Thanks for the quick response, Scott. The information was sent on to the
programmer involved and here is his response.

I'll be quoting a lot here. Be warned; it gets very technical.


> The usual format for a MIME message is this, where you can have any
> number of boundary-header-content blocks.
>
> ------------------------------
> message headers
>
> boundary
> part headers
> content
>
> boundary
> part headers
> content
>
> endboundary
> ------------------------------
>
> You can optionally place content between the headers and the first BHC block
> (the preamble), which is what Declude is considering 'bad'.

That's not completely correct.


You can optionally place content between the headers and the boundary (this section between the headers and the boundary is referred to as the "MIME preamble"). In fact, most programs put content here (typically a variation of "If you can see this, your mail client does not support MIME"). Declude Virus has no problem with content in the MIME preamble.

>
> ------------------------------
> message headers
>
> content
>
> boundary
> part headers
> content
>
> boundary
> part headers
> content
>
> endboundary
> ------------------------------
>
> That extra content will never be displayed by the mail client, it is
> ignored.
>
> As Declude states on their web site (and backed up in the relevant
> RFCs), that is completely valid...

This part is accurate.


> which means that Declude is intentionally deleting
> valid email.

This is completely inaccurate.


The issue here is that in this MIME preamble, they have placed a "pretend MIME segment" (MIME headers that are in the MIME preamble, and therefore per the RFCs should be ignored). The RFCs do allow this odd behavior. However, there is no benefit to it. Since there is no good reason to have this here, and it is unsafe (because it triggers an Outlook vulnerability), the E-mail is quarantined by Declude Virus.

What they are sending is:

------------------------------
message headers

part headers

boundary
part headers
content

boundary
part headers
content

endboundary
------------------------------

Here, a proper mail client will ignore the first "part headers" (since there is no boundary before them). Outlook will (incorrectly) treat them as the beginning of a MIME segment. As a result, it is (nearly) impossible for a virus scanner to determine if there is a virus in here that Outlook would see.

>  I assume the developer at the time placed content there
> (usually a single line like 'this is a multipart MIME message') for a
> reason, but I don't know what it is.

That would be fine -- except that the single line is something like "Content-Transfer-Encoding: quoted/printable". The programmer is essentially saying "I want a human to be fooled into thinking the content is encoded one way, even though it is really encoded another way."


> Since the messages are completely
> valid, I haven't changed the existing code, although I don't add it to
> new scripts that send email.

Since he is claiming that the E-mail is perfectly valid, and I haven't actually seen it, would it be possible to post the headers from it (if you still have it)? Everything from the first Received: headers through the first line of recognizable content (either standard text or HTML) would be best. That way, I can make sure that it isn't really a problem in Declude Virus.


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
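
A check for the pattern described in the message above (MIME headers sitting in the MIME preamble), as an added example that is not part of the original e-mail and is not Declude Virus's own code. It uses Python's standard `email` parser and also looks at nested multipart parts; the sample messages and the set of header names treated as suspicious are constructed assumptions.

```python
import email
import re

# Assumption: a preamble line starting with one of these header names is the
# "pretend MIME segment" pattern (MIME headers placed before the first boundary).
MIME_HEADER = re.compile(r"^(content-[a-z-]+|mime-version)[ \t]*:", re.I)


def preamble_mime_headers(raw):
    """Return header-like lines found in any multipart preamble of raw."""
    msg = email.message_from_string(raw)
    hits = []
    for part in msg.walk():               # top level and nested multiparts
        if not part.is_multipart():
            continue
        # preamble is None when nothing precedes the first boundary
        for line in (part.preamble or "").splitlines():
            if MIME_HEADER.match(line.strip()):
                hits.append(line.strip())
    return hits


# Constructed sample messages (not taken from the thread).
HEAD = ("From: a@example.com\nTo: b@example.com\nSubject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n\n')
PARTS = ("--BOUND\nContent-Type: text/plain\n\nhello\n"
         "--BOUND\nContent-Type: text/html\n\n<p>hello</p>\n"
         "--BOUND--\n")
# Ordinary preamble text: fine.
BENIGN = HEAD + "This is a multi-part message in MIME format.\n\n" + PARTS
# Part headers with no boundary before them: the case that gets quarantined.
SUSPECT = HEAD + "Content-Transfer-Encoding: quoted-printable\n\n" + PARTS

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        found = preamble_mime_headers(raw)
        print(name, "->", "quarantine" if found else "pass", found)
```
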

