Title: Message
There is also a longstanding bug in at least Declude Virus that has issues with very long base64 encoding.  I have seen no reports that this was fixed.  I am wondering in this case whether or not the bug is now being exploited by spammers also.

Matt



Jay Sudowski - Handy Networks LLC wrote:

We had an issue with Declude “corrupting” images from SmarterStats long ago.  It turned out that SmarterStats wasn’t inserting line breaks in their images, and thus single lines were going out past 8,000 characters, at which point Declude truncated the line.  I wouldn’t be surprised if the spamware being used to send these was doing something similar.

 

Thanks!

-----

Jay Sudowski // Handy Networks LLC

Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX

www.handynetworks.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 28, 2006 2:54 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

 

Interesting.  As Matt said, if you can get an original D*.SMD that would be great for following this trail.

 

I would note that in addition, use the headers that were received to track the sending IP and time, and check your IMail log, and from there you will have the GUID for the message.  Then check the Declude log for that GUID (but do a case-insensitive search).  That will tell you whether Declude processed the message at all; it could be that Declude processed the message but failed to insert the headers, or failed to lock the file and had to "fail open" and allow IMail to deliver the message without being able to insert the headers.

 

For more information, I found all 94 of the messages with this title sent to my server today and yesterday, and found that they were all held as spam.  I then copied each to my workstation and compared the filesize to see if I could spot any that were obviously different.  They were all within 1 or 2 KB of each other, so I opened quite a few and found them all intact, and all with the Declude headers correctly placed.  My mileage will vary from yours, but it doesn't seem that I received any broken images in this particular spam run, and I've had no user feedback indicating spam received today.  Hopefully, this counter-example will help narrow down the problem.

 

I'm using Declude v2.0.6.16 from 2005-05-25 and IMail v8.14 with whatever hotfixes.

 

Andrew 8)

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erik
Sent: Tuesday, February 28, 2006 10:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

Yes, they are passing SNIFFER and Darrell's INV-URIBL at this time.  But what Evans wrote is true.  Either this "spammer" has corrected "his" image.. the fact remains that in the past when it was corrupted, Declude failed in our version.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 28, 2006 7:34 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

Ditto.

 

I've received and held 24 messages with the same title.  Re-queuing 3 of these to myself, they had an image that was intact.

 

They fail the usual RBL tests plus Message Sniffer.

 

Andrew 8)

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Tuesday, February 28, 2006 10:10 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

Judgement is quick to pass for some around here.

 

These are getting caught by my system

 

X-Note: Spam Tests Failed: SBL [28], SORBS-DUHL [4], HELOBOGUS [3], SNIFFER [13]

 

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erik
Sent: Tuesday, February 28, 2006 12:49 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

The problem that we've seen with this "spammer" is that the image is corrupted as you mentioned... and Declude is exiting; thus why it's being allowed to be delivered. "Smart" coding on the spammer... Not so smart on Declude.

-Erik

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Beckstrom
Sent: Tuesday, February 28, 2006 6:41 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Damaged Image Files

We’re getting the same.  Also using Declude with SmarterMail.  Because Declude doesn’t appear to be scanning the headers there is no way for us to stop them.

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Evans Martin
Sent: Tuesday, February 28, 2006 12:38 AM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Damaged Image Files

 

I’m getting a lot of messages that have only a graphic in them.  The graphic appears to have been damaged as only about ½ of it displays.  Declude has not modified the headers at all so I’m not sure if these are being scanned or not.  I don’t know how it could be bypassing Declude.  I have attached the .msg file.  Anyone have any ideas what might be causing this?

 

I’m running Declude 3.0.5.22 and SmarterMail 2.6.

 

 

The header is as follows:

 

Return-Path: <[EMAIL PROTECTED]> Tue Feb 28 00:24:32 2006
Received: from 225-65-10-72.planters.net [72.10.65.225] by matrix.martek.net with SMTP;
   Tue, 28 Feb 2006 00:24:32 -0600
Date: Tue, 28 Feb 2006 01:24:22 +0100
Return-path: <[EMAIL PROTECTED]>
From: "Abrahams"<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: C1alis 10 Pills 20 mg $89.95
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/related;
            type="multipart/alternative";
            boundary="------------ms020700070106060404020304"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

 

 

Thanks,

Evans Martin

 

EVANS MARTIN  [EMAIL PROTECTED]

HOSTING:  http://www.martek.net

PROGRAMMING:  http://www.martekware.com

 

iPlus Info Browser – IPB’s IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without.  http://www.martek.net/Default.aspx?tabid=96
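
Added example, not part of the original thread and not Declude's code: a check an administrator could run over a saved copy of a message to see whether any base64 part has undecoded lines longer than the RFC 2045 (76) and RFC 5322 (998) limits, or longer than the 8,000-character truncation point Jay Sudowski describes. The function names, the `SCANNER_MAX` default and the sample message are constructed for illustration.

```python
import base64
import email

RFC2045_MAX = 76      # RFC 2045: max length of a base64-encoded body line
RFC5322_MAX = 998     # RFC 5322: hard per-line limit, excluding CRLF
SCANNER_MAX = 8000    # truncation point reported in the thread (assumed default)


def audit_base64_lines(raw: bytes, scanner_max: int = SCANNER_MAX) -> list:
    """Return one finding per base64 MIME part, measured on undecoded lines."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        # get_payload() without decode=True keeps the sender's line breaks.
        lines = part.get_payload().splitlines()
        longest = max((len(line) for line in lines), default=0)
        findings.append({
            "name": part.get_filename(),
            "longest_line": longest,
            "over_rfc2045": longest > RFC2045_MAX,
            "over_rfc5322": longest > RFC5322_MAX,
            "over_scanner_limit": longest > scanner_max,
        })
    return findings


def build_sample() -> bytes:
    """Constructed message: one wrapped and one unwrapped base64 image part."""
    blob = base64.b64encode(bytes(range(256)) * 30).decode("ascii")
    wrapped = "\r\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))
    head = ("MIME-Version: 1.0\r\n"
            'Content-Type: multipart/related; boundary="b1"\r\n\r\n')
    tmpl = ('--b1\r\nContent-Type: image/gif; name="{}"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\n{}\r\n")
    body = tmpl.format("wrapped.gif", wrapped) + tmpl.format("unwrapped.gif", blob)
    return (head + body + "--b1--\r\n").encode("ascii")


if __name__ == "__main__":
    for finding in audit_base64_lines(build_sample()):
        print(finding)
```

A part flagged `over_scanner_limit` is one where a filter that truncates long lines would see different content from what the recipient's mail client decodes.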

 
