New malware bypasses MailScanner filename rules!

ezwww info at ezwww.ch
Wed Mar 30 15:02:08 UTC 2016


> On 3/30/16 2:27 AM, ezwww wrote:
>>
>> Is it a problem with a malformed MIME header or body that allowed it to pass
>> MailScanner?
>>
>
>>
>> --Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C
>> Content-Disposition: inline; filename="xxxxx_document_003F11.zip"
>> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
>> name="xxxxx_document_003F11.zip"
>> Content-Transfer-Encoding: base64
>
>
> As mentioned in another reply, this is a RAR compressed file, not a true
> ZIP. Do you have unrar installed and, e.g.
>
> Unrar Command = /usr/bin/unrar
>
> pointing to it in your MailScanner config?
>
>

Yes, unrar 4.2 is installed:

 > rpm -ql unrar

/usr/bin/unrar
/usr/share/doc/unrar-4.2.3
/usr/share/doc/unrar-4.2.3/acknow.txt
/usr/share/doc/unrar-4.2.3/license.txt
/usr/share/doc/unrar-4.2.3/readme.txt
/usr/share/man/man1/unrar.1.gz

and the MailScanner config has:

Unrar Command = /usr/bin/unrar


Full message:

http://pastebin.com/etnfF34t

ezwww
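
Added example, not part of the original post and not MailScanner code: a small Python check that compares each attachment's filename extension and declared Content-Type with the archive signature found in the decoded body, which is the mismatch discussed above (a RAR archive named .zip). The function names, the type tables and the sample message are assumptions made for illustration; the sample body is constructed and holds only a RAR signature.

```python
import base64
from email import message_from_string

# Leading magic bytes of the two archive formats discussed in the thread.
MAGIC = {"rar": b"Rar!\x1a\x07", "zip": b"PK\x03\x04"}
# Extension and MIME types each real format is expected to carry (assumed table).
EXPECTED = {
    "rar": (".rar", {"application/x-rar-compressed", "application/vnd.rar"}),
    "zip": (".zip", {"application/zip", "application/x-zip-compressed"}),
}

def sniff(payload):
    """Return 'rar', 'zip' or None from the first bytes of a decoded part."""
    return next((k for k, m in MAGIC.items() if payload.startswith(m)), None)

def audit_attachments(raw_message):
    """Return a list of (filename, declared_type, real_kind, problems)."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and unnamed parts
        declared = part.get_content_type()
        kind = sniff(part.get_payload(decode=True) or b"")
        problems = []
        if kind:
            ext, ctypes = EXPECTED[kind]
            if not name.lower().endswith(ext):
                problems.append("extension does not match content")
            if declared not in ctypes:
                problems.append("Content-Type does not match content")
        findings.append((name, declared, kind, problems))
    return findings

# Constructed sample: headers as in the quoted part, body is only a RAR signature.
SAMPLE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="B"\n\n'
    "--B\n"
    'Content-Disposition: inline; filename="xxxxx_document_003F11.zip"\n'
    "Content-Type: application/x-rar-compressed; x-unix-mode=0600;\n"
    ' name="xxxxx_document_003F11.zip"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(b"Rar!\x1a\x07\x00" + b"\x00" * 16).decode() + "\n"
    "--B--\n"
)

if __name__ == "__main__":
    print(audit_attachments(SAMPLE))
```
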

