There is an error in qmail-scanner which I consider critical. I have QS configured to block emails which have executable content attached, e.g. *.exe, *.bat and so on. Unfortunately it is possible for an attacker to bypass this. This happens when the name of the attachment itself is encoded. This happened to me last week when I got several mails with a virus which was not recognised by my virus scanners at that time.
I attached an email showing the error. The critical lines are:

Content-Type: application/octet-stream; name="=?koi8-r?B?NC5wZGYuZXhl?="
Content-Disposition: attachment; filename="=?koi8-r?B?NC5wZGYuZXhl?="
Content-Transfer-Encoding: base64

Regards,
Werner

Message-ID: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
From: <[EMAIL PROTECTED]>
To: <my email address>
Subject: =?koi8-r?B?UG9zdGJhbms=?=
Date: Sun, 30 Jan 2005 12:07:39 -0800
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-GMX-Antispam: -2 (not scanned, spam filter disabled)
X-Resent-By: Forwarder <[EMAIL PROTECTED]>
X-Resent-For: my email address
X-Resent-To: my email address
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on gneiss.isc4u.de
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=FORGED_RCVD_HELO, MSGID_OUTLOOK_INVALID,NO_REAL_NAME,SPF_HELO_PASS,SPF_PASS autolearn=no version=3.0.2
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0011_01C45F70.C992BF3E"

------=_NextPart_000_0011_01C45F70.C992BF3E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="koi8-r"

Sehr geehrter Postbankkunde,

In letzter Zeit versenden Betrueger vermehrt eMails, die die Kunden aufford=
ern, Kontonummer, PIN (Persoenliche IdentifikationsNummer) und TAN (Transak=
tionsnummer) preiszugeben. Dabei sind die Absenderadressen der Banken gefae=
lscht.

Der Link in der eMail fuehrt jedoch nicht auf die sichtbare Adresse, sonder=
n auf eine gefaelschte Bankseite. Auf dieser gefaelschten Bankseite bitten =
die Betr=D8ger um Eingabe von Kontonummer, PIN und TAN. Dieser Bankseite fe=
hlen jedoch alle "Echtheitsmerkmale" von Banking-Seiten

Bitte ueberpr=D8fen Sie umgehend mit dem anhangenden Dokument ob Ihr Konto =
gefaehrdet ist!

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
Deutsche Postbank AG
Friedrich-Ebert-Allee 114 - 126
53113 Bonn
Internet: www.postbank.de
Sitz der Gesellschaft: Bonn
HRB 6793, Amtsgericht Bonn
Umsatzsteuer-Identifikationsnummer: DE 169824467
=A9 2004 Deutsche Postbank AG

------=_NextPart_000_0011_01C45F70.C992BF3E
Content-Type: application/octet-stream; name="=?koi8-r?B?NC5wZGYuZXhl?="
Content-Disposition: attachment; filename="=?koi8-r?B?NC5wZGYuZXhl?="
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Attachment deleted -- was detected as ALERT: [TR/Dldr.Vidlo.i virus] Postbank-Virus.txt --> =?koi8-r?B?NC5wZGYuZXhl?= <<< Is the Trojan horse TR/Dldr.Vidlo.i

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
------=_NextPart_000_0011_01C45F70.C992BF3E--
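
Added example, not part of the original post and not qmail-scanner's own code: a Python sketch of an extension check that decodes the attachment name (RFC 2231 parameters and RFC 2047 encoded-words) before matching, and treats an undecodable name as a hit. The BLOCKED_EXT list, the function names and the sample message are assumptions constructed for illustration; only the two attachment headers are taken from the post.

```python
import email
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

BLOCKED_EXT = (".exe", ".bat", ".com", ".scr", ".pif")  # assumed policy list

def decoded_names(part):
    """Yield each attachment name of a MIME part after decoding (None = undecodable)."""
    for param, header in (("filename", "content-disposition"),
                          ("name", "content-type")):
        raw = part.get_param(param, header=header)
        if raw is None:
            continue
        raw = collapse_rfc2231_value(raw)   # RFC 2231 tuple -> plain string
        try:
            # RFC 2047 encoded-word -> text, e.g. =?koi8-r?B?...?=
            yield str(make_header(decode_header(raw)))
        except (HeaderParseError, LookupError, UnicodeError):
            yield None                      # caller fails closed on this

def blocked_attachments(raw_message):
    """Return decoded names that match BLOCKED_EXT; None marks an undecodable name."""
    hits = []
    for part in email.message_from_string(raw_message).walk():
        for name in decoded_names(part):
            if name is None:
                hits.append(None)
                continue
            # Trailing dots and spaces are dropped before comparing the extension.
            clean = name.strip().rstrip(". ").lower()
            if clean.endswith(BLOCKED_EXT) and name not in hits:
                hits.append(name)
    return hits

# Constructed sample; the two attachment headers are the ones quoted in the post.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="=?koi8-r?B?NC5wZGYuZXhl?="
Content-Disposition: attachment; filename="=?koi8-r?B?NC5wZGYuZXhl?="
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

A check applied to the raw parameter value sees a string ending in "?=" and matches nothing; the same check on the decoded name matches.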