[Mimedefang] javascript in html attachments

Paul Whittney pwhittney at net.bacconsulting.com
Fri Mar 5 13:54:50 EST 2004


I've recently seen an email (only one though, which is odd), with spam
in it, but hidden inside a javascript message. The email body seems very
light, just a simple subject, and simple "you file attached" in it.

The javascript creates two arrays, one about 800 items long, and a
second 100 or so element list. Next it creates a string from the 800-odd
items (which don't convert to character codes directly), but its value is
xor'ed with items from the second array, which does create a valid character
code. Then opens up a document window, and writes out the java string.
Thankfully, after converting it to perl, I found it was spam for
enlargement of (well, you get the idea ;-). But the issue was that the
spam checking didn't look at the attachment (or is that something wrong
with my filter?), but I'm not complaining, just wanted to show people
that this can happen to good well-known attachments. (sorry if it's old
news... but I had never seen it before).

What concerns me, is that the email script could use random variable
words, so just scoring on words may miss it. I'm also concerned that
this will escalate into "Block all htm/html files", which seems to be
heading towards the mentality of "block every attachment". I would zip
it, but people have decided they are bad too.. My rules for blocking
attachments are: if the code could be executed with a simple double
click in outlook (pif, scr, exe, com, bat, etc...), then I should
do all I can to prevent users from getting them, and even force them
to use zips, or get them to rename files to e_x_e, which requires at
least two double clicks to run something (what about self
extracting zips, do they actually come as exe's?)

Am I right that the filter wouldn't check this attachment under
spamAssassin?

Here's a fragment (humanDefanged, of course..)
----- start ----
[ARROW]script language="JavaScript"[ARROW]
oblivious = new Array(244,
41,210,10,56,163,31,233,220,219,17,
123,85,107,103,81,196,161,22,86,200,
100,165,189,45,43,109,74,82,177,127,
57,10,127,218,110,153,58,82,144,18,
58,131,61,4,65,190,75,98,158,185,
37,53,212,12,130,66,208,64,61,172,
...
60,144,104,172,180,246,18,77,121,159,
144,224,174,77);
levying = new Array(200,
97,134,71,116,157,18,227,224,153,94,
63,12,85,106,91,248,209,54,55,164,
...
catheter = 825;
Cromwellian = 235;
var enema = "";
for(littler = 0; littler < catheter; littler++)
  enema = enema + String.fromCharCode(oblivious[littler] ^
     levying[littler % Cromwellian]);
document.write(enema);
[ARROW]/script[ARROW]
----- end ------

Sorry for the train of thought being horrid tangents, so many things
going on at once.... Just hope this info helps someone..

-Paul Whittney
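The post describes a JavaScript XOR loop (data array, key array, a modulus, String.fromCharCode, document.write) that hides the real text from a word-based spam scorer. The Python script below is an added example for the defender side; it is not from the post and not part of MIMEDefang or SpamAssassin. It statically extracts the arrays and the XOR loop from an HTML attachment, decodes what the script would have written into the page, and returns the visible body plus the decoded payload so a content scanner can score all of it. The sample attachment, its plaintext, its key and the helper names are constructed here for the example.

```python
import re

# Constructed sample: the key and plaintext below are made up for this example;
# the script shape (two arrays, a length, a modulus, a fromCharCode/XOR loop,
# document.write) mirrors the defanged fragment quoted in the post.
SAMPLE_PLAINTEXT = "constructed sample: text that was hidden from the word scorer"
SAMPLE_KEY = [200, 97, 134, 71, 116, 157]


def build_sample_attachment(plaintext, key):
    """Produce an HTML attachment obfuscated the same way, to exercise the decoder."""
    data = [ord(c) ^ key[i % len(key)] for i, c in enumerate(plaintext)]
    return (
        '<html><body>Your file is attached.\n'
        '<script language="JavaScript">\n'
        f'oblivious = new Array({",".join(map(str, data))});\n'
        f'levying = new Array({",".join(map(str, key))});\n'
        f'catheter = {len(data)};\n'
        f'Cromwellian = {len(key)};\n'
        'var enema = "";\n'
        'for(littler = 0; littler < catheter; littler++)\n'
        '  enema = enema + String.fromCharCode(oblivious[littler] ^\n'
        '     levying[littler % Cromwellian]);\n'
        'document.write(enema);\n'
        '</script></body></html>\n'
    )


# name = new Array(n, n, ...)  -- array name plus its numeric body (may span lines)
ARRAY_RE = re.compile(r'(\w+)\s*=\s*new\s+Array\s*\(([\d\s,]*)\)')
# name = 123;                  -- scalar constants such as the modulus
SCALAR_RE = re.compile(r'(\w+)\s*=\s*(\d+)\s*;')
# String.fromCharCode(data[i] ^ key[i % mod])  -- the decoding step itself
XOR_RE = re.compile(
    r'String\.fromCharCode\(\s*(\w+)\[(\w+)\]\s*\^\s*(\w+)\[\2\s*%\s*(\w+)\]\s*\)'
)


def find_xor_loops(html):
    """Return (data_array, key_array, modulus_name) for each XOR decode loop found."""
    return [(d, k, m) for d, _idx, k, m in XOR_RE.findall(html)]


def is_xor_obfuscated(html):
    """Cheap detector: an XOR fromCharCode loop whose result is written into the page."""
    return bool(find_xor_loops(html)) and 'document.write' in html


def decode_xor_script(html):
    """Statically evaluate each XOR loop and return the strings it would document.write."""
    arrays = {
        name: [int(x) for x in body.split(',') if x.strip()]
        for name, body in ARRAY_RE.findall(html)
    }
    scalars = {name: int(val) for name, val in SCALAR_RE.findall(html)}
    decoded = []
    for data_name, key_name, mod_name in find_xor_loops(html):
        data, key = arrays.get(data_name), arrays.get(key_name)
        if not data or not key:
            continue  # arrays built some other way; leave that case to a real JS engine
        mod = scalars.get(mod_name, len(key)) or len(key)
        chars = []
        for i, value in enumerate(data):
            # JS reads past the end of the key as undefined, and undefined ^ x == x
            k = key[i % mod] if i % mod < len(key) else 0
            chars.append(chr(value ^ k))
        decoded.append(''.join(chars))
    return decoded


def scannable_text(html):
    """Text the spam scorer should see: the visible body plus any decoded payloads."""
    visible = re.sub(r'<script.*?</script>', ' ', html, flags=re.S | re.I)
    visible = re.sub(r'<[^>]+>', ' ', visible)
    return ' '.join(visible.split() + decode_xor_script(html))


if __name__ == '__main__':
    sample = build_sample_attachment(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print('obfuscated:', is_xor_obfuscated(sample))
    print('decoded   :', decode_xor_script(sample))
```

The regexes only recognise the literal-array-plus-XOR shape quoted in the post; a script that builds its arrays by other means falls through untouched, which is why is_xor_obfuscated is worth keeping as a separate flag: a loop of that shape in a mail attachment is suspicious even when the decoder cannot recover the text.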
