Right, so if we detected actual file type (GIF instead of .js=NO), we would
know that it was a .gif and therefore not a threat...so it wouldn't get
banned.

Darin.


----- Original Message ----- 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 11:50 AM
Subject: Re: [Declude.Virus] Banned extension tripped by Microsoft Outlook,
Build 10.0.3416


Turns out it was, and this also makes sense.  Outlook only munged the
name and not the file.  Here's the base64 code for the spacer image,
along with the link and the JavaScript used to generate the arguments
appended to the link:

----- Actual Attachment (GIF) -----
Content-Type: application/octet-stream;
    name="nojavascript&WT.js=No"
Content-Transfer-Encoding: base64
Content-Location:
http://stats.bradyinternational.com/dcso262fk09tjxucaxis09t1m_7v1i/njs.gif?dcsuri=/nojavascript&WT.js=No

R0lGODlhAQABAIAAAP8A/wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==


----- Image Tag (original version was dynamic, this was the fall-back
used when attached) -----
<NOSCRIPT><IMG height=1
      src="http://stats.bradyinternational.com/dcso262fk09tjxucaxis09t1m_7v1i/njs.gif?dcsuri=/nojavascript&amp;WT.js=No"
      width=1 border=0 name=DCSIMG> </NOSCRIPT><!-- END OF Data Collection Server TAG -->


----- JavaScript Used to Write The Image Tag -----
      <SCRIPT language=JavaScript><!--
var gImages=new Array;
var gIndex=0;
var DCS=new Object();
var WT=new Object();
var DCSext=new Object();

// Janet's changes below
var gDomain="stats.bradyinternational.com";
var gDcsId="dcso262fk09tjxucaxis09t1m_7v1i";

// Add customizations here
//WT.sp="@@SPLITVALUE@@";

function dcsVar(){
    var dCurrent=new Date();
    WT.tz=dCurrent.getTimezoneOffset()/60*-1;
    WT.bh=dCurrent.getHours();
    WT.ul=navigator.appName=="Netscape"?navigator.language:navigator.userLanguage;
    if (typeof(screen)=="object"){
        WT.cd=screen.colorDepth;
        WT.sr=screen.width+"x"+screen.height;
    }
    if (typeof(navigator.javaEnabled())=="boolean"){
        WT.jo=navigator.javaEnabled()?"Yes":"No";
    }
    if (document.title){
        WT.ti=document.title;
    }
    WT.js="Yes";
    if (typeof(gVersion)!="undefined"){
        WT.jv=gVersion;
    }
    DCS.dcsdat=dCurrent.getTime();
    DCS.dcssip=window.location.hostname;
    DCS.dcsuri=window.location.pathname;
    if (window.location.search){
        DCS.dcsqry=window.location.search;
    }
    if ((window.document.referrer!="")&&(window.document.referrer!="-")){
        if (!(navigator.appName=="Microsoft Internet Explorer"&&parseInt(navigator.appVersion)<4)){
            DCS.dcsref=window.document.referrer;
        }
    }
}


R. Scott Perry wrote:

>
>>> We do already have some support for that in Declude Virus Pro.  But,
>>> the problem is that it often isn't possible to tell what the file
>>> type is without the extension.  In this case, it would be very
>>> difficult to distinguish a .js file from a .txt file, for example.
>>>
>>> There is another problem, too -- if you have a file that Declude
>>> Virus identifies as a .GIF file, but it has an .EXE extension, do
>>> you really want it?
>>
>>
>>
>> The attachment in this case was the GIF file, just a spacer.gif used
>> elsewhere in that page.
>
>
> Actually, it wasn't, if I have the correct information:
>
>         ----- Attachment MIME Definition -----
>         Content-Type: application/octet-stream;
>            name="nojavascript&WT.js=No"
>         ...
>
> That file is named "nojavascript&WT.js=No".  Although there is a
> Content-Location: header afterwards, the Content-Location: header
> isn't used as part of the file name.
>
>                                                    -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail
> mailservers since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in
> mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
>
>

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


_____________________________________
[This E-mail virus scanned by 4C Web]
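
The two checks discussed in this thread, run over the attachment part as posted: this is an added example, not part of the original messages and not Declude's code. The banned list, the magic-byte table and both matching rules (`loose_hit`, `suffix_hit`) are assumptions made for illustration; how Declude Virus actually matches extensions is not stated in the thread.

```python
import struct
from email import message_from_string

# The attachment part as posted in the thread (Content-Location rejoined onto one line).
PART = (
    'Content-Type: application/octet-stream;\n'
    '    name="nojavascript&WT.js=No"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Location: http://stats.bradyinternational.com/'
    'dcso262fk09tjxucaxis09t1m_7v1i/njs.gif?dcsuri=/nojavascript&WT.js=No\n'
    '\n'
    'R0lGODlhAQABAIAAAP8A/wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==\n'
)

BANNED = (".js", ".exe", ".vbs")  # hypothetical list, not Declude's configuration
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
         b"\xff\xd8\xff": "jpeg", b"MZ": "exe"}  # small illustrative table


def loose_hit(name):
    """Assumed loose rule: a banned extension anywhere in the declared name."""
    return next((ext for ext in BANNED if ext in name.lower()), None)


def suffix_hit(name):
    """Stricter rule: the declared name must end with a banned extension."""
    return next((ext for ext in BANNED if name.lower().endswith(ext)), None)


def sniff(data):
    """Identify content by leading magic bytes; None means it cannot be told apart."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def inspect_part(raw):
    part = message_from_string(raw)
    # get_filename() reads Content-Disposition filename=, then Content-Type name=;
    # Content-Location never contributes to the file name.
    name = part.get_filename() or ""
    data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
    kind = sniff(data)
    size = struct.unpack("<HH", data[6:10]) if kind == "gif" else None
    return {"name": name, "loose": loose_hit(name), "suffix": suffix_hit(name),
            "content": kind, "gif_size": size}


if __name__ == "__main__":
    print(inspect_part(PART))
    # The GIF-bytes-under-an-.EXE-name case raised in the quoted reply.
    print(inspect_part(PART.replace('name="nojavascript&WT.js=No"', 'name="spacer.exe"')))
```

Plain-text script has no magic bytes, so `sniff` returns None for it, which is the .js versus .txt limitation raised in the quoted reply.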


