From what Scott Perry has said before, he has not seen any legitimate e-mail with the CR vulnerability. If you do have evidence of legitimate e-mail that does have the CR vulnerability, you might want to forward those examples directly to him so he can review them.

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
Sent: Tuesday, April 16, 2002 5:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Outlook-CR vulnerability

Might I make this suggestion for detecting the Outlook-CR vulnerability, to try to attempt to reduce the false positives (which seem to be close to 100% at this point):

Whenever a CR without a LF is seen, check the message header to see if a "BEGIN ..." is actually enclosed within it, indicating that a payload actually exists. If not, perhaps a different notification could be made, so we can determine whether to simply warn, or quarantine based on the analysis.

Right now, I've had to turn off the Outlook-CR check altogether, because of too many complaints from users who are getting virus warnings (as well as their senders) instead of their valid, non-infected, albeit header-munged messages.

_______________________
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
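
The two-tier check suggested in the original message above, sketched as an added example (not code from the list or from Declude). It assumes "BEGIN ..." means a uuencode-style `begin <mode> <name>` line; the function names, verdict labels and sample messages are constructed for illustration.

```python
import re

BARE_CR = re.compile(rb"\r(?!\n)")  # a CR that is not followed by LF
# Assumption: "BEGIN ..." is a uuencode-style "begin <mode> <name>" line.
BEGIN_LINE = re.compile(rb"begin [0-7]{3,4} \S", re.IGNORECASE)


def header_block(raw: bytes) -> bytes:
    """Header as a strict parser sees it: everything before the first empty line."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw[:m.start()] if m else raw


def classify(raw: bytes) -> str:
    """Return 'clean', 'warn' (bare CR only) or 'quarantine' (bare CR plus begin line)."""
    hdr = header_block(raw)
    if not BARE_CR.search(hdr):
        return "clean"
    # Treat a bare CR as a line break too, then look for a line that opens a payload.
    for line in re.split(rb"\r\n|\r|\n", hdr):
        if BEGIN_LINE.match(line):
            return "quarantine"
    return "warn"


# Constructed sample messages (not taken from real mail).
SAMPLES = {
    # Well-formed CRLF header.
    "normal": b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n",
    # Header-munged but harmless: a bare CR inside a header value.
    "munged": b"From: a@example.com\r\nX-Mailer: foo\rbar\r\nSubject: hi\r\n\r\nbody\r\n",
    # Bare CR followed by a begin line inside the header block.
    "payload": b"From: a@example.com\r\nSubject: hi\rbegin 644 sample.bin\r\n\r\nbody\r\n",
    # Ordinary uuencoded content in the body, header intact.
    "uu_body": b"From: a@example.com\r\nSubject: hi\r\n\r\nbegin 644 notes.txt\r\nend\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} -> {classify(raw)}")
```

Only the `payload` sample is escalated; the `munged` sample gets the softer `warn` verdict, which is the distinction the suggestion asks for.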
