Re: [Declude.Virus] Blank folding vulnerablity help
Follow-up (and warning for others). The problem was EDNS0. This is installed by default on Windows 2003 and must be disabled otherwise some firewalls and older versions of BIND will not resolve queries. More about disabling it can be found here: http://support.microsoft.com/kb/828263 The seriously strange thing is that I ran across this about a year ago and I had disabled EDNS0 on all of my production servers, and while the registry setting was still there showing it was disabled, reapplying the command to disable it, and restarting my DNS servers, caused the issue to go away. So it appears that some update or other unassociated config process caused EDNS0 to magically come back on with three of my boxes. Marc, the fact that your DNS service provider has issues with a default Windows 2003 setting would be good reason for you to insist that they change immediately, or move your DNS to another provider. When I ran into this a year ago it was an older version of BIND that was causing issues, but I have heard that old Cisco and SonicWall software can also block these packets. Matt Matt wrote: Marc, One other off-topic thing. For some reason, none of my Windows 2003 DNS servers will resolve any of your DNS records. I can however resolve through other servers running on both Mac's (BSD) and Linux, I can tracert to your DNS provider's IP space from my network, and I can query directly off of your DNS provider's servers using a query tool on my desktop. I tested 4 of my Windows 2003 DNS servers at two locations and two totally different networks though with timeouts on everything, and only for your domain and skynetweb.com. It seems that your provider is blocking or otherwise selectively not responding to queries made from Windows 2003 DNS (including nslookup running on those boxes). You might want to check into this because this is probably widespread. Matt Marc Catuogno wrote: Matt – thanks again. I can’t get a download off of the declude page other than the latest version and hot fixes for 1.76-1.82 no 2. versions at all… I may venture into the 3’s but I am still running IMAIL 8.15 – I’ve been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade… Keep hoping smarter mail will pan out, most of my users are on webmail and I hear that it is abysmal on IMAIL 2006 – Sorry for the rant, but I hate I far behind I feel… From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 9:10 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, 2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump. Matt Marc Catuogno wrote: So since I am running 1.82 I can either allow all vulnerabilities or not… I have been putting off upgrading till IMAIL and Declude are all at nice stable releases… Any input on what the latest/best working combo is? Crap. Thank you! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least
Re: [Declude.Virus] Blank folding vulnerablity help
Marc, One other off-topic thing. For some reason, none of my Windows 2003 DNS servers will resolve any of your DNS records. I can however resolve through other servers running on both Mac's (BSD) and Linux, I can tracert to your DNS provider's IP space from my network, and I can query directly off of your DNS provider's servers using a query tool on my desktop. I tested 4 of my Windows 2003 DNS servers at two locations and two totally different networks though with timeouts on everything, and only for your domain and skynetweb.com. It seems that your provider is blocking or otherwise selectively not responding to queries made from Windows 2003 DNS (including nslookup running on those boxes). You might want to check into this because this is probably widespread. Matt Marc Catuogno wrote: Matt – thanks again. I can’t get a download off of the declude page other than the latest version and hot fixes for 1.76-1.82 no 2. versions at all… I may venture into the 3’s but I am still running IMAIL 8.15 – I’ve been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade… Keep hoping smarter mail will pan out, most of my users are on webmail and I hear that it is abysmal on IMAIL 2006 – Sorry for the rant, but I hate I far behind I feel… From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 9:10 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, 2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump. Matt Marc Catuogno wrote: So since I am running 1.82 I can either allow all vulnerabilities or not… I have been putting off upgrading till IMAIL and Declude are all at nice stable releases… Any input on what the latest/best working combo is? Crap. Thank you! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=430
Re: [Declude.Virus] Blank folding vulnerablity help
