Declude Virus v4.12.11 caught the [Outlook 'Blank Folding' Vulnerability] virus in [No attachment]
Question asked by Nicolas Le Merle - February 23, 2016 at 12:27 AM
Unanswered
Hey Guys,
 
Is anyone else getting these alerts from a domain's postmaster? I am getting several come in a week for the same domain referencing the same sender domain, and after contacting the sender domain's admin they have confirmed there are no issues on their end, yet I continue to receive these alerts.
 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Spam-Score: -1.0 (-)
X-Spam-Report: Spam detection software, running on the system "sendersdomain.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content analysis details:   (-1.0 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                             domain
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 
 
There is not much helpful info in the actual bounce back mail, and there is nothing attached either.
 
Regards,
Nic

3 Replies

0
Nicolas Le Merle Replied
February 23, 2016 at 12:36 AM
To add: I tested my client's domain here: https://admin.uribl.com/ and it came back to say it's NOT listed on the URIBL.
 
So does the below mean that the connection from my SM server to the URIBL server is not being established?
0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
1
Scarab Replied
February 23, 2016 at 2:12 PM
These NDR responses are related to Declude (a third-party Anti-Spam product not related to SmarterMail but commonly installed alongside SmarterMail).
 
The Outlook Blank Folding Vulnerability occurs when there is a line in the headers with just a single space or a single tab. Older versions of Outlook (2000 and before) & Outlook Express could treat this as the end of headers, potentially allowing it to execute a virus that is embedded in the headers upon message preview. RFC 2822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab.
 
However, that said, this vulnerability was never likely exploited in the wild and probably is no longer a threat, as older versions of Outlook were patched and modern E-mail clients don't have the same vulnerability. Likewise, for whatever reason, many legitimate emails do end up having a blank line with a single space or tab in the headers (I know back in the day the Incredimail E-Mail client did this). As such, it will give you plenty of false positives.
 
We disabled this in Declude back in 2007 on our Mail Servers.
 
You can remove this by going to your \Declude directory and adding the following line to your VIRUS.CFG file:
 
        ALLOWVULNERABILITY        OLBLANKFOLDING
 
 
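The header condition Scarab describes, as an added example (my own Python, not Declude's or SmarterMail's code): it finds whitespace-only header lines, models the ALLOWVULNERABILITY OLBLANKFOLDING switch, and shows how a legacy client's end-of-headers guess differs from the strict RFC 2822 split. The two sample messages are constructed.

```python
import re

# Added example, not Declude's code.  A "blank fold" is a header line made
# of whitespace only, which RFC 2822 3.2.3 forbids (a folded line must carry
# text after the leading WSP).  Only a truly empty line ends the header block.
_WSP_ONLY = re.compile(rb"^[ \t]+$")


def _lines(raw: bytes):
    return raw.replace(b"\r\n", b"\n").split(b"\n")


def find_blank_folds(raw: bytes) -> list:
    """1-based line numbers of whitespace-only lines inside the header block."""
    hits = []
    for n, line in enumerate(_lines(raw), start=1):
        if line == b"":
            break                       # genuine end of headers
        if _WSP_ONLY.match(line):
            hits.append(n)
    return hits


def split_headers(raw: bytes, legacy: bool = False):
    """Split into (headers, body).  legacy=True models the old-client
    behaviour Scarab describes: a whitespace-only line also ends the headers,
    so everything after it is shown as body instead of being parsed."""
    lines = _lines(raw)
    for i, line in enumerate(lines):
        if line == b"" or (legacy and _WSP_ONLY.match(line)):
            return lines[:i], lines[i + 1:]
    return lines, []


def declude_would_flag(raw: bytes, allow_olblankfolding: bool = False) -> bool:
    """Model of the VIRUS.CFG knob: ALLOWVULNERABILITY OLBLANKFOLDING suppresses the hit."""
    return bool(find_blank_folds(raw)) and not allow_olblankfolding


# Constructed samples: the first mirrors the legitimately folded X-Spam-Report
# header in the thread (continuation line has text after the leading spaces);
# the second has a lone-space line like older clients such as Incredimail emitted.
LEGIT_FOLDED = (b"From: postmaster@sendersdomain.com\r\n"
                b"X-Spam-Report: Spam detection software, running on the system\r\n"
                b"  has NOT identified this incoming email as spam.\r\n"
                b"\r\n"
                b"body\r\n")
BLANK_FOLDED = (b"From: someone@sendersdomain.com\r\n"
                b"Subject: hello\r\n"
                b" \r\n"
                b"To: nic@example.com\r\n"
                b"\r\n"
                b"body\r\n")
```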
1
Linda Pagillo Replied
March 2, 2016 at 7:09 AM
Hi Nic. There are a few different ways to bypass vulnerability scanning in Declude. Check out this KB article which shows you all possible ways...
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
