Ruben,

In your Virus.cfg file, add the following line:

   ALLOWVULNERABILITY    OLBLANKFOLDING

This will turn off this vulnerability detection. There have been no viruses that I know of that have exploited this flaw, and it is quite possible that this flaw no longer exists since it is around 5 years old now. You might also want to consider turning off other vulnerability detections due to the propensity of them hitting legitimate E-mail. Here's a list:

   BANPARTIAL    OFF
   ALLOWVULNERABILITY    OLCR
   ALLOWVULNERABILITY    OLSPACEGAP
   ALLOWVULNERABILITY    OLMIMESEGMIMEPRE
   ALLOWVULNERABILITY    MIMESEGMIMEPOST
   ALLOWVULNERABILITY    OLLONGFILENAME
   ALLOWVULNERABILITY    OLBLANKFOLDING
   ALLOWVULNERABILITY    OBJECTDATA
   ALLOWVULNERABILITY    OLBOUNDARYSPACEGAP
   ALLOWVULNERABILITY    OLMIMEHEADER
   ALLOWVULNERABILITY    OLLONGBOUNDARY


Matt



Mon Mariola - Rubén wrote:

The program "incredimail" generates subjects, in certain cases, ended with "0D 0A 09 0D 0A." These messages are captured by Declude virus like "Outlook 'Blank Folding' Vulnerability". I want to send a letter requesting to technical support solve this problem, but I really do not see the point 3.2.3 in RFC 822 indicating that this is not allowed.

Thank you.
Ruben Marti.
Mon Mariola, S.L.

From Declude manual:

Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there is a line in the headers with just a single space or a single tab character. Outlook can treat this as the end of the headers, allowing it to see a virus that is embedded in the headers. RFC822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab (note that it is OK to have a line with a single space or tab in the E-mail body, just not the headers).



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

Reply via email to