Email Vulnerabilities

pg pg at NEWHONEST.COM
Tue Sep 24 07:54:38 IST 2002


Outlook Express could split an oversized email into a few smaller emails. It
will display something like [1/5] .... [5/5] in the subject line of each
split message. And when another Outlook Express receives it (them), it will
join all of them (in this example, 5 of them) into one big email. Since
someone (bugtraq) reported that this could be a vulnerability, MailScanner
is modified to block it.

Sorry to tell you that I'm only a normal user of MailScanner (oh
MailScanner is so great!!!!). All the above comments are my own
understanding, not necessarily correct.

-Jason

----- Original Message -----
From: "Glynn S. Condez" <glynn at MAKATI.TECHSQUARE.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Tuesday, September 24, 2002 2:38 PM
Subject: Re: Email Vulnerabilities


> What is this split message all about? Is it a new feature of mailscanner?
>
> --- Glynn ---
>
> ----- Original Message -----
> From: "pg" <pg at NEWHONEST.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Tuesday, September 24, 2002 1:54 PM
> Subject: Re: Email Vulnerabilities
>
>
> > Hi, I have the same problem. I think this is a new feature which prohibits
> > "Split message" sent from Outlook Express. This could be quite a problem if
> > we can't receive "split message" because from time to time we have to
> > receive big but split emails. Is there anyone who could help?
> >
> > -Jason
> > ----- Original Message -----
> > From: "Glynn S. Condez" <glynn at MAKATI.TECHSQUARE.COM>
> > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > Sent: Tuesday, September 24, 2002 1:10 PM
> > Subject: Re: Email Vulnerabilities
> >
> >
> > > Yeah, I got three emails coming to my inbox and the emails are very clear. I
> > > only got this eicar.com email in my Deleted Items even though I haven't
> > > deleted it. Does the mailscanner send this to my Deleted Items coz SWEEP is
> > > not working anymore?
> > >
> > > --- Glynn ---
> > >
> > > ----- Original Message -----
> > > From: "James Murchison" <james at un.net.au>
> > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > Sent: Tuesday, September 24, 2002 1:09 PM
> > > Subject: Re: Email Vulnerabilities
> > >
> > >
> > > > If you're not getting the Virus Warning message the Scanner (Sweep) isn't
> > > > working. The {VIRUS} message is probably being generated by the allowed
> > > > files routine. If you have set your e-mail address as the postmaster,
> > > > you should receive at least two messages (probably 3): 1 the return
> > > > warning, 2 the Postmaster warning and 3 the original message stripped.
> > > >
> > > > KR J.
> > > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Glynn S. Condez
> > > > Sent: Tuesday, 24 September 2002 2:54 PM
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Re: Email Vulnerabilities
> > > >
> > > >
> > > > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I
> > > > have found out is the speed, it's faster now and the
> > > > vulnerability test from GFI doesn't work anymore.
> > > >
> > > > One thing I am wondering about: why does this eicar.com GFI test email
> > > > go to my Outlook Express Deleted Items with a modified subject
> > > > {VIRUS?} eicar.com [1/5] up to [5/5] and there's no warning message in
> > > > the body and the attachment is intact with the filename eicar.com. I'm
> > > > just wondering about this.
> > > >
> > > > Also, I am using Sophos and I got this message in my console "Useful
> > > > life of SWEEP has beed exceeded". Does Sophos not work anymore?
> > > >
> > > >
> > > > --- Glynn ---
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Glynn S. Condez" <glynn at MAKATI.TECHSQUARE.COM>
> > > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > > Sent: Tuesday, September 24, 2002 10:37 AM
> > > > Subject: Re: Email Vulnerabilities
> > > >
> > > >
> > > > > Thanks Jeff for the great idea, it seems that there's nothing that I
> > > > > need to reconfigure except for the conf files of mailscanner.
> > > > >
> > > > >
> > > > > --- Glynn ---
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jeff A. Earickson" <jaearick at COLBY.EDU>
> > > > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > > > Sent: Tuesday, September 24, 2002 10:28 AM
> > > > > Subject: Re: Email Vulnerabilities
> > > > >
> > > > >
> > > > > > Hi,
> > > > > >    I set up my mailscanner directory thus:
> > > > > >
> > > > > > lrwxrwxrwx   1 root     daemon        10 Sep 23 14:01 bin -> bin-3.23-1/
> > > > > > drwxr-xr-x   2 root     none        1024 Sep 13 10:23 bin-3.22-14/
> > > > > > drwxr-xr-x   2 root     none        1024 Sep 23 13:46 bin-3.23-1/
> > > > > > lrwxrwxrwx   1 root     daemon        10 Sep 23 14:01 etc -> etc-3.23-1/
> > > > > > drwxr-xr-x   2 root     none        1024 Sep 13 10:29 etc-3.22-14/
> > > > > > drwxr-xr-x   2 root     none        1024 Sep 23 13:55 etc-3.23-1/
> > > > > > drwxr-xr-x   3 root     none         512 May  2 11:52 man/
> > > > > > drwxr-xr-x   8 jaearick jaearick     512 Sep 23 14:06 src/
> > > > > > drwx------   4 root     none         512 May  3 09:38 var/
> > > > > >
> > > > > > When a new version of mailscanner comes out, I untar it and move the
> > > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] and
> > > > > > bin-[version].  Then I do side-by-side comparisons of the default
> > > > > > config versus my setup.  When I've carried my config changes into
> > > > > > the new etc files, I stop mailscanner, change the symlinks, restart
> > > > > > mailscanner.  Virtually no down time.  It would be nice if this kind
> > > > > > of directory versioning was incorporated into the tarfiles for v4
> > > > > > somehow...
> > > > > >
> > > > > > ** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
> > > > > > ** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
> > > > > > ** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
> > > > > > ** Waterville ME, 04901-8842
> > > > > > ----------------------------------------------------------------------------
> > > > > >
> > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote:
> > > > > >
> > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800
> > > > > > > From: Glynn S. Condez <glynn at MAKATI.TECHSQUARE.COM>
> > > > > > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > > > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > > > > Subject: Re: Email Vulnerabilities
> > > > > > >
> > > > > > > Oh by the way, this is the first time that I am going to upgrade the
> > > > > > > mailscanner, is it possible if I am going to rename the old mailscanner
> > > > > > > directory and install the new version of mailscanner as
> > > > > > > mailscanner?
> > > > > > >
> > > > > > > Or is there anything that I need to reconfigure?
> > > > > > >
> > > > > > > Thanks
> > > > > > > --- Glynn ---
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Glynn S. Condez" <glynn at MAKATI.TECHSQUARE.COM>
> > > > > > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > > > > > Sent: Tuesday, September 24, 2002 10:02 AM
> > > > > > > Subject: Re: Email Vulnerabilities
> > > > > > >
> > > > > > >
> > > > > > > > This mailing list is great, the response is so fast  :) well
> > > > > > > > I'll do the
> > > > > > > > upgrade, email you guys about the results.
> > > > > > > >
> > > > > > > > thanks
> > > > > > > >
> > > > > > > > --- Glynn ---
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Mike Kercher" <mike at CAMAROSS.NET>
> > > > > > > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM
> > > > > > > > Subject: Re: Email Vulnerabilities
> > > > > > > >
> > > > > > > >
> > > > > > > > > Try upgrading to 3.22-15  I think Julian got it to detect all
> > > > > > > > > of the vulnerabilities.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Glynn S. Condez
> > > > > > > > > Sent: Monday, September 23, 2002 8:58 PM
> > > > > > > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > > > > > > Subject: Email Vulnerabilities
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Based on this website http://www.gfi.com/emailsecuritytest,
> > > > > > > > > some of the test emails that contain a test virus or code go through
> > > > > > > > > and the mailscanner doesn't detect the embedded scripts in the emails.
> > > > > > > > >
> > > > > > > > > In version 4, is it possible to scan these kinds of viruses or code?
> > > > > > > > > By the way I'm using the stable version of mailscanner 3-22.7 with
> > > > > > > > > spamassassin2-31.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --- Glynn ---
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
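
Added example, not part of the original thread and not MailScanner's code: a gateway-side check for the split messages described at the top of this message, assuming they are carried as MIME `message/partial` fragments (RFC 2046), which a scanner sees one at a time while the receiving client reassembles them. The sample messages, addresses and the names `partial_info` and `gateway_verdict` are constructed for illustration.

```python
import email

# Constructed sample: one fragment of a split message as a gateway would see it.
FRAGMENT = """\
From: sender@example.com
To: rcpt@example.com
Subject: eicar.com [2/5]
MIME-Version: 1.0
Content-Type: message/partial; id="constructed-id@example.com";
 number=2; total=5

(fragment data)
"""

# Constructed sample: complete message whose subject merely looks like a fragment.
WHOLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: report [1/5] attached
MIME-Version: 1.0
Content-Type: text/plain

The subject looks like a fragment but the message is complete.
"""

def _as_int(value):
    """Convert a MIME parameter to int, or None if absent or malformed."""
    return int(value) if isinstance(value, str) and value.isdigit() else None

def partial_info(raw):
    """Return (id, number, total) if any MIME part is message/partial, else None."""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        # Decide on the declared content type, not on the "[n/m]" subject text.
        if part.get_content_type() == "message/partial":
            return (part.get_param("id"),
                    _as_int(part.get_param("number")),
                    _as_int(part.get_param("total")))  # total may be absent
    return None

def gateway_verdict(raw):
    """Hypothetical policy: hold fragments, pass everything else on to the scanner."""
    info = partial_info(raw)
    if info is None:
        return "scan"
    return "quarantine: fragment %s of %s (id %s)" % (info[1], info[2], info[0])
```
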


