Hello Michael,

On Tue, 17 Sep 2002 18:48:24 +0100 GMT (18/09/02, 00:48 +0700 GMT), Michael Thompson wrote:

MT> Message fragmentation is detailed in RFC 2046.

[...]

MT> By making use of this feature, a virus can easily bypass content
MT> checking in various content checking email security solutions,
MT> thus not being blocked at server level. This means that a virus
MT> signature will not get caught.

Without having checked the links or run a test myself, I do believe this is true.

MT> the recipient is vulnerable to this kind of attack. The
MT> fragmented message has circumvented server level
MT> protection as well as the security settings of the
MT> email client - meaning that were this virus
MT> malicious, the network would have been infected.

But this is not. The virus would have been downloaded without problem, but in TB, one would still have to click on it to activate it. As for me, I always save any executables to disk and scan them again before I run them, because I allow for an error in the AV program to not always detect viruses in MIME attachments. But even without this precaution, I believe TB decodes the MIME attachments into the temp directory and runs it from there, and an email scanner should detect it then.

MT> Solution
MT> =====================================================
MT> GFI MailSecurity Email Exploit Detection engine
MT> has been updated to quarantine partial messages.
MT> This exploit is being flagged as 18. Fragmented
MT> Message - (Suspicious).

Ad?

--
Cheers,
Thomas.

Moderator of the German The Bat! Beginner list.

Sign in a London department store: BARGAIN BASEMENT UPSTAIRS

Message reply created with The Bat! 1.62/Beta1 under Chinese Windows 98 4.10 Build 2222 A
using an AMD Athlon K7 1.2GHz, 128MB RAM

________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
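
Added example, not part of the message above and not GFI's implementation: a gateway-side sketch in Python that holds RFC 2046 `message/partial` fragments until the set is complete and then hands the reassembled message to the scanner, so content split across fragments is checked as a whole. The names `PartialReassembler` and `contains_marker` (a stand-in for a real AV engine), the marker bytes and the sample message are all constructed for illustration.

```python
import base64
from collections import defaultdict
from email import message_from_string
from email.parser import HeaderParser

class PartialReassembler:
    """Hold RFC 2046 message/partial fragments until a set is complete."""
    def __init__(self):
        self.parts = defaultdict(dict)  # fragment id -> {number: body text}
        self.totals = {}                # fragment id -> declared total

    def feed(self, raw):
        """Return ('scan', Message), ('hold', None) or ('quarantine', None)."""
        outer = HeaderParser().parsestr(raw)  # headers only, body kept as raw text
        if outer.get_content_type() != "message/partial":
            return "scan", message_from_string(raw)
        fid, num = outer.get_param("id"), str(outer.get_param("number"))
        total = outer.get_param("total")
        if not fid or not num.isdigit() or (total and not str(total).isdigit()):
            return "quarantine", None   # malformed fragment: never deliver unscanned
        self.parts[fid][int(num)] = outer.get_payload()
        if total:
            self.totals[fid] = int(total)
        want = self.totals.get(fid)
        if want is None or set(self.parts[fid]) != set(range(1, want + 1)):
            return "hold", None         # incomplete set: keep back, do not deliver
        bodies = self.parts.pop(fid)
        self.totals.pop(fid)
        inner = "".join(bodies[n] for n in range(1, want + 1))
        return "scan", message_from_string(inner)

def contains_marker(msg, marker):
    """Stand-in for an AV engine: search every decoded leaf part for marker bytes."""
    return any(marker in (p.get_payload(decode=True) or b"")
               for p in msg.walk() if not p.is_multipart())

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed sample, not a real signature

def sample_fragments():
    """Constructed two-fragment message whose attachment carries MARKER."""
    inner = ('Content-Type: application/octet-stream; name="sample.bin"\n'
             "Content-Transfer-Encoding: base64\n\n"
             + base64.b64encode(b"x" * 30 + MARKER).decode() + "\n")
    cut = len(inner) - 20               # split inside the base64 body
    head = 'Content-Type: message/partial; id="demo@example.invalid"; number=%d; total=2\n\n'
    return [head % 1 + inner[:cut], head % 2 + inner[cut:]]
```

A production gateway would also expire held fragments after a timeout and cap how many it stores per id.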