Matt,

Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test.

As for these items, they are on the list for engineers to confirm and test and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt

David Barker wrote:

>I have added the request to the wish list. We are focusing on
>replicating problems and fixing items from the list I had posted
>earlier last week. We are looking to do a release Thursday 8 July; it is
>currently undergoing testing. This is all obviously subject to change;
>just trying to keep you informed.
>
>Items in next release:
>
>1. Fix - ALLOWVULNERABILITIESFROM - full email address only
>
>2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path
>
>3. Add - Error in SM envelope file: if errors are found the mail will
>be moved to the error directory
>
>4. Add - If the headers files are not found then the data file is moved
>to error directory.
>
>5. Add - A new vulnerability test NONSTANDARDCRLF will be included to
>check for the end of the headers.
>
>David B
>www.declude.com
>
>________________________________
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
>Sent: Tuesday, June 27, 2006 7:04 PM
>To: declude.virus@declude.com
>Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>
>John,
>
>Not to say that this wouldn't be something that is nice to have, I can
>think of dozens of things that are very largely useful on a much more
>regular basis. In fact, the current functionality provides an
>appropriate mechanism for blocking these as-is.
>
>I would just simply like to see Declude catch up by fixing the known
>bugs first. When they catch up, then certainly they should consider
>feature requests, but it would make sense to focus on new tests and
>improving existing ones, along with refining functionality. I will
>personally continue to hold back from such discussions until it is
>clear that they are capable of handling the bugs.
>
>Sorry to make an example of you here; that's not the intention of
>course. I just thought that it would be constructive to point this
>stuff out for the benefit of Declude and its customers alike.
>
>Matt
>
>John T (Lists) wrote:
>
> I know. :(
>
> Declude, this is a feature whose time has come.
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Tuesday, June 27, 2006 3:10 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>
> As I know yes but
>
> BANNAME my_notebook.doc
>
> wouldn't work for files within zip-archives.
>
> Markus
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Tuesday, June 27, 2006 11:48 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>
> Is the word document only named that?
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Tuesday, June 27, 2006 11:32 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>
> Some of us have noted in the past two hours that messages with a
> zip-file as attachment have passed our virus filters
>
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
>
> Most Virus-Scanners can't catch it.
> Virustotal has returned only two scanners with positive results
>
> Sophos has found "WM97/Kukudro-A"
> UNA has found a "Macro Virus"
>
> No other AV-Engine has caught the suspicious file.
>
> We've added the following lines to our virus.cfg in order to block as
> much as we can at the moment.
>
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
>
> Regards
> Markus
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
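
The gap raised in the thread, a BANNAME entry not matching a file inside a zip archive, can be covered by listing archive members before matching names. This is an added example, not part of the thread and not Declude's code: it reads BANNAME lines in the form quoted above, and the function names, the depth limit, the size cap and the in-memory sample zip are all assumptions made for the illustration.

```python
import io
import zipfile

MAX_MEMBER = 10 * 1024 * 1024  # assumed cap on declared bytes unpacked per member

# Constructed sample using the BANNAME line format quoted in the thread.
SAMPLE_CFG = "BANNAME prices.zip\nBANNAME My_Notebook.doc\n"

def parse_bannames(cfg_text):
    """Return the lower-cased file names from BANNAME lines."""
    names = set()
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            names.add(parts[1].strip().lower())
    return names

def banned_hits(filename, data, banned, max_depth=2):
    """Return banned names matched by an attachment or by members inside it.

    An archive that cannot be read is reported too, so it can be reviewed.
    """
    hits = []
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower() in banned:
        hits.append(filename)
    if max_depth <= 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Names of encrypted or oversized members are still checked;
                # only their content is left unopened.
                skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER
                inner = b"" if skip else zf.read(info)
                for hit in banned_hits(info.filename, inner, banned, max_depth - 1):
                    hits.append(f"{filename}!{hit}")
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        hits.append(f"{filename}!<unreadable zip>")
    return hits

def build_sample_zip(member_name, content=b"constructed placeholder"):
    """Constructed input: an in-memory zip holding one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()
```

Matching is case-insensitive and uses the member's base name, so `docs/MY_NOTEBOOK.DOC` inside an arbitrarily named archive is reported as `archive.zip!docs/MY_NOTEBOOK.DOC`.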