In my recent experience... >Outlook 'CR' Vulnerability
"It is possible to send attachments to Outlook Express users using non-standard attachment techniques. This can be accomplished by encapsulating the data in Carriage Return (<CR>) specifiers in the Subject line of an email. Upon receiving an email with a subject line containing carriage returns, Outlook Express will interpret the data section of the mail beginning in the subject line. This problem is compounded by the fact that mail filtering utilities do not search the subject line for this type of data, and can allow a malicious file to pass to an Outlook Express user." Declude (please correct if wrong) will detect this when a <CR> is not followed by a <LF> in the headers or MIME headers of an email. In a recent email example we saw <CR><CR><LF> in the MIME headers that rightly failed the test. David -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: 05 March 2003 11:14 To: [EMAIL PROTECTED] Subject: [Declude.Virus] Vulnerabilities explained Hi Scott, Is there a information page where you explain the different vulnerabilities and what are tipical causes of this? We have here a lot of hold messages with: Outlook 'Blank Folding' Vulnerability Outlook 'CR' Vulnerability Outlook 'Boundary Space Gap' Vulnerability Outlook 'MIME segment in MIME Postamble' Vulnerability Part of this mails are Spam. Most of them are auto-generated email messages. We keep the vulnerability blocking set to on because we see this function very important for new fast spreading viruses. If we want to explain to the programmers what they make wrong by generating their mail messages we need some info's... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
