Martin,

Please refer to 'http://en.wikipedia.org/wiki/MIME', section 'Encoded-Word'.

>>Content-Type: text/plain; charset=UTF-8;  
>>name="=?UTF-8?B?PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PnRlcy50eHQ=?="
>>Content-Transfer-Encoding: 7bit
>>Content-Disposition: attachment;
>> filename="=?UTF-8?B?PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PnRlcy50eHQ=?="


I have encoded the harmful filename '<script>alert(1)</script>tes.txt' in 
base64 and added it to the email, as this is allowed in email headers per 
RFC 2047 and is a valid form.

This is bypassing the spam rule that you created earlier and posted.

Moreover in the following rule that you posted:

>>describe   SCRIPTED_NAME Attachment name or filename is a script
>>mimeheader __SCRIPTN1    Content-Type =~ /name.*\=.*<script>/
>>mimeheader __SCRIPTN2    Content-Disposition =~ /filename.*\=.*<script>/
>>meta       SCRIPTED_NAME (__SCRIPTN1 || __SCRIPTN2)
>>score      SCRIPTED_NAME 6.0

Does 'mimeheader' decode header values if they are encoded in one of the 
allowed email header forms?

And what forms can it decode?

I could not find relevant SpamAssassin documentation on 'mimeheader'.

Thanks
Ashish
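As an added illustration (not code from this thread or from SpamAssassin itself), the Python below decodes RFC 2047 encoded-words in the quoted attachment headers and runs the same two regexes from the rule against both the raw and the decoded header text, which is what separates the bypass from a hit; the sample message and the helper names are constructed here.

```python
import base64
import email
import quopri
import re
# Constructed sample reproducing the attachment headers quoted in the thread.
RAW_MESSAGE = b"""MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=UTF-8;
 name="=?UTF-8?B?PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PnRlcy50eHQ=?="
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="=?UTF-8?B?PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PnRlcy50eHQ=?="

payload
--b1--
"""
# The two mimeheader patterns from the rule quoted in the thread.
SCRIPTN1 = re.compile(r"name.*=.*<script>")
SCRIPTN2 = re.compile(r"filename.*=.*<script>")
# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")

def unfold(value: str) -> str:
    """Join folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def decode_encoded_words(value: str) -> str:
    """Replace each RFC 2047 encoded-word with the text a mail client shows."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(payload)
        else:  # Q encoding: quoted-printable where '_' stands for a space
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, value)

def find_scripted_names(raw: bytes, decode: bool = True) -> list:
    """Return Content-Disposition of flagged parts; decode=False checks raw text."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        ctype = unfold(part.get("Content-Type", ""))
        cdisp = unfold(part.get("Content-Disposition", ""))
        if decode:
            ctype, cdisp = decode_encoded_words(ctype), decode_encoded_words(cdisp)
        if SCRIPTN1.search(ctype) or SCRIPTN2.search(cdisp):
            hits.append(cdisp)
    return hits
```

Run against the sample, the raw-text check returns nothing while the decoded check flags the attachment, so a rule that wants to catch this has to match on decoded header values.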

-----Original Message-----
From: Martin Gregorie [mailto:mar...@gregorie.org]
Sent: Friday, March 22, 2013 7:17 PM
To: users@spamassassin.apache.org
Subject: Re: Checking for email attachment name for containing Javascript code 
that could get potentially executed when displayed on a webpage.

On Thu, 2013-03-21 at 09:40 +0000, Sharma, Ashish wrote:

> What would be the change in spam rule if the Content-Disposition field 
> is mime word encoded as per RFC 2047 ?
> 
> Please find the sample eml at:
> 
> http://pastebin.com/FLjzCsUZ
> 
What's the problem with this message? The portion you've posted contains only 
text/plain and text/html parts: neither is harmful on the face of it and, 
unlike the message my rule was meant to catch, neither the name nor the filename 
of the attachment is obviously executable or otherwise harmful.

Did you obfuscate the various names and e-mail addresses in the message?
If so, you've probably removed anything that might be distinctive enough to 
write rules against.

Martin
