anomy-bugs

Space in file name stops Anomy from dropping it

From: Robin Whittle (18645@xyz.molar.is)
Date: Mon 21 Oct 2002 - 05:25:45 GMT

  • Next message: Tom Vandepoel: "Re: filename parsing issue"

    Dear Anomy people,

    Thanks very much for your program!

    I just got a virus email with the attached file having spaces in its
    name, and Anomy did not drop the file. Running the raw message through
    Anomy with a test script, I found this behaviour:

      Attached file name      Anomy

      name=CODE .bat          renames it.
      name=CODE .bat          renames it.
      name=CODE.bat           drops it.

    Below are the relevant pieces of the message and the results.

    I don't feel like diving into the Perl code to sort this out - I am not
    very familiar with Perl. I hope this report helps!

    It is possible that this space in the file name also renders the payload
    unlikely to be executable on a Windows machine. Nonetheless, it would
    be nice to be able to detect such rot so I can automatically toss it
    into the virus pit, and at present I am looking for the "dropped"
    message to decide whether the message was a virus or not.

      Cheers
     
       - Robin

    ==================================

    The guts of the original message, which was 135 k bytes:

    Subject: Have a humour Allhallowmas
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary=Ki1f0lU45EhU8cYW138e70086oe
    Message-Id: <20021020174546.RYFD22897.rwcrmhc53.attbi.com@Bqbiwc>
    Date: Sun, 20 Oct 2002 17:45:50 +0000

    --Ki1f0lU45EhU8cYW138e70086oe
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY>
    <iframe src=3Dcid:W30D8m919p98q0V05wp height=3D0 width=3D0>
    </iframe>
    <FONT></FONT></BODY></HTML>

    --Ki1f0lU45EhU8cYW138e70086oe
    Content-Type: audio/x-wav;
            name=CODE .bat
    Content-Transfer-Encoding: base64
    Content-ID: <W30D8m919p98q0V05wp>

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
    RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn

    ==================================

         Anomy's response to the above, with the resulting message being
         about 137 k bytes:

    Subject: Have a humour Allhallowmas
    Message-Id: <20021020174546.RYFD22897.rwcrmhc53.attbi.com@Bqbiwc>
    Date: Sun, 20 Oct 2002 17:45:50 +0000
    X-Sanitizer: Spam Assassin and Anomy Sanitizer - see
    http://www.firstpr.com.au/web-mail/.
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="MIMEStream=_0+275395_5660551535682_49824306806"

    --MIMEStream=_0+275395_5660551535682_49824306806
    Content-Type: text/html; name="unnamed.html"
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY>
    <iframe src=3Dcid:W30D8m919p98q0V05wp height=3D0 width=3D0>
    </iframe>
    <FONT></FONT></BODY><BR><HR><TABLE BORDER=3D1
    BGCOLOR=3D"white"><TR><TD><B>This message has bee=
    n 'sanitized'. This means that potentially
    dangerous content has been rewritten or removed. The following
    log describes which actions were taken.
    </B><P>
    <pre><font color=3D"black">
    Sanitizer (start=3D"1035176581"):
      Replaced MIME boundary: &gt;&gt;Ki1f0lU45EhU8cYW138e70086oe&lt;&lt;
                        with:
    &gt;&gt;MIMEStream=3D_0+275395_5660551535682_4982=
    4306806&lt;&lt;
      Part (pos=3D"848"):
        SanitizeFile (filename=3D"unnamed.html", mimetype=3D"text/html"):
          No attachment name found, using default (unnamed.html).
          Match (rule=3D"2"):
            Enforced policy: accept

        Total modifications so far: 1

    </font></pre>
    <P>Anomy 0.0.0 : Sanitizer.pm
    $Id: Sanitizer.pm,v 1.63 2002/10/02 16:03:01 bre Exp $
    <P></TD></TR></TABLE>
    </HTML>

    --MIMEStream=_0+275395_5660551535682_49824306806
    Content-Type: application/DEFANGED-149; name="CODE.DEFANGED-149"
    Content-Transfer-Encoding: base64

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
    RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn

    ==================================

         Anomy's response to a message altered to have "name=CODE .bat" -
         now only 11 k bytes. This includes my custom message for when
         files are dropped:

    Subject: Have a humour Allhallowmas
    Message-Id: <20021020174546.RYFD22897.rwcrmhc53.attbi.com@Bqbiwc>
    Date: Sun, 20 Oct 2002 17:45:50 +0000
    X-Sanitizer: Spam Assassin and Anomy Sanitizer - see
    http://www.firstpr.com.au/web-mail/.
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="MIMEStream=_0+162146_7042554452296_71978351316"

    --MIMEStream=_0+162146_7042554452296_71978351316
    Content-Type: text/html; name="unnamed.html"
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY>
    <iframe src=3Dcid:W30D8m919p98q0V05wp height=3D0 width=3D0>
    </iframe>
    <FONT></FONT></BODY><BR><HR><TABLE BORDER=3D1
    BGCOLOR=3D"white"><TR><TD><B>This message has bee=
    n 'sanitized'. This means that potentially
    dangerous content has been rewritten or removed. The following
    log describes which actions were taken.
    </B><P>
    <pre><font color=3D"black">
    Sanitizer (start=3D"1035176526"):
      Replaced MIME boundary: &gt;&gt;Ki1f0lU45EhU8cYW138e70086oe&lt;&lt;
                        with:
    &gt;&gt;MIMEStream=3D_0+162146_7042554452296_7197=
    8351316&lt;&lt;
      Part (pos=3D"848"):
        SanitizeFile (filename=3D"unnamed.html", mimetype=3D"text/html"):
          No attachment name found, using default (unnamed.html).
          Match (rule=3D"2"):
            Enforced policy: accept

        Total modifications so far: 1

    </font></pre>
    <P>Anomy 0.0.0 : Sanitizer.pm
    $Id: Sanitizer.pm,v 1.63 2002/10/02 16:03:01 bre Exp $
    <P></TD></TR></TABLE>
    </HTML>

    --MIMEStream=_0+162146_7042554452296_71978351316
    Content-Type: text/plain; charset="iso-8859-1"; name="DEFANGED-15.txt"
    Content-Transfer-Encoding: 8bit

    *****
    Attached file dropped
    NOTE: An attachment named CODE.bat was deleted from
    this message because it contained a Windows executable
    or other potentially dangerous file type.
    Contact the system administrator for more information.
    --MIMEStream=_0+162146_7042554452296_71978351316

    -- 
    This message has been 'sanitized'.  This means that potentially
    dangerous content has been rewritten or removed.  The following
    log describes which actions were taken.
    

    Sanitizer (start="1035176526"):
      Replaced MIME boundary: >>Ki1f0lU45EhU8cYW138e70086oe<<
                        with: >>MIMEStream=_0+162146_7042554452296_71978351316<<
      Part (pos="848"):
        SanitizeFile (filename="unnamed.html", mimetype="text/html"):
          No attachment name found, using default (unnamed.html).
          Match (rule="2"):
            Enforced policy: accept

        Total modifications so far: 1

      Part (pos="1073"):
        SanitizeFile (filename="CODE.bat", mimetype="audio/x-wav"):
          Match (rule="1"):
            Enforced policy: drop
            Replaced mime type with: text/plain
            Replaced file name with: DEFANGED-15.txt

      Part (pos="127440"):
        SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
          Match (rule="2"):
            Enforced policy: accept

        Total modifications so far: 2

    Anomy 0.0.0 : Sanitizer.pm
    $Id: Sanitizer.pm,v 1.63 2002/10/02 16:03:01 bre Exp $

    --MIMEStream=_0+162146_7042554452296_71978351316
    Content-Type: application/octet-stream; name="=?iso-8859-1?Q?lauren01[1].jpg?="
    Content-Transfer-Encoding: base64

    /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAHgAA/+4ADkFkb2JlAGTAAAAA
    Af/bAIQAEAsLCwwLEAwMEBcPDQ8XGxQQEBQbHxcXFxcXHx4XGhoaGhceHiMlJyUjHi8vMzMv
    L0BAQEBAQEBAQEBAQEBAQAERDw8RExEVEhIVFBEUERQaFBYWFBomGhocGhomMCMeHh4eIzAr
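Editor's added example (not Anomy's code and not part of the message above): the behaviour in the report comes down to how the unquoted parameter `name=CODE .bat` is tokenised. Under RFC 2045 a parameter value is either a token or a quoted-string, and a token cannot contain a space, so a by-the-book parser reads the name as "CODE" and discards " .bat"; a lenient reader (most mail clients, and Python's legacy email parser) takes everything up to the next ';' and sees "CODE .bat". A filter that decides drop-versus-rename on the strict reading sees no dangerous extension and lets the part through renamed, which is exactly what the two sanitizer logs show. The script below implements both readings over the header from the report, uses a constructed two-outcome rule as a stand-in for Anomy's real rule set, and makes the conservative decision: drop the part if any plausible reading of its name would be dropped. The sample part, the rule, and all function names are constructed for this example.

```python
"""Strict vs. lenient parsing of a MIME Content-Type 'name=' parameter.

Added example for the Anomy report above; not Anomy's code.  The sample
part, the drop/rename rule and all function names are constructed here.
"""
import email
import re

# The Content-Type value from the report, folded exactly as it arrived.
HEADER_VALUE = "audio/x-wav;\n        name=CODE .bat"

# Constructed MIME part modelled on the one in the report (body truncated),
# used to compare against Python's own (legacy, compat32) email parser.
RAW_PART = (
    "Content-Type: " + HEADER_VALUE + "\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
)

# RFC 2045 tspecials: characters that may not appear in a bare token.
TSPECIALS = '()<>@,;:\\"/[]?='


def _unfold(value):
    """Join folded header lines (line break followed by whitespace) into one."""
    return re.sub(r'\r?\n[ \t]+', ' ', value)


def _skip_ws(s, i):
    while i < len(s) and s[i] in ' \t':
        i += 1
    return i


def _token(s, i):
    """Read an RFC 2045 token: printable ASCII with no SPACE, CTL or tspecial."""
    j = i
    while j < len(s) and ' ' < s[j] < '\x7f' and s[j] not in TSPECIALS:
        j += 1
    return s[i:j], j


def _quoted_string(s, i):
    """Read a quoted-string starting at s[i] == '"', honouring backslash escapes."""
    out, j = [], i + 1
    while j < len(s) and s[j] != '"':
        if s[j] == '\\' and j + 1 < len(s):
            j += 1
        out.append(s[j])
        j += 1
    return ''.join(out), j + 1


def parse_params(header_value, strict=True):
    """Return (content_type, {param: value}) for a Content-Type header value.

    strict=True  reads a bare value as one token and ignores anything between
                 that token and the next ';'  ('CODE .bat' -> 'CODE').
    strict=False reads a bare value up to the next ';' as mail clients do
                 ('CODE .bat' -> 'CODE .bat').
    """
    s = _unfold(header_value)
    ctype, i = _token(s, 0)
    if i < len(s) and s[i] == '/':
        sub, i = _token(s, i + 1)
        ctype = ctype + '/' + sub
    params = {}
    while True:
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ';':
            break
        i = _skip_ws(s, i + 1)
        name, i = _token(s, i)
        i = _skip_ws(s, i)
        if not name or i >= len(s) or s[i] != '=':
            break                      # bare attribute or junk: stop here
        i = _skip_ws(s, i + 1)
        end = s.find(';', i)
        end = len(s) if end < 0 else end
        if i < len(s) and s[i] == '"':
            value, i = _quoted_string(s, i)
        elif strict:
            value, _ = _token(s, i)
            i = end                    # trailing junk such as ' .bat' is dropped
        else:
            value, i = s[i:end].strip(), end
        params[name.lower()] = value
    return ctype.lower(), params


# Constructed stand-in for a sanitizer rule set: drop names ending in a
# Windows executable extension, rename anything else.
DANGEROUS_EXT = re.compile(r'\.(bat|cmd|com|exe|pif|scr|vbs)\s*$', re.I)


def decide(filename):
    return 'drop' if DANGEROUS_EXT.search(filename) else 'rename'


def filename_candidates(header_value):
    """Every name a downstream reader might give this part, strict and lenient."""
    names = set()
    for strict in (True, False):
        _, params = parse_params(header_value, strict=strict)
        if params.get('name'):
            names.add(params['name'])
    return sorted(names)


def robust_decision(header_value):
    """Drop if any plausible reading of the file name would be dropped."""
    outcomes = {decide(n) for n in filename_candidates(header_value)}
    return 'drop' if 'drop' in outcomes else 'rename'


def stdlib_filename(raw_part):
    """What Python's legacy email parser reports for the same part (lenient)."""
    return email.message_from_string(raw_part).get_filename()


if __name__ == '__main__':
    for strict in (True, False):
        print('strict' if strict else 'lenient', parse_params(HEADER_VALUE, strict))
    print('stdlib:', stdlib_filename(RAW_PART))
    print('decision:', robust_decision(HEADER_VALUE))
```

On the header from the report the strict reading yields "CODE", the lenient reading and Python's legacy parser yield "CODE .bat", and the conservative decision is "drop". A sanitizer can close the gap either by evaluating its rules against every reading of the name, as above, or by treating a parameter whose bare value is followed by anything other than ';' or end of header as malformed and therefore untrusted.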



    hosted by molar.is