anomy-bugs

Problem removing file myphoto.zip

From: APPANAH Ravi (29068@xyz.molar.is)
Date: Tue 27 Jan 2004 - 09:35:23 GMT


Hi everybody !!!
        We use Anomy Sanitizer (v1.66) and SpamAssassin (v2.50) first, and then
InterScan Viruswall, for filtering mail...

        I am trying to delete all "myphoto.zip" attachments due to the Dumaru.y@MM worm alert.
        So I put a rule in the sanitizer.cfg file:

        # Viruses Mimail.A and Mimail.E and Mimail.C and DUMARU.Y
        file_list_2 = (?i)(message\.zip)|
        file_list_2 += (readnow\.zip)|
        file_list_2 += (myphoto\.zip)|
        file_list_2 += (photos\.zip)|(photos\.htm)
        file_list_2_policy = drop
        file_list_2_scanner = 0

        I was surprised that Anomy Sanitizer did not delete the "myphoto.zip" file.

        Thanks in advance for your help.

        Regards,
        Ravi APPANAH

        A copy of the original email is:

        Received: from s2.smtp.oleane.net (s2.smtp.oleane.net [195.25.12.6])
        by mail.ladocfrancaise.gouv.fr (Postfix) with ESMTP id 4A0D5440A6
        for <29207@xyz.molar.is>; Mon, 26 Jan 2004 12:55:18 +0100 (CET)
Received: from localhost (AOrleans-204-1-21-43.w81-250.abo.wanadoo.fr [81.250.163.43])
        by s2.smtp.oleane.net with ESMTP id i0QAYh4G010006
        for <29207@xyz.molar.is>; Mon, 26 Jan 2004 11:34:44 +0100 (CET)
Date: Mon, 26 Jan 2004 11:34:43 +0100 (CET)
Message-Id: <29258@xyz.molar.is>
From: "Elene" <29324@xyz.molar.is>
To: <29369@xyz.molar.is>
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
X-Spam-Status: Yes, hits=41.0 required=8.0
        tests=BAYES_99,HTML_10_20,HTML_FONT_COLOR_RED,MIME_HTML_ONLY,
              UNDESIRED_LANGUAGE_BODY,UPPERCASE_25_50,VIRUS_DUMARU_Y
        version=2.50
X-Spam-Level: *****************************************
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
X-Spam-Report: This mail is probably spam. The original message has been attached
  along with this report, so you can recognize or block similar unwanted
  mail in future. See http://spamassassin.org/tag/ for more details.
  Content preview: Hi ! Here is my photo, that you asked for yesterday.
  URI:domain_marker PK^C^D [...] myphoto.jpg .exe MZP [...] PE [...] FSG! [...]
  KERNEL32.dll LoadLibraryA GetProcAddress [...]
  [binary dump of the zip contents elided: the archive holds a PE executable
  whose name begins "myphoto.jpg" and ends ".exe"]
  Content analysis details: (41.00 points, 8 required)
  VIRUS_DUMARU_Y (30.0 points) Virus Dumaru Y
  UNDESIRED_LANGUAGE_BODY (4.0 points) BODY: Written in an undesired language
  HTML_FONT_COLOR_RED (0.1 points) BODY: HTML font color is red
  BAYES_99 (2.8 points) BODY: Bayesian classifier says spam probability is 99 to 100%
  [score: 0.9925]
  HTML_10_20 (1.0 points) BODY: Message is 10% to 20% HTML
  MIME_HTML_ONLY (2.5 points) Message only has text/html MIME parts
  UPPERCASE_25_50 (0.6 points) message body is 25-50% uppercase
X-Spam-Flag: YES
Subject: ***** SPAM [41.00/08.00] SPAM ***** Important information for you. Read it immediately !
X-Sanitizer: La Documentation Francaise mail filter

--xxxx
Content-Type: text/html;
Content-Transfer-Encoding: 7bit

<FONT color=red size=15><CENTER>Hi !</CENTER></FONT><BR>
Here is my photo, that you asked for yesterday.<BR><iframe src=domain_marker
WIDTH=1 HEIGHT=1></iframe>
--xxxx

Content-Transfer-Encoding: base64
Content-Disposition: attachment;
       filename="myphoto.zip"
....

Ravi APPANAH
Security Engineer
-----------------------------------------------------
  La Documentation Française
  Sous Direction Administration
  Département des Systèmes Informatiques (DSI/ESR)
  124 Rue Henri Barbusse
  93308 Aubervilliers
  Tel : +33 1 40 15 68 47
  Gsm : +33 6 64 40 24 80

  http://www.ladocumentationfrancaise.fr
-----------------------------------------------------
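An added example (Python; not part of Ravi's post and not Anomy Sanitizer's own code) that parses a constructed message mirroring the structure of the quoted copy. In that copy a blank line follows the second `--xxxx` boundary before `Content-Transfer-Encoding`, which leaves that part's header block empty and makes the `Content-Disposition: attachment; filename="myphoto.zip"` line body text rather than a header. The script applies the `file_list_2` pattern from the post to the filename each part declares, once for a message with that blank line and once without it, and also flags parts whose empty header block is followed by header-looking body lines, which is a cheap check a filter can run before trusting filename rules. Whether this is what happened in Ravi's setup is an assumption; the message text, attachment bytes and boundary are constructed, not the real worm mail.

```python
import email
import re

# Regex assembled from the file_list_2 lines in the post (Anomy concatenates the += pieces).
FILE_LIST_2 = re.compile(
    r"(?i)(message\.zip)|(readnow\.zip)|(myphoto\.zip)|(photos\.zip)|(photos\.htm)"
)

# Constructed sample modelled on the quoted copy; body and attachment bytes are dummies.
# Note the blank line directly after the second boundary: that part's header block is empty.
BROKEN_MSG = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="xxxx"\n'
    "Subject: constructed sample\n"
    "\n"
    "--xxxx\n"
    "Content-Type: text/html;\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "<FONT color=red>Hi !</FONT>\n"
    "--xxxx\n"
    "\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    '       filename="myphoto.zip"\n'
    "\n"
    "UEsDBAo=\n"
    "--xxxx--\n"
)

# Same message with the stray blank line removed, so the headers belong to the part.
FIXED_MSG = BROKEN_MSG.replace("--xxxx\n\nContent-", "--xxxx\nContent-")

# Header names that should never be the first lines of a part's body.
HEADER_IN_BODY = re.compile(r"^Content-(Type|Disposition|Transfer-Encoding):", re.I)


def leaf_parts(raw):
    """Parse the message and return its non-multipart parts in order."""
    msg = email.message_from_string(raw)
    return [p for p in msg.walk() if not p.is_multipart()]


def part_filenames(raw):
    """Filename each leaf part declares (Content-Disposition or Content-Type name), or None."""
    return [p.get_filename() for p in leaf_parts(raw)]


def dropped_by_rule(raw, rule=FILE_LIST_2):
    """Declared filenames the rule matches, i.e. the parts a filename-based drop rule would act on."""
    return [fn for fn in part_filenames(raw) if fn and rule.search(fn)]


def headerless_parts(raw):
    """Indexes of leaf parts with an empty header block whose body opens with header-like lines."""
    hits = []
    for i, p in enumerate(leaf_parts(raw)):
        body = p.get_payload(decode=False) or ""
        if not p.items() and HEADER_IN_BODY.match(body):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for label, raw in (("blank line after boundary", BROKEN_MSG),
                       ("headers directly after boundary", FIXED_MSG)):
        print(label, "-> filenames:", part_filenames(raw),
              "dropped:", dropped_by_rule(raw),
              "suspicious parts:", headerless_parts(raw))
```

With the blank line present the attachment part declares no filename at all, so a rule keyed on `filename=` never fires; without it the same `file_list_2` pattern matches `myphoto.zip`. The `headerless_parts` check catches the first shape so it can be quarantined or rejected independently of the filename list.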



hosted by molar.is