Sorry, I was working off of a subset of messages that I had separated
when I generated the stats that I shared earlier and I wanted to make
sure that I corrected my mistakes. In reality, I found 432 hits for
this vulnerability across about 3 million messages scanned. 9 out of
432 were false positives that also happened to have compliant headers.
The other 423 were all spam, all from the same spamware exhibiting the
same pattern.

All of the headers that were associated with the false positives were
from an Exchange system and Outlook clients, but I suspect that the
headers were modified by a blackbox called MIMEsweeper from ClearSwift
(http://www.clearswift.com/) that does virus scanning and had footers
inserted in every one of the false positives. While Outlook clients use
tabs for folding headers, all of these messages used 4 spaces and I
suspect that tabs were rewritten as spaces by the MIMEsweeper device.
While that is still compliant, Declude didn't like it and I suspect it
is a simple coding error based on not defolding the header properly.

Those 423 hits on spam amounted to a 0.014% hit rate. Regardless of
this being fixed, if it was depreciated I personally don't think this
is a useful test for JunkMail in the long run outside of the scope of
BADHEADERS (might already be there), but that's a judgment call that
isn't for me to make. Things could change overnight, however, since it
is something that is easy to trip when manually coding the headers for
a spam campaign.

Here's an example of the offending code in every one of the 423 spams:

Content-Type: multipart/mixed;boundary= "----=_NextPart_000_00C3_5E34EE5.81EF3A57"

Note the space between the equals sign and the quote. You can filter
for this easily in JunkMail Pro if you wished.

Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
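An added example, not part of the message above and not Declude's or JunkMail's code: a Python sketch that unfolds headers first, so tab folding and 4-space folding are treated alike, and then flags only the space after `boundary=` that the message describes. The function names and the two folded sample headers are assumptions constructed for illustration; the spam sample is the header quoted in the message.

```python
import re

# Unfolding (RFC 5322): drop a line break that is followed by a tab or space.
# The whitespace itself stays, so tab folding and space folding end up alike.
_FOLD = re.compile(r"\r?\n(?=[ \t])")
# Whitespace between "boundary=" and the start of the parameter value.
_GAP = re.compile(r"boundary=[ \t]+", re.IGNORECASE)


def unfold(raw_headers: str) -> list[str]:
    """Return one string per logical header field."""
    return [h for h in _FOLD.sub("", raw_headers).splitlines() if h]


def boundary_has_gap(raw_headers: str) -> bool:
    """True if a Content-Type field has whitespace right after 'boundary='."""
    for field in unfold(raw_headers):
        name, _, value = field.partition(":")
        if name.strip().lower() == "content-type" and _GAP.search(value):
            return True
    return False


# Header quoted in the message (the pattern seen in the 423 spams).
SPAM = ('Content-Type: multipart/mixed;boundary= '
        '"----=_NextPart_000_00C3_5E34EE5.81EF3A57"\r\n')

# Constructed samples: the same legitimate header folded with a tab and
# with 4 spaces (the folding the false positives are said to have used).
TAB_FOLDED = ('Subject: test\r\n'
              'Content-Type: multipart/mixed;\r\n'
              '\tboundary="----=_NextPart_000_0001_01C00000.00000000"\r\n')
SPACE_FOLDED = TAB_FOLDED.replace("\r\n\t", "\r\n    ")

if __name__ == "__main__":
    for label, sample in (("spam", SPAM), ("tab-folded", TAB_FOLDED),
                          ("space-folded", SPACE_FOLDED)):
        print(f"{label:13s} flagged={boundary_has_gap(sample)}")
```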