Marc, I'm using SmarterMail for hosted E-mail and 2.6 isn't quite where I would like to see it. I'm not sure what the new version will offer that 2.6 doesn't, but there will certainly be refinements for Declude such as support for WHITELIST AUTH and their port 587 support will enable us to lock it down to AUTH-only connections. On the other hand, some of the things that bother me somewhat are the proprietary format of the user's mail box files (there is a mix of binary and ASCII data and they can't be hand-edited). They also don't have tools available such as IMail's ExtractUsers.exe which outputs a file with all user information and their passwords. I also have some gripes about not being able to disable things like catch-all functionality and vacation messages, and I think that some of their default settings could be better thought out such as needing to check a box when entering a forwarding address or it will leave a copy of the messages on the server. On the flip side it does have some features that are nicer than IMail 8.15 such as a better Web interface and better performance. The interface is why I switched, but I still use IMail with Declude for doing all of my scanning. As far as IMail 2006 goes, I think they are doing a good job of listening, but naturally with such a big change to their Web interface one should wait a little bit for things to become fully vetted and stable. I think they are working fast to address all known issues. I also like the idea that IMail has opted for a very open Webmail implementation so that one can do a lot of tweaking to the Interface. I still haven't tried their Webmail, but if things turn out good, I might actually switch back from SmarterMail because for me it would be better to have just one platform to support, and I desire IMail's straightforward mailbox format and flexibility in tweaking Webmail. The way that SmarterMail works by showing messages on a totally different screen than the list of messages makes it impractical for doing spam review in capture accounts (unless you want to click back for every message). Maybe they will change to a framed format in 3.0, but until they do, I have no choice but to keep IMail. I'm sure that clears a lot of things up :) Matt Marc Catuogno wrote: Matt – thanks again. I can’t get a download off of the declude page other than the latest version and hot fixes for 1.76-1.82 no 2. versions at all… I may venture into the 3’s but I am still running IMAIL 8.15 – I’ve been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade… Keep hoping smarter mail will pan out, most of my users are on webmail and I hear that it is abysmal on IMAIL 2006 – Sorry for the rant, but I hate I far behind I feel… From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 9:10 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, 2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump. Matt Marc Catuogno wrote: So since I am running 1.82 I can either allow all vulnerabilities or not… I have been putting off upgrading till IMAIL and Declude are all at nice stable releases… Any input on what the latest/best working combo is? Crap. Thank you! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered yea
RE: [Declude.Virus] Blank folding vulnerablity help
Matt – thanks again. I can’t get a download off of the declude page other than the latest version and hot fixes for 1.76-1.82 no 2. versions at all… I may venture into the 3’s but I am still running IMAIL 8.15 – I’ve been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade… Keep hoping smarter mail will pan out, most of my users are on webmail and I hear that it is abysmal on IMAIL 2006 – Sorry for the rant, but I hate I far behind I feel… From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, January 30, 2006 9:10 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, 2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump. Matt Marc Catuogno wrote: So since I am running 1.82 I can either allow all vulnerabilities or not… I have been putting off upgrading till IMAIL and Declude are all at nice stable releases… Any input on what the latest/best working combo is? Crap. Thank you! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME
Re: [Declude.Virus] Blank folding vulnerablity help
Marc, 2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump. Matt Marc Catuogno wrote: So since I am running 1.82 I can either allow all vulnerabilities or not… I have been putting off upgrading till IMAIL and Declude are all at nice stable releases… Any input on what the latest/best working combo is? Crap. Thank you! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219] 01/20/2006 07:25:
RE: [Declude.Virus] Blank folding vulnerablity help
So since I am running 1.82 I can either allow all vulnerabilities or not… I have been putting off upgrading till IMAIL and Declude are all at nice stable releases… Any input on what the latest/best working combo is? Crap. Thank you! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, January 30, 2006 5:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316] 01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
Re: [Declude.Virus] Blank folding vulnerablity help
ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0 Matt Marc Catuogno wrote: Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316] 01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
RE: [Declude.Virus] Blank folding vulnerablity help
Matt thank you – What version of Declude is needed for these “allows”? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, January 30, 2006 5:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Blank folding vulnerablity help Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316] 01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
Re: [Declude.Virus] Blank folding vulnerablity help
Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316] 01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
[Declude.Virus] Blank folding vulnerablity help
Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don’t want to allow vulnerabilities through but…. 01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802] 01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316] 01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]