Thanks for the quickly response Scott. The information was sent on to the programmer involved and here is his response.
================================================================= ----- Original Message ----- From: "Barney Boisvert" <[EMAIL PROTECTED]> To: "Lach Mullen" <[EMAIL PROTECTED]> Sent: Monday, July 07, 2003 11:06 AM Subject: RE: We blocked an e-mail sent to you! > The usual format for a MIME message is this, where you can have any > number of boundary-header-content blocks. > > ------------------------------ > message headers > > boundary > part headers > content > > boundary > part headers > content > > endboundary > ------------------------------ > > You can optionally place content between the headers ad the first BHC block > (the preamble), which is what Declude is considering 'bad'. > > ------------------------------ > message headers > > content > > boundary > part headers > content > > boundary > part headers > content > > endboundary > ------------------------------ > > That extra content will never be displayed by the mail client, it is > ignored. > > As Declude states on their web site (and backed up in the relevant > RFCs), that is completely valid, which means that Declude is > intentionally deleting > valid email. I assume the developer at the time placed content there > (usually a single line like 'this is a multipart MIME message') for a > reason, but I don't know what it is. I suspect there were problems > with some email client not rendering multipart messages correctly if > all the message content appeared in the parts, rather than in the > message proper, but I don't know. Since the messages are completely > valid, I haven't changed the existing code, although I don't add it to > new scripts that send > email. > > barneyb > > --- > Barney Boisvert, Senior Development Engineer > AudienceCentral > [EMAIL PROTECTED] > voice : 360.756.8080 x12 > fax : 360.647.5351 > > www.audiencecentral.com ============================================================================ ===== Richard Edge System Administrator Computing Services Department TRINITY WESTERN UNIVERSITY Voice: 604-513-2089 E-mail: [EMAIL PROTECTED] WWW: http://www.ucs.twu.ca FAQ: http://www.ucs.twu.ca/resources/faq.htm -----Original Message----- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Thursday, July 03, 2003 12:16 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] False positive?? >I have been contacted by one of our users who had a message blocked by >Declude Virus and was sent a warning about a Outlook vulnerability >contained in the email. The problem is that it was a web server >generated email message and not sent from an Outlook/Outlook Express >client. A vulnerability with a name referring to a product refers to a vulnerability *in* that product, not necessarily generated by it (for example, a hacker would likely take advantage of an IIS vulnerability using a special tool, not IIS itself). This does confuse a lot of people. >[Outlook 'MIME segment in MIME Preamble' Vulnerability] You can find out more about this vulnerability at http://www.declude.com/Virus/vulnerability.htm . Most likely, the company sending the E-mail hired a web developer instead of a real computer programmer to write a program to send out the E-mail, and the web developer tried his best to send the E-mail, but didn't do it properly. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
