Re: IE URL obfuscation - Detecting at Exchange Servers
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Wed, 24 Dec 2003 16:19:03 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Knowing that people continue to be concerned about the IE URL obfuscation technique, I decided to write up and publish a method of detecting such bad emails on Exchange Servers at reception time. Many people implement something like PostFix to filter email, which is more than capable of detecting such bad URIs, but those of us who use Exchange itself for our SMTP reception don't readily have such features.
However, Exchange 2000 and above does expose an interface which we can work with to implement virtually all of the functionality which PostFix affords us. They're called "Event Sinks", and using CDO they allow us to write an application which can be called during, for example, the OnArrival event in the SMTP server. We can also decide what we want when an event occurs, and based on that filtering, have our application started and passed the message itself (including its SMTP envelope), and the message status.
You can implement as many of these sinks as you like, each one customized to perform a specific task. The application you spawn can be in any language that supports the CDO libraries, so C, VB, VBScript and JScript are all viable (as are many more). Obviously the tighter the code you write the better the whole process will work. Implementing in VBScript, for example, might not work effectively on very large Exchange environments because message processing is effectively stalled while the sink events are processed by their respective applications.
So, I've written up a simple VBScript which implements the OnArrival event and, when passed the incoming message, checks to see if it contains a URI with the evil combination we want to avoid, or detect. The script includes code to abort the delivery, move the message to the badmail directory, or allow the message through. It logs details of any message which contains an evil URI.
Included on the web page that describes the code are links to MSDN articles about Exchange Event Sinks and CDO programming, including the tools you need to implement the script. The script is free to everyone (call it my Christmas present to NTBugtraq); feel free to modify or extend it. If you do implement something new, I'd appreciate seeing a copy of whatever you do (if you don't mind). If anyone is able to convert this script into a tight compiled object, I'd sure appreciate the source to make available also.
Read the description here:
where you'll also find a link to the code. Enjoy, and relax.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
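As an added example (not Russ's script, and not Exchange/CDO code), the same detection step written in Python: parse a received message, pull the links out of every text part, and flag any whose authority section carries userinfo, on the assumption that the "evil combination" is the `http://trusted-name%01@real-host/` form that hid the real host in IE's address bar. The sample message is constructed for the demo.

```python
import re
from email import message_from_bytes
from email.policy import default
from urllib.parse import urlsplit, unquote

# Matches http(s) links in message text; good enough for this demonstration.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def classify_url(url):
    """Return a reason string if the URL looks like the IE obfuscation trick,
    otherwise None. The authority part ("netloc") is split at the last "@":
    anything before it is userinfo, which legitimate links in email almost
    never carry. A control character (%00, %01, ...) in the userinfo is the
    strongest signal, since that is what truncated IE's address-bar display."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    userinfo = unquote(netloc.rsplit("@", 1)[0])
    if any(ord(c) < 0x20 for c in userinfo):
        return "control character before '@' (IE address-bar spoof)"
    return "userinfo in URL authority"

def scan_message(raw):
    """Walk every text/* part of a raw RFC 2822 message and return
    (url, reason) pairs for each suspicious link, in document order."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            reason = classify_url(url)
            if reason:
                hits.append((url, reason))
    return hits

# Constructed sample: one clean link, one %01 spoof, one plain userinfo link.
SAMPLE = b"""From: billing@bank.example
To: user@corp.example
Subject: Verify your account
Content-Type: text/html; charset=us-ascii

<p>Visit <a href="http://www.bank.example/login">our site</a> or
<a href="http://www.bank.example%01@203.0.113.5/login">verify now</a>.</p>
<p>Mirror: http://guest@203.0.113.5/</p>
"""

if __name__ == "__main__":
    for url, reason in scan_message(SAMPLE):
        print(f"FLAGGED {url}: {reason}")   # what the sink would log
```

In the sink itself, a non-empty result is where you would set the message status to abort or badmail instead of letting delivery continue.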