I have an enclosed the headers of an e-mail which got blocked by Declude Virus as having the Vulnerability listed in the title of this message.
Great! Declude Virus is doing its job. :)
Any up-to-date mailserver virus scanner should have caught this E-mail:
...
Subject: Don't forget to claim your money...
X-Declude-Sender: [EMAIL PROTECTED] [65.206.228.74]
Specifically, they had a line with just a single space or tab in the headers of the E-mail. There is no logical reason to do this, and it creates a vulnerability (meaning that if Declude Virus did not block it, there could be a virus in there that Declude Virus would be unable to see).
The user thinks that this is a False Positive. In my opinion it is not a false positive if it is a real vulnerability but I know the user is going to need more information.
You are correct. It does indeed contain a real vulnerability.
What causes this Vulnerability to occur?
In most cases, poor programming. For example, if the programmer has code that says "If the line is equal to or greater than 80 characters, include the first 80 characters on the first line, and put the rest on another line that starts with a tab" (instead of "greater than 80 characters"). This would cause lone tab character on a line by itself if the header was exactly 80 characters long.
Not that I would ever do it, but is there anyway that Declude Virus can be configured to let these through? I understand perfectly if it can't be done but I want to be able to say to the user that I've at least asked.
Declude Virus does let you disable all vulnerability detection -- however, we strongly recommend that our customers not do this, as it will almost certainly guarantee that future viruses will be delivered unscanned.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
