procmail

Plaintext base64 error.hta attachment

2003-05-30 22:11:48

        I just got several extremely nasty looking emails, all of
which just now snuck by my otherwise 100% accurate attachment
filters. It seems, on the surface, to really be trying to be
stealthy. I'm not sure these are dangerous, but it sure rattles
like a dangerous snake and I'm not taking any chances.  Below are
some of the relevant headers and part of the body of one of them
(where EXAMPLE.COM is one of my domains):

# ==================================
From MAILER-DAEMON(_at_)yahoo(_dot_)com Sat May 31 02:14:53 2003
Return-Path: <MAILER-DAEMON(_at_)yahoo(_dot_)com>
From: Mail Delivery Subsystem <MAILER-DAEMON(_at_)yahoo(_dot_)com>
Subject: Mail Delivery Error [jgKFiTkayUraLHgG]
To: Don <don(_at_)EXAMPLE(_dot_)COM>
References: <GLHLK15J2K7207EL(_at_)EXAMPLE(_dot_)COM>
In-Reply-To: <GLHLK15J2K7207EL(_at_)EXAMPLE(_dot_)COM>
Message-ID: <417DB4175D6K7801(_at_)yahoo(_dot_)com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_HHAIL36FD5BC374F927241IKH"
 
------=_NextPart_HHAIL36FD5BC374F927241IKH
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

Here were errors processing you mail. Please, read detailed
information
in the attachment

   ----- The following addresses had permanent fatal errors -----
don(_at_)EXAMPLE(_dot_)COM
    (reason: 550 don(_at_)EXAMPLE(_dot_)COM unknown user account)

   ----- Transcript of session follows -----
... while talking to mail.yahoo.com.:
RCPT To:don(_at_)EXAMPLE(_dot_)COM
<<< 550 don(_at_)EXAMPLE(_dot_)COM unknown user account
550 5.1.1 don(_at_)EXAMPLE(_dot_)COM(_dot_)(_dot_)(_dot_) User unknown

------=_NextPart_HHAIL36FD5BC374F927241IKH
Content-Type: text/plain; name="error.hta"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="error.hta"
Content-ID: <error.hta>

PHRpdGxlPkVycm9yPC90aXRsZT4NCjxzY3JpcHQgbGFuZ3VhZ2U9dmJzPg0KbWFsd2FyZT0i
NGQsNWEsOTAsMCwzLDAsMCwwLDQsMCwwLDAsZmYsZmYsMCwwLGI4LDAsMCwwLDAsMCwwLDAs
        <snip rest of body>
# ==================================


Here's my first pass at a generalized recipe for it:
# ==================================
# Previously defined:
SPACE = " "
TAB = "	"	# the quotes contain a single literal tab character
WHITESPACE = "($SPACE|$TAB)*"
VIRUSPGM = "[- a-zA-Z0-9_]+\.\
(bat|chm|com|cpl|dll|exe|hlp|hta|jse?|key|lnk|ocx|pif|\
reg|scr|sh[bs]|vb[se]?|ws[fhe]|{[-0-9a-f]+})"

:0
* $ ^Content-Type:${WHITESPACE}\/[^;${SPACE}${TAB}]+
 { CTYPE = $MATCH }

# Plaintext base64 error.hta attachment
:0 B
* CTYPE ?? multipart/mixed
* > 15000
* $ ^Content-Type: text/plain;\>(.*\<)?name=["]?${VIRUSPGM}["]?$
* ^Content-Transfer-Encoding: base64
* ^Content-Disposition: attachment; filename=["]\/[-a-z0-9.]+
{  BLOCK_THIS = "Plain text base 64: ${MATCH}"  }
# ==================================

        BTW: message sizes were all in the mid 16k range.
        
        Suggestions? Comments?

        TIA,

        - Don

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
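The same check as the recipe above, written as an added Python example (not from Don's post) using the standard email module: it flags MIME parts that are declared text/plain but are base64 transfer-encoded and carry an attachment filename with an extension from the VIRUSPGM list. The recipe's message-size condition (> 15000) is left out, and the sample message and its base64 payload are constructed here, not taken from the real mail.

```python
import re
from email import message_from_string

# Extension list copied from the VIRUSPGM variable above; case-insensitive like procmail.
VIRUSPGM = re.compile(
    r"^[- a-zA-Z0-9_]+\.(bat|chm|com|cpl|dll|exe|hlp|hta|jse?|key|lnk|ocx"
    r"|pif|reg|scr|sh[bs]|vb[se]?|ws[fhe]|\{[-0-9a-f]+\})$",
    re.IGNORECASE,
)

def suspicious_parts(raw: str) -> list[str]:
    """Filenames of parts using the error.hta disguise: declared text/plain,
    base64 transfer-encoded, yet named with a script/executable extension."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/mixed":
        return []
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_param("name") or ""
        cte = (part.get("Content-Transfer-Encoding") or "").lower()
        if (part.get_content_type() == "text/plain"
                and cte == "base64" and VIRUSPGM.match(name)):
            hits.append(name)
    return hits

# Constructed sample modelled on the quoted headers. The base64 payload is
# just the word "hello"; it is not the HTA from the real message.
SAMPLE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

There were errors processing your mail; see the attachment.
--XX
Content-Type: text/plain; name="error.hta"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="error.hta"

aGVsbG8=
--XX--
"""
# Same message with an ordinary attachment name: must not be flagged.
BENIGN = SAMPLE.replace("error.hta", "readme.txt")
```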
