Use http://tools.declude.com

 

From the EVA manual

 

A vulnerability is a method that people can use to bypass virus scanning.
Clearly, this is something that hackers and virus writers like to do. An
E-mail that takes advantage of a vulnerability may or may not actually contain
a virus. By default, Declude EVA will catch all vulnerabilities as if they
were viruses. This has stopped a number of new viruses before virus
definitions were available to stop them. False positives are not common, but
when they occur they almost always turn out to be spam.

CLSID Vulnerability: This vulnerability occurs when an E-mail uses a 'CLSID'
as an extension. A CLSID is a long string that identifies a certain program
(such as Notepad), and using the CLSID instead of a standard file extension
will cause Windows to use the program identified by the CLSID to open the
file. Windows will not display the CLSID extension, so a file with an
innocent name such as "cutedog.jpg" could cause another program to run. 

Conflicting Encoding Vulnerability: This vulnerability occurs when the
headers of an E-mail claim that two or more different encoding types are
used. A MIME segment can only be encoded in one way, so if more than one
encoding type is listed, it is possible that the mail server virus
scanner and the mail client will use different decoding methods on the
E-mail. If this happens, a virus could bypass virus scanning on the mail
server.

Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there
is a line in the headers with just a single space or a single tab character.
Outlook can treat this as the end of the headers, allowing it to see a virus
that is embedded in the headers. RFC822 3.2.3 says that it is not valid to
have such lines, nor is there any legitimate reason for an E-mail to contain
a blank line in the headers with a single space or tab (note that it is OK
to have a line with a single space or tab in the E-mail body, just not the
headers). 

Outlook 'Boundary Space Gap' Vulnerability: This vulnerability occurs when
there is a space or tab in the MIME boundary. This is not RFC-compliant, but
Outlook will treat it as valid and be able to see a virus that virus
scanners will not usually see. There is no legitimate reason for an E-mail
to be formed like this. 

Outlook 'CR' Vulnerability: This vulnerability occurs when an E-mail
contains a single 'CR' character within the E-mail headers (as opposed to a
'CR' followed by an 'LF', which is used to end a line in SMTP). Outlook can
treat this as the end of the headers, which would allow Outlook to see a
virus that was embedded in the headers. RFC2822 2.2 says that CR and LF
characters cannot appear alone in the headers. Also, there is no legitimate
reason for an E-mail to contain a lone 'CR' in the headers. 

Outlook 'Long Boundary' Vulnerability: This vulnerability occurs when an
E-mail has a MIME boundary that is longer than allowed by the RFCs. Outlook
may see a virus when a virus scanner will not. There is no legitimate reason
for an E-mail to be sent like this. 

Outlook 'Long Filename' Vulnerability: This vulnerability occurs when an
E-mail has an attachment with a name longer than 256 characters. When
this occurs, it is possible for Outlook not to see the correct file
extension, causing Outlook to think that a dangerous E-mail is actually
safe.

Outlook 'MIME header' Vulnerability: This vulnerability occurs when certain
safe MIME types are used, but a potentially dangerous file type is attached.
Outlook may execute the attachment automatically, without looking at its
file extension. There is no legitimate reason for an E-mail to be sent like
this, and a number of viruses use this vulnerability. 

Outlook 'MIME segment in MIME postamble' Vulnerability: This vulnerability
occurs when it appears as though a MIME segment is occurring after the end
of the MIME body (specifically, a MIME segment with a boundary other than
the one specified appears in the MIME postamble). Outlook may see this as an
attachment. Although technically valid, there is no legitimate reason for an
E-mail to be sent like this. 

Outlook 'MIME segment in MIME preamble' Vulnerability: This vulnerability
occurs when it appears as though a MIME segment is occurring before it
should (specifically, a MIME segment with a boundary other than the one
specified appears in the MIME preamble). Outlook may see this as an
attachment. Although technically valid, there is no legitimate reason for an
E-mail to be sent like this. 

Outlook 'Space Gap' Vulnerability: This vulnerability occurs when there is a
space in one of the MIME headers where there is not normally a space (such
as "Content-Type :" instead of "Content-Type:"). This is not RFC-compliant,
but Outlook will treat it as valid and be able to see a virus that virus
scanners will not usually see. There is no legitimate reason for an E-mail
to be formed like this. 

Partial (Fragmented) Vulnerability: This vulnerability occurs when one
E-mail is split into separate parts, each in a separate E-mail. Although
this is legal, it will bypass virus scanners, and therefore will likely soon
be deprecated.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bonno Bloksma
Sent: Thursday, January 17, 2008 10:07 AM
To: [email protected]
Subject: [Declude.JunkMail] link to documentation

 

Hi,

 

Whenever I got a normal mail with a bug in it like:

> Declude Virus v4.3.46 caught the [Outlook 'MIME segment in MIME Preamble'
Vulnerability] virus in [No attachment]
> from [EMAIL PROTECTED] to:  [EMAIL PROTECTED]

I wanted to send them a warning about it. Of course just the warning would
not be enough, I needed to tell them WHAT the error was.

 

I used to be able to simply send a link to the proper part of the manual on
the Declude site but..... where did it go? Where is the explanation about
what each Vulnerability is?

The junkmail manual does not seem to have them, in fact searching for the
word vulnerability in that entire manual shows zero hits.

Looking for preamble in the knowledgebase does not show one relevant topic.

 

Where did all that information go? And if it is still there... if I cannot
find it how is someone less determined going to find it. I did spend a fair
amount of time going over the site. :-(

 

 

p.s. On the page: http://www.declude.com/articles.asp?ID=100 I tried to
click on BADHEADER Lookup pointing to
http://shopping.declude.com/tools/header.php. But that resulted in a 404
error.

 

 

Kind regards,
Bonno Bloksma
Head of Systems Administration

 

tio hogeschool hospitality en toerisme 

begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
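The header checks described in the manual excerpt above, written out as detection logic. This is an added example, not part of the thread and not Declude's code: the function names, finding labels and sample messages are constructed, CRLF line endings are assumed, and the 70-character boundary limit is taken from RFC 2046.

```python
import re

MAX_BOUNDARY = 70    # RFC 2046 caps a boundary at 70 characters
MAX_FILENAME = 256   # threshold quoted in the manual excerpt
PARAM = rb'(?i)\b%s=(?:"([^"]*)"|([^;\r\n]*))'

def params(name: bytes, text: bytes) -> list[bytes]:
    """Values of a header parameter, whether quoted or bare."""
    return [q if q else bare.strip() for q, bare in re.findall(PARAM % name, text)]

def scan_headers(raw: bytes) -> list[str]:
    """Name the malformations found in one CRLF-delimited header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]      # where a strict parser ends the headers
    lines = head.split(b"\r\n")
    unfolded = re.sub(rb"\r\n(?=[ \t])", b"", head)   # join continuation lines
    encodings = {v.strip().lower() for v in re.findall(
        rb"(?im)^content-transfer-encoding[ \t]*:([^\r\n;]*)", unfolded)}
    boundaries = params(rb"boundary", unfolded)
    checks = {
        "lone-cr": re.search(rb"\r(?!\n)", head) is not None,
        "blank-folding": any(ln in (b" ", b"\t") for ln in lines),
        "space-gap": any(re.match(rb"[!-9;-~]+[ \t]+:", ln) for ln in lines),
        "conflicting-encoding": len(encodings) > 1,
        # Follows the manual's wording: any space or tab inside the boundary value.
        "boundary-space": any(re.search(rb"[ \t]", b) for b in boundaries),
        "long-boundary": any(len(b) > MAX_BOUNDARY for b in boundaries),
        "long-filename": any(len(f) > MAX_FILENAME
                             for f in params(rb"(?:file)?name", unfolded)),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed sample messages (not taken from the thread).
CLEAN = (b"From: a@example.test\r\nContent-Type: multipart/mixed;\r\n"
         b' boundary="b1"\r\nContent-Transfer-Encoding: 7bit\r\n\r\nbody\r\n')
ODD = (b"From: a@example.test\r\nContent-Type : multipart/mixed;\r\n"
       b' boundary="b 1"\r\n \r\nContent-Transfer-Encoding: base64\r\n'
       b"Content-Transfer-Encoding: 7bit\r\nX-Note: a\rb\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(scan_headers(CLEAN), scan_headers(ODD))
```

To cover attachment headers as well, run `scan_headers` over the header block of each MIME part, not only the top-level one.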


