I just found this bug. Essentially, if the MIME headers for an
attachment are mismatched, Declude "assumes" that it is an EXE for
virus scanning purposes, and this causes EXE triggers such as
bannotify.eml to be triggered. This is especially bad since it is
happening fairly commonly on zombie spam.

For example, here are the MIME headers from the spam sample:

    Content-Type: image/jpeg;

You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

    10/01/2006 14:03:44.656 q02f8014a00009ecc.smd Vulnerability flags = 863

This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXEs.

It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues.

Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown", so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose, for instance, to block them, but not bounce them.

Thanks,
Matt
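The classification suggested in the post above, sketched as an added example that is not part of the original message and is not Declude's code: a mismatched type and extension is labelled "unknown" instead of being assumed to be an EXE, and a folded filename is unfolded before its extension is read. The filenames, the extension tables and the label names are constructed assumptions; only the image/jpeg type and the "gi" extension come from the post.

```python
import os
from email import message_from_string, policy

# Assumption: small illustrative tables; a real scanner would carry fuller ones.
EXPECTED_EXTS = {
    "image/jpeg": {"jpg", "jpeg", "jpe"},
    "image/gif": {"gif"},
    "application/pdf": {"pdf"},
}
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat"}


def classify_attachment(part_headers):
    """Return (label, extension) for the header block of one MIME part."""
    # The email parser unfolds continuation lines, so a filename that
    # spans two header lines comes back as a single string.
    msg = message_from_string(part_headers + "\n\n", policy=policy.default)
    filename = msg.get_filename()
    if not filename:
        return ("unknown", "")
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext in EXECUTABLE_EXTS:
        return ("exe", ext)          # only a real executable extension is "exe"
    expected = EXPECTED_EXTS.get(msg.get_content_type())
    if expected is not None and ext not in expected:
        return ("unknown", ext)      # declared type and extension disagree
    return ("ok", ext)


# Constructed sample headers (not the headers from the spam sample).
MISMATCHED = ('Content-Type: image/jpeg;\n name="sample.gi"\n'
              'Content-Disposition: attachment;\n filename="sample.gi"')
FOLDED = ('Content-Type: image/jpeg\n'
          'Content-Disposition: attachment;\n'
          ' filename="holiday\n'
          ' photo.jpg"')
REAL_EXE = ('Content-Type: application/octet-stream\n'
            'Content-Disposition: attachment; filename="setup.exe"')

if __name__ == "__main__":
    for name, sample in [("mismatched", MISMATCHED), ("folded", FOLDED),
                         ("real exe", REAL_EXE)]:
        print(name, classify_attachment(sample))
```

With a separate "unknown" label, the bounce action can stay tied to "exe" while "unknown" parts are blocked without a bounce.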