Darin,
 
AFAIK the two are separate issues. Declude gets snookered for trusting the Q
file.
 

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, February 14, 2007 11:26 PM
To: [email protected]
Subject: SPAM-WARN:Re: [IMail Forum] BUG in Ver 8.22 vulnerability patch - Q File


We're running Declude 2.06, waiting to go to 4.x when 2006.2 has been
through a shakedown.  Haven't seen this problem with the 8.22/2.06 combo.
Are you thinking it's related to the same code that's causing the virtual
domain deletion/aliasing problem?  The log errors I see do show the actual
user account, not a variable or token that hasn't been parsed or replaced
properly.

Darin.
 
 
----- Original Message ----- 
From: Michael Thomas -  <mailto:[EMAIL PROTECTED]> Mathbox 
To: [email protected] 
Sent: Wednesday, February 14, 2007 10:42 PM
Subject: [IMail Forum] BUG in Ver 8.22 vulnerability patch - Q File

Darin,
 
Ver 8.22 vulnerability patch has a bug. The following is a sample Q file. 
 
==============================
QC:\IMAIL\spool\D144b019300006079.SMD
Hmail.mathbox.com
I144b019300006079
WC:\IMAIL\mail.mathbox.com
E0,
[EMAIL PROTECTED]
NRCPT TO:[EMAIL PROTECTED]
Rfh@customerdomain.com
==============================

Note the "%s" instead of the sender domain. The email message looks normal.
When Declude v3.1.3 tried to process the message, Declude would hang (not
crash). Processor usage dropped to nearly zero. Could not stop/restart the
Declude process.
 
That sender sent about 10 messages to the same customer today, before I
figured out what was going on. Declude hung on each one. Then I blocked the
sender's IP address. I was able to save one original SMD file and its
matching Q file.
 
The SMD file is US ASCII plain text, no MIME sections, no attachment, and is
less than 2K. An absolutely plain vanilla message.
 
The log file contains interesting information:
 
02:14 08:53 SMTPD(144b019300006079) [63.150.236.14] connect 64.21.55.1 port 58070
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] HELO nrouter.hsix.com
02:14 08:53 SMTPD(144b019300006079) Percent (%) characters replaced with asterisks (*) in following entry
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] MAIL FROM:<[EMAIL PROTECTED]>
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] RCPT TO:<[EMAIL PROTECTED]>
02:14 08:53 SMTPD(144b019300006079) [x] looking up customerdomain.com in HOSTS
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] C:\IMAIL\spool\D144b019300006079.SMD 2030
02:14 08:53 SMTPD(144b019300006079) performing antispam checks
 
So it looks like the sending SMTP's conversation contained the "%s". I do not
know why SMTP produced that Q file. It should have rejected the message. I
mean, how do you deliver to a domain named "%s"? The percent character is not
valid in domain names.

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)
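As an added example (not from the thread, and not IMail or Declude code), a small check a mail admin could run over spool Q files to flag envelope addresses whose domain part is not valid hostname syntax, as with the "%s" sender domain described above. The sample Q file is constructed from the one quoted in the thread; the one-letter tag on the sender line (`S`) is an assumption, since it is not recoverable from the quoted text.

```python
import re

# Constructed sample modelled on the Q file quoted above. Each record is one
# line whose first character is a tag; the page does not document the tags,
# so they are treated generically. The "S" tag for the sender is an assumption.
SAMPLE_Q_FILE = r"""QC:\IMAIL\spool\D144b019300006079.SMD
Hmail.mathbox.com
I144b019300006079
WC:\IMAIL\mail.mathbox.com
E0,
Ssender@%s
NRCPT TO:fh@customerdomain.com
Rfh@customerdomain.com
"""

# Anything that looks like local@domain inside a record value.
ADDRESS_RE = re.compile(r"[^\s<>:,]+@[^\s<>,]+")
# One hostname label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_q_file(text):
    """Split a Q file into (tag, value) records; the tag is the first character."""
    return [(line[0], line[1:]) for line in text.splitlines() if line]


def domain_is_valid(domain):
    """True if every dot-separated label is LDH syntax and total length is sane.
    A '%' (as in the sender domain described in the thread) fails this test."""
    if not domain or len(domain) > 253:
        return False
    return all(LABEL_RE.match(label) for label in domain.split("."))


def find_bad_domains(text):
    """Return (tag, address, domain) for each address whose domain is malformed."""
    bad = []
    for tag, value in parse_q_file(text):
        for addr in ADDRESS_RE.findall(value):
            domain = addr.rsplit("@", 1)[1]
            if not domain_is_valid(domain):
                bad.append((tag, addr, domain))
    return bad


if __name__ == "__main__":
    for tag, addr, domain in find_bad_domains(SAMPLE_Q_FILE):
        print(f"record {tag}: address {addr!r} has invalid domain {domain!r}")
```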