
Spam using Compatible ID (CID) reference "src="cid:" in HTML pass unde

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=1628
Printed Date: 04 July 2025 at 6:02pm


Topic: Spam using Compatible ID (CID) reference "src="cid:" in HTML pass unde
Posted By: Guests
Subject: Spam using Compatible ID (CID) reference "src="cid:" in HTML pass unde
Date Posted: 06 August 2003 at 2:32pm

I have found that some spam that uses attached inline images via "src="cid:" in HTML seems to pass through undetected. I added this string specifically in the Keyword blacklist but it seems to have no effect on stopping them. They still pass through. I even sent a test email inbound with "src="cid:" as part of the content and it passed through the keyword filtering with no problem. Apparently auto-executable code can also be inserted this way.

Microsoft says this is "a compatible ID (CID) reference" on http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q270922 - it is currently being used by worms such as W32/Badtrans.B in the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp for more information on the exploit and MIME header themselves and a patch, update your anti-virus definitions, and scan/disinfect your systems.

Why is this not filtered?  As this can be exploited as a virus delivery method it seems especially significant.




Replies:
Posted By: LogSat
Date Posted: 06 August 2003 at 2:58pm

Alan,

Can you please post the full contents of such an email, headers and body included? We usually find this easier to do with Outlook Express or any client other than MS Outlook...

Roberto Franceschetti
LogSat Software



Posted By: Guests
Date Posted: 06 August 2003 at 4:26pm

Roberto, I will forward a sample of these emails with headers to you directly.

Interesting thing is when I forward one of these to myself and then look at the code again, that piece of code has changed from

<IMG SRC="cid:pic1.jpg" ALT="">

to

<IMG alt="" src="ATT-0-ACDD296DD95B814393991EC7713B6FD9-pic1.jpg">

 



Posted By: Desperado
Date Posted: 06 August 2003 at 11:24pm

Alan,

You cannot simply "forward" a message and keep the original source intact. This is a mistake many people fall prey to. When you forward a message, you are forwarding a "rendered" version. What happened is your mail client only displays the actual message as it was intended to be seen ... all comments and extraneous code removed. That is what ends up being forwarded.

As to Roberto's comment about Outlook, what he is referring to is that Outlook "outsmarts" you and it is nearly impossible to get the actual, un-rendered source.

In Outlook Express, however, if you right-click on the message (not in the preview pane) and select details and the message source, you will be able to copy the actual source to send off to him. I save to notepad, and zip it just to be sure.

Regards,

Dan S
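
An added example, not part of the thread and not LogSat's code: in a quoted-printable HTML part the raw source writes `=` as `=3D`, so a literal match for `src="cid:` can miss it, and a check has to run on the MIME-decoded part of the raw message source rather than on a forwarded copy. The message below is constructed, `cid_report` is a hypothetical helper, and whether Spam Filter ISP's keyword filter decodes bodies is not stated in the thread.

```python
import email
import mimetypes
import re
from email import policy

# Constructed sample message (not from the thread). The HTML part is
# quoted-printable, so on the wire "=" is written "=3D".
RAW = b"\r\n".join([
    b"Subject: constructed sample",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="b1"',
    b"",
    b"--b1",
    b'Content-Type: text/html; charset="us-ascii"',
    b"Content-Transfer-Encoding: quoted-printable",
    b"",
    b'<HTML><BODY><IMG SRC=3D"cid:pic1.jpg" ALT=3D""></BODY></HTML>',
    b"--b1",
    b'Content-Type: image/jpeg; name="pic1.jpg"',
    b"Content-Transfer-Encoding: base64",
    b"Content-ID: <pic1.jpg>",
    b"",
    b"/9j/4AAQSkZJRg==",
    b"--b1--",
    b"",
])

CID_RE = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.I)

def cid_report(raw: bytes) -> dict:
    """Hypothetical helper: list cid: references found after MIME decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    refs, parts = [], {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = part.get("Content-ID")
        if cid:
            parts[str(cid).strip().strip("<>")] = part
        if part.get_content_type() == "text/html":
            refs += CID_RE.findall(part.get_content())
    findings = []
    for ref in refs:
        part = parts.get(ref)
        declared = part.get_content_type() if part else None
        guessed = mimetypes.guess_type(part.get_filename() or "")[0] if part else None
        # Flag a declared type that disagrees with the attachment's file name.
        findings.append((ref, declared, bool(guessed and guessed != declared)))
    return {"raw_keyword_hit": b'src="cid:' in raw.lower(), "findings": findings}
```

Each finding is a tuple of the referenced Content-ID, the declared content type of the part it resolves to, and whether that type disagrees with the part's file name.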



