Howto filter javascript in mail-data?


L3 Networker

It seems not to be possible to write a custom signature that filters out JavaScript in mails.

The challenge is to avoid something like this:

#> telnet server 25

helo willi

mail from:<otto@lbsost.de>
rcpt to:<m.huels@lbswast.de>
data
From: Mannis Emailcheck <otto@lbsost.de>
To: willi@lbswist.de
X-Mailer: Mein Mailer 
Subject: test fuer javascript
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Real-Name: otto.lbsost.de

<html>
<body>
<A HREF="javascript:void(0)"
onclick="window.open('http://www.dackel.de','OK-Link')">
OK</A>
<script>alert("Virus - please click here to exploit your computer")</script>

</body>
</html>

.

quit

I tried

.*(220 mail).*(.de ESMTP).*(\x3c\x).*([sS][cC][rR][iI][pP][tT])

as a data pattern. But if I put this data pattern in a data filtering rule, it only filters in attachments and not in the mail text itself.

Defined as spyware or vulnerability signature, you can only set

pattern-match -> smtp-req-argument

pattern-match -> smtp-resp-content

pattern-match -> unknown-req-tcp-payload

I will trial-and-error this parameter in the next few days (because it's a lengthy process to install new rules on the firewall 😉) and report the results in this thread.

so long

Manfred

3 REPLIES

L3 Networker

pattern-match -> smtp-resp-content does not work.

I've tried email header and email body pattern matches from the custom data patterns and it's worked in the past. Can you try creating a custom data pattern?

I tried to set the custom data pattern in a data filtering rule, which did not work.

Perhaps PA covers the SMTP header and the data body in two different matching machines? If so, I would have to set two patterns. But although ".*(\x3c\x[sS][cC][rR][iI][pP][tT])" has 7 bytes, you cannot install it because it is too short. ".*(<script)"  and ".*(\x3c\xscript)" are both malformed; "script" has only 6 bytes and again would not be sufficient for this case.
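
The check this thread is after, done at the MIME layer instead of as a byte pattern, as an added example that is not part of the original posts and not a firewall feature: each text/html part is decoded before looking for script tags, event-handler attributes and javascript: URIs, so a base64-encoded copy of the same body is still caught. The function names and the base64 sample are constructed for illustration, and it assumes a host that sees the complete message, such as a mail gateway or content filter.

```python
import base64
import re
from email import message_from_string, policy
from html.parser import HTMLParser

class ScriptFinder(HTMLParser):
    """Records active-content indicators found in one HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "script":
            self.findings.append("script-tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("event-handler:" + name)
            # Browsers ignore whitespace and control characters inside the URI scheme.
            elif value and re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:"):
                self.findings.append("javascript-uri:" + name)

def scan_message(raw):
    """Return indicators from every text/html part, after transfer decoding."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ScriptFinder()
        finder.feed(part.get_content())  # undoes base64 / quoted-printable and the charset
        finder.close()
        findings.extend(finder.findings)
    return findings

def raw_match(raw):
    """Byte-level check, comparable to a pattern on the undecoded SMTP data."""
    return re.search(r"<script", raw, re.IGNORECASE) is not None

# Constructed samples: the thread's HTML body, sent 7bit and again as base64.
HTML = ('<html><body><A HREF="javascript:void(0)" '
        "onclick=\"window.open('http://www.dackel.de','OK-Link')\">OK</A>"
        '<script>alert("test")</script></body></html>')
HEADERS = ("From: otto@lbsost.de\nTo: willi@lbswist.de\nSubject: test fuer javascript\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=iso-8859-1\n")
PLAIN = HEADERS + "Content-Transfer-Encoding: 7bit\n\n" + HTML + "\n"
B64 = (HEADERS + "Content-Transfer-Encoding: base64\n\n"
       + base64.encodebytes(HTML.encode("latin-1")).decode("ascii"))

if __name__ == "__main__":
    for label, raw in (("7bit", PLAIN), ("base64", B64)):
        print(label, raw_match(raw), scan_message(raw))
```

The byte-level pattern matches only the 7bit sample, while the decoded scan reports the same three indicators for both.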
