new malware bypass MailScanner filename rules !

Mark Sapiro mark at
Wed Mar 30 15:23:59 UTC 2016

On 3/30/16 8:02 AM, ezwww wrote:
> yes unrar 4.2 installed
> full message

I sent the message to me and I got

Mar 30 08:07:10 sbh16 MailScanner[6415]:
Clamd::INFECTED::Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL ::
Mar 30 08:07:10 sbh16 MailScanner[6415]: Found spam based virus
Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL in 03D4F11E19C1.ACBD3

but MailScanner didn't detect the .js, so I suspect it's because of the
spoofed .zip extension. I.e., what I'm guessing is MailScanner tries to
unzip the file because of the .zip extension rather than unrar based on
the Content-Type:

You can report this issue at <>.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list