Scott, on this particular one, I have also seen 2 caught. Should we initiate a dialog with Paypal so that they fix their problem?
John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.Virus- > [EMAIL PROTECTED] On Behalf Of R. Scott Perry > Sent: Tuesday, August 12, 2003 1:32 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability = False Positive? > False Positive? > > > >I have an enclosed the headers of an e-mail which got blocked by Declude > >Virus as having the Vulnerability listed in the title of this message. > > Great! Declude Virus is doing its job. :) > > Any up-to-date mailserver virus scanner should have caught this E-mail: > > ... > >Subject: Don't forget to claim your money > > > >X-Declude-Sender: [EMAIL PROTECTED] [65.206.228.74] > ... > > Specifically, they had a line with just a single space or tab in the > headers of the E-mail. There is no logical reason to do this, and it > creates a vulnerability (meaning that if Declude Virus did not block it, > there could be a virus in there that Declude Virus would be unable to see). > > >The user thinks that this is a False Positive. In my opinion it is not a > >false positive if it is a real vulnerability but I know the user is going to > >need more information. > > You are correct. It does indeed contain a real vulnerability. > > >What causes this Vulnerability to occur? > > In most cases, poor programming. For example, if the programmer has code > that says "If the line is equal to or greater than 80 characters, include > the first 80 characters on the first line, and put the rest on another line > that starts with a tab" (instead of "greater than 80 characters"). This > would cause lone tab character on a line by itself if the header was > exactly 80 characters long. > > >Not that I would ever do it, but > >is there anyway that Declude Virus can be configured to let these through? > >I understand perfectly if it can't be done but I want to be able to say to > >the user that I've at least asked. > > Declude Virus does let you disable all vulnerability detection -- however, > we strongly recommend that our customers not do this, as it will almost > certainly guarantee that future viruses will be delivered unscanned. > > > -Scott > --- > Declude JunkMail: The advanced anti-spam solution for IMail mailservers. > Declude Virus: Catches known viruses and is the leader in mailserver > vulnerability detection. > Find out what you have been missing: Ask for a free 30-day evaluation. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.