new malware bypass MailScanner filename rules !
Mark Sapiro
mark at msapiro.net
Wed Mar 30 15:23:59 UTC 2016
On 3/30/16 8:02 AM, ezwww wrote:
>
> yes unrar 4.2 installed
...
> full message
>
> http://pastebin.com/etnfF34t
I sent the message to myself and I got
Mar 30 08:07:10 sbh16 MailScanner[6415]: Clamd::INFECTED::Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL :: ./03D4F11E19C1.ACBD3/
Mar 30 08:07:10 sbh16 MailScanner[6415]: Found spam based virus Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL in 03D4F11E19C1.ACBD3
but MailScanner didn't detect the .js, so I suspect it's because of the
spoofed .zip extension. I.e., what I'm guessing is MailScanner tries to
unzip the file because of the .zip extension rather than unrar based on
the Content-Type:
You can report this issue at <https://github.com/MailScanner/v4/issues>.
--
Mark Sapiro <mark at msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
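The failure mode Mark describes above is an unpacker chosen from the filename extension while the bytes inside are a different container. The usual defensive check is to sniff the archive's magic bytes and compare them against what the extension claims, flagging any disagreement before any unpacking happens. The following is an added example written for this thread; it is not MailScanner's code and was not posted by anyone in the thread. The magic-byte values are the well-known fixed headers of the ZIP, RAR, 7z and gzip formats; the extension-to-type table, the function names, and the sample attachment (`invoice.zip` containing a constructed RAR header) are assumptions made for illustration.

```python
import os

# Well-known leading bytes for common archive containers, keyed by type.
# Used to decide what a blob actually is, independent of its filename.
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "gzip": (b"\x1f\x8b",),
}

# What an extension-driven policy (like the one suspected above) would assume.
# This table is an assumption for the example, not MailScanner's configuration.
EXT_TO_TYPE = {".zip": "zip", ".rar": "rar", ".7z": "7z", ".gz": "gzip", ".tgz": "gzip"}

# Which unpacker to run for each content type; assumed tool names.
UNPACKER_FOR_TYPE = {"zip": "unzip", "rar": "unrar", "7z": "7z", "gzip": "gzip"}


def sniff_archive_type(data):
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Compare the type the extension claims with the type the bytes show.

    Returns a dict with the claimed type, the sniffed type, whether they
    disagree, and the unpacker that should be used (chosen from content,
    never from the filename)."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_archive_type(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        "unpacker": UNPACKER_FOR_TYPE.get(actual),
    }


def main():
    # Constructed sample: a RAR 4.x header padded with zeros, named as a .zip.
    disguised = b"Rar!\x1a\x07\x00" + b"\x00" * 16
    # Constructed sample: a genuine-looking ZIP local file header prefix.
    honest = b"PK\x03\x04" + b"\x00" * 26
    for name, blob in (("invoice.zip", disguised), ("report.zip", honest)):
        result = check_attachment(name, blob)
        verdict = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name}: claims {result['claimed']}, is {result['actual']} "
              f"-> {verdict}, unpack with {result['unpacker']}")


if __name__ == "__main__":
    main()
```

A gateway that keys unpacking on `result["unpacker"]` rather than on the extension would have handed the spoofed attachment to unrar, and the `mismatch` flag alone is a reasonable reason to quarantine or at least log the message, since a legitimate sender rarely ships a RAR under a `.zip` name.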