Hi All,

Well, when responding on Junkmail to Will about RFC violations, I said I
would test this and I did.
--------------------
While writing this message, I happened to think about attachments. It would
appear to me that there is an implied possibility for attachments, and
therefore viruses, to pass through undetected. All that should be required is
that the lines that make up the entire email, including the attachment
section, be terminated with line feeds instead of carriage return/line feed
pairs. Under such a condition, Declude would see only one line and not find
the relevant sections. I will test this possibility.
--------------------

Tested: Declude v3.1.1 for IMail

As it happens, my suspicions were accurate. I wrote a script that could be
modified to remove either the carriage-returns or the line-feeds from a
message file. I then created a message in Outlook Express, added an
executable file (uptime.exe) as an attachment and saved it in my Draft
folder. I then dragged that message to the same location as the script and
renamed it to match the file name in the script (Rfc.eml). I ran the script,
which stripped the carriage-returns and produced Rfc2.eml. I renamed
Rfc2.eml to RfcNoCr.eml. In the script, I then changed vbCr to vbLf and ran
it again, which stripped the line-feeds and produced Rfc2.eml. I renamed
Rfc2.eml to RfcNoLf.eml.

Now, to get IIS SMTP to actually process the file, you must edit each file,
remove the single Cr or Lf and press the Enter key, producing a CrLf
pair after the To field and the From field. I also added the string "No Cr"
to the end of the subject of RfcNoCr.eml and added "No Lf" to the subject of
RfcNoLf.eml. So, for example, change:
--------------------
From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>[Cr]To:
"[EMAIL PROTECTED]"[Cr]Subject: Test Attachment Pass-Through on RFC
Violation[Cr]<line continues>
--------------------
Change to
--------------------
From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]"
Subject: Test Attachment Pass-Through on RFC Violation No Cr[Cr]<line
continues>
--------------------

Now it so happens, a long time ago, I wrote a couple of tests to detect
these RFC violations, so first I had to disable them in my GLOBAL.CFG, which
I did by commenting them out. Note that I also BAN the .EXE extension and I
left that enabled.

Now copy and paste the two files into the pickup directory of your favorite
IIS SMTP server. Voila, you just passed an executable through
Declude and through your mail server. That executable could very well have
been a virus.

Note that Declude detected RfcNoLf.eml as [Outlook 'CR' Vulnerability]. OK,
good.

But Declude let RfcNoCr.eml pass straight through without calling the virus
scanners, because Declude did NOT see an attachment. Also, because Declude
did not see an attachment, Declude did not ban the .EXE extension.
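
The failure mode above comes down to which line terminators the scanner
splits on. As an added example (not part of the original post or of
Declude), this Python builds a small constructed MIME message with one
attachment, derives the bare-LF and bare-CR variants, and shows that a
strict CRLF-only splitter finds no attachment in either variant while a
tolerant splitter does. It also shows the line-ending check that a test for
these RFC violations would express. Message content and names are made up.

```python
import re

# Constructed sample message (not from the original post): a small MIME
# message with one attachment, written with proper CRLF line endings.
SAMPLE_CRLF = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Test Attachment Pass-Through\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="uptime.exe"\r\n'
    b'Content-Disposition: attachment; filename="uptime.exe"\r\n'
    b"\r\n"
    b"TVqQAAMAAAAEAAAA\r\n"
    b"--XYZ--\r\n"
)
# The two RFC-violating variants the post describes: every CR stripped
# (bare LF terminators) and every LF stripped (bare CR terminators).
SAMPLE_NO_CR = SAMPLE_CRLF.replace(b"\r", b"")
SAMPLE_NO_LF = SAMPLE_CRLF.replace(b"\n", b"")

def line_ending_report(data: bytes) -> dict:
    """Count CRLF pairs, bare LFs and bare CRs in a raw message."""
    crlf = data.count(b"\r\n")
    bare_lf = data.count(b"\n") - crlf
    bare_cr = data.count(b"\r") - crlf
    return {"crlf": crlf, "bare_lf": bare_lf, "bare_cr": bare_cr}

def attachment_names(data: bytes, strict_crlf: bool) -> list:
    """Filenames from Content-Disposition: attachment headers.
    strict_crlf=True splits only on CRLF (what a strict scanner sees);
    False splits on CRLF, LF or CR (what a tolerant MTA or client sees)."""
    lines = data.split(b"\r\n") if strict_crlf else re.split(rb"\r\n|\n|\r", data)
    names = []
    for line in lines:
        m = re.match(rb'Content-Disposition:\s*attachment;.*filename="([^"]+)"',
                     line, re.I)
        if m:
            names.append(m.group(1).decode())
    return names

def is_rfc_violation(data: bytes) -> bool:
    """The check a line-ending test would express: any bare CR or bare LF."""
    r = line_ending_report(data)
    return r["bare_lf"] > 0 or r["bare_cr"] > 0
```

A message that fails is_rfc_violation is exactly the kind a strict scanner
will misparse, so rejecting or flagging it before the virus scan runs closes
the gap the post demonstrates.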

Here are the log entries from RfcNoLf.eml
--------------------
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Scanning Time: 218ms [kernel=31 user=187]
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Virus scanner 1 reports exit code of 0
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Virus detected. Not continuing with remaining scanners.
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd 0:
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Starting EXT check .
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\*.*
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd 0
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Deleted C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\0.
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd report.txt
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Deleted C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\report.txt.
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd han=13e9c0 b=False
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0]
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd High code=23.
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd AV returned 23
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Scanned: CONTAINS A VIRUS
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from XX.XXX.XXX.X]
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Subject: Test Attachment Pass-Through on RFC Violation No Lf
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Skipping non-AV E-mail BANnotify.eml
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\Declude\postmaster.eml
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Starting E-mail file C:\IMAIL\Declude\postmaster.eml
10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\IMail1.exe -h "mathbox.com" -t "[EMAIL PROTECTED]" -u "[EMAIL PROTECTED]" -s "Mathbox Email Virus Scanning detected and quarantined a virus" -f "C:\IMAIL\spool\proc\work\D1b2101b7000083ba.sm0"
10/19/2006 20:41:23.487 q1b2101b7000083ba.smd TempName = C:\IMAIL\Declude\postmaster.eml
--------------------

Here are the log entries from RfcNoCr.eml
--------------------
10/19/2006 20:41:10.690 q1b2101da000083bb.smd Setting Scan File 1 to C:\Progra~1\FSI\F-Prot\FPcmd.exe /TYPE /SILENT /SERVER /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd CFG: Setting report parse 1 to Infection.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting Scan File 2 to C:\imail\declude\runclamscan.exe log=3 C:\clamav-devel\bin\clamscan.exe --quiet --no-summary --tempdir=c:\tmp\ --database=C:\clamav-devel\share\clamav\ --max-ratio=0 --mbox -l report.txt.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd CFG: Setting report parse 2 to FOUND.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting virus directory to: C:\IMAIL\spool\virus
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Incoming E-mail scanning turned ON
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Outgoing E-mail scanning turned ON
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting AVAFTERJM to ON.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting MAXATONCE to 20.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting scanner timeout to 120 seconds
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting AUTOFORGE to OFF.
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Scanner 0 Virus Codes: 3 6 8 9 10 .  OK Codes:
10/19/2006 20:41:10.721 q1b2101da000083bb.smd Scanner 1 Virus Codes: 1 .  OK Codes:
10/19/2006 20:41:10.908 q1b2101da000083bb.smd Skip Extensions: GIF TXT MPG PNG
10/19/2006 20:41:10.955 q1b2101da000083bb.smd 48 Ban Extensions: ADE ADP ASD ASP BAS BAT BIN CAB CHM CMD COM CPL CRT DLL EXE HLP HTA HTO INF INS ISP JS JSC JSE KSH LNK MDB MDE MSI OCX PCD PIF REG SCF SCR SCT SHB SHS SYS VB VBE VBS VBX VSMACROS VXD WSC WSF WSH
10/19/2006 20:41:11.002 q1b2101da000083bb.smd Virus Pro Registered
10/19/2006 20:41:11.018 q1b2101da000083bb.smd Starting locality check (sender=mathbox.com; nr=1 ca=off). nHas=1.
10/19/2006 20:41:11.018 q1b2101da000083bb.smd [EMAIL PROTECTED] [0-0] is local domain1 viaFM
10/19/2006 20:41:11.018 q1b2101da000083bb.smd Ending locality check (cached), sender=local.
10/19/2006 20:41:11.018 q1b2101da000083bb.smd Local host = mathbox.com
10/19/2006 20:41:11.018 q1b2101da000083bb.smd [EMAIL PROTECTED] Offset=5 Flags=1
10/19/2006 20:41:11.033 q1b2101da000083bb.smd Msgid:
10/19/2006 20:41:11.049 q1b2101da000083bb.smd Subject: Test Attachment Pass-Through on RFC Violation No Cr
--------------------


Here is the script to strip Cr or Lf; to strip Lf instead, just change the
vbCr below to vbLf. Save it as Rfc.vbs:
--------------------
' Rfc.vbs: strip every carriage return (or, with vbLf, every line feed)
' from Rfc.eml and write the result to Rfc2.eml.
Dim InFile
Dim OutFile
Dim Fso, File
Dim AllText

InFile = "Rfc.eml"
OutFile = "Rfc2.eml"

Set Fso = CreateObject("Scripting.FileSystemObject")
If Fso.FileExists( InFile ) = True Then
  ' Read the whole message as text (1 = ForReading, 0 = ASCII)
  Set File = Fso.OpenTextFile( InFile, 1, False, 0 )
  AllText = File.ReadAll
  File.Close
  Set File = Nothing
  ' Change vbCr to vbLf here to strip line feeds instead of carriage returns
  AllText = Replace( AllText, vbCr, "" )
  ' Write the result (2 = ForWriting, True = create the file if missing)
  Set File = Fso.OpenTextFile( OutFile, 2, True, 0 )
  File.Write AllText
  File.Close
  Set File = Nothing
End If
Set Fso = Nothing
--------------------


Finally, if you want to test for these RFC violations, see
http://www.mathbox.com/NoCrTest/NoCrTest.zip


Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.