Scott,

I finally captured a binhex message that caused the vir directory to be left behind.  This one contained six JPG attachments, although I have definitely seen it with only one.  I can forward you the entire message source (about 3 MB), or maybe you can get something from the attachment definition pasted below:
--MS_Mac_OE_3171616584_11162912_MIME_Part
Content-type: application/mac-binhex40; name="01.jpg"

(This file must be converted with BinHex 4.0)
:"M!a,QT`C`"+8%9([EMAIL PROTECTED]&0rrBrq!!%%T'58B!!3)"!%J!5!!
!rqdS$&"SEh4[FfK[F#!c,M!!1%**633%!*!%$k!F!J!!!J!#(!*i!-e1EhBJ-$3

In Webmail, the above attachment name appears as "ISLAM !.jpg" which I assume comes from the encoded portion of the message.  The file that corresponds to this within the leftover vir directory is called "1_1.exe".  I seem to recall you indicating that binhex attachments don't have extensions and that this is why Declude creates them by taking the file and giving it an EXE extension.  I'm going to guess that what is happening here is some confusion in the code about what the proper name is because it is actually defined.  Note that my system is configured to not scan JPG files, and while the "01.jpg" name in the attachment header could probably be forged and therefore is not good to trust, the one that comes from the actual encoded message, "ISLAM !.jpg", should have caused Declude to not scan it.

I can provide log snippets as well as the contents of this vir directory if you need that also.  This is only a minor nuisance that I see about 5-10 times a month and nothing actually gets blocked that shouldn't, although I would imagine there is a possibility that it could be a potential hole.

Thanks,

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
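
Added example, not part of the original message and not Declude's code: a Python decoder that reads the filename stored inside a BinHex 4.0 header so a filter can compare it with the MIME name= parameter before applying any extension-based rule. The sample is constructed from the first 16 data characters of the line quoted in the message, which decode to the name "01.jpg" followed by the type "JPEG"; the function names are hypothetical, and the header CRC is not checked because the fragment is truncated.

```python
# BinHex 4.0 six-bit alphabet (64 characters).
HQX = '!"#$%&\'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr'

def hqx_decode(body):
    """Decode a (possibly truncated) BinHex body: 6-bit layer, then 0x90 RLE."""
    pos = ('\n' + body).find('\n:')        # data starts at a line-leading colon
    if pos < 0:
        raise ValueError('no BinHex data line (leading colon) found')
    acc = bits = 0
    raw = bytearray()
    for ch in body[pos + 1:]:
        if ch == ':':                      # closing colon ends the stream
            break
        if ch.isspace():                   # line breaks are not data
            continue
        val = HQX.find(ch)
        if val < 0:
            raise ValueError('%r is not in the BinHex alphabet' % ch)
        acc, bits = ((acc << 6) | val) & 0xFFFF, bits + 6
        if bits >= 8:
            bits -= 8
            raw.append((acc >> bits) & 0xFF)
    out, it = bytearray(), iter(raw)
    for b in it:
        if b != 0x90:
            out.append(b)
            continue
        count = next(it, None)             # byte after the run-length marker
        if count is None:
            break                          # fragment ended inside a run
        if count == 0:
            out.append(0x90)               # 0x90 0x00 is a literal 0x90
        elif out:
            out.extend(out[-1:] * (count - 1))
    return bytes(out)

def embedded_name(body):
    """Filename stored in the BinHex header: one length byte, then the name."""
    data = hqx_decode(body)
    if not data or not 1 <= data[0] <= 63 or len(data) < 1 + data[0]:
        raise ValueError('BinHex header is missing or truncated')
    return data[1:1 + data[0]].decode('mac_roman')

def names_disagree(mime_name, body):
    """True when the MIME name and the BinHex header name differ."""
    return mime_name.strip().lower() != embedded_name(body).strip().lower()

# Constructed sample: first 16 data characters of the BinHex line in the message.
SAMPLE_BODY = '(This file must be converted with BinHex 4.0)\n:"M!a,QT`C`"+8%9('
```

Both names are sender-controlled, so a disagreement between them is a reason to scan the decoded content rather than to pick one name and skip by extension.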

