
Klez Filters
Eudora Tip #140/03-Jul-2002

Tip #139, 26-Jun-2002, explained how to use the Blah Blah Blah button to reveal the real sender of the Klez worm.

When you use that button to reveal the extended headers you’ll also see the body of the message change: you can now see the HTML code which underlies the message.

Here’s one of my recent virus-containing messages as I originally saw it:

This is a new website I wish you would enjoy it. Content-Type: audio/x-midi;
name=vide.scr
Content-ID: <U80223Pl02>

This is what it really says though:

<x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><HTML><HEAD></HEAD><BODY>

<iframe src=cid:U80223Pl02 height=0 width=0> </iframe>

<FONT>This is a new website [etc]

Now, the important part of all that is: <iframe src=cid:

Kaitlin Duck Sherwood, author of Overcome Email Overload with Eudora 5, (see Tip #132/08-May-2002) was kind enough to suggest that these kinds of virus-bearing messages can fairly reliably be filtered if we use that part of the body as the search term.

Here’s what she suggests:

It’s actually pretty easy to filter that class of virus. Look for

<iframe src=cid:

That’s HTML for “launch this attachment” and is a weakness in Internet Explorer (used by Outlook, Outlook Express, and Windows-Eudora by default).

Now, setting up a filter to look for that exact string in an email message is probably both over- and under-kill. “Over-” because you probably don’t need the whole thing; “under-” because a Bad Guy could add spaces or quotation marks to foil the filter, like so:

< iframe src="cid:mooo23847">

Just

iframe

or just

src=cid:

would catch the virii, but very very few legitimate messages.

If you want to be really careful, look in the body of the message for both

iframe

and

cid:

Kaitlin’s website is here:

<http://www.OvercomeEmailOverload.com/eudora/html/>
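To show how Kaitlin’s two-term filter behaves on real MIME, here is an added example (my own illustration, not Eudora’s filter engine or anything from her book): it decodes every text part of a message and flags it only when both "iframe" and "cid:" appear in the body, matching case-insensitively so the spacing and quoting trick above does not slip past. The three messages are constructed samples, not captured Klez mail; the first copies the Content-ID layout shown earlier in this Tip.

```python
import email
from email import policy

# Constructed sample: HTML body plus the .scr attachment referenced by Content-ID,
# laid out like the Klez message shown earlier in this Tip.
KLEZ_LIKE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n\n'
    "--b1\nContent-Type: text/html\n\n"
    "<HTML><BODY><iframe src=cid:U80223Pl02 height=0 width=0> </iframe>\n"
    "<FONT>This is a new website I wish you would enjoy it.</BODY></HTML>\n"
    "--b1\nContent-Type: audio/x-midi; name=vide.scr\n"
    "Content-ID: <U80223Pl02>\nContent-Transfer-Encoding: base64\n\n"
    "TVo=\n--b1--\n"
)

# Constructed sample using the space-and-quotes variation the Tip warns about.
EVADED = (
    "MIME-Version: 1.0\nContent-Type: text/html\n\n"
    '<html><body>< IFRAME src="cid:mooo23847"></IFRAME>hi</body></html>\n'
)

# Constructed legitimate HTML mail: no iframe, no cid: reference.
LEGIT = (
    "MIME-Version: 1.0\nContent-Type: text/html\n\n"
    "<html><body><p>Lunch at <b>noon</b>?</p></body></html>\n"
)


def body_text(raw: str) -> str:
    """Return the decoded text of every text/* part, joined together.

    Non-text parts (the .scr attachment) are skipped: the filter looks at
    the HTML that launches the attachment, not at the attachment itself.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )


def looks_like_klez(raw: str) -> bool:
    """Kaitlin's careful filter: body must contain BOTH 'iframe' and 'cid:'.

    Searching for the two words separately (and ignoring case) is what
    defeats the added spaces and quotation marks in the evaded form.
    """
    text = body_text(raw).lower()
    return "iframe" in text and "cid:" in text
```

The two-word test is deliberately loose; an HTML newsletter that embeds an inline image via cid: and also uses an iframe would trip it, which is the small false-positive rate the Tip accepts.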

SPECIAL NOTE: No Tip next week as I’m taking a short break this weekend in Rotorua: <http://nz.com/tour/Rotorua/>

If you found this Tip useful you definitely need my ebooks Sizzling Safari Tips for Mac Users & 22 Tempting Timesavers for Mac Users. And remember to subscribe for regular Tips.
