I no longer have the original message, but I could probably have my user try
to do what he did to get the message sent from the web server in question.

Richard Edge                             
System Administrator
Computing Services Department
TRINITY WESTERN UNIVERSITY 
Voice: 604-513-2089       
E-mail: [EMAIL PROTECTED]
WWW: http://www.ucs.twu.ca
FAQ: http://www.ucs.twu.ca/resources/faq.htm 



-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] False positive??



>Thanks for the quick response Scott. The information was sent on to 
>the programmer involved and here is his response.

I'll be quoting a lot here.  Be warned; it gets very technical.

> > The usual format for a MIME message is this, where you can have any 
> > number of boundary-header-content blocks.
> >
> > ------------------------------
> > message headers
> >
> > boundary
> > part headers
> > content
> >
> > boundary
> > part headers
> > content
> >
> > endboundary
> > ------------------------------
> >
> > You can optionally place content between the headers and the first BHC 
> > block (the preamble), which is what Declude is considering 'bad'.

That's not completely correct.

You can optionally place content between the headers and the boundary (this 
section between the headers and the boundary is referred to as the "MIME 
preamble").  In fact, most programs put content here (typically a variation 
of "If you can see this, your mail client does not support MIME").  Declude 
Virus has no problem with content in the MIME preamble.

> >
> > ------------------------------
> > message headers
> >
> > content
> >
> > boundary
> > part headers
> > content
> >
> > boundary
> > part headers
> > content
> >
> > endboundary
> > ------------------------------
> >
> > That extra content will never be displayed by the mail client, it is 
> > ignored.
> >
> > As Declude states on their web site (and backed up in the relevant 
> > RFCs), that is completely valid...

This part is accurate.

> > which means that Declude is intentionally deleting
> > valid email.

This is completely inaccurate.

The issue here is that in this MIME preamble, they have placed a "pretend 
MIME segment" (MIME headers that are in the MIME preamble, and therefore 
per the RFCs should be ignored).  The RFCs do allow this odd 
behavior.  However, there is no benefit to it.  Since there is no good 
reason to have this here, and it is unsafe (because it triggers an Outlook 
vulnerability), the E-mail is quarantined by Declude Virus.

What they are sending is:

------------------------------
message headers

part headers

boundary
part headers
content

boundary
part headers
content

endboundary
------------------------------

Here, a proper mail client will ignore the first "part headers" (since 
there is no boundary before them).  Outlook will (incorrectly) treat them 
as the beginning of a MIME segment.  As a result, it is (nearly) impossible 
for a virus scanner to determine if there is a virus in here that Outlook 
would see.

> >  I assume the developer at the time placed content there (usually a 
> > single line like 'this is a multipart MIME message') for a reason, 
> > but I don't know what it is.

That would be fine -- except that the single line is something like 
"Content-Transfer-Encoding: quoted/printable".  The programmer is 
essentially saying "I want a human to be fooled into thinking the content 
is encoded one way, even though it is really encoded another way."

> > Since the messages are completely
> > valid, I haven't changed the existing code, although I don't add it 
> > to new scripts that send email.

Since he is claiming that the E-mail is perfectly valid, and I haven't 
actually seen it, would it be possible to post the headers from it (if you 
still have it)?  Everything from the first Received: headers through the 
first line of recognizable content (either standard text or HTML) would be 
best.  That way, I can make sure that it isn't really a problem in Declude 
Virus.

                                                    -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
---
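As an added example (not part of this thread and not Declude's code), the following Python check flags header-like lines sitting in the MIME preamble, the pattern Scott describes Declude quarantining. The two messages are constructed samples; the stdlib parser ignores the preamble and still yields two parts in both cases, which is exactly why a scanner has to inspect the preamble separately.

```python
import email
import re
from email import policy

# Constructed sample: a multipart message whose MIME preamble (the text between
# the message headers and the first boundary) carries a header-like line.
# A conforming client ignores the preamble; the thread describes a client that
# instead treats such a line as the start of a MIME part.
SUSPICIOUS_RAW = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\n"
    "\n"
    "Content-Transfer-Encoding: quoted-printable\n"  # header inside the preamble
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "Hello\n"
    "--XYZ\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Hello</p>\n"
    "--XYZ--\n"
)

# Constructed sample with the usual, harmless preamble text.
BENIGN_RAW = SUSPICIOUS_RAW.replace(
    "Content-Transfer-Encoding: quoted-printable\n",
    "If you can see this, your mail client does not support MIME.\n",
)

# RFC 5322 field name: printable ASCII except ':' , followed by ':'.
# Heuristic only: a preamble sentence such as "Note: ..." would also match.
HEADER_LINE = re.compile(r"^[!-9;-~]+:")


def header_lines_in_preamble(raw):
    """Return header-like lines found in the MIME preamble of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not msg.is_multipart() or not msg.preamble:
        return []
    return [ln.strip() for ln in msg.preamble.splitlines()
            if HEADER_LINE.match(ln.strip())]


def part_count(raw):
    """Number of body parts a conforming parser sees (preamble is not one)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return len(msg.get_payload())
```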