Hello Michael, Thanks for the great research.
Wouldn't this be the purpose of Vulnerability detection in Declude? "Declude detects mal-formed messages that can allow viruses to be hidden from email server virus scanners." We treat all vulnerabilities as viruses, send the notice and 86 the message.

-David

Thursday, October 19, 2006, 10:52:25 PM, you wrote:

MTM> Hi All,
MTM> Well, when responding on [email protected] to Will about RFC
MTM> violations, I said I would test this and I did.
MTM> --------------------
MTM> While writing this message, I happened to think about attachments. It would
MTM> appear to me, that there is an implied possibility for attachments and
MTM> therefore viruses to pass through undetected. All that should be required is
MTM> that the lines that make up the entire email, including the attachment
MTM> section, be terminated with line feeds instead of carriage return/line feed
MTM> pairs. Under such condition, Declude would see only one line and not find
MTM> the relevant sections. I will test this possibility.
MTM> --------------------
MTM> Tested: Declude v3.1.1 for IMail
MTM> As it happens, my suspicions were accurate. I wrote a script that could be
MTM> modified to remove either the carriage-returns or the line-feeds from a
MTM> message file. I then created a message in Outlook Express, added an
MTM> executable file (uptime.exe) as an attachment and saved it in my Draft
MTM> folder. I then dragged that message to the same location as the script and
MTM> renamed it to match the file name in the script (Rfc.eml). I ran the script,
MTM> which stripped the carriage-returns and produced Rfc2.eml. I renamed
MTM> Rfc2.eml to RfcNoCr.eml. In the script, I then changed vbCr to vbLf and ran
MTM> it again, which stripped the line-feeds and produced Rfc2.eml. I renamed
MTM> Rfc2.eml to RfcNoLf.eml.
MTM> Now, to get IIS SMTP to actually process the file, you must edit each file
MTM> and remove the single Cr or Lf and press the Enter Key, producing a CrLf
MTM> pair after the To field and the From field. I also added the string "No Cr"
MTM> to the end of the subject of RfcNoCr.eml and added "No Lf" to the subject of
MTM> RfcNoLf.eml. So for example change:
MTM> --------------------
MTM> From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>[Cr]To:
MTM> "[EMAIL PROTECTED]"[Cr]Subject: Test Attachment Pass-Through on RFC
MTM> Violation[Cr]<line continues>
MTM> --------------------
MTM> Change To
MTM> --------------------
MTM> From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
MTM> To: "[EMAIL PROTECTED]"
MTM> Subject: Test Attachment Pass-Through on RFC Violation No Cr[Cr]<line continues>
MTM> --------------------
MTM> Now it so happens, a long time ago, I wrote a couple of tests to detect
MTM> these RFC violations, so first I had to disable them in my GLOBAL.CFG, which
MTM> I did by commenting them out. Note that I also BAN the .EXE extension and I
MTM> left that enabled.
MTM> Now copy and paste the two files into the pickup directory of your favorite
MTM> IIS SMTP pickup directory. Voila, you just passed an executable through
MTM> Declude and through your mail server. That executable could very well have
MTM> been a virus.
MTM> Note that Declude detected RfcNoLf.eml as [Outlook 'CR' Vulnerability]. Ok
MTM> good.
MTM> But Declude let RfcNoCr.eml pass straight through without calling the virus
MTM> scanners, because Declude did NOT see an attachment. Also, because Declude
MTM> did not see an attachment, Declude did not ban the .EXE extension.
MTM> Here are the log entries from RfcNoLf.eml
MTM> --------------------
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Scanning Time: 218ms
MTM> [kernel=31 user=187]
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Virus scanner 1 reports exit
MTM> code of 0
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Virus detected. Not continuing
MTM> with remaining scanners.
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd 0:
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Starting EXT check .
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd
MTM> C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\*.*
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd 0
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Deleted
MTM> C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\0.
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd report.txt
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Deleted
MTM> C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\report.txt.
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd han=13e9c0 b=False
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd File(s) are INFECTED [[Outlook
MTM> 'CR' Vulnerability]: 0]
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd High code=23.
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd AV returned 23
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Scanned: CONTAINS A VIRUS
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd From: [EMAIL PROTECTED] To:
MTM> [EMAIL PROTECTED] [incoming from XX.XXX.XXX.X]
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Subject: Test Attachment
MTM> Pass-Through on RFC Violation No Lf
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Skipping non-AV E-mail
MTM> BANnotify.eml
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd
MTM> C:\IMAIL\Declude\postmaster.eml
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Starting E-mail file
MTM> C:\IMAIL\Declude\postmaster.eml
MTM> 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\IMail1.exe -h
MTM> "mathbox.com" -t "[EMAIL PROTECTED]" -u "[EMAIL PROTECTED]" -s
MTM> "Mathbox Email Virus Scanning detected and quarantined a virus" -f
MTM> "C:\IMAIL\spool\proc\work\D1b2101b7000083ba.sm0"
MTM> 10/19/2006 20:41:23.487 q1b2101b7000083ba.smd TempName =
MTM> C:\IMAIL\Declude\postmaster.eml
MTM> --------------------
MTM> Here are the log entries from RfcNoCr.eml
MTM> --------------------
MTM> 10/19/2006 20:41:10.690 q1b2101da000083bb.smd Setting Scan File 1 to
MTM> C:\Progra~1\FSI\F-Prot\FPcmd.exe /TYPE /SILENT /SERVER /NOMEM /ARCHIVE
MTM> /NOBOOT /DUMB /REPORT=report.txt.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd CFG: Setting report parse 1 to
MTM> Infection.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting Scan File 2 to
MTM> C:\imail\declude\runclamscan.exe log=3
MTM> C:\clamav-devel\bin\clamscan.exe
MTM> --quiet --no-summary --tempdir=c:\tmp\
MTM> --database=C:\clamav-devel\share\clamav\ --max-ratio=0 --mbox -l report.txt.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd CFG: Setting report parse 2 to
MTM> FOUND.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting virus directory to:
MTM> C:\IMAIL\spool\virus
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Incoming E-mail scanning
MTM> turned ON
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Outgoing E-mail scanning
MTM> turned ON
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting AVAFTERJM to ON.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting MAXATONCE to 20.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting scanner timeout to 120
MTM> seconds
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting AUTOFORGE to OFF.
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Scanner 0 Virus Codes: 3 6 8 9
MTM> 10 . OK Codes:
MTM> 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Scanner 1 Virus Codes: 1 . OK
MTM> Codes:
MTM> 10/19/2006 20:41:10.908 q1b2101da000083bb.smd Skip Extensions: GIF TXT MPG
MTM> PNG
MTM> 10/19/2006 20:41:10.955 q1b2101da000083bb.smd 48 Ban Extensions: ADE ADP ASD
MTM> ASP BAS BAT BIN CAB CHM CMD COM CPL CRT DLL EXE HLP HTA HTO INF INS ISP JS
MTM> JSC JSE KSH LNK MDB MDE MSI OCX PCD PIF REG SCF SCR SCT SHB SHS SYS VB VBE
MTM> VBS VBX VSMACROS VXD WSC WSF WSH
MTM> 10/19/2006 20:41:11.002 q1b2101da000083bb.smd Virus Pro Registered
MTM> 10/19/2006 20:41:11.018 q1b2101da000083bb.smd Starting locality check
MTM> (sender=mathbox.com; nr=1 ca=off). nHas=1.
MTM> 10/19/2006 20:41:11.018 q1b2101da000083bb.smd [EMAIL PROTECTED] [0-0] is
MTM> local domain1 viaFM
MTM> 10/19/2006 20:41:11.018 q1b2101da000083bb.smd Ending locality check
MTM> (cached), sender=local.
MTM> 10/19/2006 20:41:11.018 q1b2101da000083bb.smd Local host = mathbox.com
MTM> 10/19/2006 20:41:11.018 q1b2101da000083bb.smd
MTM> [EMAIL PROTECTED] Offset=5
MTM> Flags=1
MTM> 10/19/2006 20:41:11.033 q1b2101da000083bb.smd Msgid:
MTM> 10/19/2006 20:41:11.049 q1b2101da000083bb.smd Subject: Test Attachment
MTM> Pass-Through on RFC Violation No Cr
MTM> --------------------
MTM> Here is the script to strip Cr or Lf, just change the vbCr below to vbLf.
MTM> Just save it as:
MTM> Rfc.vbs
MTM> --------------------
MTM> Dim InFile
MTM> Dim OutFile
MTM> Dim Fso, File
MTM> Dim AllText
MTM> InFile = "Rfc.eml"
MTM> OutFile = "Rfc2.eml"
MTM> Set Fso = CreateObject("Scripting.FileSystemObject")
MTM> If Fso.FileExists( InFile ) = True Then
MTM>     Set File = Fso.OpenTextFile( InFile, 1, False, 0 )
MTM>     AllText = File.ReadAll
MTM>     File.Close
MTM>     Set File = Nothing
MTM>     AllText = Replace( AllText, vbCr, "" )
MTM>     Set File = Fso.OpenTextFile( OutFile, 2, True, 0 )
MTM>     File.Write AllText
MTM>     File.Close
MTM>     Set File = Nothing
MTM> End If
MTM> Set Fso = Nothing
MTM> --------------------
MTM> Finally, if you want to test for these RFC violations, see
MTM> http://www.mathbox.com/NoCrTest/NoCrTest.zip
MTM> Michael Thomas
MTM> Mathbox
MTM> 978-683-6718
MTM> 1-877-MATHBOX (Toll Free)
MTM> ---
MTM> This E-mail came from the Declude.JunkMail mailing list. To
MTM> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
MTM> type "unsubscribe Declude.JunkMail". The archives can be found
MTM> at http://www.mail-archive.com.

--
Best regards,
David mailto:[EMAIL PROTECTED]
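The failure mode Michael describes is a gateway that recognises only CRLF as a line terminator, so a message whose lines end in bare LF (or bare CR) collapses into one line and its MIME parts are never seen. The following added example (not code from either poster or from Declude) shows the defender's side: a line-terminator check that flags such messages before scanning, and a normalisation step so a MIME parser sees every part. Python's own email parser is lenient about bare CR/LF, so `crlf_only_attachment_names` is a stand-in for the strict-CRLF behaviour described above; the sample message and its "uptime.exe" attachment body are constructed.

```python
import email
import re
from email import policy

# Constructed sample: a multipart message carrying one attachment, written
# with RFC-compliant CRLF line terminators. The body is just "hello world".
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: Test Attachment Pass-Through\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="uptime.exe"\r\n'
    b'Content-Disposition: attachment; filename="uptime.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8gd29ybGQ=\r\n"
    b"--b1--\r\n"
)

def line_terminator_stats(raw: bytes) -> dict:
    """Count CRLF pairs plus any CR or LF that is not part of a pair."""
    crlf = raw.count(b"\r\n")
    return {"crlf": crlf,
            "bare_cr": raw.count(b"\r") - crlf,
            "bare_lf": raw.count(b"\n") - crlf}

def violates_line_endings(raw: bytes) -> bool:
    """True when the message uses bare CR or bare LF anywhere (the RFC violation)."""
    s = line_terminator_stats(raw)
    return s["bare_cr"] > 0 or s["bare_lf"] > 0

def normalize_line_endings(raw: bytes) -> bytes:
    """Rewrite every CRLF, bare CR or bare LF to CRLF before handing to a parser."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", raw)

def crlf_only_attachment_names(raw: bytes) -> list:
    """Stand-in for a gateway that splits lines on CRLF only (hypothetical)."""
    pat = re.compile(rb'Content-Disposition:\s*attachment;.*filename="([^"]+)"', re.I)
    names = []
    for line in raw.split(b"\r\n"):
        m = pat.match(line)
        if m:
            names.append(m.group(1).decode())
    return names

def attachment_names(raw: bytes) -> list:
    """Attachment filenames as seen by a parser fed normalised input."""
    msg = email.message_from_bytes(normalize_line_endings(raw), policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]
```

Run `violates_line_endings` first and treat a hit the way David describes (notify and drop), or at least normalise before the extension ban and virus scanners run.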
