Full Disclosure mailing list archives
Re: WMFs blocked with MIME
From: Joachim Schipper <j.schipper () math uu nl>
Date: Fri, 6 Jan 2006 20:43:41 +0100
On Thu, Jan 05, 2006 at 01:35:36PM -0000, lsi wrote:
Preliminary testing reveals that emails containing WMF files can be blocked by filtering for the MIME-encoded WMF header. This approach works even if the file is called WORD.DOC. The string to check for is: 183GmgAA These 8 bytes appear as the first 8 bytes of a MIME-encoded WMF. Thus, blocking all emails with those bytes in will block all emails containing WMFs. This technique can be used with common spam filters. Regarding web-based WMFs, of the three browsers on this system, only IE knows what to do with WMFs. Fortunately, I don't use IE. This is, however, one more reason I can use to convince my customers to dump it.
That depends entirely on what 'MIME encoding' is. Base64? UUencode? BinHex? Quoted-printable? This is not to say that it is a bad point, and it can be useful as a simplistic filter. But it is not more than that - even if you manage to find patterns for all the above, there are numerous compression methods that can be used. Joachim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- WMFs blocked with MIME lsi (Jan 05)
- Re: WMFs blocked with MIME Joachim Schipper (Jan 06)