"Virus Scanner Test #21" undetected?
Julian Field
mailscanner at ecs.soton.ac.uk
Sat May 1 16:22:28 IST 2004
At 16:10 01/05/2004, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi there,
>
>I just upgraded MailScanner to the latest version 4.30.3-1 and decided to
>test my configuration via http://www.testvirus.org .
>
>Of the 25 tests, one slipped through:
>Test #21: Eicar virus within zip file hidden using the "Long MIME
>Boundary Vulnerability"
>
>MailScanner stated this message as clean. Is this something to worry about?

The test is basically this:
1. Set the MIME boundary to a string as normal
2. Check to see if the MIME boundary turns up as a string starting with (1)

But catching this as an attack completely stops Eudora from working, as it
uses 1 MIME boundary per message, tacking things on the end as necessary
for other bits of the MIME structure.

So it's really an artificial test of the software that the guys who own
testvirus.org are trying to sell. Allowing this test to pass would actually
break quite a few messages. So I have no real intention of changing things
so that the test passes.

Don't for a minute assume that testvirus.org is "independent" just because
it is a .org domain. It's not. Check the whois record to see who really
owns it.

It is owned by Excedent (check out www.excedent.com to see who they really
are).
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
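
Added example, not part of the original post and not MailScanner's code: one reading of the check described in the reply (flag a message when one declared MIME boundary starts with another), run against two constructed nested-multipart messages. The boundary strings and function names are hypothetical; the point is that a well-formed message whose nested boundary is the outer one plus a suffix is flagged by the same check.

```python
from email import message_from_string

def build(outer, inner):
    """Constructed sample: multipart/mixed holding a multipart/alternative."""
    return (
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{outer}"\n'
        "\n"
        f"--{outer}\n"
        f'Content-Type: multipart/alternative; boundary="{inner}"\n'
        "\n"
        f"--{inner}\n"
        "Content-Type: text/plain\n"
        "\n"
        "hello\n"
        f"--{inner}\n"
        "Content-Type: text/html\n"
        "\n"
        "<p>hello</p>\n"
        f"--{inner}--\n"
        f"--{outer}\n"
        "Content-Type: text/plain\n"
        "\n"
        "second part\n"
        f"--{outer}--\n"
    )

# Hypothetical boundary strings. The first message reuses one base string and
# tacks a suffix on for the nested part, the habit the post attributes to Eudora.
SUFFIXED = build("BASE-0001", "BASE-0001.ALT")
DISTINCT = build("OUTER-0001", "INNER-0002")

def declared_boundaries(raw):
    """Boundary of every multipart part, outermost first."""
    parts = message_from_string(raw).walk()
    return [p.get_boundary() for p in parts if p.is_multipart() and p.get_boundary()]

def prefix_pairs(raw):
    """(shorter, longer) pairs where one declared boundary starts with another."""
    seen = list(dict.fromkeys(declared_boundaries(raw)))
    return [(a, b) for a in seen for b in seen if a != b and b.startswith(a)]

def leaf_types(raw):
    """Content types of the non-multipart parts, to show the message parses."""
    return [p.get_content_type() for p in message_from_string(raw).walk()
            if not p.is_multipart()]

if __name__ == "__main__":
    for name, raw in (("suffixed", SUFFIXED), ("distinct", DISTINCT)):
        print(name, prefix_pairs(raw), leaf_types(raw))
```

Both messages parse to the same three leaf parts; only the one with the suffixed boundary produces a prefix pair, so a scanner that rejects on that pair alone rejects it too.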