anomy-list

Problem dropping zip files from W32/Mydoom@MM

From: APPANAH Ravi (113095@xyz.molar.is)
Date: Thu 29 Jan 2004 - 09:57:44 GMT


Hi Everybody !!!
        I've put a rule in Sanitizer in order to delete some zip files due to
W32/Mydoom@MM...

        In some messages, zip files are dropped by sanitizer but sometimes zip
files pass through the sanitizer !!!

        When analyzing the message, I discovered that it was a "7-bit ASCII
encoding" message ???
        Copy of message at the end of this mail...

        Does sanitizer handle this kind of message (7-bit ASCII encoding) ?
        If so, how can I configure it ??

        Thanks in advance.
        Regards,
        Ravi APPANAH

Ravi APPANAH
Security Engineer
-----------------------------------------------------
  La Documentation Française
  Sous Direction Administration
  Département des Systèmes Informatiques (DSI/ESR)
  124 Rue Henri Barbusse
  93308 Aubervilliers
  Tel : +33 1 40 15 68 47
  Gsm : +33 6 64 40 24 80

  http://www.ladocumentationfrancaise.fr
-----------------------------------------------------

Here is a copy of the message
....
Message-Id: <113186@xyz.molar.is>
X-Spam-Status: No, hits=5.8 required=8.0
        tests=BAYES_60,MISSING_MIMEOLE,NO_REAL_NAME,PRIORITY_NO_NAME
        version=2.50
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
X-Sanitizer: La Documentation Francaise mail filter

This is a multi-part message in MIME format.

------=_NextPart_000_0013_D5ED78BA.0E5F2AC0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

------------------ Message Alerte-Virus (La Documentation Francaise)

Found virus WORM_MIMAIL.R in file doc.exe (in doc.zip)
The uncleanable file doc.zip is moved to /etc/iscan/virus/virQcrBGv.

Bonjour, un message du 01/28/2004 21:16:05 envoye par 113260@xyz.molar.is a
ete detecte comme infecte par le virus : doc.zip. Il n'a donc pu etre
delivre dans son integralite ou a ete bloque par le systeme. Merci de
contacter par e-mail: 113297@xyz.molar.is pour plus d'informations.

---------------------------------------------------------

------=_NextPart_000_0013_D5ED78BA.0E5F2AC0
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment.

------=_NextPart_000_0013_D5ED78BA.0E5F2AC0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

------------------ Message Alerte-Virus (La Documentation Francaise)

doc.zip is removed from here because it contains a virus.

---------------------------------------------------------
------=_NextPart_000_0013_D5ED78BA.0E5F2AC0--

--86B74C1AE.1075317479/mail.df.gouv.fr--


