Re: IE URL obfuscation - Detecting at Exchange Servers

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 12/24/03

  • Next message: Russ: "Administrivia #30794 - NTBugtraq considered a Power to be considered"
    Date:         Wed, 24 Dec 2003 16:19:03 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Knowing that people continue to be concerned about the IE URL obfuscation technique, I decided to write up and publish a method of detecting such bad emails on Exchange Servers at reception time. Many people implement something like PostFix to filter email, which is more than capable of detecting such bad URIs, but those of us who use Exchange itself for our SMTP reception don't readily have such features.

    However, Exchange 2000 and above does expose an interface which we can work with to implement virtually all of the functionality which PostFix affords us. They're called "Event Sinks", and using CDO they allow us to write an application which can be called during the, for example, OnArrival event in the SMTP server. We can also decide what we want when an event occurs, and based on that filtering, have our application started being passed the message itself (including its SMTP envelope), and the message status.

    You can implement as many of these sinks as you like, each one customized to perform a specific task. The application you spawn can be in any language that supports the CDO libraries, so C, VB, VBScript and JScript are all viable (as are many more). Obviously the tighter the code you write the better the whole process will work. Implementing in VBScript, for example, might not work effectively on very large Exchange environments because message processing is effectively stalled while the sink events are processed by their respective applications.

    So, I've written up a simple VBScript which implements the OnArrival event and, when passed the incoming message, checks to see if it contains a URI with the evil combination we want to avoid, or detect. The script includes code to abort the delivery, move the message to the badmail directory, or allow the message through. It logs details of any message which contains an evil URI.

    Included on the web page that describes the code are links to MSDN articles about Exchange Event Sinks and CDO programming, including the tools you need to implement the script. The script is free to everyone (call it my Christmas present to NTBugtraq), feel free to modify or extend it. If you do implement something new, I'd appreciate seeing a copy of whatever you do (if you don't mind.) If anyone is able to convert this script into a tight compiled object, I'd sure appreciate the source to make available also.

    Read the description here;

    http://www.ntbugtraq.com/badurls.asp

    where you'll also find a link to the code. Enjoy, and relax.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
    

  • Next message: Russ: "Administrivia #30794 - NTBugtraq considered a Power to be considered"

    Relevant Pages

    • CRITICAL??? - Seven New Flaws in Internet Explorer not addressed by MS03-040 or MS03-048
      ... Demo Exploit Code (downloads and runs .exe of fire burning on computer screen without user intervention): ... NTBugtraq subscribers save $103.00 off the TICSA exam by using promo ... code "NT1003" when registering to take the TICSA exam at www.2test.com. ...
      (NT-Bugtraq)
    • Re: IE URL obfuscation
      ... Russ wrote: ... > the top level URL of a site, ... code "NT1003" when registering to take the TICSA exam at www.2test.com. ... abilities to be an active stakeholder in today's enterprise security. ...
      (NT-Bugtraq)
    • Giving IE the boot?
      ... www.mozilla.org check them out, IE and Netscape are not the only options out there folks. ... Jeff Thomas ... NTBugtraq subscribers save $103.00 off the TICSA exam by using promo code "NT1003" when registering to take the TICSA exam at www.2test.com. ...
      (NT-Bugtraq)
    • Re: More on IE URL obfuscation
      ... FWIW, the %01 in the URL doesn't seem to work on IE on Mac OSX. ... NTBugtraq subscribers save $103.00 off the TICSA exam by using promo ... code "NT1003" when registering to take the TICSA exam at www.2test.com. ...
      (NT-Bugtraq)
    • Re: Microsoft Security Bulletin MS03-049 - Installation problems?
      ... NTBugtraq subscribers save $103.00 off the TICSA exam by using promo ... code "NT1003" when registering to take the TICSA exam at www.2test.com. ... Promotion expires ...
      (NT-Bugtraq)