new malware bypass MailScanner filename rules !

ezwww info at ezwww.ch
Thu Mar 31 11:32:39 UTC 2016


Thanks for this information,

Exactly, you are right: it's a problem with MailScanner and a malformed
Content-Type header.

I opened a new issue at https://github.com/MailScanner/v4/issues/58

ezwww

> The problem is due to the Content-Type header being on two lines. This chokes mailscanner and it skips the attachment detection. I wrote about this last year in September, but no one really noticed.. (http://lists.mailscanner.info/pipermail/mailscanner/2015-September/102575.html).
>
> If you copy/paste the message you sent as-is, mailscanner skips the attachment detection. If you fix the Content-Type line to the following (no CR before name=), then mailscanner properly detects it and rejects the .JS:
>
> Content-Type: application/x-rar-compressed; x-unix-mode=0600; name="04EBD_xxxx.xxxx_A546BB.zip"
>
> Versus:
>
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
> name="04EBD_xxxx.xxxx_A546BB.zip"
>
>
> -Joshua
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+mailbag=partnersolutions.ca at lists.mailscanner.info] On Behalf Of Mark Sapiro
> Sent: March 30, 2016 11:24 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: new malware bypass MailScanner filename rules !
>
> On 3/30/16 8:02 AM, ezwww wrote:
>>
>> yes unrar 4.2 installed
> ...
>> full message
>>
>> http://pastebin.com/etnfF34t
>
>
> I sent the message to me and I got
>
> Mar 30 08:07:10 sbh16 MailScanner[6415]:
> Clamd::INFECTED::Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL ::
> ./03D4F11E19C1.ACBD3/
> Mar 30 08:07:10 sbh16 MailScanner[6415]: Found spam based virus Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL in 03D4F11E19C1.ACBD3
>
>
> but MailScanner didn't detect the .js, so I suspect it's because of the spoofed .zip extension. I.e., what I'm guessing is MailScanner tries to unzip the file because of the .zip extension rather than unrar based on the Content-Type:
>
> You can report this issue at <https://github.com/MailScanner/v4/issues>.
>

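The header-folding case Joshua describes above, as an added example that is not from this thread or from MailScanner's own code: a line-oriented filename check misses a `name=` parameter that has been folded onto a continuation line, while letting the standard `email` parser unfold the header first finds it in both forms. The two MIME messages are constructed for the example (the filename is the one quoted in the thread), and the type/extension check follows Mark's guess about the rar-vs-zip mismatch.

```python
import email
import re
from email import policy
from typing import Optional

# Constructed message with the filename parameter on the Content-Type line.
UNFOLDED = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: application/x-rar-compressed; x-unix-mode=0600; "
    'name="04EBD_xxxx.xxxx_A546BB.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "UmFyIQ==\r\n"
)

# Same message, but name= folded onto a continuation line (legal per RFC 5322).
FOLDED = UNFOLDED.replace('x-unix-mode=0600; name=', 'x-unix-mode=0600;\r\n name=')


def naive_name(raw: str) -> Optional[str]:
    """Line-oriented check: only sees name= if it sits on the Content-Type line."""
    for line in raw.split("\r\n"):
        if line.lower().startswith("content-type:"):
            m = re.search(r'name="([^"]+)"', line)
            return m.group(1) if m else None
    return None


def robust_name(raw: str) -> Optional[str]:
    """Let the email parser unfold headers before reading the name parameter."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg.get_filename()


def type_extension_mismatch(raw: str) -> bool:
    """True when the declared MIME type and the filename extension disagree
    (here: a rar Content-Type carrying a .zip name), which a filename rule
    based on the extension alone would not notice."""
    msg = email.message_from_string(raw, policy=policy.default)
    name = (msg.get_filename() or "").lower()
    ctype = msg.get_content_type()
    return ctype == "application/x-rar-compressed" and name.endswith(".zip")


if __name__ == "__main__":
    for label, raw in (("unfolded", UNFOLDED), ("folded", FOLDED)):
        print(label, naive_name(raw), robust_name(raw), type_extension_mismatch(raw))
```

Filename rules should run on the unfolded header value, so a check like `robust_name` is the one to gate on, and `naive_name` is what a line-by-line scanner effectively does.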
