Regarding that cookie "bug," I understood that Declude tagged the file appropriately based on the COM extension, but Outlook Express screwed up attaching it in the way that it did. This was actually a gif used for tracking, and it named the file according to the script argument's when Outlook attached it instead of as a GIF (decoded it shows GIF89a). Clearly this could have unintended consequences when you forward E-mail in Outlook Express that might end with a .com extension as a script argument. I'm guessing though that there's no good way for Declude to differentiate among something improperly named by Outlook and a real COM file without getting real deep in analyzing the content. I hope this stays very, very rare. At least the behavior is known now.
Matt
R. Scott Perry wrote:
Virus Bug
==================
The first bug is more straightforward, however it is related to Declude Virus, so please forgive me for not joining that group. In an E-mail that was forwarded from monstor.com, it tripped on a banned extension of .com because a cookie reference was attached by Outlook Express as follows:
Actually, this isn't a bug:
------=_NextPart_000_0001_01C3D1D2.DEDBF400 Content-Type: application/octet-stream; name="nojavascript&dcssip=jobsearch.monster.com" Content-Transfer-Encoding: base64 Content-Location:
http://cookie.monster.com/DCS000003_6D4Q/njs.gif?dcsuri=/nojavascript&dcssip=jobsearch.monster.com
The cookie isn't the problem; the name of the file is "nojavascript&dcssip=jobsearch.monster.com". That's a .com file.
I'm not sure if there is anything that can be done about this easily, but it was legitimate, and the attachment wasn't an executable, just a cookie.
The attachment was a .com file. It may have been a cookie with a funny name, but still a .com file. :)
JunkMail Bug
==============
The small bug with JunkMail is as follows. I've seen the following several times across a number of days with at least v1.77i7 and v1.77i10. I'm using the warn action and it always shows up with the same recipient (%ALLRECIPS%) repeated at least three or four times. The first example is unique, and the last three examples are from a dictionary attack coming from one spammer sent to addresses that never existed on the same domain.
There was an issue with one of the v1.77 interim releases that was fixed in 1.77i12 that may have caused this. A change was made in the way that Declude JunkMail retrieves the list of recipients.
-Scott
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
