Might I make this suggestion for detecting the Outlook-CR vulnerability, to try to attempt to reduce the false positives (which seem to be close to 100% at this point):
Whenever a CR without a LF is seen, check the message header to see if a "BEGIN ..." is actually enclosed within it, indicating that a payload actually exists. If not, perhaps a different notification could be made, so we can determine whether to simply warn, or quarantine based on the analysis. Right now, I've had to turn off the Outlook-CR check altogether, because of too many complaints from users who are getting virus warnings (as well as their senders) instead of their valid, non-infected, albeit header-munged messages.

_______________________
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
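One way to implement the two-tier check suggested in the message above, as an added example that is not part of the original post and not Declude's code. It assumes the "BEGIN ..." marker is a uuencode-style `begin <mode> <name>` line; the function names, the verdict strings and the sample messages are constructed for illustration.

```python
import re

# Assumption: "BEGIN ..." means a uuencode-style line, "begin <mode> <name>".
BEGIN_RE = re.compile(rb"^begin\s+[0-7]{3,4}\s+\S", re.IGNORECASE)
# A CR that is not immediately followed by LF.
BARE_CR_RE = re.compile(rb"\r(?!\n)")


def split_header(raw: bytes) -> bytes:
    """Header block as a strict parser sees it: up to the first empty line."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw[: m.start()] if m else raw


def classify(raw: bytes) -> str:
    """Return 'clean', 'warn' (munged header only) or 'quarantine'."""
    header = split_header(raw)
    if not BARE_CR_RE.search(header):
        return "clean"
    # Break on every line ending a lenient client might honor, so text that
    # follows a bare CR is examined as a line of its own.
    for line in re.split(rb"\r\n|\r|\n", header):
        if BEGIN_RE.match(line.lstrip()):
            return "quarantine"   # a payload marker is enclosed in the header
    return "warn"                 # bare CR present, but nothing enclosed


# Constructed sample messages (not taken from real traffic).
SAMPLES = {
    "clean": b"From: a@example.com\r\nSubject: hi\r\n\r\nhello\r\n",
    # Bare CR from a broken mailer; a 'begin' line in the body is out of scope.
    "munged": (b"From: a@example.com\r\nSubject: hi\rX-Mailer: demo\r\n"
               b"\r\nbegin 644 notes.txt\r\n"),
    # Bare CRs with a begin line sitting inside the header block.
    "enclosed": (b"From: a@example.com\r\nSubject: hi\r\r"
                 b"begin 666 sample.bin\rPLACEHOLDER\rend\r\n\r\nhello\r\n"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {classify(msg)}")
```

The `warn` verdict corresponds to the "different notification" case in the message: the header is malformed but carries no enclosed payload marker, so the mail can be delivered with a notice instead of being quarantined.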
