>I'm glad that you have been able to nail this. Thank you for once again
>acting so quickly.
>
>Would this have shown as one of those "premature" EOF log entries?
No, it would not have (at least with the samples we have seen).
>Given that we have seen two viruses sneak by, I feel you should make it a
>priority that we can BLOCK the "premature EOF" mime attachments.
That's an unrelated issue.
Both the Gibe and FBound had abnormalities in the way that MIME segments
were encoded, but the MIME segments were placed properly within the
E-mail. The EOF warning occurs if the MIME segments are not placed
properly -- and if it does occur, the data up until that point will still
be scanned.

So a normal E-mail might appear as:

    E-mail headers
    MIME segment #1 [text] headers
    MIME attachment #1 ("quoted-printable" encoding)
    MIME segment #2 [attachment] headers
    MIME attachment #2 ("base64" encoded)
    MIME "End of E-mail" EOF marker

These viruses had instead:

    E-mail headers
    MIME segment #1 [text] headers
    MIME attachment #1 ("quoted-printable" encoding)
    MIME segment #2 [attachment] headers
    MIME attachment #2 (improperly "base64" encoded)
    MIME "End of E-mail" EOF marker

Whereas a virus without the EOF marker would look like:

    E-mail headers
    MIME segment #1 [text] headers
    MIME attachment #1 ("quoted-printable" encoding)
    MIME segment #2 [attachment] headers
    MIME attachment #2 ("base64" encoded)

>You ALREADY detect and log these situations in the VIRUS.log and you
>acknowledged that, at best, these are SPAM messages sent by broken clients -
>what's preventing you from letting us "BANMIMEFAILURE" pronto and
>"BADBOGUSURL" right now?
Because there is no advantage to it, except for the spam issue. It
wouldn't have stopped the malformed versions of the Gibe or FBound viruses,
or any other previous viruses that we are aware of.
Although it is likely that a new virus will appear that doesn't have the
EOF marker, Declude will still scan the E-mail -- so if a mail client can
save the attachment, Declude will be able to scan it.
-Scott
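
The three layouts in the message above can be told apart mechanically. The following is an added example, not part of the original message and not Declude's code: it checks a message for a missing closing boundary (the "End of E-mail" marker) and, separately, for base64 segments that a strict decoder rejects. The sample messages, the boundary string BOUND and the names audit and build are constructed for illustration, and "improperly encoded" is assumed to mean data a strict base64 decoder refuses, since the message does not say what the abnormality was.

```python
import base64
import email

def audit(raw: bytes) -> dict:
    """Report missing closing boundaries and base64 parts a strict decoder rejects."""
    msg = email.message_from_bytes(raw)
    lines = {line.rstrip() for line in raw.splitlines()}
    report = {"missing_close": [], "bad_base64": [], "leaf_parts": 0}
    for part in msg.walk():
        if part.is_multipart():
            boundary = part.get_boundary()
            # The end marker is the boundary line with a trailing "--".
            if boundary and b"--" + boundary.encode() + b"--" not in lines:
                report["missing_close"].append(boundary)
            continue
        report["leaf_parts"] += 1  # segments before a missing marker still parse
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte == "base64":
            body = "".join(part.get_payload().split())  # drop line breaks only
            try:
                base64.b64decode(body, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                report["bad_base64"].append(part.get_filename() or "(unnamed)")
    return report

def build(b64_body: str, close: bool) -> bytes:
    """Constructed sample using the two-segment layout from the message above."""
    lines = [
        "From: sender@example.test", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="BOUND"', "",
        "--BOUND", "Content-Type: text/plain",
        "Content-Transfer-Encoding: quoted-printable", "", "Hello=21", "",
        "--BOUND", "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="a.bin"', "", b64_body,
    ]
    if close:
        lines.append("--BOUND--")
    return "\r\n".join(lines).encode("ascii") + b"\r\n"

NORMAL = build("aGVsbG8gd29ybGQ=", close=True)        # well-formed
MALFORMED = build("aGVs!bG8gd29ybGQ", close=True)     # marker present, bad base64
NO_EOF = build("aGVsbG8gd29ybGQ=", close=False)       # good base64, no end marker

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("malformed", MALFORMED), ("no EOF", NO_EOF)):
        print(name, audit(raw))
```

The two findings are independent: the malformed sample has its end marker, so a check for the missing marker alone says nothing about it, and the sample without the marker still yields both segments for inspection.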