[Mailman-Users] Know of a good anti-virus filter?
Norbert Bollow
nb at thinkcoach.com
Fri Jun 1 16:44:36 CEST 2001
> I'm wondering if you could recommend a good anti-virus filter/scanner
> thing that I can use to scan the mail going through my lists, ideally
> one that would alert me and/or the list admin before sending out mail
> that was potentially infected.
Stripping all attachments is certainly a good start. Then it
has recently been pointed out on Bugtraq that it is possible
to infect users of web-mail systems such as hotmail or yahoo
by means of malicious URLs (see below). Because I haven't
gotten around to learning how to do it in Python, I filter in
a little Perl script on the regular expression

/https?:\S*(%3a|\:)(%2f|\/)(%2f|\/)/i

(I'd certainly appreciate a patch for Mailman that makes it hold
messages which contain such suspicious URLs).

Greetings, Norbert.
--snip------------------------------------------------------------
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq at securityfocus.com>
List-Help: <mailto:bugtraq-help at securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe at securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe at securityfocus.com>
From: mparcens at hushmail.com
Date: Wed, 30 May 2001 19:18:08 -0500 (EDT)
To: bugtraq at securityfocus.com
Content-type: multipart/mixed; boundary="Hushpart_boundary_dAfMJfpqUApfpvnobyxrXSpSoIJaULVu"
Subject: Yahoo/Hotmail scripting vulnerability, worm propagation
--Hushpart_boundary_dAfMJfpqUApfpvnobyxrXSpSoIJaULVu
Content-type: text/plain
Title: Yahoo/Hotmail scripting vulnerability, worm propagation
Synopsis
Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate
a Melissa-type worm through those webmail services.
Description
An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the
email is a link to yahoo or hotmail's own server. The link contains escaped
javascript that is executed when the page is loaded. That javascript then
opens a window that could navigate through the victim's inbox, sending messages
with the malicious link to every email address it finds in the inbox. Because
the malicious javascript executes inside a page from the mail service's
own server, there is no domain-bounding error when the javascript is controlling
the window with the victim's inbox.
Who is vulnerable
Users of the Yahoo Mail and Hotmail service. Although the exploit requires
a user to click on a link, two things work for this exploit. (1) The email
comes from a familiar user (sent by the worm), and (2) The link is to a
familiar, trusted server. Theoretically, more services are vulnerable, due
to the proliferation of these holes, but the worm is limited to web mail
services.
Proof-of-Concept
Sample links and the worm code can be found at: http://www.sidesport.com/webworm/
Solution
Escaping all query data that is echoed to the screen eliminates this problem.
This must be done on every page on a server that can send or read mail for
the service.
Vendor Status
Both Yahoo and Hotmail were notified on May 23 2001.
-mparcens
mparcens at hushmail.com
Free, encrypted, secure Web-based email at www.hushmail.com
--Hushpart_boundary_dAfMJfpqUApfpvnobyxrXSpSoIJaULVu--
IMPORTANT NOTICE: If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.
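
The post asks for a Python equivalent of the Perl filter. The following is an added example, not code from the original post or from Mailman: it applies the same regular expression to the decoded text parts of a message, so a URL inside a base64 or quoted-printable body is still seen. The function names and sample messages are assumptions made for illustration, and wiring the result into Mailman's hold queue is not shown.

```python
import base64
import re
from email import message_from_bytes, policy

# The post's pattern in Python syntax: an http(s) URL that contains a further
# "://", literal or percent-encoded (any mix of ":", "%3a", "/", "%2f").
SUSPICIOUS_URL = re.compile(r"https?:\S*(?:%3a|:)(?:%2f|/)(?:%2f|/)", re.IGNORECASE)


def suspicious_urls(raw_message: bytes) -> list[str]:
    """Return every pattern match found in the decoded text parts."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments
        try:
            # Undoes base64 / quoted-printable and applies the charset.
            text = part.get_content()
        except LookupError:
            # Unknown charset label: fall back to a lossless byte mapping.
            text = part.get_payload(decode=True).decode("latin-1")
        hits.extend(m.group(0) for m in SUSPICIOUS_URL.finditer(text))
    return hits


def should_hold(raw_message: bytes) -> bool:
    """True if the message should go to a moderator instead of the list."""
    return bool(suspicious_urls(raw_message))


# Constructed sample messages (example.test hosts are placeholders).
SAMPLE_BODY = "See http://mail.example.test/go?next=http%3A%2F%2Fother.example.test/ now\n"
SAMPLE_ENCODED = (
    b"From: someone@example.test\r\nSubject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(SAMPLE_BODY.encode()) + b"\r\n"
)
SAMPLE_PLAIN = (
    b"From: someone@example.test\r\nSubject: constructed sample\r\n\r\n"
    b"Docs are at https://example.test/a/b\r\n"
)

if __name__ == "__main__":
    for name, raw in (("encoded", SAMPLE_ENCODED), ("plain", SAMPLE_PLAIN)):
        print(name, should_hold(raw), suspicious_urls(raw))
```

Running the pattern over the raw bytes of the base64 sample finds nothing, which is why the parts are decoded first.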