Back to Community Threads
1
Declude Virus v4.12.11 caught the [Outlook 'Blank Folding' Vulnerability] virus in [No attachment]
Question asked by Nicolas Le Merle - 2/23/2016 at 12:27 AM
Unanswered
Hey Guys,
 
Is anyone else getting these alerts from a domains postmaster ? I am getting several come in a week for the same domain referencing the same sender domain and after contacting the sender domains admin they have confirmed there are no issues on their end yet I continue to receive these alerts.
 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Spam-Score: -1.0 (-)
X-Spam-Report: Spam detection software, running on the system "sendersdomain.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.

 Content analysis details:   (-1.0 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                             domain
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 
 
There is not much helpful info in the actual bounce back mail, and there is nothing attached either.
 
Regards,
Nic

7 Replies

Reply to Thread
0
Nicolas Le Merle Replied
2/23/2016 at 12:36 AM
To Add: I tested my clients domain here: https://admin.uribl.com/ and it came back to say its NOT listed on the URIBL
 
So does: the below mean that the connection from my SM server to the URIBL server is not being established ? 
0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
0
Nicolas Le Merle Replied
2/23/2016 at 12:55 AM
Just checked the 'URIBL' antispam settings and when I ping the host name that is configured there I dont get a response:
Ping request could not find host multi.uribl.com. Please check the name and try again.
1
Scarab Replied
2/23/2016 at 2:12 PM
These NDR responses are related to Declude (a third-party Anti-Spam product not related to SmarterMail but commonly installed alongside SmarterMail).
 
The Outlook Blank Folding Vulnerability occurs when there is a line in the headers with just a single space or a single tab. Older versions of Outlook (2000 and before) & Outlook Express could treat this as the end of headers, potentially allowing it to execute a virus that is embedded in the headers upon message preview. RFC2822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab.
 
However, that said, this vulnerability was never likely exploited in the wild and probably is no longer a threat as older versions of Outlook were either patched and modern E-mail clients don't have the same vulnerability. Likewise, for whatever reason, many legitimate emails do end up having a blank line with a single space or tab in the headers (I know back in the day the Incredimail E-Mail client did this). As such, it will give you plenty of false-positives.
 
We disabled this in Declude back in 2007 on our Mail Servers.
 
You can remove this by going to your \Declude directory and add the following line to your VIRUS.CFG file:
 
        ALLOWVULNERABILITY        OLBLANKFOLDING
 
 
1
Linda Pagillo Replied
3/2/2016 at 7:09 AM
Hi Nic. There are a few different ways to bypass vulnerability scanning in Declude. Check out this KB article which shows you all possible ways...
 
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Nicolas Le Merle Replied
3/2/2016 at 9:20 AM
Cheers thanks ill take a look!
0
Nicolas Le Merle Replied
3/2/2016 at 9:20 AM
Thanks :)
0
karl kapacee Replied
8/31/2023 at 5:08 AM
Hello,

 Will this this fix (http://know.mailsbestfriend.com/how_to_bypass_vulnerability_scanning_in_declude--282096967.shtml) cover below issue also?
Declude Virus v4.12.11 caught the [Partial Vulnerability] virus in Unknown File from 

thanks
Karl
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Spam and Security Checks for IPv6 SystemsSmarterMail > Antispam and Antivirus
Adding Delegates in Outlook for MacSmarterMail > Desktop and Mobile Synchronization
TLS 1.0/1.1 Deprecation InformationGeneral Topics
Connecting to Shared Resources in eM Client via EWSSmarterMail > Desktop and Mobile Synchronization
Moving SmarterMail to a New Hosting CompanySmarterMail > Domain/User Configuration and Management