On Wed, 18 Mar 2009, Michael Scheidell wrote:
> both files still exist on the hosts, and neither was identified by
> clamav, and neither triggered any ET (snort) rules, SA didn't trigger
> any rules except these:
> HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,

Isn't there a rule for html mail with no <html> or <body> start tags? That
should have fired, too.

> email that tries to get you to load these here:
> http://pastebin.com/m2fcbe7b5

Thanks for posting the sample.
<plug type="shameless">
My email sanitizer successfully defends against this attack.
</plug>
:)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...to announce there must be no criticism of the President or to
stand by the President right or wrong is not only unpatriotic and
servile, but is morally treasonous to the American public.
-- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
1327 days until the Presidential Election