Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

WMFs blocked with MIME
From: "lsi" <stuart () cyberdelix net>
Date: Thu, 05 Jan 2006 13:35:36 -0000
Preliminary testing reveals that emails containing WMF files can be 
blocked by filtering for the MIME-encoded WMF header.  This approach 
works even if the file is called WORD.DOC.  The string to check for 
is:  

183GmgAA

These 8 bytes appear as the first 8 bytes of a MIME-encoded WMF.  
Thus, blocking all emails with those bytes in will block all emails 
containing WMFs.  

This technique can be used with common spam filters.  

Regarding web-based WMFs, of the three browsers on this system, only 
IE knows what to do with WMFs.  Fortunately, I don't use IE.  This 
is, however, one more reason I can use to convince my customers to 
dump it.  

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]