[unisog] Spamming machines: a mystery dll?

Matt Crawford crawdad at fnal.gov
Mon Sep 29 17:57:46 GMT 2003

> Also, if you have Snort or another IDS/packet capture device
> at your border, you may want to watch for application/hta:
> alert tcp any 80 -> any any (msg:"HTA MIME Content in  
> HTML";content:"Content-Type\:";nocase;content:"application/ 
> hta";nocase;)
> alert tcp any any -> any 25 (msg:"HTA MIME Content in  
> SMTP";content:"Content-Type\:";nocase;content:"application/ 
> hta";nocase;)

The bad guy can hide from that!  Look at RFC 2045, "Multipurpose  
Internet Mail Extensions (MIME) Part One: Format of Internet Message  
Bodies", page 4:

    All of the header fields defined in this document are subject to the
    general syntactic rules for header fields specified in RFC 822.  In
    particular, all of these header fields except for Content-Disposition
    can include RFC 822 comments, which have no semantic content and
    should be ignored during MIME processing.

So the message could say

Content-Type: appl(e pie)ication/h(ope)t(o)a(ttack)

More information about the unisog mailing list