Declude Virus v4.12.11 caught the [Outlook 'Blank Folding' Vulnerability] virus in [No attachment]
Question asked by Nicolas Le Merle - 2/23/2016 at 12:27 AM
Unanswered
Hey Guys,
 
Is anyone else getting these alerts from a domain's postmaster? I am getting several a week for the same domain, referencing the same sender domain, and after contacting the sender domain's admin they have confirmed there are no issues on their end, yet I continue to receive these alerts.
 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Spam-Score: -1.0 (-)
X-Spam-Report: Spam detection software, running on the system "sendersdomain.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content analysis details:   (-1.0 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                             domain
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 
 
There is not much helpful info in the actual bounce back mail, and there is nothing attached either.
 
Regards,
Nic

7 Replies

0
Nicolas Le Merle Replied
To add: I tested my client's domain here: https://admin.uribl.com/ and it came back to say it's NOT listed on the URIBL.
 
So does the below mean that the connection from my SM server to the URIBL server is not being established?
0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
0
Nicolas Le Merle Replied
Just checked the 'URIBL' antispam settings, and when I ping the host name that is configured there I don't get a response:
Ping request could not find host multi.uribl.com. Please check the name and try again.
1
Scarab Replied
These NDR responses are related to Declude (a third-party Anti-Spam product not related to SmarterMail but commonly installed alongside SmarterMail).
 
The Outlook Blank Folding Vulnerability occurs when there is a line in the headers with just a single space or a single tab. Older versions of Outlook (2000 and before) & Outlook Express could treat this as the end of headers, potentially allowing it to execute a virus that is embedded in the headers upon message preview. RFC2822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab.
 
However, that said, this vulnerability was never likely exploited in the wild and probably is no longer a threat, as older versions of Outlook were patched and modern E-mail clients don't have the same vulnerability. Likewise, for whatever reason, many legitimate emails do end up having a blank line with a single space or tab in the headers (I know back in the day the Incredimail E-Mail client did this). As such, it will give you plenty of false positives.
 
We disabled this in Declude back in 2007 on our Mail Servers.
 
You can remove this by going to your \Declude directory and adding the following line to your VIRUS.CFG file:
 
        ALLOWVULNERABILITY        OLBLANKFOLDING
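To make the header pattern Scarab describes concrete, here is an added example (not Declude's code and not from this thread) in Python: it finds whitespace-only lines inside an RFC 2822 header block, shows how a strict parser and a lenient client disagree on where the headers end when such a line is present, and strips those lines so both agree. The sample messages, sender addresses and the client name are constructed for the example.

```python
"""Added example (not Declude's code, not from this thread): detect and strip
the header pattern behind Declude's OLBLANKFOLDING check.

RFC 2822 3.2.3 folding continues a header field on a new line that starts with
whitespace and then carries text. A line that is *only* spaces or tabs is not
a valid fold and not the empty separator line either, so a strict parser keeps
reading headers while a lenient client may stop there. The functions below
make that disagreement visible on constructed sample messages.
"""
from typing import List, Tuple

# Constructed sample: correctly folded Subject, then one line holding a single
# space inside the header block (the blank-folding pattern).
SAMPLE_BAD = (
    b"From: sender@example.invalid\r\n"
    b"To: rcpt@example.invalid\r\n"
    b"Subject: a long subject that is\r\n"
    b"\tfolded correctly\r\n"
    b" \r\n"                          # whitespace-only header line
    b"X-Mailer: Example Client\r\n"
    b"\r\n"
    b"Body text\r\n"
    b" \r\n"                          # whitespace-only BODY line: harmless
)

# Constructed sample with only legitimate folding.
SAMPLE_GOOD = (
    b"From: sender@example.invalid\r\n"
    b"Subject: a long subject that is\r\n"
    b"\tfolded correctly\r\n"
    b"\r\n"
    b"Body text\r\n"
)


def _is_whitespace_only(line: bytes) -> bool:
    """True for a non-empty line made of spaces/tabs only (CR already removed)."""
    return line != b"" and line.strip(b" \t") == b""


def header_end_index(raw: bytes, lenient: bool = False) -> int:
    """0-based index of the line that terminates the header block.

    strict  (lenient=False): only a truly empty line ends the headers (RFC 2822).
    lenient (lenient=True) : a whitespace-only line also ends them, mimicking
                             the old client behaviour the check is about.
    Returns len(lines) if no terminator is found.
    """
    lines = raw.splitlines()          # bytes.splitlines handles CRLF and LF
    for idx, line in enumerate(lines):
        if line == b"" or (lenient and _is_whitespace_only(line)):
            return idx
    return len(lines)


def find_blank_folding(raw: bytes) -> List[Tuple[int, bytes]]:
    """Return (1-based line number, line) for every whitespace-only line that
    a strict parser still considers part of the headers."""
    lines = raw.splitlines()
    end = header_end_index(raw, lenient=False)
    return [(i + 1, lines[i]) for i in range(end) if _is_whitespace_only(lines[i])]


def normalize_headers(raw: bytes) -> bytes:
    """Drop whitespace-only lines from the header block only, so strict and
    lenient parsers agree on where the body starts. Body bytes are untouched."""
    lines = raw.split(b"\n")          # keep any trailing CR on each line
    out = []
    in_headers = True
    for line in lines:
        bare = line.rstrip(b"\r")
        if in_headers and bare == b"":
            in_headers = False        # real separator reached
        if in_headers and _is_whitespace_only(bare):
            continue
        out.append(line)
    return b"\n".join(out)


if __name__ == "__main__":
    for name, msg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, "strict end:", header_end_index(msg),
              "lenient end:", header_end_index(msg, lenient=True),
              "hits:", find_blank_folding(msg))
```

On the constructed bad message the strict parser ends the headers at line index 6 while the lenient one stops at index 4, which is exactly why the two kinds of client could see different "bodies"; after `normalize_headers` both land on the same line. The whitespace-only line in the body is deliberately left alone, since only the header block is ambiguous.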
 
 
1
Linda Pagillo Replied
Hi Nic. There are a few different ways to bypass vulnerability scanning in Declude. Check out this KB article which shows you all possible ways...
 
http://know.mailsbestfriend.com/how_to_bypass_vulnerability_scanning_in_declude--282096967.shtml
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Nicolas Le Merle Replied
Cheers, thanks, I'll take a look!
0
Nicolas Le Merle Replied
Thanks :)
0
karl kapacee Replied
Hello,

Will this fix (http://know.mailsbestfriend.com/how_to_bypass_vulnerability_scanning_in_declude--282096967.shtml) cover the below issue also?
Declude Virus v4.12.11 caught the [Partial Vulnerability] virus in Unknown File from 

thanks
Karl
