RE: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
David, with your version of Declude Virus, you'd have to turn off all 10 of the CR vulnerability checks at one go. I'm at the same or similar version, and that's what I've decided to do.

This directive goes in your virus.cfg:

BANCRVIRUSESOFF

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Thursday, August 11, 2005 10:11 PM
To: Matt
Subject: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

Thursday, August 11, 2005, 8:50:32 PM, Matt wrote:

> With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.

Unfortunately, I'm still at 1.82 due to budget limitations ... our new budget kicks in December, and I'm still debating if I should upgrade Imail and Declude or switch to Smartmail and Declude (definitely will be staying with Declude virus/spam) ... I thought there was a way to turn off the testing with 1.82 too, but couldn't find it in the control file ??

> If there was ever an exploit spreading actively in the wild, I would rethink my position. I believe that Microsoft has long since patched the flaw, though it can certainly cause parsing issues in virus scanners that could lead to missing the payloads due to a message that was improperly formatted.

My experience is similar, but 99% of the stuff caught has been spam anyway, so I haven't worried about it ... when I realized today it had caught a legitimate email, I was worried. Anyone know if there is a way to turn this off in 1.82??

-
Internet Dental Forum www.internetdentalforum.net
Dentalcast Podcast www.dentalcast.net

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thursday, August 11, 2005, 10:50:32 PM, Matt [EMAIL PROTECTED] wrote:

> David,
> With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.

Which ones have you turned off and what is the syntax to use?

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
RE: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
John, if I turn it off ... what else is being turned off, all of the vulnerability tests?? I couldn't even find a switch for that ...

-- Original Message --
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
Reply-To: Declude.Virus@declude.com
Date: Fri, 12 Aug 2005 00:14:16 -0700

> In older versions, it is off all or on all.
>
> John T
> eServices For You
Re[4]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thursday, August 11, 2005, 11:43:50 PM, Colbeck, Andrew wrote:

> David, with your version of Declude Virus, you'd have to turn off all 10 of the CR vulnerability checks at one go. I'm at the same or similar version, and that's what I've decided to do.
>
> This directive goes in your virus.cfg:
>
> BANCRVIRUSESOFF

I understand I'm putting myself at some risk by doing this, but is it great?
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Here's what I turned off:

ALLOWVULNERABILITYOLCR
ALLOWVULNERABILITYOLSPACEGAP
ALLOWVULNERABILITYOLMIMESEGMIMEPRE
ALLOWVULNERABILITYOLMIMESEGMIMEPOST
ALLOWVULNERABILITYOLLONGFILENAME
ALLOWVULNERABILITYOLBLANKFOLDING
ALLOWVULNERABILITYOBJECTDATA
ALLOWVULNERABILITYOLBOUNDARYSPACEGAP

This only works with 2.0.6.14+. There are more that are listed when you log into your account on declude.com and go to the page for 2.0.6.16. All of the above were producing repeated false positives from multiple sources, and ones like OLCR were especially problematic.

Matt

Don Brown wrote:

> Thursday, August 11, 2005, 10:50:32 PM, Matt [EMAIL PROTECTED] wrote:
>
> > David,
> > With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.
>
> Which ones have you turned off and what is the syntax to use?
>
> Don Brown - Dallas, Texas USA
> Internet Concepts, Inc.
> [EMAIL PROTECTED] http://www.inetconcepts.net
> (972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thanks.

Friday, August 12, 2005, 9:47:16 AM, Matt [EMAIL PROTECTED] wrote:

> Here's what I turned off:
>
> ALLOWVULNERABILITYOLCR
> ALLOWVULNERABILITYOLSPACEGAP
> ALLOWVULNERABILITYOLMIMESEGMIMEPRE
> ALLOWVULNERABILITYOLMIMESEGMIMEPOST
> ALLOWVULNERABILITYOLLONGFILENAME
> ALLOWVULNERABILITYOLBLANKFOLDING
> ALLOWVULNERABILITYOBJECTDATA
> ALLOWVULNERABILITYOLBOUNDARYSPACEGAP
>
> This only works with 2.0.6.14+. There are more that are listed when you log into your account on declude.com and go to the page for 2.0.6.16. All of the above were producing repeated false positives from multiple sources, and ones like OLCR were especially problematic.
>
> Matt
>
> Don Brown wrote:
>
> > Thursday, August 11, 2005, 10:50:32 PM, Matt [EMAIL PROTECTED] wrote:
> >
> > > David,
> > > With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.
> >
> > Which ones have you turned off and what is the syntax to use?
> >
> > Don Brown - Dallas, Texas USA
> > Internet Concepts, Inc.
> > [EMAIL PROTECTED] http://www.inetconcepts.net
> > (972) 788-2364 Fax: (972) 788-5049

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
[Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Had email from a company today (Photodex) rejected due to the Outlook 'CR' Vulnerability but from the headers it looks like the email originated from Thunderbird as the email client ... see headers below ...

Is it time to drop the Outlook vulnerability test??

David

Received: from eman.photodex.com [64.132.190.157] by drdodell.com (SMTPD32-8.05) id AB6E1D23028A; Thu, 11 Aug 2005 10:31:26 -0700
Received: (qmail 7712 invoked from network); 11 Aug 2005 17:31:26 -
X-AntiVirus: gadoyanvirus 0.3
Received: from unknown (HELO ?10.10.0.149?) (10.10.0.149) by eman.vpn.photodex.com with SMTP; 11 Aug 2005 17:31:26 -
Message-ID: [EMAIL PROTECTED]
X-Photodex-Original-Date: Thu, 11 Aug 2005 12:32:11 -0500
From: Photodex Corporation - Chris [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Re: ProShow Gold Support Request
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 11 Aug 2005 12:31:26 -0500

David,

X-Declude-Sender: [EMAIL PROTECTED] [64.132.190.157]
X-Spam-Tests-Failed: None [0]
X-Country-Chain:
X-Note: This E-mail was sent from ([64.132.190.157]).
X-Hello:
X-Declude-Virus: Detected [ Outlook 'CR' Vulnerability].

-
Internet Dental Forum www.internetdentalforum.net
Dentalcast Podcast www.dentalcast.net
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
David,

With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.

As far as this message goes, it is almost definitely their antivirus scanning product that munged the headers (X-AntiVirus: gadoyanvirus 0.3), but it could be something else that adds or rewrites headers. They certainly look strange to me, and possibly not RFC compliant outside of the CR issues.

Thunderbird definitely has no issues with this, nor does almost every legitimate E-mail client out there, but people that script E-mail generation (especially PHP stuff) or use obscure products seem to have issues with this frequently enough that it is not worth the trouble.

If there was ever an exploit spreading actively in the wild, I would rethink my position. I believe that Microsoft has long since patched the flaw, though it can certainly cause parsing issues in virus scanners that could lead to missing the payloads due to a message that was improperly formatted.

Matt

David Dodell wrote:

> Had email from a company today (Photodex) rejected due to the Outlook 'CR' Vulnerability but from the headers it looks like the email originated from Thunderbird as the email client ... see headers below ...
>
> Is it time to drop the Outlook vulnerability test??
>
> David
>
> Received: from eman.photodex.com [64.132.190.157] by drdodell.com (SMTPD32-8.05) id AB6E1D23028A; Thu, 11 Aug 2005 10:31:26 -0700
> Received: (qmail 7712 invoked from network); 11 Aug 2005 17:31:26 -
> X-AntiVirus: gadoyanvirus 0.3
> Received: from unknown (HELO ?10.10.0.149?) (10.10.0.149) by eman.vpn.photodex.com with SMTP; 11 Aug 2005 17:31:26 -
> Message-ID: [EMAIL PROTECTED]
> X-Photodex-Original-Date: Thu, 11 Aug 2005 12:32:11 -0500
> From: Photodex Corporation - Chris [EMAIL PROTECTED]
> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> Subject: Re: ProShow Gold Support Request
> References: [EMAIL PROTECTED]
> In-Reply-To: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> Date: Thu, 11 Aug 2005 12:31:26 -0500
>
> David,
>
> X-Declude-Sender: [EMAIL PROTECTED] [64.132.190.157]
> X-Spam-Tests-Failed: None [0]
> X-Country-Chain:
> X-Note: This E-mail was sent from ([64.132.190.157]).
> X-Hello:
> X-Declude-Virus: Detected [ Outlook 'CR' Vulnerability].
>
> -
> Internet Dental Forum www.internetdentalforum.net
> Dentalcast Podcast www.dentalcast.net
Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thursday, August 11, 2005, 8:50:32 PM, Matt wrote:

> With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.

Unfortunately, I'm still at 1.82 due to budget limitations ... our new budget kicks in December, and I'm still debating if I should upgrade Imail and Declude or switch to Smartmail and Declude (definitely will be staying with Declude virus/spam) ... I thought there was a way to turn off the testing with 1.82 too, but couldn't find it in the control file ??

> If there was ever an exploit spreading actively in the wild, I would rethink my position. I believe that Microsoft has long since patched the flaw, though it can certainly cause parsing issues in virus scanners that could lead to missing the payloads due to a message that was improperly formatted.

My experience is similar, but 99% of the stuff caught has been spam anyway, so I haven't worried about it ... when I realized today it had caught a legitimate email, I was worried. Anyone know if there is a way to turn this off in 1.82??

-
Internet Dental Forum www.internetdentalforum.net
Dentalcast Podcast www.dentalcast.net
[Declude.Virus] Outlook CR Vulnerability Checker?
Hello,

is there a tool to check mail for Outlook Vulnerabilities? Not Declude, a command line tool that tells me the line or something like that. We are getting many of them, from small, big and bigger companies. Or anything I can see/do?

Alex

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
[Declude.Virus] Outlook 'CR' Vulnerability
Does an Outlook 'CR' Vulnerability virus alert always mean malicious intent? It seems that a lot of possible spam gets flagged like this.

Dan
Re: [Declude.Virus] Outlook 'CR' Vulnerability
> Does an Outlook 'CR' Vulnerability virus alert always mean malicious intent? It seems that a lot of possible spam gets flagged like this.

It doesn't always mean malicious intent -- it does, however, indicate that it is not possible to automatically detect whether or not the E-mail is malicious (and therefore it should be assumed that the E-mail is malicious until proven otherwise, even though it probably was just poorly constructed).

-Scott
Re: [Declude.Virus] Outlook 'CR' vulnerability
We have the same problem... Please let me know if you found a workaround...

Thanks !

Stef

- Original Message -
From: David Lewis-Waller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 5:22 AM
Subject: [Declude.Virus] Outlook 'CR' vulnerability

A company recently complained to us that emails they send were being trapped by Declude Virus marked as having an Outlook 'CR' vulnerability. I checked on this and could not find a CR in the subject line of several emails from them held in the virus directory - any clues?

David
Re: [Declude.Virus] Outlook 'CR' vulnerability
> We have the same problem... Please let me know if you found a workaround...

The only workarounds are:

[1] To have the sender fix the problem, and stop sending dangerous vulnerabilities, or

[2] Disable vulnerability detection, and allow future viruses to be delivered unscanned.

Given the severity of #2, we strongly recommend that people go with option #1 and prevent the vulnerability from being sent.

-Scott
[Declude.Virus] Outlook 'CR' Vulnerability
During the last 8 hours, Declude Virus has caught 4 messages with the Outlook CR Vulnerability. While this in itself is a little different, as usually I only see 4 in 7 days, what really makes these stand out is they all have subject lines related to adult material.

Each one is addressed to a different user on a different virtual domain. Each one comes from a different IP address range. The only thing I can see they have in common is the Outlook CR Vulnerability.

Has anyone else seen this pattern? Could this be some kind of new virus?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
RE: [Declude.Virus] Outlook 'CR' Vulnerability
I see them once or twice a day to the same two users on the same virtual domain. They always contain adult material.

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-owner;declude.com] On Behalf Of John Tolmachoff
Sent: Tuesday, November 12, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Outlook 'CR' Vulnerability

During the last 8 hours, Declude Virus has caught 4 messages with the Outlook CR Vulnerability. While this in itself is a little different, as usually I only see 4 in 7 days, what really makes these stand out is they all have subject lines related to adult material.

Each one is addressed to a different user on a different virtual domain. Each one comes from a different IP address range. The only thing I can see they have in common is the Outlook CR Vulnerability.

Has anyone else seen this pattern? Could this be some kind of new virus?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

---
[This E-mail is scanned for viruses by Ucopian Networks Inc] [http://www.ucopiannetworks.com]
RE: [Declude.Virus] Outlook 'CR' Vulnerability
John,

I've seen a TON of these... What I've noticed is that there is always one letter missing in the subject line... Usually at the beginning... This also piqued my curiosity... But I haven't been able to figure out why/what it is...

-Russ

-Original Message-
From: John Tolmachoff [mailto:jtolmachoff;reliancesoft.com]
Sent: Tuesday, November 12, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Outlook 'CR' Vulnerability

During the last 8 hours, Declude Virus has caught 4 messages with the Outlook CR Vulnerability. While this in itself is a little different, as usually I only see 4 in 7 days, what really makes these stand out is they all have subject lines related to adult material.

Each one is addressed to a different user on a different virtual domain. Each one comes from a different IP address range. The only thing I can see they have in common is the Outlook CR Vulnerability.

Has anyone else seen this pattern? Could this be some kind of new virus?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

---
[This E-mail scanned for viruses by Declude Virus]
---
CONFIDENTIALITY NOTICE: This email and any attachments are for the exclusive and confidential use of the intended recipient. If you are not the intended recipient, please do not read, distribute or take action in reliance upon this message. If you have received this in error, please notify us immediately by return email and promptly delete this message and its attachments from your computer system.
RE: [Declude.Virus] Outlook 'CR' Vulnerability
I should also add that they do not have a valid sender.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.Virus] Outlook 'CR' Vulnerability
> Can anyone tell me what the [Outlook 'CR' Vulnerability] is and where to find information on it to give to the customer. I am running f-prot 3.12 as the scanner

The issue is that there is a header with an illegal character in it (a carriage return, rather than the carriage return + linefeed that indicates the end of a line). There is no valid reason to have such a character in the headers, and it violates RFC specs (and would be reason to fail the BADHEADERS test in Declude JunkMail, although that is not currently tested for).

Having such a character in the headers causes a fork in processing the E-mail -- some programs (AV scanners or mail clients) will handle the headers correctly, others (Outlook) will not, and will process the E-mail very differently (with extra headers that don't really exist, without headers that do exist, and even creating non-existent attachments with very real viruses). As a result, having such a character bypasses security mechanisms.

http://www.openoffice.nl/special_interest/outlookbug.html has more information on this issue.

-Scott

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Outlook-CR vulnerability
I will do - virtually *every* instance I've seen so far has been legitimate email.

At 10:11 AM 4/16/2002, John Tolmachoff wrote:

> From what Scott Perry has said before is that he has not seen any legitimate e-mail with the CR vulnerability. If you do have evidence of legitimate e-mail that does have the CR vulnerability, you might want to forward those examples directly to him so he can review them.
>
> John Tolmachoff
> IT Manager, Network Engineer
> 211 E. Imperial Hwy., Suite 106
> Fullerton, CA 92835
> 714-578-7999, ext. 104
> [EMAIL PROTECTED]
> www.reliancesoft.com
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
> Sent: Tuesday, April 16, 2002 5:11 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Outlook-CR vulnerability
>
> Might I make this suggestion for detecting the Outlook-CR vulnerability, to try to attempt to reduce the false positives (which seem to be close to 100% at this point):
>
> Whenever a CR without a LF is seen, check the message header to see if a BEGIN ... is actually enclosed within it, indicating that a payload actually exists. If not, perhaps a different notification could be made, so we can determine whether to simply warn, or quarantine based on the analysis.
>
> Right now, I've had to turn off the Outlook-CR check altogether, because of too many complaints from users who are getting virus warnings (as well as their senders) instead of their valid, non-infected, albeit header-munged messages.
>
> ___
> Scott MacLean
> [EMAIL PROTECTED]
> ICQ: 9184011
> http://www.nerosoft.com

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
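An added example, not part of any message in this thread and not Declude's code: a small command-line check of the kind asked about earlier in the thread, which reports each header line containing a carriage return with no linefeed after it (the fault described in the explanation above) and applies the warn-or-quarantine split suggested in the message just above. Reading "BEGIN ..." as a uuencode `begin <mode> <name>` line is an assumption, and every name and the sample message are constructed.

```python
"""Report bare CR bytes (CR with no LF after it) in a mail header block."""
import re
import sys
from dataclasses import dataclass

EOL = re.compile(rb"\r?\n")                     # real line ending: CRLF or lone LF
END_OF_HEADERS = re.compile(rb"\r?\n\r?\n")     # first empty line ends the headers
FIELD = re.compile(rb"([!-9;-~]+)[ \t]*:")      # header field name and its colon
UU_BEGIN = re.compile(rb"begin [0-7]{3,4} \S")  # assumed reading of "BEGIN ..."

# Constructed sample message: header line 3 carries a bare CR inside Subject.
SAMPLE = (
    b"Received: from mail.example.org by mx.example.net; "
    b"Thu, 11 Aug 2005 10:31:26 -0700\r\n"
    b"From: sender@example.org\r\n"
    b"Subject: Re: support request\rX-Extra: value\r\n"
    b"MIME-Version: 1.0\r\n"
    b"\r\n"
    b"A lone \r in the body is outside the headers and is not reported.\r\n"
)


@dataclass
class Finding:
    line_no: int  # 1-based line number within the header block
    offset: int   # 0-based byte offset of the bare CR within that line
    field: str    # header field the line belongs to
    after: str    # text after the CR: "uuencode-begin", "header-like" or "other"


def header_block(raw: bytes) -> bytes:
    """Return the headers as a strict parser delimits them."""
    if EOL.match(raw):              # message starts with an empty line
        return b""
    m = END_OF_HEADERS.search(raw)
    return raw[:m.start()] if m else raw


def scan_headers(raw: bytes) -> list:
    """List every bare CR found in the header block."""
    findings = []
    field = "(none)"
    for line_no, line in enumerate(EOL.split(header_block(raw)), start=1):
        m = FIELD.match(line)
        if m:                       # folded continuation lines keep the old field
            field = m.group(1).decode("ascii")
        # CRLF pairs were consumed by the split, so any CR left here is bare.
        for cr in re.finditer(rb"\r", line):
            rest = line[cr.end():].split(b"\r", 1)[0]
            if UU_BEGIN.match(rest):
                after = "uuencode-begin"
            elif FIELD.match(rest):
                after = "header-like"
            else:
                after = "other"
            findings.append(Finding(line_no, cr.start(), field, after))
    return findings


def triage(raw: bytes) -> str:
    """Warn on any bare CR; quarantine when a begin line sits behind one."""
    findings = scan_headers(raw)
    if not findings:
        return "clean"
    if any(f.after == "uuencode-begin" for f in findings):
        return "quarantine"
    return "warn"


def main(argv) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:   # raw message file, e.g. a saved .eml
            raw = fh.read()
    else:
        raw = SAMPLE
    for f in scan_headers(raw):
        print(f"header line {f.line_no}, byte {f.offset}, field {f.field}: "
              f"bare CR followed by {f.after} text")
    verdict = triage(raw)
    print("verdict:", verdict)
    return 0 if verdict == "clean" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The file must be read in binary mode, as here, because text-mode reading translates line endings and hides the byte being looked for.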
Re: [Declude.Virus] Outlook 'CR' Vulnerability
I agree with Mike completely. Somewhere way down near the bottom of the requested new features I'd like to add: ability to turn off some or all of the virus .eml notifications if the Outlook 'CR' Vulnerability is the only test failed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Nice
Sent: Saturday, February 23, 2002 8:55 PM
To: [EMAIL PROTECTED]
Subject: Re: MISSING_REVERSE_DNS:Re: [Declude.Virus] Outlook 'CR' Vulnerability

I had a mini panic attack at all the spam it was catching as Outlook CR. I envisioned a bunch of list servers also using this formatting. However in practice, it is only the cheapest spamware that does this, so I left the option enabled. It makes a great mini-spamcatcher as well as blocking a potential virus problem.

Thanks to Scott for giving us the tools to quickly address the vulnerability.

Mike Nice

- Original Message -

I'm not surprised that there is some spam out there that has this flaw. I haven't heard of a case yet where legitimate mail was sent that way (and even if it was, the sender would need to fix the problem on their end).