anomy-list

Problem removing file myphoto.zip

From: APPANAH Ravi (110850@xyz.molar.is)
Date: Tue 27 Jan 2004 - 09:35:23 GMT


    Hi everybody !!!
            We first use Anomy Sanitizer (v1.66) and SpamAssassin (v2.50), and then
    InterScan VirusWall for filtering mail...

            I am trying to delete all "myphoto.zip" attachments because of the Dumaru.y@MM worm alert.
            So I put a rule in the sanitizer.cfg file:

            # Viruses Mimail.A, Mimail.E, Mimail.C and DUMARU.Y
            file_list_2 = (?i)(message\.zip)|
            file_list_2 += (readnow\.zip)|
            file_list_2 += (myphoto\.zip)|
            file_list_2 += (photos\.zip)|(photos\.htm)
            file_list_2_policy = drop
            file_list_2_scanner = 0

            I was surprised that Anomy Sanitizer did not delete the "myphoto.zip" file.

            Thanks in advance for your help.

            Regards,
            Ravi APPANAH

            A copy of the original email is:

            Received: from s2.smtp.oleane.net (s2.smtp.oleane.net [195.25.12.6])
            by mail.ladocfrancaise.gouv.fr (Postfix) with ESMTP id 4A0D5440A6
            for <110992@xyz.molar.is>; Mon, 26 Jan 2004 12:55:18
    +0100 (CET)
    Received: from localhost (AOrleans-204-1-21-43.w81-250.abo.wanadoo.fr
    [81.250.163.43])
            by s2.smtp.oleane.net with ESMTP id i0QAYh4G010006
            for <110992@xyz.molar.is>; Mon, 26 Jan 2004 11:34:44
    +0100 (CET)
    Date: Mon, 26 Jan 2004 11:34:43 +0100 (CET)
    Message-Id: <111044@xyz.molar.is>
    From: "Elene" <111111@xyz.molar.is>
    To: <111157@xyz.molar.is>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;boundary="xxxx"
    X-Spam-Status: Yes, hits=41.0 required=8.0
            tests=BAYES_99,HTML_10_20,HTML_FONT_COLOR_RED,MIME_HTML_ONLY,
                  UNDESIRED_LANGUAGE_BODY,UPPERCASE_25_50,VIRUS_DUMARU_Y
            version=2.50
    X-Spam-Level: *****************************************
    X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
    X-Spam-Report: This mail is probably spam. The original message has been
    attached
      along with this report, so you can recognize or block similar unwanted
      mail in future. See http://spamassassin.org/tag/ for more details.
      Content preview: Hi ! Here is my photo, that you asked for yesterday.
      URI:domain_marker [...]
      Content analysis details: (41.00 points, 8 required)
      VIRUS_DUMARU_Y (30.0 points) Virus Dumaru Y
      UNDESIRED_LANGUAGE_BODY (4.0 points) BODY: Written in an undesired
    language
      HTML_FONT_COLOR_RED (0.1 points) BODY: HTML font color is red
      BAYES_99 (2.8 points) BODY: Bayesian classifier says spam
    probability is 99 to 100%
      [score: 0.9925]
      HTML_10_20 (1.0 points) BODY: Message is 10% to 20% HTML
      MIME_HTML_ONLY (2.5 points) Message only has text/html MIME parts
      UPPERCASE_25_50 (0.6 points) message body is 25-50% uppercase
    X-Spam-Flag: YES
    Subject: ***** SPAM [41.00/08.00] SPAM ***** Important information for you.
    Read it immediately !
    X-Sanitizer: La Documentation Francaise mail filter

    --xxxx
    Content-Type: text/html;
    Content-Transfer-Encoding: 7bit

    <FONT color=red size=15><CENTER>Hi !</CENTER></FONT><BR>
    Here is my photo, that you asked for yesterday.<BR><iframe src=domain_marker
    WIDTH=1 HEIGHT=1></iframe>
    --xxxx

    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
           filename="myphoto.zip"
    ....

    Ravi APPANAH
    Security Engineer
    -----------------------------------------------------
      La Documentation Française
      Sous Direction Administration
      Département des Systèmes Informatiques (DSI/ESR)
      124 Rue Henri Barbusse
      93308 Aubervilliers
      Tel : +33 1 40 15 68 47
      Gsm : +33 6 64 40 24 80

      http://www.ladocumentationfrancaise.fr
    -----------------------------------------------------
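The file_list_2 regex from the post, checked against the structure of the quoted message: an added example, not code from the post or from Anomy Sanitizer. It assumes Python's re treats these alternations like Perl does and that the sanitizer searches the declared attachment filename unanchored; the message body is constructed from the quoted headers with a dummy payload.

```python
"""Which attachment filenames in a MIME message does an Anomy-style
file_list regex catch? Added example; sample message is constructed."""
import re
from email import message_from_string

# The regex the post assembles from its "file_list_2 =" / "+=" lines.
FILE_LIST_2 = (r"(?i)(message\.zip)|(readnow\.zip)|(myphoto\.zip)|"
               r"(photos\.zip)|(photos\.htm)")

# Constructed sample mirroring the quoted mail: same part layout, dummy
# addresses, a placeholder base64 payload instead of the real attachment.
SAMPLE_MAIL = """\
From: "Elene" <sender@example.invalid>
To: <recipient@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xxxx"
Subject: Important information for you. Read it immediately !

--xxxx
Content-Type: text/html;
Content-Transfer-Encoding: 7bit

Here is my photo, that you asked for yesterday.
--xxxx
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
       filename="myphoto.zip"

UEsDBAAAAAA=
--xxxx--
"""

def attachment_names(raw):
    """Filenames declared by the non-multipart parts, in message order.
    get_filename() reads Content-Disposition filename= and falls back to
    Content-Type name=, so a part lacking Content-Type (as above) still works."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def matching_names(raw, pattern=FILE_LIST_2):
    """Declared filenames the file_list regex matches (unanchored search,
    assumed to mirror how the sanitizer applies the rule)."""
    rx = re.compile(pattern)
    return [n for n in attachment_names(raw) if rx.search(n)]
```

If this reports a match, the regex itself is not the reason the attachment survived, and the remaining rule settings are the next thing to check.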


