new malware bypass MailScanner filename rules !
Steve Basford
steveb_clamav at sanesecurity.com
Wed Mar 30 12:57:20 UTC 2016
On Wed, March 30, 2016 10:27 am, ezwww wrote:
> hi,
>
> since two months I block attachments successfully .js content in .zip
> (with filename rule).
>
>
> Since this night new JS/malware (subject "Bill N-xxxx" or "recent bill")
> bypass this rule !
Hi,
This isn't a zip file at all... it's actually a RAR file...
Content-Disposition: inline; filename="gaoj_pdf_8C607B.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
Ie, note the x-rar-compressed bit and the .zip name
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
More information about the MailScanner
mailing list