The Annoyance Filter.pdf - Fourmilab

More documents

Recommendations

Info

138 MAIL FOLDER ANNOYANCE-FILTER §165 165. This static method tests for an argument to a header field and stores the argument, if present, into arg . The argument name is canonicalised to lower case, but the argument is left as-is. Quotes are deleted from quoted arguments. 〈 Class implementations 11 〉 +≡ bool mailFolder ::parseHeaderArgument (string &s, const string target , string &arg ) { if (s.length ( ) > target .length ( )) { string sc = s; string ::size type p, p1 ; stringCanonicalise (sc); if (((p = sc.find (target )) ≠ string ::npos ) ∧ (sc.length ( ) > (p + target .length ( ))) ∧ (sc[p + target .length ( )] ≡ ’=’)) { p += target .length ( ) + 1; if (p < s.length ( )) { if (s[p] ≡ ’"’) { if ((p1 = s.find (’"’, p + 1)) ≠ string ::npos ) { arg = s.substr (p + 1, p1 − (p + 1)); return true ; } } else { string ::size type i = p; for ( ; i < s.length ( ); i++) { if (¬isISOspace (s[i])) { break; } } if (i < s.length ( )) { int n = 0; while ((i + n) < s.length ( )) { if ((isISOspace (s[i + n])) ∨ (s[i + n] ≡ ’;’)) { break; } n++; } arg = s.substr (i, n); } else { arg = ""; } return true ; } } } } return false ; }
§166 ANNOYANCE-FILTER MAIL FOLDER 139 166. Certain versions of Microsoft Outlook contain a horrific bug where Outlook decides whether an attachment is executable based on its “Content−Type” declaration, but then actually decides whether to execute it based on its “file type” (the extension on the file name, for example “.EXE”). Predictably, mail worm programs exploit this by tagging their payload as an innocuous file type such as an audio or image file, but with an executable extension. The static method tests an attachment’s name against a list of vulnerable extensions. If it matches, this is almost certainly a worm, which we should filter through the byte stream parser rather than process normally. This will crack out the strings embedded in the worm, which will help us to fingerprint subsequent worms of the same type. The list of vulnerable extensions was compiled empirically from examining mail worms collected over a three year period. I do not know if the list is exhaustive; Microsoft vulnerability experts aware of any I omitted are encouraged to let me know about them. 〈 Class implementations 11 〉 +≡ bool mailFolder ::isSpoofedExecutableFileExtension (const string &s) { string sc = s; } stringCanonicalise (sc); if ((sc.length ( ) > 4) ∧ (sc[sc.length ( ) − 4] ≡ ’.’)) { string ext = sc.substr (sc.length ( ) − 3); stringCanonicalise (ext ); return ((ext ≡ "exe") ∨ (ext ≡ "bat") ∨ (ext ≡ "scr") ∨ (ext ≡ "lnk") ∨ (ext ≡ "pif") ∨ (ext ≡ "com")); } return false ; 167. Calculate the size in bytes of the message transcript if written to a monolithic file with lineOverhead bytes (by default 1) per line. 〈 Class implementations 11 〉 +≡ unsigned int mailFolder ::sizeMessageTranscript (const unsigned int lineOverhead ) const { assert(tlist ≠ Λ); } unsigned int n = tlist ⃗ size ( ), totsize = 0; if ((n > 1) ∧ (tlist ⃗ back ( ).substr (0, (sizeof messageSentinel ) − 1) ≡ messageSentinel )) { n−−; } list〈string〉::iterator p = tlist ⃗ begin ( ); for (unsigned int i = 0; i < n; i++) { totsize += p ⃗ length ( ) + lineOverhead ; p++; } return totsize ;
