new malware bypass MailScanner filename rules !

PSI Mailbag mailbag at
Thu Mar 31 11:22:38 UTC 2016

The problem is due to the Content-Type header being on two lines. This chokes mailscanner and it skips the attachment detection. I wrote about this last year in September, but no one really noticed.. (

If you copy/paste the message you sent as-is, mailscanner skips the attachment detection. If you fix the Content-Type line to the following (no CR before name=), then mailscanner properly detects it and rejects the .JS:

Content-Type: application/x-rar-compressed; x-unix-mode=0600; name=""


Content-Type: application/x-rar-compressed; x-unix-mode=0600;


-----Original Message-----
From: MailScanner [ at] On Behalf Of Mark Sapiro
Sent: March 30, 2016 11:24 AM
To: mailscanner at
Subject: Re: new malware bypass MailScanner filename rules !

On 3/30/16 8:02 AM, ezwww wrote:
> yes unrar 4.2 installed
> full message

I sent the message to me and I got

Mar 30 08:07:10 sbh16 MailScanner[6415]:
Clamd::INFECTED::Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL ::
Mar 30 08:07:10 sbh16 MailScanner[6415]: Found spam based virus Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL in 03D4F11E19C1.ACBD3

but MailScanner didn't detect the .js, so I suspect it's because of the spoofed .zip extension. I.e., what I'm guessing is MailScanner tries to unzip the file because of the .zip extension rather than unrar based on the Content-Type:

You can report this issue at <>.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

MailScanner mailing list
mailscanner at

More information about the MailScanner mailing list