanks for your help.
ezwww
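As an added illustration of the point raised in this thread (not code from the post or from MailScanner), the checker below treats the declared Content-Type and Content-Disposition as untrusted: it sniffs the payload for the zip signature and lists the archive members, so a .js member is reported even when the part claims to be application/x-rar-compressed or is sent "inline". The sample message is constructed here to mirror the headers quoted above; the hypothetical member e5ab2a96.js contains only placeholder text.

```python
import base64
import io
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions the filename rule is meant to catch inside archives (assumption).
BLOCKED_EXT = (".js", ".jse", ".vbs", ".wsf")

def build_sample() -> str:
    """Constructed message shaped like the quoted ones: a .zip filename,
    Content-Type application/x-rar-compressed, Content-Disposition inline,
    and a harmless placeholder .js member inside the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("e5ab2a96.js", "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["Subject"] = "recent bill"
    msg.set_content("Please see attached file regarding clients recent bill.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-rar-compressed",
                       filename="xxxxx_document_003F11.zip", disposition="inline")
    return msg.as_string()

def audit_attachments(raw: str) -> list[str]:
    """Report parts whose filename, declared type, disposition or real content disagree."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # text bodies and multipart containers carry no filename
        ctype = part.get_content_type()
        disp = part.get_content_disposition()
        data = part.get_payload(decode=True) or b""
        if disp != "attachment":
            findings.append(f"{fname}: filename carried by Content-Disposition {disp!r}")
        if fname.lower().endswith(".zip") and ctype != "application/zip":
            findings.append(f"{fname}: .zip filename but Content-Type {ctype}")
        # Trust the bytes, not the header: a zip local-file header starts with PK\x03\x04.
        if data.startswith(b"PK\x03\x04"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(BLOCKED_EXT):
                        findings.append(f"{fname}: member {member} matches blocked extension")
    return findings

if __name__ == "__main__":
    for line in audit_attachments(build_sample()):
        print(line)
```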