new malware bypass MailScanner filename rules !
mailbag at partnersolutions.ca
Thu Mar 31 11:22:38 UTC 2016
The problem is due to the Content-Type header being on two lines. This chokes MailScanner and it skips the attachment detection. I wrote about this last year in September, but no one really noticed (http://lists.mailscanner.info/pipermail/mailscanner/2015-September/102575.html).
If you copy/paste the message you sent as-is, MailScanner skips the attachment detection. If you fix the Content-Type line to the following (no CR before name=), then MailScanner properly detects it and rejects the .JS:
Content-Type: application/x-rar-compressed; x-unix-mode=0600; name="04EBD_xxxx.xxxx_A546BB.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
From: MailScanner [mailto:mailscanner-bounces+mailbag=partnersolutions.ca at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: March 30, 2016 11:24 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: new malware bypass MailScanner filename rules !
On 3/30/16 8:02 AM, ezwww wrote:
> yes unrar 4.2 installed
> full message
I sent the message to me and I got
Mar 30 08:07:10 sbh16 MailScanner:
Mar 30 08:07:10 sbh16 MailScanner: Found spam based virus Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL in 03D4F11E19C1.ACBD3
but MailScanner didn't detect the .js, so I suspect it's because of the spoofed .zip extension. I.e., what I'm guessing is MailScanner tries to unzip the file because of the .zip extension rather than unrar based on the Content-Type:
You can report this issue at <https://github.com/MailScanner/v4/issues>.
Mark Sapiro <mark at msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
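The failure mode described in this thread, as an added example that is not part of the original posts and not MailScanner's code: a Content-Type header folded per RFC 5322 (a CRLF followed by a space or tab continues the same field) puts the name= parameter on a second physical line, so a check that inspects one header line at a time never sees the filename. The script below constructs a two-part MIME message with the folded header from the post and the same header on one line, runs a hypothetical line-at-a-time filename check against both (an illustration of the bug class, not MailScanner's actual logic), then shows that unfolding first, or using Python's stdlib MIME parser, recovers the declared name. It also sniffs the attachment's leading bytes so that a .zip name on RAR content, the other point raised above, is flagged. The sender/recipient addresses and the payload (just the RAR 4.x magic bytes plus padding, not an archive and not the .js-carrying sample from the thread) are constructed for this demo.

```python
"""Added example, not MailScanner code: folded Content-Type headers hide
name= from line-based checks; unfold (RFC 5322) or use a real MIME parser.
Message, addresses and payload below are constructed for this demo."""
import base64
import email
import re
from email import policy
from typing import Dict, List, Optional

# Constructed payload: RAR 4.x signature plus padding (not a real archive).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
PAYLOAD_B64 = base64.b64encode(RAR4_MAGIC + b"\x00" * 13).decode()

# The attachment header from the thread, folded so name= sits on a
# continuation line, and the same header on a single line.
FOLDED_CT = (
    "Content-Type: application/x-rar-compressed; x-unix-mode=0600;\r\n"
    '\tname="04EBD_xxxx.xxxx_A546BB.zip"'
)
FLAT_CT = (
    "Content-Type: application/x-rar-compressed; x-unix-mode=0600; "
    'name="04EBD_xxxx.xxxx_A546BB.zip"'
)


def build_message(attachment_ct: str) -> str:
    """Assemble a constructed two-part MIME message around the given header."""
    lines = [
        "From: sender@example.invalid",  # constructed address
        "To: victim@example.invalid",    # constructed address
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "see attached",
        "--b1",
        attachment_ct,
        "Content-Transfer-Encoding: base64",
        "",
        PAYLOAD_B64,
        "--b1--",
    ]
    return "\r\n".join(lines) + "\r\n"


RAW_FOLDED = build_message(FOLDED_CT)
RAW_FLAT = build_message(FLAT_CT)

FILENAME_RE = re.compile(r'(?:file)?name\s*=\s*"?([^";\r\n]+)"?', re.I)


def naive_names_per_line(raw: str) -> List[str]:
    """Hypothetical line-at-a-time check (the bug class, not MailScanner's
    code): only lines starting with Content-Type:/Content-Disposition: are
    inspected, so a name= on a folded continuation line is never seen."""
    names = []
    for line in raw.split("\r\n"):
        if line.lower().startswith(("content-type:", "content-disposition:")):
            m = FILENAME_RE.search(line)
            if m:
                names.append(m.group(1))
    return names


def unfold(raw: str) -> str:
    """RFC 5322 unfolding: CRLF followed by SP/HTAB continues the same field.
    (A production scanner would apply this to header blocks only.)"""
    return re.sub(r"\r\n(?=[ \t])", "", raw)


MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",      # RAR 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x
}


def sniff_container(data: bytes) -> Optional[str]:
    """Identify the archive type from leading magic bytes, ignoring the name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def audit_attachments(raw: str) -> List[Dict[str, object]]:
    """Walk the MIME tree with the stdlib parser (which unfolds headers before
    reading parameters) and report declared name/extension vs actual bytes."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Content-Disposition filename=, falling back to Content-Type name=
        filename = part.get_filename()
        if not filename:
            continue
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        container = sniff_container(part.get_payload(decode=True) or b"")
        findings.append({
            "filename": filename,
            "ext": ext,
            "content_type": part.get_content_type(),
            "container": container,
            "ext_matches_bytes": container == ext,
        })
    return findings


if __name__ == "__main__":
    print("naive, folded: ", naive_names_per_line(RAW_FOLDED))
    print("naive, unfolded:", naive_names_per_line(unfold(RAW_FOLDED)))
    print("parser, folded: ", audit_attachments(RAW_FOLDED))
```

The line-based check returns nothing for the folded message and the filename for the flat one, which is exactly the behaviour difference the post describes; unfolding before matching, or letting the MIME parser read the parameters, makes both messages look the same. The magic-byte sniff is independent of the header: the declared name ends in .zip while the bytes start with the RAR signature, so a filename rule keyed on the extension would choose the wrong unpacker even when it sees the name.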
MailScanner mailing list
mailscanner at lists.mailscanner.info