RE: [Declude.Virus] Conflicting Encoding Vulnerability

2003-01-23 Thread John Tolmachoff
In case Scott does not answer right away, can you post a log snippet?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus-
 [EMAIL PROTECTED]] On Behalf Of Steve Flook
 Sent: Thursday, January 23, 2003 6:46 AM
 To: Declude mailing list (E-mail)
 Subject: [Declude.Virus] Conflicting Encoding Vulnerability
 
 Scott / list,
 
 I'm wondering if I can somehow disable this test, or possibly weaken it etc
 as I'm getting a couple of false positives from a particular client that is
 sending emails to herself from her AOL address.  A declude -diag shows I'm
 running v1.65.
 
 The headers are below.  I can send more info regarding that email if useful.
 
 Thanks,
 Steve
 
 Received: from imo-d03.mx.aol.com [205.188.157.35] by webster.270net.com
 with ESMTP
   (SMTPD32-7.13) id ADA68AA016A; Thu, 23 Jan 2003 09:35:18 -0500
 Received: from [EMAIL PROTECTED]
   by imo-d03.mx.aol.com (mail_out_v34.13.) id 3.139.19f1c555 (18707)
   for [EMAIL PROTECTED]; Thu, 23 Jan 2003 09:37:26 -0500 (EST)
 From: [EMAIL PROTECTED]
 Message-ID: [EMAIL PROTECTED]
 Date: Thu, 23 Jan 2003 09:37:26 EST
 Subject: Fwd: gmt Super Bowl Report 01/21/2003
 To: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary=part1_139.19f1c555.2b615826_boundary
 X-Mailer: AOL 7.0 for Windows US sub 10634
 X-Country-Chain:
 X-Note: RDNS Real-Origin:  [205.188.157.35]
 X-Note: SMTP Real-From: [EMAIL PROTECTED]
 X-Note: SMTP Real-To: (1) [EMAIL PROTECTED]
 X-Note: Tests Failed, If Any: None
 X-Note: WEIGHT, If Any: 0
 
 
 --part1_139.19f1c555.2b615826_boundary
 Content-Type: text/plain; charset=US-ASCII
 Content-Transfer-Encoding: 7bit
 
 
 
 --part1_139.19f1c555.2b615826_boundary
 Content-Type: message/rfc822
 Content-Disposition: inline
 
 Return-Path: [EMAIL PROTECTED]
 Received: from  rly-xb04.mx.aol.com (rly-xb04.mail.aol.com [172.20.105.105])
   by air-xb02.mail.aol.com (v90.10) with ESMTP id MAILINXB21-0121171850;
   Tue, 21 Jan 2003 17:18:50 -0500
 Received: from  recomm1.onlinerecommerce.com ([66.109.35.141]) by
 rly-xb04.mx.aol.com (v90_r1.1) with ESMTP id MAILRELAYINXB43-0121171810;
 Tue, 21 Jan 2003 17:18:10 -0500
 Received: by recomm1.onlinerecommerce.com (Postfix, from userid 33)
   id A934945775; Tue, 21 Jan 2003 15:32:15 -0500 (EST)
 To: [EMAIL PROTECTED]
 From:  [EMAIL PROTECTED]
 Subject:  Re: gmt Super Bowl Report 01/21/2003
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
   boundary==_NextPart_000_0005_01C2045D.33A4E770
 Message-Id: [EMAIL PROTECTED]
 Date: Tue, 21 Jan 2003 15:32:15 -0500 (EST)
 X-Mailer: Unknown (No Version)
 
 
 --=_NextPart_000_0005_01C2045D.33A4E770
 Content-Type: text/plain;
   charset=US-ASCII
 Content-Transfer-Encoding: 7bit
 Content-Transfer-Encoding: quoted-printable
 ---
 [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus. The archives can be found
 at http://www.mail-archive.com.




Re: [Declude.Virus] Conflicting Encoding Vulnerability

2003-01-23 Thread R. Scott Perry


I'm wondering if I can somehow disable this test, or possibly weaken it etc


Your only option is to disable vulnerability detection completely, which 
will almost certainly allow future viruses through.

When it comes to vulnerabilities, it is best to just fix the problem.

The headers are below.  I can send more info regarding that email if useful.


Do you have the log file entries for this E-mail?  That should provide some 
very useful information.
  -Scott



RE: [Declude.Virus] Conflicting Encoding Vulnerability

2003-01-23 Thread Steve Flook
Sure - should have thought to give that on the first shot... 

My log level was set to MID.  I have set the log level to HIGH now for the
time being.  Here are 2 of them that were sent back to back.

01/23/2003 09:35:18 Qfda5036201b8bde7 Conflicting Encoding vulnerability in [7bit].
01/23/2003 09:35:18 Qfda5036201b8bde7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 30313]
01/23/2003 09:35:18 Qfda5036201b8bde7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
01/23/2003 09:35:18 Qfda5036201b8bde7 Subject: Fwd: gmt Super Bowl Report 01/21/2003
01/23/2003 09:35:18 Qfda608aa016abf6e Conflicting Encoding vulnerability in [7bit].
01/23/2003 09:35:18 Qfda608aa016abf6e Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 30315]
01/23/2003 09:35:18 Qfda608aa016abf6e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
01/23/2003 09:35:18 Qfda608aa016abf6e Subject: Fwd: gmt Super Bowl Report 01/21/2003

Steve

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Conflicting Encoding Vulnerability





RE: [Declude.Virus] Conflicting Encoding Vulnerability

2003-01-23 Thread R. Scott Perry


Sure - should have thought to give that on the first shot...


Actually, I should have caught this without looking at the logs -- for some 
reason, I was thinking of a different issue.  The problem is:

--=_NextPart_000_0005_01C2045D.33A4E770
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: quoted-printable

Here, the encoding is shown as both 7bit and quoted-printable.  Because 
of this, this MIME segment can be handled two different ways, and as a 
result, a virus could appear where no virus really is (if that makes any 
sense).

In this case, it appears that someone at AOL received an E-mail with a 
vulnerability and then forwarded it on to someone else.  So the problem 
here really lies with the sender of the original E-mail (onlinerecommerce.com).
   -Scott

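An added example (not code from the thread, from Declude, or from any of the posters): a Python check that flags MIME parts declaring more than one Content-Transfer-Encoding, run on a constructed message that mirrors the header clash Scott quotes; the addresses, boundary and body are placeholders, not the thread's real values.

```python
import email
import quopri
from email import policy

# Constructed sample modelled on the structure Scott points out: an inner
# text/plain part carrying two Content-Transfer-Encoding headers. Addresses,
# boundary and body are placeholders, not the thread's real values.
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_SAMPLE"

--=_NextPart_SAMPLE
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: quoted-printable

=48=65=6C=6C=6F this body reads differently under each encoding
--=_NextPart_SAMPLE--
"""
# Same message with the duplicate header removed: a well-formed control case.
CLEAN = SAMPLE.replace(b"Content-Transfer-Encoding: 7bit\n", b"")


def find_conflicting_encodings(raw: bytes):
    """Return [(part_index, [encodings...])] for every MIME part that declares
    more than one distinct Content-Transfer-Encoding value."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for idx, part in enumerate(msg.walk()):
        values = part.get_all("Content-Transfer-Encoding", [])
        encodings = [v.strip().lower() for v in values]
        if len(set(encodings)) > 1:
            hits.append((idx, encodings))
    return hits


def decode_both_ways(raw: bytes, part_index: int):
    """Decode one part's body under each declared encoding, plus the reading
    Python's email package picks on its own (it honours the first header).
    A scanner and a mail client that disagree on which header wins see
    different bytes, which is why Declude flags the message."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    part = list(msg.walk())[part_index]
    body = part.get_payload(decode=False).encode("ascii", "surrogateescape")
    return {
        "7bit": body,
        "quoted-printable": quopri.decodestring(body),
        "python-default": part.get_payload(decode=True),
    }
```

Part index 0 is the multipart container, so the flagged part in the sample is index 1; the same walk over the control message returns no hits.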


RE: [Declude.Virus] Conflicting Encoding Vulnerability

2003-01-23 Thread Steve Flook
hmm ok, thanks for the information.

Now I'm wondering how I can explain THAT to the client :)

Steve

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Conflicting Encoding Vulnerability


