Matt,
The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Eitherway this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp, if it was as easy as that, do you not
think we would have done this already ?
"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarentined - as every instance we have seen of this has been invalid email.
The Long base 64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFC's and should be treated as suspect from the very
beginning.
To conclude, we are making every effort to address these issues because it
is not being done at the server level, have you contacted Imail and asked
for their response and/or fix ?
David B
www.declude.com
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David,
The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages. The header boundary could be
programatically determined with a great deal of ease (a simple regexp), and
Declude could insert it's headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.
Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed at
this point. This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one that
is widely reported, I can't responsibly rely on that product. It is pretty
much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patch for a critical
flaw. I consider both the Mail From issue and the base 64 encoding issues
to be critical flaws that warrant immediate fixes. I am not alone in this.
If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on Declude
altogether. These things should be fixed in hours or days and not weeks or
months when they occur.
I assume that you are not the person making these development decisions, so
this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making sure
that Declude can respond rapidly to such things not just now, but as they
occur in the future.
Thanks,
Matt
David Barker wrote:
Matt,
Headers not using proper CRLF line breaks is currently being tested
using
the new vulnerability NONSTANDARDCRLF test.
As for these items they are on the list for engineers to confirm and
test
and fix if they are bugs.
1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS
David B
www.declude.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
David,
I'm just wondering about the issue with the invalid characters in
the Mail
From's that caused massive spam leakage almost a month ago. Is this
too
supposed to be fixed?
I'm also very, very curious about the other bugs such as long base
64
encoding causing Declude Virus to fail decoding, WHITELIST IP being
applied
before IPBYPASS, and the issue where Declude's headers are inserted
at the
bottom of the message when the headers don't use proper CRLF line
breaks?
Thanks,
Matt
David Barker wrote:
I have added the request to the wish list. We are focusing
on
replicating problems and fixing items from the list I had
posted
earlier last week. We are looking to do a release Thursday 8
July it is
currently under going testing. This is all obviously subject
to change
just trying to keep you informed.
Items in next release:
1. Fix - ALLOWVULNERABILITIESFROM - full email address only
2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory
path
3. Add - Error in SM envelope file: if errors are found the
mail will
be moved to the error directory
4. Add - If the headers files are not found then the data
file is moved
to error directory.
5. Add - A new vulnerability test NONSTANDARDCRLF will be
included to
check for the end of the headers.
David B
www.declude.com
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of
Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
John,
Not to say that this wouldn't be something that is nice to
have, I can
think of dozens of things that are very largely useful on a
much more
regular basis. In fact, the current functionality provides
an
appropriate mechanism for blocking these as-is.
I would just simply like to see Declude catch up by fixing
the known
bugs first. When they catch up, then certainly they should
consider
feature requests, but it would make sense focus on new tests
and
improving existing ones, along with refining functionality.
I will
personally continue to hold back from such discussions until
it is
clear that they are capable of handling the bugs.
Sorry to make an example of you here; that's not the
intention of
course. I just thought that it would be constructive to
point this
stuff out for the benefit of Declude and it's customers
alike.
Matt
John T (Lists) wrote:
I know. :(
Declude, this is a feature who's time has come.
John T
eServices For You
"Seek, and ye shall find!"
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of
Markus
Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus:
zipped word doc with
Macro-Virus
As I know yes but
BANNAME my_notebook.doc
wouldn't work for files within zip-archives.
Markus
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48
PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New
Virus: zipped word
doc with
Macro-Virus
Is the word document only named
that?
John T
eServices For You
"Seek, and ye shall find!"
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Markus Gufler
Sent: Tuesday, June 27, 2006
11:32 AM
To:
declude.virus@declude.com
Subject: [Declude.Virus] New
Virus: zipped
word doc with
Macro-Virus
Some of us has noted in the
past two hours
that messages with an
zip-file
as
attachment has passed our
virus filters
It's a zip-file containing a
MS Word
Document named
"my_notebook.doc"
Most Virus-Scanners can't
catch it.
Virustotal has returned
only two
scanners with positive
results
Sophos has found
"WM97/Kukudro-A"
UNA has found a "Macro
Virus"
No other AV-Engine has
catched the
suspicious file.
We've added the following
lines to our
virus.cfg in order
to block as
much was we can at the
moment.
BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc
Regards
Markus
---
This E-mail came from the
Declude.Virus
mailing list. To
unsubscribe,
just send an E-mail to
[EMAIL PROTECTED],
and
type "unsubscribe
Declude.Virus". The
archives can be found
at
http://www.mail-archive.com.
---
This E-mail came from the
Declude.Virus mailing
list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".
The archives
can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus
mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED],
and
type "unsubscribe Declude.Virus". The
archives can be
found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing
list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives
can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe
Declude.Virus". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be
found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