Page 1 and 2:
§1 ANNOYANCE-FILTER INTRODUCTION 1
Page 3 and 4:
§3 ANNOYANCE-FILTER GETTING STARTE
Page 5 and 6:
§4 ANNOYANCE-FILTER OPTIONS 5 4. O
Page 7 and 8:
§4 ANNOYANCE-FILTER OPTIONS 7 −
Page 9 and 10:
§5 ANNOYANCE-FILTER PHRASE-BASED C
Page 11 and 12:
§6 ANNOYANCE-FILTER INTEGRATING WI
Page 13 and 14:
§7 ANNOYANCE-FILTER OPERATING A PO
Page 15 and 16:
§9 ANNOYANCE-FILTER A BRIEF HISTOR
Page 17 and 18:
§9 ANNOYANCE-FILTER A BRIEF HISTOR
Page 19 and 20:
§10 ANNOYANCE-FILTER DICTIONARY WO
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
§19 ANNOYANCE-FILTER DICTIONARY 25
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
§32 ANNOYANCE-FILTER FAST DICTIONA
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
§40 ANNOYANCE-FILTER MIME DECODERS
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
§47 ANNOYANCE-FILTER SINK MIME DEC
Page 51 and 52:
§50 ANNOYANCE-FILTER BASE64 MIME D
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
§60 ANNOYANCE-FILTER QUOTED-PRINTA
Page 59 and 60:
§63 ANNOYANCE-FILTER QUOTED-PRINTA
Page 61 and 62:
§66 ANNOYANCE-FILTER MULTIPLE BYTE
Page 63 and 64:
§68 ANNOYANCE-FILTER DECODER PAREN
Page 65 and 66:
§71 ANNOYANCE-FILTER EUC DECODER 6
Page 67 and 68:
§75 ANNOYANCE-FILTER SHIFT-JIS DEC
Page 69 and 70:
§79 ANNOYANCE-FILTER SHIFT-JIS DEC
Page 71 and 72:
§83 ANNOYANCE-FILTER UTF-8 UNICODE
Page 73 and 74:
§84 ANNOYANCE-FILTER UTF-8 UNICODE
Page 75 and 76:
§87 ANNOYANCE-FILTER INTERPRETERS
Page 77 and 78:
§91 ANNOYANCE-FILTER GB2312 INTERP
Page 79 and 80:
§96 ANNOYANCE-FILTER UNICODE INTER
Page 81 and 82:
§99 ANNOYANCE-FILTER APPLICATION S
Page 83 and 84:
§100 ANNOYANCE-FILTER FLASH STREAM
Page 85 and 86:
§105 ANNOYANCE-FILTER FLASH STREAM
Page 87 and 88: §108 ANNOYANCE-FILTER FLASH STREAM
Page 93 and 94: §114 ANNOYANCE-FILTER FLASH TEXT E
Page 105 and 106: §125 ANNOYANCE-FILTER PDF TEXT EXT
Page 107 and 108: §127 ANNOYANCE-FILTER PDF TEXT EXT
Page 109 and 110: §129 ANNOYANCE-FILTER MAIL FOLDER
Page 137: §164 ANNOYANCE-FILTER MAIL FOLDER
Page 143 and 144: §170 ANNOYANCE-FILTER TOKEN DEFINI
Page 145 and 146: §173 ANNOYANCE-FILTER TOKEN PARSER
Page 157 and 158: §185 ANNOYANCE-FILTER CLASSIFY MES
Page 163 and 164: §193 ANNOYANCE-FILTER POP3 PROXY S
Page 181 and 182: §223 ANNOYANCE-FILTER MAIN PROGRAM
Page 183 and 184: §228 ANNOYANCE-FILTER MAIN PROGRAM
Page 185 and 186: §232 ANNOYANCE-FILTER HEADER INCLU
Page 187 and 188: §237 ANNOYANCE-FILTER HEADER INCLU
Page 189 and 190:
§242 ANNOYANCE-FILTER HEADER INCLU
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
§250 ANNOYANCE-FILTER ISO 8859-1 C
Page 203 and 204:
§255 ANNOYANCE-FILTER RELEASE HIST
Page 205 and 206:
§256 ANNOYANCE-FILTER DEVELOPMENT
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Page 229 and 230:
§257 ANNOYANCE-FILTER INDEX 229 ch
Page 231 and 232:
§257 ANNOYANCE-FILTER INDEX 231 fs
Page 233 and 234:
§257 ANNOYANCE-FILTER INDEX 233 k:
Page 235 and 236:
§257 ANNOYANCE-FILTER INDEX 235 pa
Page 237 and 238:
§257 ANNOYANCE-FILTER INDEX 237 se
Page 239 and 240:
§257 ANNOYANCE-FILTER INDEX 239 17
Page 241 and 242:
ANNOYANCE-FILTER NAMES OF THE SECTI
Page 243 and 244:
ANNOYANCE-FILTER Section Introducti
show all

The Annoyance Filter.pdf - Fourmilab

Create successful ePaper yourself

Delete template?

Save as template?