David, >From my point of view, the problem with that response is that if Imail handle all the issues presented by abnormal mail messages, we would not need Declude. Imail handles normal messages just fine. If it were not for viruses and spammers, we would not see these problems. We got Declude to handle viruses and spammers.
Mike > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of David Barker > Sent: Wednesday, June 28, 2006 3:08 PM > To: declude.virus@declude.com > Subject: RE: [Declude.Virus] New Virus: zipped word doc with > Macro-Virus > > Matt, > > The CRLF problem has more to do with the email server and not Declude, > emails that are so badly broken should be either rejected by the email > server or these headers should be standardized by the email server. > Eitherway this is a much more complex issue than you make it > out to be, by > just fixing it with a simple regexp, if it was as easy as > that, do you not > think we would have done this already ? > > "Introducing tests to score conditions that one's software > does not handle > correctly is not a fix, it's a work-around." This is not how > we are dealing > with this issue, it is not an additional Spam test as I > clearly stated we > are dealing with this as a vulnerability because this should > be addressed at > the email server level and not Declude, therefore the message will be > quarentined - as every instance we have seen of this has been > invalid email. > > The Long base 64 encoding is a similar issue whereby the mail > server should > deal with these before they get to Declude as such emails are > clearly in > violation of the RFC's and should be treated as suspect from the very > beginning. > > To conclude, we are making every effort to address these > issues because it > is not being done at the server level, have you contacted > Imail and asked > for their response and/or fix ? > > David B > www.declude.com > ________________________________ > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Matt > Sent: Wednesday, June 28, 2006 2:48 PM > To: declude.virus@declude.com > Subject: Re: [Declude.Virus] New Virus: zipped word doc with > Macro-Virus > > > David, > > The CRLF thing doesn't affect me since I have my own > solution, however for > those that use Subject tagging, adding another test won't > help unless they > decide to just simply delete such messages. The header > boundary could be > programatically determined with a great deal of ease (a > simple regexp), and > Declude could insert it's headers into the correct place if > this was done. > Introducing tests to score conditions that one's software > does not handle > correctly is not a fix, it's a work-around. > > Regarding the other things, I'm very alarmed that the > official position is > still not even recognizing that these bugs surely exist, much > less fixed at > this point. This concerns me greatly since I rely on this > product for my > business, and if it takes months to just confirm a bug, > especially one that > is widely reported, I can't responsibly rely on that product. > It is pretty > much the same thing as having a virus scanner that takes > months to catch a > particular virus, or having a Web browser that is never patch > for a critical > flaw. I consider both the Mail From issue and the base 64 > encoding issues > to be critical flaws that warrant immediate fixes. I am not > alone in this. > If you don't have a lot of people still griping about this > stuff, it is > because they are either not aware of the flaws, or they have > already given > up on trying to get you guys to fix them, or given up on > relying on Declude > altogether. These things should be fixed in hours or days > and not weeks or > months when they occur. > > I assume that you are not the person making these development > decisions, so > this isn't directed at you, but those that make the calls > need to fully > understand the critical nature of these flaws, and their role > in making sure > that Declude can respond rapidly to such things not just now, > but as they > occur in the future. > > Thanks, > > Matt > > > > > David Barker wrote: > > Matt, > > Headers not using proper CRLF line breaks is currently > being tested > using > the new vulnerability NONSTANDARDCRLF test. > > As for these items they are on the list for engineers > to confirm and > test > and fix if they are bugs. > > 1. Invalid characters in the Mail FROM > 2. Long base 64 encoding causing Declude EVA to fail decoding > 3. WHITELIST IP being applied before IPBYPASS > > David B > www.declude.com > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of > Matt > Sent: Wednesday, June 28, 2006 1:49 PM > To: declude.virus@declude.com > Subject: Re: [Declude.Virus] New Virus: zipped word doc with > Macro-Virus > > David, > > I'm just wondering about the issue with the invalid > characters in > the Mail > From's that caused massive spam leakage almost a month > ago. Is this > too > supposed to be fixed? > > I'm also very, very curious about the other bugs such > as long base > 64 > encoding causing Declude Virus to fail decoding, > WHITELIST IP being > applied > before IPBYPASS, and the issue where Declude's headers > are inserted > at the > bottom of the message when the headers don't use proper > CRLF line > breaks? > > Thanks, > > Matt > > > > David Barker wrote: > > > > I have added the request to the wish list. We > are focusing > on > replicating problems and fixing items from the > list I had > posted > earlier last week. We are looking to do a > release Thursday 8 > July it is > currently under going testing. This is all > obviously subject > to change > just trying to keep you informed. > > Items in next release: > > 1. Fix - ALLOWVULNERABILITIESFROM - full email > address only > > 2. Fix - QUEUEFILE_SAVEFILE log shows incorrect > directory > path > > 3. Add - Error in SM envelope file: if errors > are found the > mail will > be moved to the error directory > > 4. Add - If the headers files are not found > then the data > file is moved > to error directory. > > 5. Add - A new vulnerability test > NONSTANDARDCRLF will be > included to > check for the end of the headers. > > David B > www.declude.com > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of > Matt > Sent: Tuesday, June 27, 2006 7:04 PM > To: declude.virus@declude.com > Subject: Re: [Declude.Virus] New Virus: zipped > word doc with > > Macro-Virus > > > John, > > Not to say that this wouldn't be something that > is nice to > have, I can > think of dozens of things that are very largely > useful on a > much more > regular basis. In fact, the current > functionality provides > an > appropriate mechanism for blocking these as-is. > > I would just simply like to see Declude catch > up by fixing > the known > bugs first. When they catch up, then certainly > they should > consider > feature requests, but it would make sense focus > on new tests > and > improving existing ones, along with refining > functionality. > I will > personally continue to hold back from such > discussions until > it is > clear that they are capable of handling the bugs. > > Sorry to make an example of you here; that's not the > intention of > course. I just thought that it would be constructive to > point this > stuff out for the benefit of Declude and it's customers > alike. > > Matt > > > > John T (Lists) wrote: > > I know. :( > > Declude, this is a feature who's time has come. > > John T > eServices For You > > "Seek, and ye shall find!" > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > > > Behalf Of > > > Markus > Gufler > Sent: Tuesday, June 27, 2006 3:10 PM > To: declude.virus@declude.com > Subject: RE: [Declude.Virus] New Virus: > zipped word doc with > > > > > > Macro-Virus > > As I know yes but > > BANNAME my_notebook.doc > > wouldn't work for files within > zip-archives. > > Markus > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of John T (Lists) > Sent: Tuesday, June 27, > 2006 11:48 > PM > To: declude.virus@declude.com > Subject: RE: [Declude.Virus] New > Virus: zipped word > > > doc with > > > Macro-Virus > > Is the word document only named > that? > > John T > eServices For You > > "Seek, and ye shall find!" > > > > -----Original > Message----- > From: > [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Markus Gufler > Sent: Tuesday, > June 27, 2006 > 11:32 AM > To: > declude.virus@declude.com > Subject: > [Declude.Virus] New > Virus: zipped > > > word doc with > > > Macro-Virus > > Some of us has > noted in the > past two hours > > > that messages with an > > > zip-file > > > as > > > attachment has > passed our > virus filters > > It's a zip-file > containing a > MS Word > > > Document named > > > > > "my_notebook.doc" > > > Most > Virus-Scanners can't > catch it. > Virustotal has returned > > > only two > > > scanners with positive > results > > Sophos has found > "WM97/Kukudro-A" > UNA has found a "Macro > Virus" > > No other AV-Engine has > catched the > suspicious file. > > We've added the > following > lines to our > > > virus.cfg in order > > > > > to block as > > > much was we can at the > moment. > > BANNAME prices.zip > BANNAME apple_prices.zip > BANNAME sony_prices.zip > BANNAME hp_prices.zip > BANNAME dell_prices.zip > BANNAME My_Notebook.doc > > Regards > Markus > > > > --- > This E-mail > came from the > Declude.Virus > > > mailing list. To > > > > > unsubscribe, > > > just send an E-mail to > [EMAIL PROTECTED], > > > and > > > type "unsubscribe > Declude.Virus". The > archives can be found > at > http://www.mail-archive.com. > > > > > --- > This E-mail came from the > Declude.Virus mailing > > > list. To > > > unsubscribe, just send > an E-mail to > [EMAIL PROTECTED], and > type "unsubscribe > Declude.Virus". > The archives > can be found > at http://www.mail-archive.com. > > > > > > --- > This E-mail came from the Declude.Virus > mailing list. To > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], > > > and > > > type "unsubscribe Declude.Virus". The > archives can be > found > at http://www.mail-archive.com. > > > > > > > --- > This E-mail came from the Declude.Virus mailing > list. To > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". > The archives > can be found > at http://www.mail-archive.com. > > > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe > Declude.Virus". The archives can be found at > http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.Virus mailing > list. To > unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be > found > at http://www.mail-archive.com. > > > > > > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just > send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
