Spam using Compatible ID (CID) reference "src="cid:" in HTML pass unde

Alan (Guest Group)
Posted: 06 August 2003 at 2:32pm

I have found that some spam seems to pass through undetected that uses attached inline images via "src="cid:" in HTML. I added this string specifically in the Keyword blacklist but it seems to have no effect on stopping them. They still pass through. I even sent a test email inbound with "src="cid:" as part of the content and it passed through the keyword filtering with no problem. Apparently auto-executable code can also be inserted this way. Microsoft says this is "a compatible ID (CID) reference" on http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q270922 - it is currently being used by worms such as W32/Badtrans.B in the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp for more information on the exploit and MIME header themselves and a patch, update your anti-virus definitions, and scan/disinfect your systems.

LogSat (Admin Group)
Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

Alan,

Can you please post the full contents of such an email, headers and body included? We usually find this easier to do with Outlook Express or any client other than MS Outlook...

Roberto Franceschetti

Alan (Guest Group)

Roberto,

I will forward a sample of these emails with headers to you directly. Interesting thing is when I forward one of these to myself and then look at the code again, that piece of code has changed from `<IMG SRC="cid:pic1.jpg" ALT="">` to `<IMG alt="" src="ATT-0-ACDD296DD95B814393991EC7713B6FD9-pic1.jpg">`

Desperado (Senior Member)
Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143

Alan,

You cannot simply "forward" a message and keep the original source intact. This is a mistake many people fall prey to. When you forward a message, you are forwarding a "rendered" version. What happened is your mail client only displays the actual message as it was intended to be seen ... all comments and extraneous code removed. That is what ends up being forwarded. As to Roberto's comment about Outlook, what he is referring to is that Outlook "outsmarts" you and it is nearly impossible to get the actual, un-rendered source. In Outlook Express, however, if you right click on the message (not in the preview pane) and select details and the message source, you will be able to copy the actual source to send off to him. I save to notepad, and zip it just to be sure.

Regards,
Dan S
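
An added example, not part of the original thread or of the filter product discussed: Python that works on the un-rendered message source, decodes the HTML part, and resolves each `cid:` reference to the MIME part it names. The sample message is constructed, and its quoted-printable encoding is an assumption chosen to show one way a literal match on raw bytes can miss `src="cid:`; the thread does not establish why the keyword filter missed it. The names `cid_report` and `raw_keyword_hit` are hypothetical.

```python
import re
from email import message_from_bytes, policy

# Constructed sample, not a real message. The HTML part is quoted-printable
# (an assumption), so the raw bytes hold SRC=3D"cid:..." not SRC="cid:...".
RAW = (b'MIME-Version: 1.0\r\n'
       b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
       b'--b1\r\n'
       b'Content-Type: text/html; charset="us-ascii"\r\n'
       b'Content-Transfer-Encoding: quoted-printable\r\n\r\n'
       b'<HTML><BODY><IMG SRC=3D"cid:pic1.jpg" ALT=3D""></BODY></HTML>\r\n'
       b'--b1\r\n'
       b'Content-Type: image/jpeg; name="pic1.jpg"\r\n'
       b'Content-ID: <pic1.jpg>\r\n'
       b'Content-Transfer-Encoding: base64\r\n\r\n'
       b'/9j/4AAQSkZJRg==\r\n'
       b'--b1--\r\n')

# Tag name, then a src/background attribute whose value starts with cid:
CID_REF = re.compile(
    r'<\s*(\w+)\b[^>]*?\b(?:src|background)\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)

def raw_keyword_hit(raw, keyword=b'src="cid:'):
    """Literal match on undecoded bytes, as a naive keyword filter would do."""
    return keyword in raw.lower()

def cid_report(raw):
    """Decode each HTML part, list its cid: references and the parts they name."""
    msg = message_from_bytes(raw, policy=policy.default)
    by_cid, refs = {}, []
    for part in msg.walk():
        if part.get('Content-ID'):
            by_cid[str(part['Content-ID']).strip().strip('<>')] = part
        if part.get_content_type() == 'text/html':
            refs += CID_REF.findall(part.get_content())  # transfer-decoded text
    report = []
    for tag, cid in refs:
        target = by_cid.get(cid)
        is_image = target is not None and target.get_content_maintype() == 'image'
        report.append({
            'tag': tag.lower(), 'cid': cid, 'resolved': target is not None,
            'type': target.get_content_type() if target is not None else None,
            'filename': target.get_filename() if target is not None else None,
            # Anything other than <img> pointing at an image/* part gets flagged.
            'review': tag.lower() != 'img' or not is_image,
        })
    return report

if __name__ == '__main__':
    print(raw_keyword_hit(RAW), cid_report(RAW))
```

Run it against source saved the way Dan describes (the message source copied to a text file), not against a forwarded copy, since forwarding rewrites the `cid:` reference.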