[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] WMFs blocked with MIME
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] WMFs blocked with MIME
- From: "lsi" <stuart@xxxxxxxxxxxxxx>
- Date: Thu, 05 Jan 2006 13:35:36 -0000
Preliminary testing reveals that emails containing WMF files can be
blocked by filtering for the MIME-encoded WMF header. This approach
works even if the file is called WORD.DOC. The string to check for
is:
183GmgAA
These 8 bytes appear as the first 8 bytes of a MIME-encoded WMF.
Thus, blocking all emails with those bytes in will block all emails
containing WMFs.
This technique can be used with common spam filters.
Regarding web-based WMFs, of the three browsers on this system, only
IE knows what to do with WMFs. Fortunately, I don't use IE. This
is, however, one more reason I can use to convince my customers to
dump it.
Stu
---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/