Full Disclosure mailing list archives
Re: MyDoom-M evades attachment filters
From: "Marek Isalski" <Marek.Isalski () smuht nwest nhs uk>
Date: Tue, 27 Jul 2004 11:45:10 +0100
"lsi" <stuart () cyberdelix net> 27/07/2004 11:14:20 >>>
My current thoughts are something like this:

U.*E.*s.*D.*B.*A.*o.*A.*A.*

Still got newline prob though.

Careful -- that (corrected) regexp will overoptimistically match strings like:

'United Arab Emirates branch seeks Data Base Administrator to work in providing supporting "Follow-Up" project in Alcoholics Anonymous.'

You probably want to use a regexp matcher that doesn't care about newlines -- i.e. it treats the whole MIME attachment as one big string, and you just search for U[:white:]E[:white:]...

Though it could be possible that other malformed MIME is accepted by mail clients' parsers but fails your regexp match. Perhaps [:white:] should really be [^A-Za-z0-9./] (i.e. a regexp matching characters which aren't valid Base64).

Regards,
Marek

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
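
The difference between the quoted pattern and the tightened one suggested in the reply, as an added example that is not part of the original message. It assumes the standard Base64 alphabet (A-Z, a-z, 0-9, +, / and = padding) for the filler class, and all sample strings are constructed.

```python
import re

# Letters taken from the regexp quoted in the thread.
SIGNATURE = "UEsDBAoAA"

# Assumption of this example: the Base64 alphabet is A-Z a-z 0-9 + / with "="
# padding; every other character counts as ignorable filler.
FILLER = r"[^A-Za-z0-9+/=]"

# Loose form quoted in the thread: any run of characters between the letters.
LOOSE = re.compile(".*".join(re.escape(c) for c in SIGNATURE), re.DOTALL)

# Tightened form from the reply: only filler between the letters. A negated
# class also matches CR and LF, so line folding needs no special handling.
TIGHT = re.compile((FILLER + "*").join(re.escape(c) for c in SIGNATURE))


def loose_match(body: str) -> bool:
    return LOOSE.search(body) is not None


def tight_match(body: str) -> bool:
    return TIGHT.search(body) is not None


def stripped_match(body: str) -> bool:
    """Same test done by normalising first: drop filler, then plain search."""
    return SIGNATURE in re.sub(FILLER, "", body)


# Constructed samples (not captured traffic).
SAMPLES = {
    "prose": ('United Arab Emirates branch seeks Data Base Administrator to '
              'work in providing supporting "Follow-Up" project in Alcoholics '
              'Anonymous.'),
    "folded": "U E s D\r\nB A\to A A",    # letters split by whitespace
    "unbroken": "UEsDBAoAAAAAAA==",       # same letters, no filler
    "other": "SGVsbG8gd29ybGQ=",          # Base64 of "Hello world"
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9} loose={loose_match(body)!s:5} "
              f"tight={tight_match(body)!s:5} stripped={stripped_match(body)}")
```
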