new malware bypass MailScanner filename rules !

Steve Basford steveb_clamav at
Wed Mar 30 12:57:20 UTC 2016

On Wed, March 30, 2016 10:27 am, ezwww wrote:
> hi,
> since two months I block attachments successfully .js content in .zip
> (with filename rule).
> Since this night new JS/malware (subject "Bill N-xxxx" or "recent bill")
> bypass this rule !


This isn't a zip file at all... it's actually a RAR file...

Content-Disposition: inline; filename=""
Content-Type: application/x-rar-compressed; x-unix-mode=0600;

Ie, note the x-rar-compressed bit and the .zip name


Web :
Twitter: @sanesecurity

More information about the MailScanner mailing list