[Declude.Virus] OT: e-mail headers

2005-08-04 Thread System Administrator
We are developing an ecommerce web site but we are having problems with the
e-mail associated with the buying experience. The e-mail message contains a
text part and a base64 part. Declude is catching the messages as a
vulnerability.

20.2 Conflicting Encoding Vulnerability: This vulnerability occurs when the
headers of an E-mail claim that two or more different encoding types are
used. A MIME segment can only be encoded in one way, so if there are more
than one encoding types listed, it is possible that the mail server virus
scanner and the mail client will use different decoding methods on the
E-mail. If this happens, a virus could bypass virus scanning on the mail
server.

I've been thrown into this project at this late date and was wondering if
anyone could provide some help in solving this problem. I see the two
encodings, but I don't know how to solve the problem.

Here are part of the headers -

Subject: Download New Song
From: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: PHP/4.3.8
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: BASE64

Thanks,
Greg

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] OT: e-mail headers

2005-08-04 Thread Matt

Greg,

I am going to guess that the headers:

   Content-Type: text/plain; charset=UTF-8
   Content-Transfer-Encoding: BASE64

...are wrong for a message that contains both a text part and a base64 
encoded part.  If there are in fact two parts, it would seem proper for 
something like the following to replace them in the headers:


   Content-Type: multipart/mixed; boundary="unique_boundary"
  
...and then in the body the text and base64 code should be separated by 
the boundaries.  Declude probably sees the Content-Type header as 
text/plain but then sees a base64 segment and tags the vulnerability.  I 
believe that your headers would work if there was only a single base64 
segment in the body and no plain text that wasn't encoded.


Before jumping the gun, it would be nice to see the full source of the 
message.  You can edit the text and screw up the base64 stuff if you 
wish since it's the formatting that really matters here.


Matt



System Administrator wrote:

> We are developing an ecommerce web site but we are having problems with the
> e-mail associated with the buying experience. The e-mail message contains a
> text part and a base64 part. Declude is catching the messages as a
> vulnerability.
>
> 20.2 Conflicting Encoding Vulnerability: This vulnerability occurs when the
> headers of an E-mail claim that two or more different encoding types are
> used. A MIME segment can only be encoded in one way, so if there are more
> than one encoding types listed, it is possible that the mail server virus
> scanner and the mail client will use different decoding methods on the
> E-mail. If this happens, a virus could bypass virus scanning on the mail
> server.
>
> I've been thrown into this project at this late date and was wondering if
> anyone could provide some help in solving this problem. I see the two
> encodings, but I don't know how to solve the problem.
>
> Here are part of the headers -
>
> Subject: Download New Song
> From: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> X-Mailer: PHP/4.3.8
> Mime-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: BASE64
>
> Thanks,
> Greg

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=



Re: [Declude.Virus] OT: e-mail headers

2005-08-04 Thread System Administrator
on 8/4/05 2:29 PM, Matt wrote:

> Before jumping the gun, it would be nice to see the full source of the
> message.  You can edit the text and screw up the base64 stuff if you
> wish since it's the formatting that really matters here.

Matt,

I'll send you the full source off list.

Thanks,
Greg



Re: [Declude.Virus] OT: e-mail headers

2005-08-04 Thread Matt




Greg,

I think I figured it out.  I looked at your headers again and found two
sets of the same headers:

   Subject: Download New Song
   From: [EMAIL PROTECTED]
   MIME-Version: 1.0
   Content-Type: text/plain; charset="iso-8859-1"
   Content-Transfer-Encoding: 7bit
   From: [EMAIL PROTECTED]
   Reply-To: [EMAIL PROTECTED]
   MIME-Version: 1.0
   X-Mailer: PHP/4.3.8
   Mime-Version: 1.0
   Content-Type: text/plain; charset=UTF-8
   Content-Transfer-Encoding: BASE64

It appears that the first set is wrong and should be removed if
possible.

Matt



System Administrator wrote:

> on 8/4/05 2:29 PM, Matt wrote:
>
> > Before jumping the gun, it would be nice to see the full source of the
> > message.  You can edit the text and screw up the base64 stuff if you
> > wish since it's the formatting that really matters here.
>
> Matt,
>
> I'll send you the full source off list.
>
> Thanks,
> Greg


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
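
Added example, not part of the thread and not Declude's own detection logic: a Python check that lists MIME header fields repeated in one message (the two header sets discussed above), followed by a builder that emits a single multipart/mixed header with a text part and a base64 part, as suggested earlier in the thread. The sample addresses, dummy body, file name, and function names are assumptions made for the illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# MIME fields that should appear at most once per message or body part.
SINGLETON = ("MIME-Version", "Content-Type", "Content-Transfer-Encoding")

# Constructed sample: the header block quoted in the thread, with the
# redacted addresses replaced by a placeholder and a dummy body added.
SAMPLE = """\
Subject: Download New Song
From: shop@example.com
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
From: shop@example.com
Reply-To: shop@example.com
MIME-Version: 1.0
X-Mailer: PHP/4.3.8
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: BASE64

SGVsbG8=
"""

def audit(raw):
    """List (part_no, field, values, conflict) for every repeated MIME field."""
    findings = []
    for part_no, part in enumerate(message_from_string(raw).walk()):
        for field in SINGLETON:
            values = part.get_all(field, [])  # field names match case-insensitively
            if len(values) > 1:
                distinct = {" ".join(v.lower().split()) for v in values}
                findings.append((part_no, field, values, len(distinct) > 1))
    return findings

def build_message(text, attachment):
    """One top-level multipart/mixed header; each part declares its own encoding."""
    msg = EmailMessage()
    msg["Subject"] = "Download New Song"
    msg["From"] = "shop@example.com"  # placeholder address
    msg.set_content(text)  # text/plain part
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="song.bin")  # base64 part
    return msg.as_string()

if __name__ == "__main__":
    for part_no, field, values, conflict in audit(SAMPLE):
        print(part_no, field, values, "CONFLICT" if conflict else "repeated")
    print(audit(build_message("Thanks for your order.\n", b"\x00\x01 binary")))
```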