Jeff,

I ran into this the other day. Outlook/Outlook Express allows users to "split attachments" over a certain size, and the default size is 60 KB. People tend to turn this on when they run into a limitation and then never turn it off.

You can turn this off in Declude with BANPARTIAL OFF in your Virus.cfg. You can also instruct the sender to disable the message splitting by going to the account properties, last tab in Outlook Express, and have them uncheck the box.

Scott is of course correct that this represents a hole that can be exploited. My take on this is that AV companies should have sufficient definitions in place to detect fragments of an attachment that might use this method of propagation, though I haven't tested that theory because I am not aware of any viruses exploiting the hole, if it can be effectively exploited.

A search of my logs showing the last 500,000 or so messages shows one bounce message generated by a misbehaving GroupWise 5.5 server belonging to a client, and then a bunch of legit messages sent by a single person to one of my clients. I turned this off last week, and will probably keep it off until I find evidence of an active exploit that can bypass virus scanning. I am also advising senders to turn off the functionality because the current configuration that allows these through is subject to change without warning.

I suppose that you could also develop a bounce message unique to this vulnerability using ONLYSENDIF that advises the sender about how to turn this off in Outlook/Outlook Express, and possibly other mail clients if supported. I may also take that route.

Matt




Jeff Kratka wrote:


Scott,

What is the Partial Vulnerability that Declude Virus is picking up? I have
a customer asking me why and what and how to fix. "[Partial Vulnerability]
virus in the Unknown File attachment."


Jeff Kratka
************************************************
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
************************************************

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.





--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


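As an added example (not part of the original thread and not Declude's code), the Python below shows how a mail admin could audit stored messages for split mail before deciding whether to keep the ban on. It assumes the split messages are RFC 2046 `message/partial` fragments carrying `id`, `number` and `total` parameters; the sample messages and function names are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string

# Constructed samples (not from the thread): two fragments of one split
# message, plus one ordinary message that must not be flagged.
SAMPLES = [
    'From: a@example.com\nSubject: report [1/2]\n'
    'Content-Type: message/partial; id="abc@example.com"; number=1; total=2\n\n'
    'Content-Type: application/octet-stream\n\nAAAA',
    'From: a@example.com\nSubject: report [2/2]\n'
    'Content-Type: message/partial; id="abc@example.com"; number=2; total=2\n\n'
    'BBBB',
    'From: b@example.com\nSubject: hello\nContent-Type: text/plain\n\nhi',
]


def _to_int(value):
    """Parse a MIME parameter as an integer; None if missing or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def partial_info(raw):
    """Return (id, number, total) for a message/partial fragment, else None."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "message/partial":
        return None
    # "total" is optional on every fragment except the last one.
    return (msg.get_param("id"), _to_int(msg.get_param("number")),
            _to_int(msg.get_param("total")))


def summarize(raw_messages):
    """Group fragments by id and report whether every piece was seen."""
    seen = defaultdict(lambda: {"numbers": set(), "total": None})
    for raw in raw_messages:
        info = partial_info(raw)
        if info is None:
            continue
        frag_id, number, total = info
        if number is not None:
            seen[frag_id]["numbers"].add(number)
        if total is not None:
            seen[frag_id]["total"] = total
    return {
        frag_id: {"fragments": sorted(e["numbers"]), "total": e["total"],
                  "complete": e["total"] is not None
                  and e["numbers"] == set(range(1, e["total"] + 1))}
        for frag_id, e in seen.items()
    }
```

A scanner that inspects each fragment on its own never sees the reassembled attachment, which is why the report tracks fragment sets by `id` rather than individual messages.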