MyDoom

eSafe solution to blocking corrupted MyDoom emails

The problem:
On some occasions, corrupted, non-dangerous samples of MyDoom may not be blocked by eSafe but may still be identified as MyDoom by some anti-virus products.

The reason:
Some samples of MyDoom are corrupt, or are emails that have been bounced back (rejected, for example) by various mail servers. Some of the bounced emails are reconstructed by the mail server: the attached file is encoded in base64 and placed as plain text in the email body. Email client software such as Outlook, Outlook Express and Lotus Notes is unable to open this encoded text as a file, so the end user is not at risk of accidentally running the attachment. In fact, the user will see either garbled text in the email body or an empty attachment. As a side note, we have seen some samples of MyDoom that are so corrupt that they are not detected by any anti-virus product, not even when scanned locally.

eSafe solution
To eliminate most of the corrupted MyDoom emails in eSafe, the following is recommended:

In eSafe eConsole, add one of the following exact strings to the spam email body keywords list:
(The first one should provide a better solution, but you may use either line or even both.)

content-transfer-encoding: base64
or
content-disposition: attachment;

Note:
Make sure the strings are exactly as they appear above, including the semicolon (;) at the end of the second string.

  • It is suggested to select "whole word only", but it should also work if that option is not selected.
  • If eSafe is already configured to use the spam keyword blocking list for the email body, the strings can simply be added.
  • If eSafe is not configured to use the spam keyword list, it can be activated. This procedure will also block spam email. If you are not interested in also blocking spam by keyword, the existing list can be exported to a file for backup and then emptied of all entries except the strings described above.
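The following Python, added here as an illustration and not eSafe's own matching code, reproduces the idea behind the keyword rule: it extracts a message's plain-text body (skipping real MIME attachment parts) and checks whether either recommended string appears there as a whole word, which is the case for a bounce that flattened the original part headers into the body but not for a properly attached file. The two sample messages are constructed, and case-insensitive matching is an assumption about eSafe's behaviour.

```python
import email
import re
from email import policy

# The two strings the advisory says to add to the spam body keyword list
BODY_KEYWORDS = ("content-transfer-encoding: base64", "content-disposition: attachment;")

def body_text(raw):
    # Body = text/plain parts only; a real attachment's part headers are structure, not body.
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain"
                     and p.get_content_disposition() != "attachment")

def matched_keywords(raw):
    # "Whole word only": bounded by whitespace or line edges (\b would not
    # do, as the keywords end in ':' and ';'). Case-insensitivity is assumed.
    text = body_text(raw).lower()
    return [kw for kw in BODY_KEYWORDS
            if re.search(r"(?<!\S)" + re.escape(kw) + r"(?!\S)", text)]

# Constructed sample 1: a bounce whose server flattened the attachment's MIME headers into text
BOUNCE = b"""\
Content-Type: text/plain

Your message could not be delivered. Original message follows:
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.pif"

QUFBQUFBQUE=
"""

# Constructed sample 2: a well-formed message with a real attachment; the rule must not fire
NORMAL = b"""\
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hello Bob, the report is attached.
--XYZ
Content-Type: application/octet-stream; name="report.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.dat"

QUFBQUFBQUE=
--XYZ--
"""
```

Running `matched_keywords(BOUNCE)` returns both strings, while `matched_keywords(NORMAL)` returns an empty list, because a genuine attachment's part headers never reach the text body.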

eSafe CSRT strongly recommends making sure that the following file types are blocked as long as the MyDoom variants are in the wild: .pif, .scr, .zip, .exe, .bat and .cmd.

Important note
  • We cannot guarantee that all instances of corrupted MyDoom emails will be blocked, but so far this solution has been very successful in blocking thousands of malformed MyDoom emails around the world.
  • There is a slight chance that legitimate emails could also be blocked. These occurrences are very rare and include a few reported emails that bounce back from certain mail servers (for example, if the recipient was not found); forwarded emails from unusual email clients could also be blocked. The more common Microsoft Outlook/Outlook Express and Lotus Notes were tested to make sure the new setting does not generate problems.