Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

2007-12-03 Thread Matt

Ruben,

In your Virus.cfg file, add the following line:

   ALLOWVULNERABILITYOLBLANKFOLDING

This will turn off this vulnerability detection.  There have been no 
viruses that I know of that have exploited this flaw, and it is quite 
possible that this flaw no longer exists since it is around 5 years old 
now.  You might also want to consider turning off other vulnerability 
detections due to the propensity of them hitting legitimate E-mail.  
Here's a list:


   BANPARTIALOFF
   ALLOWVULNERABILITYOLCR
   ALLOWVULNERABILITYOLSPACEGAP
   ALLOWVULNERABILITYOLMIMESEGMIMEPRE
   ALLOWVULNERABILITYMIMESEGMIMEPOST
   ALLOWVULNERABILITYOLLONGFILENAME
   ALLOWVULNERABILITYOLBLANKFOLDING
   ALLOWVULNERABILITYOBJECTDATA
   ALLOWVULNERABILITYOLBOUNDARYSPACEGAP
   ALLOWVULNERABILITYOLMIMEHEADER
   ALLOWVULNERABILITYOLLONGBOUNDARY


Matt



Mon Mariola - Rubén wrote:


The program Incredimail generates subjects that, in certain cases, end 
with 0D 0A 09 0D 0A. These messages are captured by Declude Virus 
as Outlook 'Blank Folding' Vulnerability. I want to send a letter 
asking their technical support to solve this problem, but I really do 
not see where section 3.2.3 of RFC 822 indicates that this is not allowed.


Thank you.
Ruben Marti.
Mon Mariola, S.L.


From Declude manual:


Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when 
there is a line in the headers with just a single space or a single 
tab character. Outlook can treat this as the end of the headers, 
allowing it to see a virus that is embedded in the headers. RFC822 
3.2.3 says that it is not valid to have such lines, nor is there any 
legitimate reason for an E-mail to contain a blank line in the headers 
with a single space or tab (note that it is OK to have a line with a 
single space or tab in the E-mail body, just not the headers).




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.
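
Added example (not from the thread and not Declude's code): a Python sketch of the check the manual excerpt above describes. It flags a header line that holds just one space or one tab, and lists the header lines that a client treating such a line as the end of the headers would show as body. The sample message and all function names are constructed for illustration.

```python
# Constructed sample: Subject is followed by a line holding only a tab,
# i.e. the bytes 0D 0A 09 0D 0A quoted in the thread.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: Hello\r\n"
    b"\t\r\n"
    b"X-Mailer: ExampleMailer\r\n"
    b"\r\n"
    b"Body text\r\n"
)


def split_lines(raw):
    # Accept CRLF and bare LF so stored spool files from either system work.
    return raw.replace(b"\r\n", b"\n").split(b"\n")


def header_end_strict(lines):
    """Index of the first truly empty line, the RFC 822 end of headers."""
    for i, line in enumerate(lines):
        if line == b"":
            return i
    return len(lines)


def header_end_lenient(lines):
    """Index where a client that treats a whitespace-only line as blank stops."""
    for i, line in enumerate(lines):
        if line.strip(b" \t") == b"":
            return i
    return len(lines)


def find_blank_folding(raw):
    """1-based numbers of header lines that hold just one space or one tab."""
    lines = split_lines(raw)
    end = header_end_strict(lines)
    return [n + 1 for n, line in enumerate(lines[:end]) if line in (b" ", b"\t")]


def seen_as_body_by_lenient(raw):
    """Header lines (strict view) that the lenient client would render as body."""
    lines = split_lines(raw)
    return lines[header_end_lenient(lines) + 1:header_end_strict(lines)]


if __name__ == "__main__":
    print("suspicious header lines:", find_blank_folding(SAMPLE))
    print("parsed differently:", seen_as_body_by_lenient(SAMPLE))
```

A non-empty result from `seen_as_body_by_lenient` is the gap between what the scanner and the mail client each consider "headers"; a lone tab in the body is not flagged.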






Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

2007-12-03 Thread Mon Mariola - Rubén

Matt,

So far, the only case where I find this vulnerability is in the mail sent 
from the program Incredimail.


If these lines are actually prohibited in RFC, it is safer to seek 
Incredimail technical support to solve your problem.


But I fear that the explanation in Declude manual is false and that there is 
a section in RFC that says clearly that these lines are not allowed.


Thank you.
Ruben Marti.
Mon Mariola, S.L.




Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

2007-12-03 Thread Matt

Disable it and be done with it.  There is no option to partially support 
the issue, and the issue is very likely not a threat.  Just because 
something isn't RFC compliant doesn't mean that it is a threat.  The 
vulnerability was from Outlook displaying attachments that were hidden 
by bad encoding, but that flaw was likely patched, or at least it has 
not been exploited en masse.


Matt






Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

2007-12-03 Thread Randy Armbrecht

The AOL Feedback loop creates a lot of these false positives also... we 
deactivated this test in our Declude a while back




---
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
http://globalweb.net





RE: [Declude.Virus] Outlook 'Blank Folding' Vulnerability = False Positive?

2003-08-14 Thread R. Scott Perry

> Scott, on this particular one, I have also seen 2 caught. Should we initiate
> a dialog with Paypal so that they fix their problem?

We've already contacted them.  They are most likely deleting the reports to 
them.  Unfortunately, large companies like PayPal and Amazon are often 
unable to process reports of serious problems well (that isn't always the 
case, though -- Walmart made a great effort at fixing the problem once the 
appropriate people got involved).  But feel free to report it -- if enough 
people do, they may listen.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability = False Positive?

2003-08-14 Thread R. Scott Perry

> I have enclosed the headers of an e-mail which got blocked by Declude
> Virus as having the Vulnerability listed in the title of this message.

Great!  Declude Virus is doing its job.  :)

Any up-to-date mailserver virus scanner should have caught this E-mail:

...
Subject: Don't forget to claim your money

X-Declude-Sender: [EMAIL PROTECTED] [65.206.228.74]
...

Specifically, they had a line with just a single space or tab in the 
headers of the E-mail.  There is no logical reason to do this, and it 
creates a vulnerability (meaning that if Declude Virus did not block it, 
there could be a virus in there that Declude Virus would be unable to see).

> The user thinks that this is a False Positive.  In my opinion it is not a
> false positive if it is a real vulnerability but I know the user is going to
> need more information.

You are correct.  It does indeed contain a real vulnerability.

> What causes this Vulnerability to occur?

In most cases, poor programming.  For example, if the programmer has code 
that says "If the line is equal to or greater than 80 characters, include 
the first 80 characters on the first line, and put the rest on another line 
that starts with a tab" (instead of "greater than 80 characters").  This 
would cause a lone tab character on a line by itself if the header was 
exactly 80 characters long.

> Not that I would ever do it, but
> is there any way that Declude Virus can be configured to let these through?
> I understand perfectly if it can't be done but I want to be able to say to
> the user that I've at least asked.

Declude Virus does let you disable all vulnerability detection -- however, 
we strongly recommend that our customers not do this, as it will almost 
certainly guarantee that future viruses will be delivered unscanned.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
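
Added example (not code from this message or from Declude): the off-by-one folding rule described in the message above, next to the corrected comparison, with a sweep showing which header lengths produce a lone tab line. It implements the plain character-count split from the message, not full RFC 822 folding at whitespace; the function names and sample header are constructed.

```python
import operator

LIMIT = 80  # line length used in the message above


def _fold(header, limit, needs_split):
    """Cut `header` into chunks of `limit` chars; continuation lines start with a tab."""
    chunks, rest = [], header
    while needs_split(len(rest), limit):
        chunks.append(rest[:limit])
        rest = rest[limit:]
    chunks.append(rest)  # empty when the buggy test split an exact multiple of limit
    return [chunks[0]] + ["\t" + part for part in chunks[1:]]


def fold_buggy(header, limit=LIMIT):
    # Defect from the message: splits when length is "equal to or greater than" limit.
    return _fold(header, limit, operator.ge)


def fold_fixed(header, limit=LIMIT):
    # Corrected rule: split only when the header is strictly longer than limit.
    return _fold(header, limit, operator.gt)


def make_header(total_len):
    """Constructed Subject header of exactly `total_len` characters."""
    prefix = "Subject: "
    return prefix + "x" * (total_len - len(prefix))


def has_lone_whitespace_line(lines):
    """True if any emitted line is just one space or one tab."""
    return any(line in (" ", "\t") for line in lines)


def trigger_lengths(fold, max_len=200):
    """Header lengths (10..max_len) for which `fold` emits a lone-whitespace line."""
    return [n for n in range(10, max_len + 1)
            if has_lone_whitespace_line(fold(make_header(n)))]


if __name__ == "__main__":
    print("buggy rule triggers at lengths:", trigger_lengths(fold_buggy))
    print("fixed rule triggers at lengths:", trigger_lengths(fold_fixed))
```

Only headers whose length is an exact multiple of the limit hit the defect, which is why a mailer with this bug produces flagged messages only "in certain cases".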



RE: [Declude.Virus] Outlook 'Blank Folding' Vulnerability = False Positive?

2003-08-14 Thread John Tolmachoff (Lists)

Scott, on this particular one, I have also seen 2 caught. Should we initiate
a dialog with Paypal so that they fix their problem?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
