We are also seeing a lot of stuff lately where the blackhatzes have played games with the encoding and the mime segments in order to break detection... some sections of messages and even attachments are not being correctly decoded as such and are often not seen by scanners etc... so sometimes software doesn't see and decode the attachment because it is tacked on in such a way as to appear to be text and you get the base64 text of the attachment but not the actual attachment... and then some (enough) email clients work their way through that to infect the target even though the attachment never really made it -- or only sort-of made it.

I know that if you are using Message Sniffer they have started coding rules both ways -- decoded and still abstracted as content (mis-encoded segments). A lot of other systems are simply not seeing stuff though -- because they can't figure out how to decode the attachments... looks like it’s a new vector.

David Barker
Mail’s Best Friend
Email : [email protected]
Web : www.mailsbestfriend.com
Office : 866.919.2075

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Tolmachoff
Sent: Monday, August 10, 2015 12:52 PM
To: [email protected]
Subject: [MBF] Re: HTML attachment got through, why?

PING

I am still seeing these HTML attachments getting through.

-----Original Message-----
From: "John Tolmachoff" <[email protected]>
Sent: Friday, July 17, 2015 10:14am
To: [email protected]
Subject: [MBF] Re: HTML attachment got through, why?

Andy, good question. The body of the email was indeed text/html formatted. And the email was base-64 encoded. The virus was indeed really in the attachment, not in the body.

-----Original Message-----
From: "Andy Schmidt" <[email protected]>
Sent: Friday, July 17, 2015 9:20am
To: [email protected]
Subject: [MBF] Re: HTML attachment got through, why?

I wonder whether these two lines indicate that there were actually two DIFFERENT MIME segments? One was a base-64 encoded attachment of "Invoice.html" - which might have matched your BANEXT and been banned. But the first segment (maybe the body of the email?) was also "[text/html]" formatted. During virus scanning, it was temporarily referred to as "0.html", possibly containing the malicious code. But, since it was the email BODY not actually an attached FILE, it would not have been subject to the BANEXT rule? I guess the question is, was the virus really in the Invoice.html or was it in the "0.html"?
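Added example, not code from Message Sniffer or any other product named in this thread: a Python walk over a constructed message that records every MIME leaf as declared versus what it really holds (which answers the body-vs-attached-file question), and re-decodes a text part whose body is nothing but base64, the mis-encoded segment case described above. The signature list, the sample message and all addresses in it are assumptions.

```python
import base64
import re
from email import message_from_bytes, policy

# Byte signatures for file kinds that commonly arrive disguised as text (assumed list).
SIGNATURES = [(b"<!doctype", "html"), (b"<html", "html"), (b"%PDF", "pdf"),
              (b"PK\x03\x04", "zip"), (b"MZ", "exe")]
# A text body made only of base64 alphabet plus whitespace is a mis-encoded segment candidate.
BASE64_ONLY = re.compile(rb"^[A-Za-z0-9+/\s]{40,}={0,2}\s*$")

def sniff(data):
    """Guess a file kind from the leading bytes, or return None."""
    head = data.lstrip()[:16].lower()
    return next((kind for magic, kind in SIGNATURES if head.startswith(magic.lower())), None)

def inventory(raw):
    """Record, for every MIME leaf, what it claims to be versus what it really holds."""
    parts = []
    for leaf in message_from_bytes(raw, policy=policy.default).walk():
        if leaf.is_multipart():
            continue
        body = leaf.get_payload(decode=True) or b""
        entry = {"declared": leaf.get_content_type(),
                 "disposition": leaf.get_content_disposition() or "inline",
                 "filename": leaf.get_filename(),
                 "kind": sniff(body), "hidden_base64": False}
        # A text/* leaf whose body is a bare base64 blob is decoded a second time, so the
        # file hidden inside it is classified the way a lenient mail client would see it.
        if entry["declared"].startswith("text/") and BASE64_ONLY.match(body):
            try:
                hidden = sniff(base64.b64decode(body, validate=False))
            except ValueError:  # bad padding: not really base64 after all
                hidden = None
            if hidden:
                entry["kind"], entry["hidden_base64"] = hidden, True
        parts.append(entry)
    return parts

def build_sample():
    """Constructed message: an HTML body plus an HTML file smuggled as 7bit plain text."""
    smuggled = base64.b64encode(b"<html><body>fake invoice</body></html>")
    return (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
            b"Subject: Invoice\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/html\r\nContent-Transfer-Encoding: 7bit\r\n\r\n"
            b"<html><body>See attached.</body></html>\r\n"
            b"--b1\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: 7bit\r\n\r\n"
            + smuggled + b"\r\n--b1--\r\n")
```

A scanner that only trusts the declared Content-Type sees one HTML body and one plain-text part here; the second decode is what exposes the smuggled HTML file.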
#############################################################
This message is sent to you because you are subscribed to the mailing list <[email protected]>.
To unsubscribe, E-mail to: <[email protected]>
To switch to the DIGEST mode, E-mail to <[email protected]>
To switch to the INDEX mode, E-mail to <[email protected]>
Send administrative queries to <[email protected]>
