MIMAIL with a twist

Mel

Here is the rundown of our incoming MIMAIL infected messages:

1. Hits external server as coming from (e-mail address removed),
(e-mail address removed), (e-mail address removed) or
usersupports##@paypal.com.
2. Routes to internal Exchange 5.5 mail system with Sybari Antigen.
Now shows sender as (e-mail address removed) instead of above.
3. Messages have no attachments.
4. Subject line is empty.
5. Message body contains garbage text beginning with this, but
including 20-30K more garbage.
6. Messages appear to be harmless, however, raising concern as more
Help Desk calls come in and now Paypal scam involved.

------------46734746001E1EB
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear PayPal member,
We regret to inform you that your account is about to be expired in
next five business days. To avoid suspension of your account you have
to reactivate it by providing us with your personal information.
To update your personal profile and continue using PayPal services you
have to run the attached application to this email. Just run it and
follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in
next five business days and you will not be able to use PayPal
anymore.
Thank you for using PayPal.

kkcksiis
------------46734746001E1EB
Content-Type: application/octet-stream; name="www.paypal.com.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="www.paypal.com.pif"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAABQRQAATAEDAA/puD8AAAAAAAAAAOAADwELAQI3AEAAAAAQAAAAUAcAcI8H

Problems:
1. Sender filters don't work as the message sender is changing before
it hits our internal system.
2. Subject filters don't work as the subjects are removed.
3. Attachment filters don't work as the attachment is no longer there.
4. We do not yet have content filtering capability, so cannot filter
on file names appearing in body.
5. We do not have any filtering on our external server.

Is anyone else seeing these messages this way?
What are you doing to block?

Thanks,
Melanie
 
Nick FitzGerald

Mel said:
> Here is the rundown of our incoming MIMAIL infected messages:
> 3. Messages have no attachments.

Hmmmmm -- an interesting claim...

> ------------46734746001E1EB
> Content-Type: application/octet-stream; name="www.paypal.com.pif"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="www.paypal.com.pif"

Looks like a proper MIME-described attachment to me.

Even quite braindead MUAs such as Outlook and OE should show such a message
as having an attachment (assuming there aren't some further levels of MIME
encoding and/or layering from the message headers _and_ that the expected
MIME headers are in the message headers).

> Problems:
> 4. We do not yet have content filtering capability, so cannot filter
> on file names appearing in body.

Really? Does AntiGen not have some more advanced filtering options than
simply throwing message components at one or more virus scanners???

> 5. We do not have any filtering on our external server.

What Email client(s) are in use?? Do you not have one that allows
client-side attachment filtering by file extension, MIME type, etc? Outlook
and OE both have this to some degree (at least in later versions), as do
some third-party Email clients...
 
Mel

Nick FitzGerald said:
> Hmmmmm -- an interesting claim...
>
> Looks like a proper MIME-described attachment to me.
>
> Even quite braindead MUAs such as Outlook and OE should show such a message
> as having an attachment (assuming there aren't some further levels of MIME
> encoding and/or layering from the message headers _and_ that the expected
> MIME headers are in the message headers).
>
> Really? Does AntiGen not have some more advanced filtering options than
> simply throwing message components at one or more virus scanners???

Yes, Antigen does have subject, sender and file filtering, but as for
body content, you need the Spam Manager add-in... We are currently
filtering all .exe, .scr (and many other) file types and, aside from
these MIMAIL messages, we are successfully filtering them.

> What Email client(s) are in use?? Do you not have one that allows
> client-side attachment filtering by file extension, MIME type, etc? Outlook
> and OE both have this to some degree (at least in later versions), as do
> some third-party Email clients...

We are using Outlook 98 and XP. We are seeing this on both versions.
No attachment, just endless pages of junk text as if the .exe has been
incorporated into the body of the message.
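The behaviour Nick describes (a proper MIME-described attachment that a mail client will only list if the top-level multipart headers survive) and the symptom Mel reports (no attachment, just pages of junk text) can both be reproduced with Python's standard `email` package. The following is an added example, not code from the thread or from any product mentioned in it. It assumes the boundary value is the quoted delimiter minus its leading `--`, supplies the blank line and closing delimiter the quoted sample lacks, and uses an assumed extension blocklist. It parses the same two parts once under a declared `multipart/mixed` header and once under a bare `text/plain` header, then runs a body-content check of the kind Mel says her gateway cannot do yet:

```python
"""Added example, not from the thread: why a MIME-described attachment can
reach Outlook as pages of junk text, and a content check that catches it."""
import base64
import email
import os
import re
from email import policy

# The delimiter lines quoted in the thread are "--" + boundary, so the boundary
# value is assumed to be the quoted delimiter minus its two leading dashes.
BOUNDARY = "----------46734746001E1EB"

# The three base64 lines quoted in the thread; the first is built so that it
# is exactly 76 characters long, the usual MIME base64 line length.
MZ_B64 = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" + "A" * 43,
    "AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v",
    "ZGUuDQ0KJAAAAAAAAABQRQAATAEDAA/puD8AAAAAAAAAAOAADwELAQI3AEAAAAAQAAAAUAcAcI8H",
)

# Constructed from the parts quoted in the thread (letter text abridged).  Two
# details the quote lacks are supplied so the body is well formed: the blank
# line before the attachment's data and the closing delimiter.
BODY = f"""--{BOUNDARY}
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear PayPal member,
[...] you have to run the attached application to this email. Just run it
and follow the instructions. [...]
Thank you for using PayPal.

kkcksiis
--{BOUNDARY}
Content-Type: application/octet-stream; name="www.paypal.com.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="www.paypal.com.pif"

{MZ_B64[0]}
{MZ_B64[1]}
{MZ_B64[2]}
--{BOUNDARY}--
"""

def build_message(declare_multipart):
    """Put BODY under minimal top-level headers (empty subject, as reported).
    With declare_multipart=False the multipart header is missing, which is the
    case Nick's caveat describes: the parts are then just body text."""
    headers = "Subject:\nMIME-Version: 1.0\n"
    if declare_multipart:
        headers += f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n'
    else:
        headers += "Content-Type: text/plain; charset=us-ascii\n"
    return (headers + "\n" + BODY).encode("ascii")

def visible_attachments(raw):
    """(filename, content type, decoded bytes) for each part the MIME parser
    recognises as an attachment, i.e. what a mail client would list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        (p.get_filename(), p.get_content_type(), p.get_payload(decode=True))
        for p in msg.walk()
        if p.get_content_disposition() == "attachment"
    ]

# .exe and .scr are types Mel already filters; the other entries are assumed.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# A MIME part header that names a file, found inside a text body.
PART_NAME_RE = re.compile(
    r'(?im)^content-(?:type|disposition):.*?\b(?:file)?name="?([^";\r\n]+)')
# A base64 line long enough to carry an executable header.
B64_LINE_RE = re.compile(r"(?m)^[A-Za-z0-9+/]{40,}=*$")

def hidden_attachments(raw):
    """Content check for the flattened case: scan text/plain bodies for part
    headers naming a blocked file type, and for base64 lines that decode to a
    DOS/PE 'MZ' header.  Returns {"names": [...], "mz_lines": count}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names, mz_lines = [], 0
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_content()
        for m in PART_NAME_RE.finditer(text):
            name = m.group(1).strip()
            if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
                if name not in names:
                    names.append(name)
        for m in B64_LINE_RE.finditer(text):
            try:
                if base64.b64decode(m.group(0), validate=True).startswith(b"MZ"):
                    mz_lines += 1
            except ValueError:
                pass
    return {"names": names, "mz_lines": mz_lines}

if __name__ == "__main__":
    for declared in (True, False):
        raw = build_message(declared)
        seen = [(n, t, len(b)) for n, t, b in visible_attachments(raw)]
        print(f"multipart header {'present' if declared else 'missing'}: "
              f"parser sees {seen}; content check {hidden_attachments(raw)}")
```

With the multipart header present the parser reports one `www.paypal.com.pif` attachment whose decoded bytes begin with the `MZ` executable header; with it missing the parser reports no attachment at all, yet the content check still finds the file name in the embedded part headers and one base64 line decoding to `MZ`. That is the gap between attachment filtering, which depends on the MIME structure the client sees, and content filtering over the body text.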
 
Fowl

> Here is the rundown of our incoming MIMAIL infected messages:
>
> 1. Hits external server as coming from (e-mail address removed),
> (e-mail address removed), (e-mail address removed) or
> usersupports##@paypal.com.
> 2. Routes to internal Exchange 5.5 mail system with Sybari Antigen.
> Now shows sender as (e-mail address removed) instead of above.
> 3. Messages have no attachments.
> 4. Subject line is empty.
> 5. Message body contains garbage text beginning with this, but
> including 20-30K more garbage.
> 6. Messages appear to be harmless, however, raising concern as more
> Help Desk calls come in and now Paypal scam involved.
>
> ------------46734746001E1EB
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> Dear PayPal member,
> We regret to inform you that your account is about to be expired in
> next five business days. To avoid suspension of your account you have
> to reactivate it by providing us with your personal information.
> To update your personal profile and continue using PayPal services you
> have to run the attached application to this email. Just run it and
> follow the instructions.
> IMPORTANT! If you ignore this alert, your account will be suspended in
> next five business days and you will not be able to use PayPal
> anymore.
> Thank you for using PayPal.
>
> kkcksiis
> ------------46734746001E1EB
> Content-Type: application/octet-stream; name="www.paypal.com.pif"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="www.paypal.com.pif"
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
> ZGUuDQ0KJAAAAAAAAABQRQAATAEDAA/puD8AAAAAAAAAAOAADwELAQI3AEAAAAAQAAAAUAcAcI8H
>
> Problems:
> 1. Sender filters don't work as the message sender is changing before
> it hits our internal system.
> 2. Subject filters don't work as the subjects are removed.
> 3. Attachment filters don't work as the attachment is no longer there.
> 4. We do not yet have content filtering capability, so cannot filter
> on file names appearing in body.
> 5. We do not have any filtering on our external server.
>
> Is anyone else seeing these messages this way?
> What are you doing to block?
>
> Thanks,
> Melanie


I got the same Paypal, stopped with Mailwasher.
Now coming as zip files, stopped with Benign.

Told my legit contacts to rename legit files with a made-up
character extension, which is allowed in MW and B9.


Frank
To Reply: madballs64 (at) gmx (dot) net
 