One of my servers started sending malformed headers yesterday for some reason. Declude picked it up as the Outlook CR Vulnerability.

I am wondering if anyone can tell me where the vulnerability is in the attached message (attachment is a copy of what Declude Quarantined).

I do not see any "stand-alone" CRs in the middle of the header and am a little confused as to where I should start looking for the culprit.
What makes it harder to figure out is that it may be impossible to see the problem when the headers are sent in a new E-mail, as the body of an E-mail will often change around spaces, tabs, CRs and LFs.

The problem turns out to be that the HELO/EHLO that your mailserver is sending has a CR in it:

Received: from blackbox.ipaul.com
[65.204.120.129] by winonaweb.com

IMail added this header when the mailserver identified itself as "blackbox.ipaul.com<CR>", rather than just
"blackbox.ipaul.com" (it should have sent "EHLO blackbox.ipaul.com<CR><LF>", but instead sent "EHLO blackbox.ipaul.com<CR><CR><LF>").
-Scott
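
Added example, not part of the original thread: a small Python check that finds stand-alone CRs (and LFs) in raw SMTP bytes and prints them as visible <CR>/<LF> tokens, so they are not lost when the text is pasted into a new E-mail. The function names and the exact bytes of the sample Received header are assumptions; the two EHLO lines are the forms quoted in the reply above.

```python
import re

# A CR not followed by LF, or an LF not preceded by CR, is a "bare" line ending.
BARE = re.compile(rb"\r(?!\n)|(?<!\r)\n")
TOKENS = {0x0D: "<CR>", 0x0A: "<LF>", 0x09: "<TAB>"}


def visible(raw: bytes) -> str:
    """Render control bytes as tokens so they survive copy/paste and re-mailing."""
    out = []
    for b in raw:
        if b in TOKENS:
            out.append(TOKENS[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"<0x{b:02X}>")
    return "".join(out)


def find_bare_line_endings(raw: bytes, context: int = 12):
    """Return (offset, kind, surrounding bytes made visible) for each bare CR/LF."""
    hits = []
    for m in BARE.finditer(raw):
        kind = "bare CR" if m.group() == b"\r" else "bare LF"
        start = max(0, m.start() - context)
        hits.append((m.start(), kind, visible(raw[start:m.end() + context])))
    return hits


# Constructed samples. The EHLO lines are the two forms quoted in the reply;
# the exact bytes of the Received header are an assumption based on it.
GOOD_EHLO = b"EHLO blackbox.ipaul.com\r\n"
BAD_EHLO = b"EHLO blackbox.ipaul.com\r\r\n"
RECEIVED = b"Received: from blackbox.ipaul.com\r [65.204.120.129] by winonaweb.com\r\n"

if __name__ == "__main__":
    for label, raw in [("good EHLO", GOOD_EHLO), ("bad EHLO", BAD_EHLO),
                       ("Received", RECEIVED)]:
        print(f"{label}: {visible(raw)}")
        for offset, kind, ctx in find_bare_line_endings(raw):
            print(f"  {kind} at byte {offset}: ...{ctx}...")
```

Run it against bytes captured on the wire or read from the quarantined file in binary mode, since any text-mode step may already have normalized the line endings.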

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.