Bypassing Content Filtering Software (Exploit)

Credit:
The information has been provided by Aidan O'Kelly

There are many ways you can get past mail filtering systems, because most of them will not emulate the exact behavior of the e-mail clients, especially if you have multiple clients. One of the most effective methods against Outlook/Outlook express is to just name the file

eviltrojan."e"x"e

Outlook/OE will just take the quotes out of the filename before it's executed.

Of course, most filtering systems will scan the file and recognize it as an executable(PE) and disallow it (same goes for VBS/JS files etc, they usually look for very common VB or JS code) but it is pretty obvious that they do not recognize all executable content (Like .bat files?) (Alternatively, encoded data as mentioned in the advisory).

One other thing, Outlook/OE will sometimes give an attachment that has no name a name, depending on the content-type, mostly all non-dangerous types. I.e. if you have a wav attachment, but it has no filename (in the MIME headers) but it has a content-type: audio/x-wav it will name it ATT00xxx.wav. This will work with .hta files if you don't name them and give them content-type=application/hta

Read more code
**Hidden Content: To see this hidden content your post count must be 1 or greater.**