Hi All, Well, when responding on Junkmail to Will about RFC violations, I said I would test this and I did. -------------------- While writing this message, I happened to think about attachments. It would appear to me, that there is an implied possibility for attachments and therefore viruses to pass through undetected. All that should be required is that the lines that make up the entire email, including the attachment section, be terminated with line feeds instead of carriage return/line feed pairs. Under such condition, Declude would see only one line and not find the relevant sections. I will test this possibility. --------------------
Tested: Declude v3.1.1 for IMail As it happens, my suspicions were accurate. I wrote a script that could be modified to remove either the carriage-returns or the line-feeds from a message file. I then created a message in Outlook Express, added an executable file (uptime.exe) as an attachment and saved it in my Draft folder. I then dragged that message to the same location as the script and renamed it to match the file name in the script (Rfc.eml) I ran the script, which stripped the carriage-returns and produced Rfc2.eml. I renamed Rfc2.eml to RfcNoCr.eml. In the script, I then changed vbCr to vbLf and ran it again, which stripped the line-feeds and produced Rfc2.eml. I renamed Rfc2.eml to RfcNoLf.eml. Now, to get IIS SMTP to actually process the file, you must edit each file and remove the single Cr or Lf and press the Enter Key, producing a CrLf pair after the To field and the From field. I also added the string "No Cr" to the end of the subject of RfcNoCr.eml and added No Lf to the subject of RfcNoLf.eml. So for example change: -------------------- From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>[Cr]To: "[EMAIL PROTECTED]"[Cr]Subject: Test Attachment Pass-Through on RFC Violation[Cr]<line continues> -------------------- Change To -------------------- From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]> To: "[EMAIL PROTECTED]" Subject: Test Attachment Pass-Through on RFC Violation No Cr[Cr]<line continues> -------------------- Now it so happens, a long time ago, I wrote a couple of tests to detect these RFC violations, so first I had to disable them in my GLOBAL.CFG, which I did by commenting them out. Note that I also BAN the .EXE extension and I left that enabled. Now copy and paste the two files into the pickup directory of your favorite IIS SMTP pickup directory. Viola, you just passed an executable through Declude and through your mail server. That executable could very well have been a virus. Note that Declude detected RfcNoLf.eml as [Outlook 'CR' Vulnerability]. Ok good. But Declude let RfcNoCr.eml pass straight through without calling the virus scanners, because Declude did NOT see an attachment. Also, because Declude did not see an attachment, Declude did not ban the .EXE extension. Here are the log entries from RfcNoLf.eml -------------------- 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Scanning Time: 218ms [kernel=31 user=187] 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Virus scanner 1 reports exit code of 0 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Virus detected. Not continuing with remaining scanners. 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd 0: 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Starting EXT check . 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\*.* 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd 0 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Deleted C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\0. 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd report.txt 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Deleted C:\IMAIL\spool\proc\work\D1b2101b7000083ba.vir\report.txt. 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd han=13e9c0 b=False 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0] 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd High code=23. 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd AV returned 23 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Scanned: CONTAINS A VIRUS 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from XX.XXX.XXX.X] 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Subject: Test Attachment Pass-Through on RFC Violation No Lf 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Skipping non-AV E-mail BANnotify.eml 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\Declude\postmaster.eml 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd Starting E-mail file C:\IMAIL\Declude\postmaster.eml 10/19/2006 20:41:23.471 q1b2101b7000083ba.smd C:\IMAIL\IMail1.exe -h "mathbox.com" -t "[EMAIL PROTECTED]" -u "[EMAIL PROTECTED]" -s "Mathbox Email Virus Scanning detected and quarantined a virus" -f "C:\IMAIL\spool\proc\work\D1b2101b7000083ba.sm0" 10/19/2006 20:41:23.487 q1b2101b7000083ba.smd TempName = C:\IMAIL\Declude\postmaster.eml -------------------- Here are the log entries from RfcNoCr.eml -------------------- 10/19/2006 20:41:10.690 q1b2101da000083bb.smd Setting Scan File 1 to C:\Progra~1\FSI\F-Prot\FPcmd.exe /TYPE /SILENT /SERVER /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd CFG: Setting report parse 1 to Infection. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting Scan File 2 to C:\imail\declude\runclamscan.exe log=3 C:\clamav-devel\bin\clamscan.exe --quiet --no-summary --tempdir=c:\tmp\ --database=C:\clamav-devel\share\clamav\ --max-ratio=0 --mbox -l report.txt. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd CFG: Setting report parse 2 to FOUND. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting virus directory to: C:\IMAIL\spool\virus 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Incoming E-mail scanning turned ON 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Outgoing E-mail scanning turned ON 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting AVAFTERJM to ON. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting MAXATONCE to 20. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting scanner timeout to 120 seconds 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Setting AUTOFORGE to OFF. 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Scanner 0 Virus Codes: 3 6 8 9 10 . OK Codes: 10/19/2006 20:41:10.721 q1b2101da000083bb.smd Scanner 1 Virus Codes: 1 . OK Codes: 10/19/2006 20:41:10.908 q1b2101da000083bb.smd Skip Extensions: GIF TXT MPG PNG 10/19/2006 20:41:10.955 q1b2101da000083bb.smd 48 Ban Extensions: ADE ADP ASD ASP BAS BAT BIN CAB CHM CMD COM CPL CRT DLL EXE HLP HTA HTO INF INS ISP JS JSC JSE KSH LNK MDB MDE MSI OCX PCD PIF REG SCF SCR SCT SHB SHS SYS VB VBE VBS VBX VSMACROS VXD WSC WSF WSH 10/19/2006 20:41:11.002 q1b2101da000083bb.smd Virus Pro Registered 10/19/2006 20:41:11.018 q1b2101da000083bb.smd Starting locality check (sender=mathbox.com; nr=1 ca=off). nHas=1. 10/19/2006 20:41:11.018 q1b2101da000083bb.smd [EMAIL PROTECTED] [0-0] is local domain1 viaFM 10/19/2006 20:41:11.018 q1b2101da000083bb.smd Ending locality check (cached), sender=local. 10/19/2006 20:41:11.018 q1b2101da000083bb.smd Local host = mathbox.com 10/19/2006 20:41:11.018 q1b2101da000083bb.smd [EMAIL PROTECTED] Offset=5 Flags=1 10/19/2006 20:41:11.033 q1b2101da000083bb.smd Msgid: 10/19/2006 20:41:11.049 q1b2101da000083bb.smd Subject: Test Attachment Pass-Through on RFC Violation No Cr -------------------- Here is the script to strip Cr or Lf, just change the vbCr below to vbLf. Just save it as: Rfc.vbs -------------------- Dim InFile Dim OutFile Dim Fso, File Dim AllText InFile = "Rfc.eml" OutFile = "Rfc2.eml" Set Fso = CreateObject("Scripting.FileSystemObject") If Fso.FileExists( InFile ) = True Then Set File = Fso.OpenTextFile( InFile, 1, False, 0 ) AllText = File.ReadAll File.Close Set File = Nothing AllText = Replace( AllText, vbCr, "" ) Set File = Fso.OpenTextFile( OutFile, 2, True, 0 ) File.Write AllText File.Close Set File = Nothing End If Set Fso = Nothing -------------------- Finally, if you want to test for these RFC violations, see http://www.mathbox.com/NoCrTest/NoCrTest.zip Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.