Spam Filter ISP Support Forum


Spam using Compatible ID (CID) reference "src="cid:" in HTML pass unde

Alan
Guest Group
    Posted: 06 August 2003 at 2:32pm

I have found that some spam that uses attached inline images via "src="cid:" in HTML seems to pass through undetected. I added this string specifically to the Keyword blacklist but it seems to have no effect on stopping them. They still pass through. I even sent a test email inbound with "src="cid:" as part of the content and it passed through the keyword filtering with no problem. Apparently auto-executable code can also be inserted this way.

Microsoft says this is "a compatible ID (CID) reference" on http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q270922 - it is currently being used by worms such as W32/Badtrans.B in the iframe exploit and incorrect MIME header to run automatically on unpatched systems.  See Microsoft Security Bulletin (MS01-020) at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp for more information on the exploit and MIME header themselves and a patch, update your anti-virus definitions, and scan/disinfect your systems.

Why is this not filtered?  As this can be exploited as a virus delivery method it seems especially significant.

LogSat
Admin Group
Joined: 25 January 2005
Location: United States
Posted: 06 August 2003 at 2:58pm

Alan,

Can you please post the full contents of such an email, headers and body included? We usually find this easier to do with Outlook Express or any client other than MS Outlook...

Roberto Franceschetti
LogSat Software

Alan
Guest Group
Posted: 06 August 2003 at 4:26pm

Roberto, I will forward a sample of these emails with headers to you directly.

Interesting thing is when I forward one of these to myself and then look at the code again, that piece of code has changed from

<IMG SRC="cid:pic1.jpg" ALT="">

to

<IMG alt="" src="ATT-0-ACDD296DD95B814393991EC7713B6FD9-pic1.jpg">

 

Desperado
Senior Member
Joined: 27 January 2005
Location: United States
Posted: 06 August 2003 at 11:24pm

Alan,

You cannot simply "forward" a message and keep the original source intact. This is a mistake many people fall prey to. When you forward a message, you are forwarding a "rendered" version. What happened is your mail client only displays the actual message as it was intended to be seen ... all comments and extraneous code removed. That is what ends up being forwarded.

As to Roberto's comment about Outlook, what he is referring to is that Outlook "outsmarts" you and it is nearly impossible to get the actual, un-rendered source.

Outlook Express, however, if you right click on the message (not in the preview pane) and select details and the message source, you will be able to copy the actual source to send off to him.  I save to notepad, and zip it just to be sure.

Regards,

Dan S
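
An added example, not written by any poster in this thread and not the filter's own code: working from the raw message source rather than a forwarded copy, this Python function decodes each HTML part, lists every cid: reference, and checks the MIME part each one points to. The sample message, the function name cid_report and the flag names are constructed for illustration; a literal match for src="cid: against this sample's raw bytes finds nothing, because the HTML part is quoted-printable.

```python
import mimetypes
import re
from email import message_from_bytes, policy

# Constructed sample, not a message from the thread. The HTML part is
# quoted-printable, so the raw source holds SRC=3D"cid:...", not SRC="cid:...".
RAW = b"""\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body><IMG SRC=3D"cid:pic1.jpg">
<iframe src=3D"cid:att2"></iframe></body></html>
--b1
Content-Type: image/jpeg; name="pic1.jpg"
Content-ID: <pic1.jpg>

placeholder
--b1
Content-Type: audio/x-wav; name="sample.exe"
Content-ID: <att2>

placeholder
--b1--
"""
CID_REF = re.compile(r"""<\s*(\w+)[^>]*?\bsrc\s*=\s*["']?cid:([^"'\s>]+)""", re.I)

def cid_report(raw):
    """Return (tag, cid, declared type, filename, flags) for each cid: reference."""
    msg = message_from_bytes(raw, policy=policy.default)
    by_cid = {str(p["Content-ID"]).strip().strip("<>"): p
              for p in msg.walk() if p["Content-ID"]}
    report = []
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        for tag, cid in CID_REF.findall(part.get_content()):  # decoded body
            target, flags = by_cid.get(cid), []
            found = target is not None
            name, ctype = ((target.get_filename(), target.get_content_type())
                           if found else (None, None))
            guess = mimetypes.guess_type(name or "")[0]
            if tag.lower() != "img":
                flags.append("cid-outside-img")   # e.g. an iframe pulling in a part
            if not found:
                flags.append("no-such-part")
            elif guess and guess.split("/")[0] != ctype.split("/")[0]:
                flags.append("type-mismatch")     # extension disagrees with header
            report.append((tag.lower(), cid, ctype, name, flags))
    return report
```

Calling cid_report(RAW) returns one row per reference; the inline image comes back with no flags, while the iframe reference is flagged both for its tag and for a filename that disagrees with the declared Content-Type.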
