Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

[R. Scott Perry]

We have a customer who is running Veritas Backup Exec.  When their backup 
runs a notification is triggered by Backup Exec and we bounce that 
notification through our IMail server and then on to the appropriate 
parties.  This notification system has been running fine for months now 
using our IMail server as a relay.

In the past week or so IMail has had trouble routing these messages.  Here 
is an example message...

-
From: "Postmaster" 
<[EMAIL PROTECTED]>

undeliverable to [EMAIL PROTECTED]
This one indicates that IMail can't deliver the E-mail to 
[EMAIL PROTECTED]  However:

Original message follows.

Subject: Backup Exec Alert: Job Success
...

There is no indication that Declude blocked this E-mail.

For those of you with a trained eye...

1)  Why does Declude flag the original notification message as having the 
blank folding vulnerability?  I'm OK with that I'm just curious to know why.
I don't see any indication that it did.

2)  Secondly and actually more importantly.  Why is my IMail system unable 
to deliver the notification to 
[EMAIL PROTECTED]  There appears to be a space 
right before [EMAIL PROTECTED] in the to line of the 
original notification.  I believe that space is being added by Backup 
Exec.  Would that cause the message to be undeliverable?
That would likely cause the message to be undeliverable.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

[R. Scott Perry]

Sorry about that.  I included the wrong message.  I had 2 issues confused
with each other.  Here is the one I was referring to where Declude blocks
the message...

Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
  (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
From: <[EMAIL PROTECTED]>
To:  < [EMAIL PROTECTED]>
Date: Fri, 02 Apr 2004 01:29:56 -0400
Subject: Backup Exec Alert: Job Failed (Server: "BHFSERVER") (Job: "Backup
0001")
X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: [EMAIL PROTECTED]
The problem here is the blank line after the "Subject:" header.  That line 
presumably originally contained a single space or tab character, which 
introduces the "Blank Folding" vulnerability (which violates RFC2822).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

[Dan Geiser]

Hi, Scott,
Sorry about that.  I included the wrong message.  I had 2 issues confused
with each other.  Here is the one I was referring to where Declude blocks
the message...

---
-Original Message- 
From: Postmaster
Sent: Fri 4/2/2004 1:29 AM
To: [EMAIL PROTECTED]
Cc:
Subject: WARNING: YOU WERE SENT A VIRUS


The virus scanner software at Nexus Technology Group on NexusTechGroup.com
has reported someone sent you an E-mail from [EMAIL PROTECTED],
containing the [Outlook 'Blank Folding' Vulnerability] virus in the [No
attachment] attachment.  The subject of the E-mail was "Backup Exec Alert:
Job Failed (Server: "BHFSERVER") (Job: "Backup 0001") ".

The E-mail containing the virus has been deleted to prevent any damage.

Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
  (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
From: <[EMAIL PROTECTED]>
To:  < [EMAIL PROTECTED]>
Date: Fri, 02 Apr 2004 01:29:56 -0400
Subject: Backup Exec Alert: Job Failed (Server: "BHFSERVER") (Job: "Backup
0001")

X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: [EMAIL PROTECTED]

---

Any ideas?

Thanks, Again,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 05, 2004 6:54 PM
Subject: Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in
Backup Exec 9.1 Notifications


>
> >We have a customer who is running Veritas Backup Exec.  When their backup
> >runs a notification is triggered by Backup Exec and we bounce that
> >notification through our IMail server and then on to the appropriate
> >parties.  This notification system has been running fine for months now
> >using our IMail server as a relay.
> >
> >In the past week or so IMail has had trouble routing these messages.
Here
> >is an example message...
> >
> >-
> >From: "Postmaster"
> ><<mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED]>
> >
> >undeliverable to <mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED]
>
> This one indicates that IMail can't deliver the E-mail to
> <mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED]  However:
>
> >Original message follows.
> >
> >Subject: Backup Exec Alert: Job Success
> ...
>
> There is no indication that Declude blocked this E-mail.
>
> >For those of you with a trained eye...
> >
> >1)  Why does Declude flag the original notification message as having the
> >blank folding vulnerability?  I'm OK with that I'm just curious to know
why.
>
> I don't see any indication that it did.
>
> >2)  Secondly and actually more importantly.  Why is my IMail system
unable
> >to deliver the notification to
> ><mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED]  There appears to be a space
> >right before <mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED] in the to line of
the
> >original notification.  I believe that space is being added by Backup
> >Exec.  Would that cause the message to be undeliverable?
>
> That would likely cause the message to be undeliverable.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> ---
> Sign up for virus-free and spam-free e-mail with Nexus Technology Group
> http://www.nexustechgroup.com/mailscan
>
>

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.