new malware bypass MailScanner filename rules !

Steve Basford steveb_clamav at sanesecurity.com
Wed Mar 30 12:57:20 UTC 2016


On Wed, March 30, 2016 10:27 am, ezwww wrote:
> hi,
>
> For two months I have successfully blocked attachments with .js content in .zip
> (with a filename rule).
>
>
> Since this night, new JS/malware (subject "Bill N-xxxx" or "recent bill")
> bypasses this rule!

Hi,

This isn't a zip file at all... it's actually a RAR file...

Content-Disposition: inline; filename="gaoj_pdf_8C607B.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;

I.e., note the x-rar-compressed bit and the .zip name.


Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
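
Added example (not part of the original post and not MailScanner code): a check that compares each attachment's leading magic bytes with its filename extension, so a RAR archive named .zip like the one quoted above is flagged. The function names and the sample message are constructed for illustration; the sample body contains only a RAR signature.

```python
import os
from email import message_from_bytes, policy

# Leading magic bytes of common archive formats.
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "gzip": (b"\x1f\x8b",),
}
# Filename extensions that are consistent with each format.
EXTENSIONS = {"zip": {".zip"}, "rar": {".rar"}, "7z": {".7z"}, "gzip": {".gz", ".tgz"}}


def sniff(data):
    """Return the archive format indicated by the leading bytes, or None."""
    for fmt, sigs in MAGIC.items():
        if data.startswith(sigs):
            return fmt
    return None


def mismatched_attachments(raw_message):
    """Return [(filename, declared_type, real_format)] where name and content disagree."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or part.is_multipart():
            continue
        real = sniff(part.get_payload(decode=True) or b"")
        ext = os.path.splitext(name)[1].lower()
        if real and ext not in EXTENSIONS[real]:
            found.append((name, part.get_content_type(), real))
    return found


# Constructed sample: attachment headers as quoted in the post, body is a bare RAR signature.
SAMPLE = (
    b"From: a@example.com\r\nSubject: recent bill\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
    b"--BOUND\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--BOUND\r\nContent-Type: application/x-rar-compressed; x-unix-mode=0600\r\n"
    b'Content-Disposition: inline; filename="gaoj_pdf_8C607B.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nUmFyIRoHAA==\r\n--BOUND--\r\n"
)

if __name__ == "__main__":
    print(mismatched_attachments(SAMPLE))
```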


