RE: [Declude.Virus] Outlook-CR vulnerability

Tue, 16 Apr 2002 07:17:45 -0700

I will do - virtually *every* instance I've seen so far has been legitimate email.

At 10:11 AM 4/16/2002, John Tolmachoff wrote:

>From what Scott Perry has said before is that he has not seen any
legitimate e-mail with the CR vulnerability. If you do have evidence of
legitimate e-mail that does have the CR vulnerability, you might want to
forward those examples directly to him so he can review them.

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA  92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com
 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
Sent: Tuesday, April 16, 2002 5:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Outlook-CR vulnerability

Might I make this suggestion for detecting the Outlook-CR vulnerability,
to
try to attempt to reduce the false positives (which seem to be close to
100% at this point):

Whenever a CR without a LF is seen, check the message header to see if a

"BEGIN ..." is actually enclosed within it, indicating that a payload
actually exists. If not, perhaps a different notification could be made,
so
we can determine whether to simply warn, or quarantine based on the
analysis. Right now, I've had to turn off the Outlook-CR check
altogether,
because of too many complaints from users who are getting virus warnings

(as well as their senders) instead of their valid, non-infected, albeit
header-munged messages.

_______________________
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

_______________________
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com

Reply via email to