[Declude.Virus] What is Partial Vulnerability on a PDF
Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 part and it has a PDF attached to it. --=_NextPart_000_0019_01C4494C.0AFFE0A0 Content-Type: application/octet-stream; name=Report.pdf Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Report.pdf We stopped the 5 e-mails but why would it have triggered on a PDF file? Also how does the client out the PDF back together??? Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] What is Partial Vulnerability on a PDF
Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 part and it has a PDF attached to it. That's the vulnerability -- a single attachment that has been split into multiple E-mails. This was cool in the early 90's to bypass the 50K size limit for E-mails. But today, it is not necessary, and causes a vulnerability (if not blocked, viruses could spread that way). We stopped the 5 e-mails but why would it have triggered on a PDF file? Also how does the client out the PDF back together??? A mail client that gets all 5 parts should (if it supposed split E-mails) be able to automagically put them back together into one E-mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] What is Partial Vulnerability on a PDF
I guess it would be nice to say BANPARTIAL EXE BANPARTIAL COM BANPARTIAL VBS Etc I don't think a PDF can be infected but then again you never know so maybe . In any case it is almost a damned if you do damned if you don't Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, June 03, 2004 3:28 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] What is Partial Vulnerability on a PDF Goran, Outlook/Outlook Express allows a sender to split messages over a certain size into multiple attachments. Messages of this type can bypass virus scanning and therefore represent a vulnerability. I have however personally determined that because it is so easy to turn on, and because I have yet to find any viruses that are currently exploiting this flaw, that it is better to leave it off for now rather than comb over my hold file looking for such messages and alerting those that are set up for this. Scott does provide a stitch for your Virus.cfg that can turn this off with the following: BANPARTIALOFF I don't feel that this is a set it and forget it type of setting, so use at your own risk, and keep your eyes and ears pealed for exploits in the event that a virus does start exploiting the flaw. Thankfully the trickery has gone down since the arrested that German teenager :) Matt Goran Jovanovic wrote: Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 part and it has a PDF attached to it. --=_NextPart_000_0019_01C4494C.0AFFE0A0 Content-Type: application/octet-stream; name=Report.pdf Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Report.pdf We stopped the 5 e-mails but why would it have triggered on a PDF file? Also how does the client out the PDF back together??? Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] What is Partial Vulnerability on a PDF
I think the problem is, that while the extension may show up in one of the 5, it would not be in all 5 and therefore not an accurate test. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, June 03, 2004 12:37 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF I guess it would be nice to say BANPARTIAL EXE BANPARTIAL COM BANPARTIAL VBS Etc I don't think a PDF can be infected but then again you never know so maybe . In any case it is almost a damned if you do damned if you don't Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, June 03, 2004 3:28 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] What is Partial Vulnerability on a PDF Goran, Outlook/Outlook Express allows a sender to split messages over a certain size into multiple attachments. Messages of this type can bypass virus scanning and therefore represent a vulnerability. I have however personally determined that because it is so easy to turn on, and because I have yet to find any viruses that are currently exploiting this flaw, that it is better to leave it off for now rather than comb over my hold file looking for such messages and alerting those that are set up for this. Scott does provide a stitch for your Virus.cfg that can turn this off with the following: BANPARTIALOFF I don't feel that this is a set it and forget it type of setting, so use at your own risk, and keep your eyes and ears pealed for exploits in the event that a virus does start exploiting the flaw. Thankfully the trickery has gone down since the arrested that German teenager :) Matt Goran Jovanovic wrote: Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 part and it has a PDF attached to it. --=_NextPart_000_0019_01C4494C.0AFFE0A0 Content-Type: application/octet-stream; name=Report.pdf Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Report.pdf We stopped the 5 e-mails but why would it have triggered on a PDF file? Also how does the client out the PDF back together??? Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] What is Partial Vulnerability on a PDF
Yes I looked again and you are right. So Declude would have to keep track of e-mail to e-mail and possible out of sequence and different clients marking the split stuff in different ways On/Off switch is the way to go (unfortunately) Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Thursday, June 03, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF I think the problem is, that while the extension may show up in one of the 5, it would not be in all 5 and therefore not an accurate test. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, June 03, 2004 12:37 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF I guess it would be nice to say BANPARTIAL EXE BANPARTIAL COM BANPARTIAL VBS Etc I don't think a PDF can be infected but then again you never know so maybe . In any case it is almost a damned if you do damned if you don't Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, June 03, 2004 3:28 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] What is Partial Vulnerability on a PDF Goran, Outlook/Outlook Express allows a sender to split messages over a certain size into multiple attachments. Messages of this type can bypass virus scanning and therefore represent a vulnerability. I have however personally determined that because it is so easy to turn on, and because I have yet to find any viruses that are currently exploiting this flaw, that it is better to leave it off for now rather than comb over my hold file looking for such messages and alerting those that are set up for this. Scott does provide a stitch for your Virus.cfg that can turn this off with the following: BANPARTIALOFF I don't feel that this is a set it and forget it type of setting, so use at your own risk, and keep your eyes and ears pealed for exploits in the event that a virus does start exploiting the flaw. Thankfully the trickery has gone down since the arrested that German teenager :) Matt Goran Jovanovic wrote: Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 part and it has a PDF attached to it. --=_NextPart_000_0019_01C4494C.0AFFE0A0 Content-Type: application/octet-stream; name=Report.pdf Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Report.pdf We stopped the 5 e-mails but why would it have triggered on a PDF file? Also how does the client out the PDF back together??? Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing