Re: NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass

From: Paul L Schmehl (paulsat_private)
Date: Fri Nov 30 2001 - 14:17:24 PST


I'd be real interested to know how you determined that the boundary field 
should be discarded.  According to the RFC you referenced, folding involves 
adding a LWSP-char after a CRLF.  Are you assuming that was missing?  And 
if you are, what are you basing that assumption on?

More to the point, it isn't WebShield's job to correctly parse headers. 
It's WebShield's job to detect and remove viral attachments.  If an 
incorrectly formed header is all it takes to bypass virus detection, then 
the virus writers will be screwing up their headers before this message 
gets cold.

This is most certainly a problem with WebShield, and NAI needs to fix it. 
They should be parsing for:

Content-Type: audio/x-wav;
name="NEWS_DOC.DOC.scr"
Content-Transfer-Encoding: base64

base64 decoding the content between the boundary markers and scanning the 
result to determine if it's viral.

After all, the idea behind a gateway scanner is to *protect* stupid email 
clients, not pass the problem off to them.

--On Friday, November 30, 2001 1:35 AM -0800 Joe Yandle 
<jwyat_private> wrote:
>
> This is not a bug in NAI WebShield, but rather a bug in any email
> client which parses this as a valid MIME message.  Read RFC 822,
> section 3.1.1, if you don't understand how to correctly fold
> email headers.  Since the 'boundary' field should be discarded,
> this email cannot be parsed for MIME attachments, and thus
> logically does not contain the virus.

Paul L. Schmehl, paulsat_private
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
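As an added example of the contrast Paul draws (gateway scanner versus mail client), and not code from either poster or from NAI: the small Python scanner below parses MIME parts the tolerant way, treating a header line that carries no field name as a continuation of the previous header whether or not it has the leading LWSP that RFC 822 folding requires, then base64-decodes the part between the boundary markers and inspects the attachment. The strict stdlib parser is shown beside it for comparison. Everything here is assumed or constructed: the message, the boundary string, the placeholder payload (a short byte string that merely begins with "MZ"), the address names and the list of risky extensions.

```python
import base64
import email
import re
from typing import Dict, List, Optional, Tuple

# A field name followed by ':' starts a new header; any other line is taken as
# a continuation of the previous header, with or without the leading LWSP that
# RFC 822 section 3.1.1 folding requires. (Assumption: field names are limited
# to letters, digits and hyphens, which covers every header in practice.)
HEADER_START = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:")
RISKY_EXTENSIONS = {".scr", ".pif", ".exe", ".com", ".bat", ".vbs"}  # assumed policy


def build_sample(fold: bytes) -> bytes:
    """Constructed sample message. `fold` separates the two halves of the
    attachment's Content-Type header: b"\\r\\n\\t" is proper RFC 822 folding,
    b"\\r\\n" is the malformed variant discussed in the thread."""
    payload = b"MZ placeholder: constructed stand-in, not a real executable"
    return (
        b"From: sender@example.test\r\n"
        b"To: recipient@example.test\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="constructed-boundary"\r\n'
        b"\r\n"
        b"--constructed-boundary\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"Hello\r\n"
        b"--constructed-boundary\r\n"
        b"Content-Type: audio/x-wav;" + fold + b'name="NEWS_DOC.DOC.scr"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n"
        + base64.encodebytes(payload)
        + b"--constructed-boundary--\r\n"
    )


SAMPLE_MALFORMED = build_sample(b"\r\n")    # continuation line lacks LWSP
SAMPLE_FOLDED = build_sample(b"\r\n\t")     # continuation line folded per RFC 822


def parse_headers(block: bytes) -> Dict[bytes, bytes]:
    """Lenient header parse: unindented continuation lines are joined too."""
    headers: Dict[bytes, bytes] = {}
    current = None
    for line in block.split(b"\n"):
        if HEADER_START.match(line):
            name, _, value = line.partition(b":")
            current = name.strip().lower()
            headers[current] = value.strip()
        elif current is not None and line.strip():
            headers[current] += b" " + line.strip()
    return headers


def split_parts(message: bytes) -> List[Tuple[Dict[bytes, bytes], bytes]]:
    """Return (headers, raw body) for each part between the boundary markers."""
    text = message.replace(b"\r\n", b"\n")
    head, _, body = text.partition(b"\n\n")
    top = parse_headers(head)
    match = re.search(rb'boundary="?([^";\s]+)"?', top.get(b"content-type", b""))
    if not match:
        return [(top, body)]
    parts = []
    for chunk in body.split(b"--" + match.group(1))[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        part_head, _, part_body = chunk.lstrip(b"\n").partition(b"\n\n")
        parts.append((parse_headers(part_head), part_body))
    return parts


def attachment_name(headers: Dict[bytes, bytes]) -> Optional[str]:
    for field in (b"content-disposition", b"content-type"):
        match = re.search(rb'(?:file)?name="?([^";]+)"?', headers.get(field, b""))
        if match:
            return match.group(1).decode("latin-1")
    return None


def decoded_body(headers: Dict[bytes, bytes], body: bytes) -> bytes:
    if headers.get(b"content-transfer-encoding", b"7bit").lower() == b"base64":
        return base64.b64decode(b"".join(body.split()))
    return body


def scan(message: bytes) -> List[dict]:
    """Decode every named attachment and report the signals a gateway would act on."""
    findings = []
    for headers, body in split_parts(message):
        name = attachment_name(headers)
        if name is None:
            continue
        content = decoded_body(headers, body)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({"name": name, "size": len(content),
                         "risky_extension": ext in RISKY_EXTENSIONS,
                         "pe_magic": content.startswith(b"MZ")})
    return findings


def strict_filenames(message: bytes) -> List[Optional[str]]:
    """What the stdlib parser sees: an unindented continuation line ends the
    header block, so the part carries no name and no base64 encoding."""
    msg = email.message_from_bytes(message)
    return [p.get_filename() for p in msg.walk() if not p.is_multipart()]


if __name__ == "__main__":
    for label, sample in (("folded", SAMPLE_FOLDED), ("malformed", SAMPLE_MALFORMED)):
        print(label, "strict:", strict_filenames(sample), "lenient:", scan(sample))
```

The strict parse reports no attachment at all for the malformed message, which is the "logically does not contain the virus" position; the lenient scan finds the same named, base64-encoded, MZ-prefixed part in both messages, which is what a gateway scanner that exists to protect clients has to do.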



This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 21:13:15 PST