Matt,
 
The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp, if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid email.

The Long base 64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFCs and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level, have you contacted Imail and asked
for their response and/or fix?

David B
www.declude.com
________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically determined with a great deal of ease (a simple regexp), and
Declude could insert its headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed at
this point.  This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one that
is widely reported, I can't responsibly rely on that product.  It is pretty
much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patched for a critical
flaw.  I consider both the Mail From issue and the base 64 encoding issues
to be critical flaws that warrant immediate fixes.  I am not alone in this.
If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not weeks or
months when they occur.

I assume that you are not the person making these development decisions, so
this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making sure
that Declude can respond rapidly to such things not just now, but as they
occur in the future.

Thanks,

Matt




David Barker wrote: 

        Matt,
        
        Headers not using proper CRLF line breaks is currently being tested using
        the new vulnerability NONSTANDARDCRLF test.
        
        As for these items they are on the list for engineers to confirm and test
        and fix if they are bugs.
        
        1. Invalid characters in the Mail FROM
        2. Long base 64 encoding causing Declude EVA to fail decoding
        3. WHITELIST IP being applied before IPBYPASS
        
        David B
        www.declude.com
        
        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
        Sent: Wednesday, June 28, 2006 1:49 PM
        To: declude.virus@declude.com
        Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
        
        David,
        
        I'm just wondering about the issue with the invalid characters in the Mail
        From's that caused massive spam leakage almost a month ago.  Is this too
        supposed to be fixed?
        
        I'm also very, very curious about the other bugs such as long base 64
        encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
        before IPBYPASS, and the issue where Declude's headers are inserted at the
        bottom of the message when the headers don't use proper CRLF line breaks?
        
        Thanks,
        
        Matt
        
        
        
        David Barker wrote:
        
          

                I have added the request to the wish list. We are focusing on
                replicating problems and fixing items from the list I had posted
                earlier last week. We are looking to do a release Thursday 8 July it is
                currently undergoing testing. This is all obviously subject to change
                just trying to keep you informed.
                
                Items in next release:
                
                1. Fix - ALLOWVULNERABILITIESFROM - full email address only
                
                2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path
                
                3. Add - Error in SM envelope file: if errors are found the mail will
                be moved to the error directory
                
                4. Add - If the headers files are not found then the data file is moved
                to error directory.
                
                5. Add - A new vulnerability test NONSTANDARDCRLF will be included to
                check for the end of the headers.
                
                David B
                www.declude.com
                
                ________________________________
                
                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
                Sent: Tuesday, June 27, 2006 7:04 PM
                To: declude.virus@declude.com
                Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
                
                
                John,
                
                Not to say that this wouldn't be something that is nice to have, I can
                think of dozens of things that are very largely useful on a much more
                regular basis.  In fact, the current functionality provides an
                appropriate mechanism for blocking these as-is.
                
                I would just simply like to see Declude catch up by fixing the known
                bugs first.  When they catch up, then certainly they should consider
                feature requests, but it would make sense to focus on new tests and
                improving existing ones, along with refining functionality.  I will
                personally continue to hold back from such discussions until it is
                clear that they are capable of handling the bugs.
                
                Sorry to make an example of you here; that's not the intention of
                course.  I just thought that it would be constructive to point this
                stuff out for the benefit of Declude and its customers alike.
                
                Matt
                
                
                
                John T (Lists) wrote: 
                
                        I know. :(
                        
                        Declude, this is a feature whose time has come.
                        
                        John T
                        eServices For You
                        
                        "Seek, and ye shall find!"
                        
                        
                          
                
                                -----Original Message-----
                                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
                                Sent: Tuesday, June 27, 2006 3:10 PM
                                To: declude.virus@declude.com
                                Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
                                
                                As I know yes but
                                
                                BANNAME my_notebook.doc
                                
                                wouldn't work for files within zip-archives.
                                
                                Markus
                                
                                    
                
                                        -----Original Message-----
                                        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
                                        Sent: Tuesday, June 27, 2006 11:48 PM
                                        To: declude.virus@declude.com
                                        Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
                                        
                                        Is the word document only named that?
                                        
                                        John T
                                        eServices For You
                                        
                                        "Seek, and ye shall find!"
                                        
                                              
                
                                                -----Original Message-----
                                                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
                                                Sent: Tuesday, June 27, 2006 11:32 AM
                                                To: declude.virus@declude.com
                                                Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
                                                
                                                Some of us have noted in the past two hours that messages with a
                                                zip-file as attachment have passed our virus filters
                                                
                                                It's a zip-file containing a MS Word Document named "my_notebook.doc"
                                                
                                                Most Virus-Scanners can't catch it. Virustotal has returned only two
                                                scanners with positive results
                                                
                                                Sophos has found "WM97/Kukudro-A"
                                                UNA has found a "Macro Virus"
                                                
                                                No other AV-Engine has caught the suspicious file.
                                                
                                                We've added the following lines to our virus.cfg in order to block as
                                                much as we can at the moment.
                                                
                                                BANNAME prices.zip
                                                BANNAME apple_prices.zip
                                                BANNAME sony_prices.zip
                                                BANNAME hp_prices.zip
                                                BANNAME dell_prices.zip
                                                BANNAME My_Notebook.doc
                                                
                                                Regards
                                                Markus
                                                
                                                
                                                
                                                ---
                                                This E-mail came from the Declude.Virus mailing list.  To
                                                unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
                                                type "unsubscribe Declude.Virus".    The archives can be found
                                                at http://www.mail-archive.com.
                                                        
                
                                        
                                        
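An added example, not part of the original thread and not Declude's code: a Python sketch of the header-boundary question debated above, comparing a CRLF-only search with one that also accepts bare LF or bare CR, and inserting a header at the boundary it finds. The function names, the `X-Scan` header and the sample messages are constructed for illustration.

```python
import re

# One line terminator: CRLF (standard), or a bare CR / bare LF (nonstandard).
_EOL = rb"(?:\r\n|\r(?!\n)|\n)"
# The header block ends at the first empty line: two terminators in a row.
_BOUNDARY = re.compile(rb"(" + _EOL + rb")(" + _EOL + rb")")
# A CR not followed by LF, or an LF not preceded by CR.
_BARE = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def strict_header_end(raw: bytes) -> int:
    """Offset just past the last header line, CRLF CRLF only; -1 if absent."""
    i = raw.find(b"\r\n\r\n")
    return -1 if i < 0 else i + 2


def tolerant_header_end(raw: bytes) -> int:
    """Same offset, accepting CRLF, bare LF and bare CR; -1 if no blank line."""
    m = _BOUNDARY.search(raw)
    return -1 if m is None else m.end(1)


def has_nonstandard_eol(raw: bytes) -> bool:
    """True if the header block, through the blank line, has a bare CR or LF."""
    m = _BOUNDARY.search(raw)
    block = raw if m is None else raw[:m.end()]
    return _BARE.search(block) is not None


def add_header(raw: bytes, line: bytes) -> bytes:
    """Insert one header line at the end of the header block, reusing the
    terminator the message itself uses there."""
    m = _BOUNDARY.search(raw)
    if m is None:
        # No blank line: treat the whole input as headers (assumption of this sketch).
        sep = b"" if raw.endswith((b"\r", b"\n")) else b"\r\n"
        return raw + sep + line + b"\r\n"
    end, eol = m.end(1), m.group(1)
    return raw[:end] + line + eol + raw[end:]


# Constructed sample messages, not taken from the thread.
GOOD = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody line\r\n"
BARE_LF = b"From: a@example.com\nSubject: hi\n\nbody line\n"
MIXED = b"A: 1\r\nB: 2\n\r\nbody"

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BARE_LF", BARE_LF), ("MIXED", MIXED)):
        print(name, strict_header_end(msg), tolerant_header_end(msg),
              has_nonstandard_eol(msg))
```

A message with no blank line at all, or with line breaks folded inside header values, still needs a policy decision (reject, quarantine or normalize) that a boundary search alone does not make.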