Dear Anomy people,
Thanks very much for your program!
I just got a virus email with the attached file having spaces in its
name, and Anomy did not drop the file. Running the raw message through
Anomy with a test script, I found this behaviour:
Attached file name        Anomy
name=CODE .bat            renames it.
name=CODE .bat            renames it.
name=CODE.bat             drops it.
Below are the relevant pieces of the message and the results.
I don't feel like diving into the Perl code to sort this out - I am not
very familiar with Perl. I hope this report helps!
It is possible that this space in the file name also renders the payload
unlikely to be executable on a Windows machine. Nonetheless, it would
be nice to be able to detect such rot so I can automatically toss it
into the virus pit, and at present I am looking for the "dropped"
message to decide whether the message was a virus or not.
Cheers
- Robin
==================================
The guts of the original message, which was 135 k bytes:
Subject: Have a humour Allhallowmas
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Ki1f0lU45EhU8cYW138e70086oe
Message-Id: <20021020174546.RYFD22897.rwcrmhc53.attbi.com@Bqbiwc>
Date: Sun, 20 Oct 2002 17:45:50 +0000
--Ki1f0lU45EhU8cYW138e70086oe
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:W30D8m919p98q0V05wp height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--Ki1f0lU45EhU8cYW138e70086oe
Content-Type: audio/x-wav;
name=CODE .bat
Content-Transfer-Encoding: base64
Content-ID: <W30D8m919p98q0V05wp>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
==================================
Anomy's response to the above, with the resulting message being
about 137 k bytes:
Subject: Have a humour Allhallowmas
Message-Id: <20021020174546.RYFD22897.rwcrmhc53.attbi.com@Bqbiwc>
Date: Sun, 20 Oct 2002 17:45:50 +0000
X-Sanitizer: Spam Assassin and Anomy Sanitizer - see
http://www.firstpr.com.au/web-mail/.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="MIMEStream=_0+275395_5660551535682_49824306806"
--MIMEStream=_0+275395_5660551535682_49824306806
Content-Type: text/html; name="unnamed.html"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:W30D8m919p98q0V05wp height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY><BR><HR><TABLE BORDER=3D1
BGCOLOR=3D"white"><TR><TD><B>This message has bee=
n 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.
</B><P>
<pre><font color=3D"black">
Sanitizer (start=3D"1035176581"):
Replaced MIME boundary: >>Ki1f0lU45EhU8cYW138e70086oe<<
with:
>>MIMEStream=3D_0+275395_5660551535682_4982=
4306806<<
Part (pos=3D"848"):
SanitizeFile (filename=3D"unnamed.html", mimetype=3D"text/html"):
No attachment name found, using default (unnamed.html).
Match (rule=3D"2"):
Enforced policy: accept
Total modifications so far: 1
</font></pre>
<P>Anomy 0.0.0 : Sanitizer.pm
$Id: Sanitizer.pm,v 1.63 2002/10/02 16:03:01 bre Exp $
<P></TD></TR></TABLE>
</HTML>
--MIMEStream=_0+275395_5660551535682_49824306806
Content-Type: application/DEFANGED-149; name="CODE.DEFANGED-149"
Content-Transfer-Encoding: base64
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
==================================
Anomy's response to a message altered to have "name=CODE .bat" -
now only 11 k bytes. This includes my custom message for when
files are dropped:
Subject: Have a humour Allhallowmas
Message-Id: <20021020174546.RYFD22897.rwcrmhc53.attbi.com@Bqbiwc>
Date: Sun, 20 Oct 2002 17:45:50 +0000
X-Sanitizer: Spam Assassin and Anomy Sanitizer - see
http://www.firstpr.com.au/web-mail/.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="MIMEStream=_0+162146_7042554452296_71978351316"
--MIMEStream=_0+162146_7042554452296_71978351316
Content-Type: text/html; name="unnamed.html"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:W30D8m919p98q0V05wp height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY><BR><HR><TABLE BORDER=3D1
BGCOLOR=3D"white"><TR><TD><B>This message has bee=
n 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.
</B><P>
<pre><font color=3D"black">
Sanitizer (start=3D"1035176526"):
Replaced MIME boundary: >>Ki1f0lU45EhU8cYW138e70086oe<<
with:
>>MIMEStream=3D_0+162146_7042554452296_7197=
8351316<<
Part (pos=3D"848"):
SanitizeFile (filename=3D"unnamed.html", mimetype=3D"text/html"):
No attachment name found, using default (unnamed.html).
Match (rule=3D"2"):
Enforced policy: accept
Total modifications so far: 1
</font></pre>
<P>Anomy 0.0.0 : Sanitizer.pm
$Id: Sanitizer.pm,v 1.63 2002/10/02 16:03:01 bre Exp $
<P></TD></TR></TABLE>
</HTML>
--MIMEStream=_0+162146_7042554452296_71978351316
Content-Type: text/plain; charset="iso-8859-1"; name="DEFANGED-15.txt"
Content-Transfer-Encoding: 8bit
*****
Attached file dropped
NOTE: An attachment named CODE.bat was deleted from
this message because it contained a Windows executable
or other potentially dangerous file type.
Contact the system administrator for more information.
--MIMEStream=_0+162146_7042554452296_71978351316
--
This message has been 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.
Sanitizer (start="1035176526"):
Replaced MIME boundary: >>Ki1f0lU45EhU8cYW138e70086oe<<
with:
>>MIMEStream=_0+162146_7042554452296_71978351316<<
Part (pos="848"):
SanitizeFile (filename="unnamed.html", mimetype="text/html"):
No attachment name found, using default (unnamed.html).
Match (rule="2"):
Enforced policy: accept
Total modifications so far: 1
Part (pos="1073"):
SanitizeFile (filename="CODE.bat", mimetype="audio/x-wav"):
Match (rule="1"):
Enforced policy: drop
Replaced mime type with: text/plain
Replaced file name with: DEFANGED-15.txt
Part (pos="127440"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (rule="2"):
Enforced policy: accept
Total modifications so far: 2
Anomy 0.0.0 : Sanitizer.pm
$Id: Sanitizer.pm,v 1.63 2002/10/02 16:03:01 bre Exp $
--MIMEStream=_0+162146_7042554452296_71978351316
Content-Type: application/octet-stream;
name="=?iso-8859-1?Q?lauren01[1].jpg?="
Content-Transfer-Encoding: base64
/9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAHgAA/+4ADkFkb2JlAGTAAAAA
Af/bAIQAEAsLCwwLEAwMEBcPDQ8XGxQQEBQbHxcXFxcXHx4XGhoaGhceHiMlJyUjHi8vMzMv
L0BAQEBAQEBAQEBAQEBAQAERDw8RExEVEhIVFBEUERQaFBYWFBomGhocGhomMCMeHh4eIzAr
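The report above shows two parsers disagreeing about the same header: the sanitizer reads the unquoted `name=CODE .bat` as the RFC 2045 token `CODE` (hence the renamed part `CODE.DEFANGED-149`), while a mail client may well take the whole remainder, `CODE .bat`, as the filename. A filename-based drop rule that only sees the sanitizer's reading misses the `.bat`, even though the base64 body begins with an `MZ` header, i.e. a Windows executable declared as `audio/x-wav`. The following Python script is an added example, not Anomy's code; it parses the header both ways, matches an extension rule against every candidate name, and additionally sniffs the decoded body. The header lines and base64 prefixes are copied from the message quoted above; the benign JPEG header, the extension list and the whitespace-stripping normalization are assumptions made for illustration.

```python
import base64
import re

# Attachment header copied from the message quoted above (folded, unquoted value with a space).
UNQUOTED_WITH_SPACE = "audio/x-wav;\n name=CODE .bat"
# Assumed variant of the same header with the space removed, for comparison.
NO_SPACE = "audio/x-wav;\n name=CODE.bat"
# First base64 line of the attachment body, copied from the message above.
BODY_B64_PREFIX = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# Constructed benign case: a JPEG whose first base64 line is copied from the trailing attachment above.
JPEG_HEADER = 'image/jpeg;\n name="lauren01[1].jpg"'
JPEG_B64_PREFIX = "/9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAHgAA/+4ADkFkb2JlAGTAAAAA"

# Assumed extension blocklist; a real deployment would use the sanitizer's own rule set.
DANGEROUS_EXT = re.compile(r"\.(bat|cmd|com|exe|pif|scr|vbs)$", re.IGNORECASE)


def parse_params(header, strict):
    """Return (mediatype, {param: value}) for a Content-Type header value.

    strict=True  : RFC 2045 token rules, an unquoted value ends at the first
                   whitespace (this is the reading that yields 'CODE').
    strict=False : client-style, an unquoted value runs to the ';' or the end
                   (this yields 'CODE .bat').
    Splitting on ';' is deliberately simple and ignores ';' inside quotes.
    """
    header = header.replace("\r\n", "\n")
    header = re.sub(r"\n[ \t]+", " ", header)  # unfold continuation lines
    parts = header.split(";")
    mediatype = parts[0].strip().lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif strict:
            tokens = value.split()
            value = tokens[0] if tokens else ""
        params[key] = value
    return mediatype, params


def strict_name(header):
    """The filename as a strict (sanitizer-style) parser sees it."""
    return parse_params(header, True)[1].get("name")


def candidate_names(header):
    """Every filename a downstream client might plausibly use for this part:
    the strict and lenient parses, plus each with internal whitespace removed
    (an assumed client normalization, e.g. 'CODE .bat' -> 'CODE.bat')."""
    names = set()
    for strict in (True, False):
        _, params = parse_params(header, strict)
        if "name" in params:
            names.add(params["name"])
    names |= {re.sub(r"\s+", "", n) for n in list(names)}
    return names


def name_rule_matches(header):
    """True if any candidate interpretation of the name has a blocked extension."""
    return any(DANGEROUS_EXT.search(n) for n in candidate_names(header))


def looks_like_pe(b64_body):
    """Content sniff: decode the body prefix and check for the DOS 'MZ' magic."""
    raw = base64.b64decode(b64_body)
    return raw[:2] == b"MZ"


def verdict(header, b64_body):
    """Drop the part if any candidate name is blocked OR the body is a PE image,
    regardless of the declared media type."""
    if name_rule_matches(header) or looks_like_pe(b64_body):
        return "drop"
    return "accept"


if __name__ == "__main__":
    for label, hdr, body in (("original", UNQUOTED_WITH_SPACE, BODY_B64_PREFIX),
                             ("no-space", NO_SPACE, BODY_B64_PREFIX),
                             ("jpeg", JPEG_HEADER, JPEG_B64_PREFIX)):
        print(label, "strict name:", strict_name(hdr),
              "candidates:", sorted(candidate_names(hdr)),
              "PE:", looks_like_pe(body), "verdict:", verdict(hdr, body))
```

The point of checking the body is that the two filename parses are only the two interpretations we happened to think of; the `MZ` sniff catches the executable whatever the sender does to the name or the declared `Content-Type`.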