Re: [Declude.Virus] False Positive ClamAV

2007-05-21 Thread Darrell ([EMAIL PROTECTED])
Are you sure CLAMAV is hitting on this or is this a hit from the SANE phish 
database being used with CLAM?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
  - Original Message - 
  From: Bonno Bloksma 
  To: Declude.Virus@declude.com 
  Sent: Monday, May 21, 2007 7:09 AM
  Subject: [Declude.Virus] False Positive ClamAV


  Hi,

  Some of our mail is getting caught by ClamAV. I've had two reports on two 
completely unrelated mails.

  Body of message generated response:
  554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - 
http://www.clamav.net

  I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it as a false 
positive report. When I hit Submit I get an error stating this virus is already 
known and I should fix something in the submission. :-(

  Can anyone tell me:
  1) Whether this is normal behaviour for that page?
  2) Where I can report this bug in the webpage? It's not a bug in the program 
so I don't think the Bugzilla page is the right place. If I need to report it 
via a mailing list, which one?
  3) How I can check whether my report was received?


  Met vriendelijke groet,
  Bonno Bloksma
  hoofd systeembeheer



  tio hogeschool hotelmanagement en toerisme 
  begijnenhof 8-12 / 5611 el eindhoven
  t 040 296 28 28 / f 040 237 35 20
  [EMAIL PROTECTED]  / www.tio.nl 

  ---
  This E-mail came from the Declude.Virus mailing list. To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus. The archives can be found
  at http://www.mail-archive.com. 



RE: [Declude.Virus] False Positive ClamAV

2007-05-21 Thread Ken Weise
We're seeing the same bounce backs from other mail servers, same error 554
5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net.
Haven't heard back from any of the administrators of the other servers
yet. Funny thing is, users who send from Eudora, or from our HP-Ux box are
both getting caught by this rule. The emails have had pdf attachments, and
others have had no attachment. Can't figure out what exactly is getting them
marked as phishing mails.

 


RE: [Declude.Virus] False Positive ClamAV

2007-05-21 Thread Robert Shubert
I saw on another list that a new CLAMAV (possibly windows only) is flagging
emails with http:// in the header with the RB-882 Phishing Virus. There is a
URL added by default to mail that goes through declude. I'm testing it now;
can anyone back this up? Robert

 


Re: [Declude.Virus] False Positive ClamAV

2007-05-21 Thread Karen Mitchell


Interesting

http://forums.clamwin.com/viewtopic.php?t=1106highlight=phishing

I removed these lines from my global.cfg so at least I don't get flagged.

#XINHEADER  X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.

#XOUTHEADER X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.



Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc.
385 Science Park Road
State College, PA 16803
814-235-8698
Get the best weather on the web  -  http://www.accuweather.com







RE: [Declude.Virus] False Positive ClamAV

2007-05-21 Thread David Barker
Besides the http://www.declude.com/x-note.htm, Declude also adds the text of
the RBLs that were triggered on an email containing http://. To the best of my
knowledge this is not restricted by the RFCs.

This is an issue with Clam incorrectly identifying phishing using this
method. With Declude 4.x, AVG is a built-in commercial-grade AV scanner; I
would suggest disabling Clam and using the built-in scanner until Clam has
resolved this.


David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311   
E: [EMAIL PROTECTED]



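The condition the thread converges on (ClamAV's Email.Phishing.RB-882 signature firing on an http:// URL that Declude's XINHEADER/XOUTHEADER directives put into an X-Declude-Note header) is easy to check for on your own mail flow before and after editing global.cfg. The script below is an added example, not code from the thread, from Declude or from ClamAV. It assumes the directive syntax visible in Karen's post (XINHEADER or XOUTHEADER, whitespace, the header line to add; a leading '#' comments the line out); the global.cfg fragment and the message it inspects are constructed samples. It reports the active directives that would add a URL to a header, and the headers of a message that actually contain one.

```python
"""List the places where a URL is put into mail headers.

Added example, not code from the thread, Declude or ClamAV. The global.cfg
directive syntax assumed here (XINHEADER or XOUTHEADER, whitespace, the header
line to add; '#' at the start comments the line out) is taken from the lines
posted in the thread; the config fragment and the message are constructed.
"""
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed global.cfg fragment: one URL-bearing directive still active,
# one commented out, one directive that carries no URL at all.
SAMPLE_GLOBAL_CFG = """\
# constructed sample, not a real Declude configuration
XINHEADER\tX-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.
#XOUTHEADER\tX-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.
XINHEADER\tX-Constructed-Note: scanned
"""

# Constructed outbound message as it would look after the header was added.
SAMPLE_MESSAGE = """\
From: user@example.net
To: someone@example.org
Subject: quarterly report
X-Declude-Note: Scanned by Declude 4.x (http://www.declude.com/x-note.htm) for spam.
X-Constructed-Note: scanned
Content-Type: text/plain

Please find the report attached.
"""


def active_header_directives_with_urls(cfg_text):
    """Return (DIRECTIVE, header_line) for each uncommented XINHEADER/XOUTHEADER
    directive whose header text contains a URL."""
    hits = []
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank, or commented out: Declude ignores it
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            continue  # directive without a header line; nothing gets added
        directive, header_line = parts[0].upper(), parts[1]
        if directive in ("XINHEADER", "XOUTHEADER") and URL_RE.search(header_line):
            hits.append((directive, header_line))
    return hits


def headers_with_urls(raw_message):
    """Return (header_name, url) for each header whose value contains a URL."""
    msg = message_from_string(raw_message, policy=default)
    found = []
    for name, value in msg.items():
        for match in URL_RE.finditer(str(value)):
            # Drop closing punctuation that the \S+ run swallowed, e.g. ')'.
            found.append((name, match.group(0).rstrip(").,;")))
    return found


if __name__ == "__main__":
    for directive, header_line in active_header_directives_with_urls(SAMPLE_GLOBAL_CFG):
        print("active directive adds a URL:", directive, header_line)
    for name, url in headers_with_urls(SAMPLE_MESSAGE):
        print("header carrying a URL:", name, url)
```

Run it against a copy of your own global.cfg and a message captured from the outbound queue: an empty result from both functions means nothing on your side is putting http:// into headers, and a remaining bounce would then have to be explained by something other than the X-Declude-Note line.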
Re: [Declude.Virus] False Positive or ?

2003-09-04 Thread R. Scott Perry

> I have a message sent by one of our users using the Imail 8.02 web messaging
> interface that was blocked by Declude Virus with an 'Outlook CR
> vulnerability'. Here is the information from the Declude virus log:

Ouch -- I thought Ipswitch would have fixed this bug in 8.02.  Imail v8's 
web messaging will send out E-mail containing a vulnerability under certain 
conditions, one of which is an attachment with 8-bit characters in it.  The 
=82 in the filename translates to an 8-bit character.

Ipswitch has reproduced this problem (over 3 months ago), but apparently 
have not fixed it yet.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


RE: [Declude.Virus] False positive??

2003-07-15 Thread Richard Edge
I attempted to duplicate the problem by getting this user to have their
system generate another message the same way but it was delivered without
problem, so I don't have a message for you to look at. I asked if the
programmer in question had changed anything, but they stated that he did
not. So I guess we'll never know, but I suspect that he found the problem
and fixed it without letting us know.

Richard Edge 
System Administrator
Computing Services Department
TRINITY WESTERN UNIVERSITY 
Voice: 604-513-2089   
E-mail: [EMAIL PROTECTED]
WWW: http://www.ucs.twu.ca
FAQ: http://www.ucs.twu.ca/resources/faq.htm 

 



RE: [Declude.Virus] False positive??

2003-07-07 Thread Richard Edge
Thanks for the quick response Scott. The information was sent on to the
programmer involved and here is his response.

=
- Original Message - 
From: Barney Boisvert [EMAIL PROTECTED]
To: Lach Mullen [EMAIL PROTECTED]
Sent: Monday, July 07, 2003 11:06 AM
Subject: RE: We blocked an e-mail sent to you!


> The usual format for a MIME message is this, where you can have any
> number of boundary-header-content blocks.
>
> --
> message headers
>
> boundary
> part headers
> content
>
> boundary
> part headers
> content
>
> endboundary
> --
>
> You can optionally place content between the headers and the first BHC
> block (the preamble), which is what Declude is considering 'bad'.
>
> --
> message headers
>
> content
>
> boundary
> part headers
> content
>
> boundary
> part headers
> content
>
> endboundary
> --
>
> That extra content will never be displayed by the mail client, it is
> ignored.
>
> As Declude states on their web site (and backed up in the relevant
> RFCs), that is completely valid, which means that Declude is
> intentionally deleting valid email.  I assume the developer at the time
> placed content there (usually a single line like 'this is a multipart
> MIME message') for a reason, but I don't know what it is.  I suspect
> there were problems with some email client not rendering multipart
> messages correctly if all the message content appeared in the parts,
> rather than in the message proper, but I don't know.  Since the messages
> are completely valid, I haven't changed the existing code, although I
> don't add it to new scripts that send email.
>
> barneyb
>
> ---
> Barney Boisvert, Senior Development Engineer
> AudienceCentral
> [EMAIL PROTECTED]
> voice : 360.756.8080 x12
> fax   : 360.647.5351
>
> www.audiencecentral.com


=

Richard Edge 
System Administrator
Computing Services Department
TRINITY WESTERN UNIVERSITY 
Voice: 604-513-2089   
E-mail: [EMAIL PROTECTED]
WWW: http://www.ucs.twu.ca
FAQ: http://www.ucs.twu.ca/resources/faq.htm 




-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 03, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] False positive??



> I have been contacted by one of our users who had a message blocked by
> Declude Virus and was sent a warning about an Outlook vulnerability
> contained in the email. The problem is that it was a web server
> generated email message and not sent from an Outlook/Outlook Express
> client.

A vulnerability with a name referring to a product refers to a 
vulnerability *in* that product, not necessarily generated by it (for 
example, a hacker would likely take advantage of an IIS vulnerability using 
a special tool, not IIS itself).  This does confuse a lot of people.

> [Outlook 'MIME segment in MIME Preamble' Vulnerability]

You can find out more about this vulnerability at 
http://www.declude.com/Virus/vulnerability.htm .

Most likely, the company sending the E-mail hired a web developer instead 
of a real computer programmer to write a program to send out the E-mail, 
and the web developer tried his best to send the E-mail, but didn't do it 
properly.

-Scott


RE: [Declude.Virus] False positive??

2003-07-07 Thread R. Scott Perry

> Thanks for the quick response Scott. The information was sent on to the
> programmer involved and here is his response.

I'll be quoting a lot here.  Be warned; it gets very technical.

> The usual format for a MIME message is this, where you can have any
> number of boundary-header-content blocks.
>
> --
> message headers
>
> boundary
> part headers
> content
>
> boundary
> part headers
> content
>
> endboundary
> --
>
> You can optionally place content between the headers and the first BHC
> block (the preamble), which is what Declude is considering 'bad'.

That's not completely correct.

You can optionally place content between the headers and the boundary (this 
section between the headers and the boundary is referred to as the MIME 
preamble).  In fact, most programs put content here (typically a variation 
of "If you can see this, your mail client does not support MIME").  Declude 
Virus has no problem with content in the MIME preamble.

> --
> message headers
>
> content
>
> boundary
> part headers
> content
>
> boundary
> part headers
> content
>
> endboundary
> --
>
> That extra content will never be displayed by the mail client, it is
> ignored.
>
> As Declude states on their web site (and backed up in the relevant
> RFCs), that is completely valid...

This part is accurate.

> which means that Declude is intentionally deleting
> valid email.

This is completely inaccurate.

The issue here is that in this MIME preamble, they have placed a pretend 
MIME segment (MIME headers that are in the MIME preamble, and therefore 
per the RFCs should be ignored).  The RFCs do allow this odd 
behavior.  However, there is no benefit to it.  Since there is no good 
reason to have this here, and it is unsafe (because it triggers an Outlook 
vulnerability), the E-mail is quarantined by Declude Virus.

What they are sending is:

--
message headers
part headers

boundary
part headers
content
boundary
part headers
content
endboundary
--

Here, a proper mail client will ignore the first part headers (since 
there is no boundary before them).  Outlook will (incorrectly) treat them 
as the beginning of a MIME segment.  As a result, it is (nearly) impossible 
for a virus scanner to determine if there is a virus in here that Outlook 
would see.

> I assume the developer at the time placed content there
> (usually a single line like 'this is a multipart MIME message') for a
> reason, but I don't know what it is.

That would be fine -- except that the single line is something like 
"Content-Transfer-Encoding: quoted/printable".  The programmer is 
essentially saying "I want a human to be fooled into thinking the content 
is encoded one way, even though it is really encoded another way."

> Since the messages are completely
> valid, I haven't changed the existing code, although I don't add it to
> new scripts that send email.

Since he is claiming that the E-mail is perfectly valid, and I haven't 
actually seen it, would it be possible to post the headers from it (if you 
still have it)?  Everything from the first Received: headers through the 
first line of recognizable content (either standard text or HTML) would be 
best.  That way, I can make sure that it isn't really a problem in Declude 
Virus.

   -Scott

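The distinction Scott draws above (plain text in the MIME preamble is harmless; MIME part headers in the preamble are the problem) can be checked mechanically. The Python below is an added example and is not Declude Virus's code; it only mirrors the rule as Scott states it. It parses a multipart message with the standard library, pulls out the preamble, and reports any Content-* or MIME-Version header lines found there. The messages it inspects are constructed samples built by build_message(), and the list of header names it treats as MIME part headers is my own assumption.

```python
"""Flag MIME part headers that appear in the MIME preamble.

Added example, not Declude Virus's code. It applies the rule described in the
thread: ordinary text in the preamble is fine, MIME headers there are not.
The header names matched by HEADER_LINE_RE are an assumption of this example.
"""
import re
from email import message_from_string
from email.policy import default

# Lines that look like MIME part headers; free text such as
# "This is a multi-part message in MIME format." does not match.
HEADER_LINE_RE = re.compile(r"^(Content-[A-Za-z-]+|MIME-Version)\s*:", re.IGNORECASE)


def build_message(preamble):
    """Constructed two-part multipart/alternative message with the given preamble.
    A non-empty preamble must end with its own newline."""
    return (
        "From: app@example.net\n"
        "To: user@example.org\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="BOUND"\n'
        "\n"
        + preamble
        + "--BOUND\n"
        "Content-Type: text/plain\n"
        "\n"
        "Hello\n"
        "--BOUND\n"
        "Content-Type: text/html\n"
        "\n"
        "<p>Hello</p>\n"
        "--BOUND--\n"
    )


# Constructed preambles: the usual harmless kind, and the kind the thread describes
# (a part header sitting where a mail client should see only ignorable text).
CLEAN_PREAMBLE = "This is a multi-part message in MIME format.\n"
FAKE_PART_HEADER_PREAMBLE = "Content-Transfer-Encoding: quoted-printable\n\n"


def preamble_header_lines(raw_message):
    """Return every header-looking line found in the MIME preamble ([] if none)."""
    msg = message_from_string(raw_message, policy=default)
    # Single-part messages have no preamble; the parser leaves it as None.
    if not msg.is_multipart() or not msg.preamble:
        return []
    return [line.strip() for line in msg.preamble.splitlines()
            if HEADER_LINE_RE.match(line.strip())]


def verdict(raw_message):
    """'quarantine' when the preamble carries MIME headers, otherwise 'ok'."""
    return "quarantine" if preamble_header_lines(raw_message) else "ok"


if __name__ == "__main__":
    for label, pre in (("clean preamble", CLEAN_PREAMBLE),
                       ("empty preamble", ""),
                       ("part header in preamble", FAKE_PART_HEADER_PREAMBLE)):
        print(label, "->", verdict(build_message(pre)))
```

The check deliberately keys on header syntax rather than on any particular header value, because the problem Scott describes is structural: anything that a lenient client might take for the start of a MIME segment sits in a region a scanner is supposed to ignore, and the two views of the message diverge from that point on.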

RE: [Declude.Virus] False positive??

2003-07-07 Thread Richard Edge
I no longer have the original message, but I could probably have my user try
to do what he did to get the message sent from the web server in question.

Richard Edge 
System Administrator
Computing Services Department
TRINITY WESTERN UNIVERSITY 
Voice: 604-513-2089   
E-mail: [EMAIL PROTECTED]
WWW: http://www.ucs.twu.ca
FAQ: http://www.ucs.twu.ca/resources/faq.htm 



-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] False positive??



Thanks for the quickly response Scott. The information was sent on to 
the programmer involved and here is his response.

I'll be quoting a lot here.  Be warned; it gets very technical.

  The usual format for a MIME message is this, where you can have any 
  number of boundary-header-content blocks.
 
  --
  message headers
 
  boundary
  part headers
  content
 
  boundary
  part headers
  content
 
  endboundary
  --
 
  You can optionally place content between the headers ad the first 
  BHC
block
  (the preamble), which is what Declude is considering 'bad'.

That's not completely correct.

You can optionally place content between the headers and the boundary (this 
section between the headers and the boundary is referred to as the MIME 
preamble).  In fact, most programs put content here (typically a variation 
of If you can see this, your mail client does not support MIME).  Declude 
Virus has no problem with content in the MIME preamble.

 
  --
  message headers
 
  content
 
  boundary
  part headers
  content
 
  boundary
  part headers
  content
 
  endboundary
  --
 
  That extra content will never be displayed by the mail client, it is 
  ignored.
 
  As Declude states on their web site (and backed up in the relevant 
  RFCs), that is completely valid...

This part is accurate.

  which means that Declude is intentionally deleting
  valid email.

This is completely inaccurate.

This issue here is that in this MIME preamble, they have placed a pretend 
MIME segment (MIME headers that are in the MIME preamble, and therefore 
per the RFCs should be ignored).  The RFCs do allow this odd 
behavior.  However, there is no benefit to it.  Since there is no good 
reason to have this here, and it is unsafe (because it triggers an Outlook 
vulnerability), the E-mail is quarantined by Declude Virus.

What they are sending is:

--
message headers

part headers

boundary
part headers
content

boundary
part headers
content

endboundary
--

Here, a proper mail client will ignore the first part headers (since 
there is no boundary before them).  Outlook will (incorrectly) treat them 
as the beginning of a MIME segment.  As a result, it is (nearly) impossible 
for a virus scanner to determine if there is a virus in here that Outlook 
would see.

   I assume the developer at the time placed content there (usually a 
  single line like 'this is a multipart MIME message') for a reason, 
  but I don't know what it is.

That would be fine -- except that the single line is something like 
Content-Transfer-Encoding: quoted/printable.  The programmer is 
essentially saying I want a human to be fooled into thinking the content 
is encoded one way, even though it is really encoded another way.

  Since the messages are completely
  valid, I haven't changed the existing code, although I don't add it 
  to new scripts that send email.

Since he is claiming that the E-mail is perfectly valid, and I haven't 
actually seen it, would it be possible to post the headers from it (if you 
still have it)?  Everything from the first Received: headers through the 
first line of recognizable content (either standard text or HTML) would be 
best.  That way, I can make sure that it isn't really a problem in Declude 
Virus.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
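A detection check for the preamble problem Scott describes above, as an added example: this is my code, not Declude Virus's (whose detection logic is not on this page). It parses a raw message with Python's standard `email` module, pulls out the MIME preamble (the text between the top-level headers and the first boundary line), and flags any preamble line shaped like a MIME entity header such as `Content-Transfer-Encoding:`. The sample messages, addresses and boundary string are constructed; the stray header value is an assumption, since the thread only says "something like".

```python
"""Check a raw message for MIME entity headers in the MIME preamble.

Added example (not Declude's code).  A conforming client ignores the
preamble, the text between the top-level headers and the first boundary
line; a client that instead treats header-shaped preamble lines as the
start of a MIME part may decode data that a scanner never saw as a part.
"""
import email
import re
from email.message import Message

# Header fields that belong on a MIME entity.  One of these sitting in the
# preamble is the pattern the thread describes (e.g. a stray
# "Content-Transfer-Encoding:" line before the first boundary).
MIME_HEADER_RE = re.compile(r"^(Content-[A-Za-z-]+|MIME-Version)\s*:", re.IGNORECASE)

# Constructed preamble lines for the two cases (assumed values).
SAFE_PREAMBLE = "This is a multi-part message in MIME format."
BAD_PREAMBLE = "Content-Transfer-Encoding: quoted-printable"


def parse(raw: str) -> Message:
    """Parse a raw RFC 822 message with the standard-library parser."""
    return email.message_from_string(raw)


def mime_preamble(msg: Message) -> str:
    """Text between the headers and the first boundary; '' if not multipart."""
    if not msg.is_multipart():
        return ""
    return msg.preamble or ""


def suspicious_preamble_lines(msg: Message) -> list[str]:
    """Preamble lines shaped like MIME entity headers."""
    return [line.strip() for line in mime_preamble(msg).splitlines()
            if MIME_HEADER_RE.match(line.strip())]


def assess(raw: str) -> str:
    """Verdict for a raw message: 'not-multipart', 'ok' or 'preamble-headers'."""
    msg = parse(raw)
    if not msg.is_multipart():
        return "not-multipart"
    return "preamble-headers" if suspicious_preamble_lines(msg) else "ok"


def build_sample(preamble_line: str) -> str:
    """Constructed multipart message (hypothetical addresses) with one preamble line."""
    return "\n".join([
        "From: sender@example.invalid",
        "To: user@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/alternative; boundary="----=_Part_1"',
        "",
        preamble_line,
        "------=_Part_1",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Hello.",
        "------=_Part_1--",
        "",
    ])


if __name__ == "__main__":
    for label, pre in (("safe", SAFE_PREAMBLE), ("bad", BAD_PREAMBLE)):
        raw = build_sample(pre)
        print(label, assess(raw), suspicious_preamble_lines(parse(raw)))
```

The check only matches `Content-*` and `MIME-Version` fields, so an ordinary preamble note (even one containing a colon) is not flagged; what a gateway does with a `preamble-headers` verdict, reject or quarantine, is a policy choice outside this snippet.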


RE: [Declude.Virus] False positive??

2003-07-07 Thread R. Scott Perry

I no longer have the original message, but I could probably have my user try
to do what he did to get the message sent from the web server in question.

That would be very helpful.

I am quite confident that the problem is on the other end, but it is 
helpful to know for certain.

   -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] False positive??

2003-07-05 Thread Webmaster Oilfield Directory
We had this exact same problem on our system and it's a simple fix. Let
me know if you're interested in it!

Sheldon

- Original Message - 
From: Susan Duncan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 04, 2003 12:02 PM
Subject: Re: [Declude.Virus] False positive??


 Since we do some programming in Cold Fusion, I took a look through the
 Macromedia site.  Mail sent via Cold Fusion is sent via a CFMAIL tag and
 is not really under the programmers control, at least not to the level
 of granularity that would be required to break something. There appeared
 to be a problem with the older versions of CF, but the tag seems to
 indicate the MX version which is the newest version.

 http://www.macromedia.com/support/coldfusion/ts/documents/tn18212.htm


 R. Scott Perry wrote:

 
  I have been contacted by one of our users who had a message blocked by
  Declude Virus and was sent a warning about an Outlook vulnerability
  contained
  in the email. The problem is that it was a web server generated email
  message and not sent from an Outlook/Outlook Express client.
 
 
  A vulnerability with a name referring to a product refers to a
  vulnerability *in* that product, not necessarily generated by it (for
  example, a hacker would likely take advantage of an IIS vulnerability
  using a special tool, not IIS itself).  This does confuse a lot of
  people.
 
  [Outlook 'MIME segment in MIME Preamble' Vulnerability]
 
 
  You can find out more about this vulnerability at
  http://www.declude.com/Virus/vulnerability.htm .
 
  Most likely, the company sending the E-mail hired a web developer
  instead of a real computer programmer to write a program to send out
  the E-mail, and the web developer tried his best to send the E-mail,
  but didn't do it properly.
 
 -Scott

 -- 
 Susan Duncan ([EMAIL PROTECTED])  TEL:(613) 231-SIRC x225
 IT Director, SIRC   FAX:(613) 231-3739
 http://www.sportquest.com/  http://www.canadiansport.com/





---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] False positive??

2003-07-03 Thread R. Scott Perry

I have been contacted by one of our users who had a message blocked by
Declude Virus and was sent a warning about an Outlook vulnerability contained
in the email. The problem is that it was a web server generated email
message and not sent from an Outlook/Outlook Express client.

A vulnerability with a name referring to a product refers to a 
vulnerability *in* that product, not necessarily generated by it (for 
example, a hacker would likely take advantage of an IIS vulnerability using 
a special tool, not IIS itself).  This does confuse a lot of people.

[Outlook 'MIME segment in MIME Preamble' Vulnerability]
You can find out more about this vulnerability at 
http://www.declude.com/Virus/vulnerability.htm .

Most likely, the company sending the E-mail hired a web developer instead 
of a real computer programmer to write a program to send out the E-mail, 
and the web developer tried his best to send the E-mail, but didn't do it 
properly.

   -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.