RE: [Declude.Virus] Temp files ClamAV Windows not deleting
Jared:

That is what happened to us.. ran out of C drive space .. and that caused a ton of issues.

Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jared Pickerell
Sent: Tuesday, April 17, 2007 6:15 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting

I'm running into the same problem. I ended up with a server out of hard drive space before I figured out what was going on.

What can you do to let Declude/ClamWin delete them in the first place? As the administrator I can already delete the folders/files after the fact, but that doesn't solve the problem. Who needs to have ownership of the temp directory for Declude/ClamWin to delete these on its own?

Also ClamWin was using very high CPU. Is ClamWin known for high CPU usage? With the temp files not deleting and the high CPU utilization, I ended up just removing ClamWin as one of the scanners. When the AVG fix came out it wasn't really an issue, but I would like to use Clam as a secondary scanner if possible?

Any thoughts?

Thanks
Jared

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, April 17, 2007 1:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting

You need to take ownership of the files as the administrator and then you can delete them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, April 17, 2007 2:41 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Temp files ClamAV Windows not deleting

Hi;

I am having problem with viruses not being deleted from the temp directory when using the ClamWin - the following is the config entries:

# CLAM- 1st Scanner
#SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=C:\Progra~1\ClamWin\db --tempdir=c:\Temp --no-summary -l report.txt
#VIRUSCODE1 1

Any idea what I can do to have the virus files deleted from C:\temp?

Thanks
-Kami

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
Andrew..

Why not block any .exe attachments? In our system AVG is detecting it.

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Saturday, December 30, 2006 12:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New virus to add to your banned names in virus.cfg

http://isc.sans.org/diary.php?storyid=1988

BANNAME Greeting Card.exe
BANNAME Greeting Postcard.exe
BANNAME GreetingCard.exe

Which may be related to a rash of these that my mailserver received on Dec 28th, as the executables are the same size but contain many differences:

BANNAME postcard.exe

As of this writing, F-Prot detected neither executable, and Trend Micro does not yet, unless you use the CPR version to obtain the beta of the next pattern update.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, December 26, 2006 6:05 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] How to block an IP

Joe,

Just add the IP or CIDR block into the SMTP access control in Imail.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: J Porter [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, December 25, 2006 11:06 PM
Subject: [Declude.Virus] How to block an IP

Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)?

I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says H~xxx\.yyy\.zz\. but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs)

I don't think the H~ (header contains) command reads everything in the header.

~Joe
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Hi John:

I have received 3 of these that are not in zip files.

My_new_comp.doc
About_me.doc
Hp_laptops.doc

All are similar in concept: With the following in the body and different subjects. Name after hello is also different.

---
Hello Cristian Asanachescu

Regards,
Cristian Asanachescu

Or

-
Hello Patricia Myrose

Regards,
Patricia Myrose
-

All files are 52 KB attachments.

I am trying to see why it was not caught as virus.. It does not look right.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 5:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You
Seek, and ye shall find!
[Declude.Virus] Containing: Possibly a new variant of JS/ virus
Hi;

We are having a major problem.

A large number of emails are getting caught with the following message:

Containing: Possibly a new variant of JS/ virus
In: [HTML segment] attachment

I have added:

ALLOWVULNERABILITYJS

but it is not working. Almost every HTML email and newsletter is getting caught by this vulnerability "feature".

How can we disable this? It seems like allow directive is not working.

Regards,
Kami
RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
Hi Matt.. thanks for your quick reply.

Here is the virus log entries:

03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response

here is our entries in the virus.cfg file

SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found

# F-PROT - 2nd scanner
SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:

# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified

# CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

Hope that helps..

Regards,
- Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

You might want to post your full Declude Virus log snippet for one such message and identify both your Declude version and your virus scanners.

Matt
RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
Hi Matt Marcus..

Many thanks for your response.. I changed my config file to see if that resolves the problem. This problem comes and goes.. a lot of web forms appear to be having this issue.

I added Matt's config file to see if that helps..

thanks
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, March 24, 2006 6:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

This is F-Prot that is detecting this and not Declude. I believe that the reason is the "/PARANOID" switch that you are using. This is not a commonly used switch and it's not documented in the executable's help. Here's my config for F-Prot. I believe this should stop your issues if you change to it:

C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

I have no virus hits that match what you are showing for F-Prot using this config.

Matt
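Archive note, not part of the original messages: the diagnosis in this thread (the hit came from scanner 2, F-Prot, not from Declude itself) can be reproduced by joining the "Virus scanner N reports exit code" log lines against the SCANFILEn/VIRUSCODEn entries in virus.cfg. The Python below is an added example, not Declude code; the function names are hypothetical, and treating names that begin with "Possibly a new variant" as heuristic guesses is an assumption based on the wording in the log.

```python
import re

# Sample input taken from the virus.cfg and virus log quoted in the thread,
# line breaks restored (REPORTn lines and scanner 3 left out for brevity).
VIRUS_CFG = r"""
SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
# F-PROT - 2nd scanner
SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1
"""

VIRUS_LOG = """
03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
"""

CFG_RE = re.compile(r"^(SCANFILE|VIRUSCODE)(\d+)\s+(.+)$")
LOG_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+ (\S+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")
NAME_RE = re.compile(r"^Scanner (\d+): Virus=\s*(.*?)\s+Attachment=")
EXE_RE = re.compile(r"([^\\\s]+\.exe)", re.IGNORECASE)


def parse_virus_cfg(text):
    """Map scanner number -> command line and the exit codes that mean 'virus'."""
    scanners = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = CFG_RE.match(line)
        if not m:
            continue  # directive this example does not need
        key, num, value = m.group(1), int(m.group(2)), m.group(3).strip()
        entry = scanners.setdefault(num, {"command": "", "virus_codes": set()})
        if key == "SCANFILE":
            entry["command"] = value
        else:
            entry["virus_codes"].add(int(value))
    return scanners


def attribute_detections(log_text, scanners):
    """Return one record per (spool file, scanner) whose exit code is a VIRUSCODE."""
    exit_codes, names = {}, {}
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        spool, msg = m.groups()
        e = EXIT_RE.match(msg)
        if e:
            exit_codes[(spool, int(e.group(1)))] = int(e.group(2))
            continue
        n = NAME_RE.match(msg)
        if n:
            names[(spool, int(n.group(1)))] = n.group(2)
    hits = []
    for (spool, num), code in sorted(exit_codes.items()):
        cfg = scanners.get(num)
        if cfg is None or code not in cfg["virus_codes"]:
            continue  # clean result, or a scanner missing from virus.cfg
        exe = EXE_RE.search(cfg["command"])
        name = names.get((spool, num), "")
        hits.append({
            "spool": spool,
            "scanner": num,
            "executable": exe.group(1) if exe else "",
            "exit_code": code,
            "virus": name,
            # Assumption: this wording marks a heuristic guess, not a signature match.
            "heuristic": name.lower().startswith("possibly a new variant"),
            "switches": [t for t in cfg["command"].split()[1:] if t[0] in "/-"],
        })
    return hits


if __name__ == "__main__":
    for hit in attribute_detections(VIRUS_LOG, parse_virus_cfg(VIRUS_CFG)):
        print(hit)
```

Run over a day of logs, the same join shows whether heuristic hits cluster on one scanner and which switches that scanner was started with.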
RE: [Declude.Virus] [IMail Forum] Issues Using IMail 8.22 To Send Messages From Web Server
Hi Grant..

The problem is an issue we faced with as well. If you are sending HTML with fancy tags your emails are getting tagged as:

-Virus: Possibly a new variant of JS/
-In: [HTML segment]

We had all of our web messaging emails get caught as that virus. I changed the program to simply send an HTML without any tags other than BR for line break and it worked fine.

We use ASPemail for 1 application and the problem started happening almost 2 or so weeks ago. All is fine now.

Hope this helps.

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Monday, March 20, 2006 10:36 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] [IMail Forum] Issues Using IMail 8.22 To Send Messages From Web Server

I will get a support ticket open with Declude, but just as an FYI, I disabled Declude Virus last Friday and have not seen this issue again since. Therefore it appears Declude Virus might be taking the message and then timing out for some reason. I am still watching all the emails coming from my web server, but the past 20+ have went thru fine since disabling Declude Virus.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Friday, March 17, 2006 1:39 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] [IMail Forum] Issues Using IMail 8.22 To Send Messages From Web Server

Well, I do have Declude running with F-Prot. I just checked those logs and there is nothing in there for that message which is really odd... Maybe this is a Declude Issue now?!?!

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matti Haack
Sent: Friday, March 17, 2006 1:22 PM
To: Grant Griffith - IMail
Subject: Re: [IMail Forum] Issues Using IMail 8.22 To Send Messages From Web Server

GGI> Well, here is the ASPMail log for an email that did not go out and
GGI> then below it is the Imail logs showing it timing out...

As the session in the ASP-Mail log is completed without problems - and the session in the Imail log is not, there must be some proxy (or Virusscanner, ASSP etc.) between the both. The 250 and 221 messages are created by the receiving SMTP-Server.

I assume it is a virusscanner, which stops sending on the message during the scan...

Just an Idea. Maybe I am wrong...

Matti

GGI> ASPMAIL LOG
GGI> 220 ei8htlegs.net (IMail 8.22 95649-4) NT-ESMTP Server X1
GGI> HELO mail.ei8htlegs.net
GGI> 250 hello ei8htlegs.net
GGI> MAIL FROM:[EMAIL PROTECTED]
GGI> 250 ok
GGI> RCPT TO:[EMAIL PROTECTED]
GGI> 250 ok its for [EMAIL PROTECTED]
GGI> RCPT TO:[EMAIL PROTECTED]
GGI> 250 ok its for [EMAIL PROTECTED]
GGI> DATA
GGI> 354 Please start mail input.
GGI> Message body suppressed.
GGI> .
GGI> 250 Mail queued for delivery.
GGI> QUIT
GGI> 221 Closing connection. Good bye.
GGI> /ASPMAIL LOG
GGI> Imail Log
GGI> 03:16 20:36 SMTPD(12ab015a43ee) [64.184.24.60] connect
GGI> 64.184.24.36 port
GGI> 2919
GGI> 03:16 20:36 SMTPD(12ab015a43ee) [64.184.24.36] HELO
GGI> mail.ei8htlegs.net
GGI> 03:16 20:36 SMTPD(12ab015a43ee) [64.184.24.36] MAIL
GGI> FROM:[EMAIL PROTECTED]
GGI> 03:16 20:36 SMTPD(12ab015a43ee) [64.184.24.36] RCPT
GGI> TO:[EMAIL PROTECTED]
GGI> 03:16 20:36 SMTPD(12ab015a43ee) [64.184.24.36] RCPT
GGI> TO:[EMAIL PROTECTED]
GGI> 03:16 20:41 SMTPD(12ab015a43ee) connection timed out
GGI> /Imail Log
GGI> Thanks,
GGI> Grant Griffith
GGI> Web Application Developer
GGI> Enhanced Telecommunications Corp.
GGI> (812)932-1000
GGI> -Original Message-
GGI> From: [EMAIL PROTECTED]
GGI> [mailto:[EMAIL PROTECTED] On Behalf Of Grant
GGI> Griffith - IMail
GGI> Sent: Tuesday, March 14, 2006 10:49 AM
GGI> To: Imail_Forum@list.ipswitch.com
GGI> Subject: RE: [IMail Forum] Issues Using IMail
GGI> 8.22 To Send Messages From Web
GGI> Server
GGI> OK, I have logging turned on now for the ASPMail side of things.
GGI> Just have
GGI> to watch for it to occur again and then look at what both sides said.
GGI> Thanks,
GGI> Grant Griffith
GGI> Web Application Developer
GGI> Enhanced Telecommunications Corp.
GGI> (812)932-1000
GGI> -Original Message-
GGI> From: [EMAIL PROTECTED]
GGI> [mailto:[EMAIL PROTECTED] On Behalf Of Eric
GGI> Shanbrom
GGI> Sent: Tuesday, March 14, 2006 10:41 AM
GGI> To: Imail_Forum@list.ipswitch.com
GGI> Subject: Re: [IMail Forum] Issues Using IMail
GGI> 8.22 To Send Messages From Web
GGI> Server
GGI> You are looking in the wrong direction. This is a message coming
GGI> into IMail
GGI> not going out to somewhere else. Since it hasn't been accepted for
GGI> delivery
GGI> by IMail there is nothing to re-queue and try again.. the question
GGI> here is
GGI> why didn't the conversation continue after the final RCPT TO.
RE: [Declude.Virus] SKIPIFFORGING
John..

I am seeing a lot of notices go out for forged viruses .. I think Scott was updating a list that Declude was checking against.. perhaps that list is not being updated by Barry company..

Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Friday, March 03, 2006 10:17 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] SKIPIFFORGING

Imail 8.22
Declude 4.0.9

Is anyone else having the problem of having forged virus notices sent even though you are using SKIPIFFORGING. I went back in the archives and found this from late 2004, so Scott was probably talking about 1.8x or early 2.x version. Did SKIPIFFORGING go away?

John

Using SKIPIFFORGING means we don't have to keep adding SKIPIFVIRUSNAMEHAS to the eml's for each new forging virus, right??? Can we then remove the SKIPIFVIRUSNAMEHAS lines?

Correct -- *if* you are running the latest beta.

What specifically do we put in virus.cfg and/or the individual eml's?

Just a line "SKIPIFFORGING" at the top of the \IMail\Declude\sender.eml and \IMail\Declude\otherpostmaster.eml files is all that is necessary. You can put them in the other .eml files if you like, as well, but the sender.eml and otherpostmaster.eml are the important ones.

-Scott
RE: [Declude.Virus] ClamAV sanesecurity definitions
Andrew:

After the post I did the same and it is working great. I have done as Scott has stated. I review all the messages and none of our Declude filters are being triggered anymore. All the phishing attempts used to get caught by our filters.. with ClamAV and the phish.ndb all are being caught.

One issue we have is the identification.. this is what a typical message looks like.

=
Declude Virus [Ver: 4.0.9] caught:
-Virus: Unknown Virus
-In: Unknown File
-From: * DELETED
-To: * DELETED
-Direction: incoming
-Date: 02 Mar 2006 12:33:16
-Subject: Account review
-Spool File: D2c44018bdb48.smd
-Remote IP: 193.254.190.119
=

Extremely nice test and many thanks for posting it.

Regards,
- Kami
[Declude.Virus] Variant of JS/
Hi;

Does anyone know why a lot of HTML emails are being caught with the following warning:

Declude Virus [Ver: 4.0.9] caught:
-Virus: Possibly a new variant of JS/
-In: [HTML segment]
-From: [EMAIL PROTECTED]
-To:
-Direction: incoming
-Date: 26 Feb 2006 18:23:44
-Subject: Don't forget to get Verified!
-Spool File: D387601a33b70.smd
-Remote IP: 216.113.188.112

We are having a lot of people telling us that their emails from PayPal are getting caught. Earlier this week we had the same issue with our email forms and finally had to make the simple text emails to get through this.

Any ideas?

Regards,
- Kami
[Declude.Virus] Symantec Anti-Virus Software Open To Attack
Hi;

Considering the latest discussion.. I thought if it has not been posted this article could be of interest..

-
http://www.informationweek.com/story/showArticle.jhtml?articleID=175007150cid=RSSfeed_IWK_winsecurity

Symantec Anti-Virus Software Open To Attack

The bug, which could result in a completely compromised machine, remains unpatched although Symantec has issued an advisory.

"Symantec has not issued a patch for the vulnerability, but the DeepSight alert recommended that users disable scanning for RAR archive files."

---
I just saw this posted on InformationWeek at 5 p.m.

It affects: All editions of Symantec's Norton Internet Security and Norton AntiVirus, including AntiVirus for the Macintosh, are at risk, as are other products which include the Library. Those include such enterprise-specific lines as AntiVirus Corporate Edition, Brightmail Anti-Spam, Client Security, and Gateway Security.

Regards,
- Kami
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
Hi Markus:

I just updated F-Prot and scanned the one I received called Katherine.zip. It shows it as Suspicious file. McAfee is not detecting it.

As suggested the best path at the moment could be:

BANZIPEXTS ON

We have:
- Grisoft AVG
- F-Prot
- Clam AV
- McAfee

Only F-Prot with the latest update shows it as suspicious.

Regards,
- Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, December 15, 2005 10:55 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

Some of the small AV companies are reporting it as a Bagle variant and F-Prot is reporting it as MitGlieder.GU although it is not catching it on the server.

Even if I can't explain why it is not catching it I can confirm this. F-Prot on virustotal is catching it. On my server with newest definitions it's not blocking it as a virus. Mcafee at the moment seems not catching it with newest signatures.

Markus

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
[Declude.Virus] ClamAV 0.86.1 - Buffer Overflow warning
Hi ..

I thought this could be of interest to the group- if you are using ClamAV -0.86.1. Saw this in a security newsletter.

Regards,
Kami

* Widely Deployed Software *

(1) HIGH: ClamAV Multiple Buffer Overflows

Affected:
ClamAV version 0.86.1 and prior

Description: ClamAV is an open-source antivirus software designed mainly for scanning emails on UNIX mail gateways. The software includes a virus scanning library - libClamAV. This library is used by many third party email, web, FTP scanners as well as mail clients. The library contains three integer overflows that can be triggered by specially crafted TNEF (Microsoft Rich Text), CHM (Microsoft Help) and FSG (Packed Executable Format) files. The attacker can send the malicious files via email, web, FTP or a file share, and exploit the heap-based overflows to execute arbitrary code on the system running the ClamAV library. The technical details can be obtained by comparing the fixed and the affected versions of the software. Note that for compromising the mail/web/FTP gateways no user interaction is required.

Status: The vendor has released ClamAV 0.86.2 to address these issues. Please look for third party updates for the software linked to libClamAV.

Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

References:
Posting by rem0te security
http://archives.neohapsis.com/archives/bugtraq/2005-07/0414.html
Third Party Software Using ClamAV
http://www.clamav.net/whos.html#pagestart (Includes Mac OS X server)
http://www.clamav.net/3rdparty.html#pagestart
SecurityFocus BID
http://www.securityfocus.com/bid/14359
RE: [Declude.Virus] Windows Update!
Hi Goran:

We have a set of Whitelist filters. As a matter of format:

[Whitelist.Vendor.Microsoft]
[Whitelist.List.Something]

Then I have a combo filter that simply does:

TESTSFAILED WHITELIST CONTAINS [Whitelist.

This way I can do combo tests depending on the category and sub-category and do other things if needed.

Hope that helps.

Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Sunday, April 10, 2005 8:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Kami,

What do you do in Global.cfg when an e-mail fails the MS Filter? Subtract a bunch of points?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 6:41 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Hi Andrew:

We have Microsoft in our spam domains- but the problem is Microsoft sends email from so many different reverse DNS. ISV, MSDN, MSN, Office Newsletter-- all are sent from different providers.

For example: Here is our MS filter:

MINWEIGHTTOFAIL 2

MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net

REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com

But I have seen them send from other reverse dns. So it is not that easy- at least I don't think it is.

These emails are being held at 30+ weight in our system. All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50. I am afraid they can think it is a valid email in their spam folder.. who knows.

I think we should track this one closely.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

No, that email address is not valid. Those emails have been easily held over on my system.

You can certainly block that bogus MAILFROM but since the bad guys will continue to change it as they hatch new spoofs, why not split out your SPAMDOMAINS into groups that are likely to be abused, and weight those high enough to meet your HOLD weight?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!

Hi;

In the past hour I have seen several emails caught as spam but the weight still not high enough to be deleted with subject: Urgent Windows Update.

As everyone (?) knows this is the recent attempt to install a worm on the visitor's computer- there is a link to the Express install and no attachments. The link is an IP address. I think ClamAV detects such behavior but it is not catching it yet and I just checked the update.

I think for now I created a filter that if the email is from Microsoft and there is an IP address in the body for the email to be blocked.

This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address. Anyone knows if this is a valid address? Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates and from what I read this scam was about to be released today.. so it is starting at least on our system.

Regards,
Kami
[Declude.Virus] Windows Update!
Hi;

In the past hour I have seen several emails caught as spam but the weight still not high enough to be deleted with subject: Urgent Windows Update.

As everyone (?) knows this is the recent attempt to install a worm on the visitor's computer- there is a link to the Express install and no attachments. The link is an IP address. I think ClamAV detects such behavior but it is not catching it yet and I just checked the update.

I think for now I created a filter that if the email is from Microsoft and there is an IP address in the body for the email to be blocked.

This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address. Anyone knows if this is a valid address? Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates and from what I read this scam was about to be released today.. so it is starting at least on our system.

Regards,
Kami
RE: [Declude.Virus] Windows Update!
Hi Andrew:

We have Microsoft in our spam domains- but the problem is Microsoft sends email from so many different reverse DNS. ISV, MSDN, MSN, Office Newsletter-- all are sent from different providers.

For example: Here is our MS filter:

MINWEIGHTTOFAIL 2

MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net

REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com

But I have seen them send from other reverse dns. So it is not that easy- at least I don't think it is.

These emails are being held at 30+ weight in our system. All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50. I am afraid they can think it is a valid email in their spam folder.. who knows.

I think we should track this one closely.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

No, that email address is not valid. Those emails have been easily held over on my system.

You can certainly block that bogus MAILFROM but since the bad guys will continue to change it as they hatch new spoofs, why not split out your SPAMDOMAINS into groups that are likely to be abused, and weight those high enough to meet your HOLD weight?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!

Hi;

In the past hour I have seen several emails caught as spam but the weight still not high enough to be deleted with subject: Urgent Windows Update.

As everyone (?) knows this is the recent attempt to install a worm on the visitor's computer- there is a link to the Express install and no attachments. The link is an IP address. I think ClamAV detects such behavior but it is not catching it yet and I just checked the update.

I think for now I created a filter that if the email is from Microsoft and there is an IP address in the body for the email to be blocked.

This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address. Anyone knows if this is a valid address? Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates and from what I read this scam was about to be released today.. so it is starting at least on our system.

Regards,
Kami
[Declude.Virus] W32/MyWife.c@MM virus
Hi;

Is this a forging virus?

Containing: the W32/[EMAIL PROTECTED] virus
In: Unknown File attachment
Subject: "03 Alai Alai Alaiyay"

We are starting to get a lot of them and alerts are being received so that tells me Declude does not consider it forging.

Regards,
Kami
RE: [Declude.Virus] hlp attachments
Hi John..

I had never heard of it but.. Here is a Google search result..

http://www.uts.edu.au/email/advanced/executable.html
http://office.microsoft.com/en-us/assistance/HA011402971033.aspx

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, December 28, 2004 1:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] hlp attachments

I just had a client request blocking of hlp attachments. I have been extremely busy with 2 major projects and have not seen anything about this. Any one have information on a virus that uses that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
RE: [Declude.Virus] PB installing 2.0B
Hi Serge:

We had a similar issue but I think I know what happens. If Declude is in use then it can not copy the Declude.exe file in the install directory.

We used to have the same issue when copying the Declude.exe file and IMail was processing email.. Since Declude.exe was in use you could not copy it over.

I stopped the services and waited for the spool to clear then installed 2.b and it worked fine..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Monday, December 20, 2004 6:50 PM
To: Declude.Virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] PB installing 2.0B

I am trying to upgrade to 2.0B

Getting an error of: Error copying file to taret directory
With status at removing backup files

Need Help, TIA
[Declude.Virus] Version 2.0
Hi; Just an FYI- it seems like installation of Beta 2.0 will replace your postmaster and receipt.eml files. After updating to Beta 2.0 we started getting alerts from forging viruses and I had to copy the old files back from our backup copies. If you update you may want to make backup copy of the files and check them after installation. Regards, Kami
RE: [Declude.Virus] Exploit-MIME.gen.c
Mario: What virus software are you using? Are you using only one scanner? If you are using only one scanner I highly recommend you add another scanner. I have seen F-Prot for example not catch a virus and ClamAV does. We use AVG, F-Prot, ClamAV, and McAfee- but we don't have a heavy traffic on our server and can afford the CPU usage by 4 scanners. I think a lot of people use at least 2 or 3 scanners together. Regards, Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mario Antonio Sent: Saturday, December 18, 2004 10:23 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Exploit-MIME.gen.c

Dear List, One of our customers got the following message from an external Mail-gate anti-virus system: Virus Scanner found the Exploit-MIME.gen.c (Malicious Mobile Code) virus It seems as if this virus was not caught by our Declude Virus system. Do you know if this type of virus forges the From address? Regards Mario Antonio

--- [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
RE: [Declude.Virus] new interim version
Bennie: Look at Scott's email: Yes. v1.80 has basic (Microsoft method) detection of the GDIPlus.dll JPEG Exploit, but their way has false positives. The v1.80i1 interim at http://www.declude.com/version/interim (and likely tomorrow a 1.81 release) has full (Declude method) detection of the GDIPlus.dll JPEG Exploit, and is expected to have no false positives. All interims are always there. Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bennie Sent: Friday, October 01, 2004 6:16 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] new interim version

And where do you find these on the website??? I have been looking and can't seem to find them anywhere Bennie
RE: [Declude.Virus] F-Prot 3.15b break Declude Virus?
We have been on B version for 2 weeks or so- no problems here. We use 3 scanners: F-Prot, AVG, and McAfee- all are working like one big happy family. Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Friday, October 01, 2004 10:03 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] F-Prot 3.15b break Declude Virus?

I read the thread about this, but I didn't determine the final conclusion. Does F-Prot 3.15b break Declude virus?

I'm not aware of it breaking Declude Virus. -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.Virus] Error 10 in McAfee
Hi; For the past 2+ weeks I see AVG returning error in Declude log file. These are our settings:

# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 6
REPORT3 identified

The error:

07/20/2004 00:00:23 Q98c30bb902725853 Could not find parse string identified in report.txt
07/20/2004 00:00:23 Q98c30bb902725853 Error 10 in virus scanner 3.
07/20/2004 00:00:23 Q98c30bb902725853 Scanned: Error in virus scanner.

Has anyone seen this? I did not find anything in the archives regarding this. Regards, Kami
[Declude.Virus] FYI
Thought it could be of interest. Kami

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci958574,00.html?track=NL-102ad=479694

F-Secure antivirus software vulnerable to Sober-D worm
By Edmund X. DeJesus, Contributing Writer
07 Apr 2004 | SearchSecurity.com

Once again, a security software vendor is warning users of flaws that could make their products vulnerable to precisely the attacks they are intended to protect against. F-Secure's Anti-Virus for MIMEsweeper requires fixes to close a gap that could allow infection by at least one worm.

F-Secure, maker of a variety of virus protection and intrusion prevention products, has announced a vulnerability caused by an unspecified error in its Anti-Virus for MIMEsweeper product. MIMEsweeper is a content security product for e-mail and the Web.

The vulnerability allows the Sober-D worm to bypass the usual e-mail antivirus security monitoring and infect computers. This worm travels in e-mail attached .zip files. Versions 5.41 and 5.42 of Anti-Virus for MIMEsweeper are vulnerable on all supported platforms. F-Secure has a fix for users.

Recently, other security software vendors, including Internet Security Systems and Symantec, have also reported flaws that render certain products vulnerable to attack.
RE: [Declude.Virus] Trend and McAfee installed on same machine
Scott: Just an idea... What if you extend the idea of Whitelist password to Declude Virus- for password protected zip files. If the subject has a code then the attachment with password protected will be skipped. If you can take the subject and delete the password before passing it on it can work great.. Sort of like the password protected list in IMail. This can solve a lot of problems.. But I am sure it can introduce more. Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, March 25, 2004 7:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Trend and McAfee installed on same machine

One option (with Declude Virus Pro) is to ban file extensions within .ZIP files (blocking all .EXE, .PIF, .SCR, .BAT, .COM, etc. files). The other option would be to rename the .ZIP file to use another extension.

So if I understand correctly, I should be able to send a zip file to somebody on my server and they will receive it? But, if it was zip file that contained a scr or pif or whatever, Declude would stop it?

Again, it all depends on how you have it set up. With BANEXT EZIP, all encrypted .ZIP files are blocked (which is recommended). In that case, you can send a .ZIP file to someone on your server and they will receive it (assuming it is not an encrypted .ZIP file). If you do not want to ban all encrypted .ZIP files, you'll need to use Declude Virus Pro with BANEZIPEXTS ON (to ban file extensions within encrypted .ZIP files; you can also use BANZIPEXTS ON to ban file extensions within non-encrypted .ZIP files) and a bunch of BANEXT lines (one per extension you wish to block). Then, those extensions will be blocked in standard files, as well as encrypted .ZIP and/or standard .ZIP files. -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.Virus] Update- New virus
Hi; Just to update my last email. The new virus is still not being caught by scanners:

Norton AV
McAfee
F-Prot
AVG

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.. As of 8:31 EST We are now blocking it with the new features. Regards, Kami

In case it is of interest this is what we have in our .cfg file so far

virus.cfg entries:

BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEZIPEXTS ON
RE: [Declude.Virus] Update- New virus
1.78i8 === X-Note: This E-mail was scanned filtered by Declude [1.78i8] for SPAM virus. === Kami

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Wednesday, March 03, 2004 8:46 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Update- New virus

Kami, What version of Declude are you running (1.78i7 or 1.78i8)? Thanks, Keith

-Original Message- From: [EMAIL PROTECTED] on behalf of Kami Razvan Sent: Wed 3/3/2004 8:32 AM To: [EMAIL PROTECTED] Cc: Subject: [Declude.Virus] Update- New virus

Hi; Just to update my last email. The new virus is still not being caught by scanners:

Norton AV
McAfee
F-Prot
AVG

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.. As of 8:31 EST We are now blocking it with the new features. Regards, Kami

In case it is of interest this is what we have in our .cfg file so far

virus.cfg entries:

BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEZIPEXTS ON
RE: [Declude.Virus] Update- New virus
Erminio: I have a copy of this virus.. I don't think it is J. We have virus that is caught as J but this one that I have is not being caught. I can gladly send it to you off list to test.. Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E. Ballerini Sent: Wednesday, March 03, 2004 9:16 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Update- New virus

R. Scott Perry wrote:

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning..

This new one -- (Dear user of your_domain.com e-mail server gateway...) likely is not going to get caught by any virus scanners. The only information that an AV program has about an encrypted .ZIP file is the filename, the size, and the CRC (a fingerprint of the file). This virus (Bagle.J) makes the filename, size, and CRC random, so it will be nearly impossible for an AV program to detect it.

Running McAfee WebShield 4.5 MR1a on a mailrelay before my mailserver (with Declude) with Scan engine version 4.3.20 DAT version 4.3.4332 and it's detecting W32/[EMAIL PROTECTED] Erminio
RE: [Declude.Virus] Update- New virus
Scott: I guess considering the concept is forging does not apply to blocking the zip files we should STOP sending banned extension notifications. True? Regards, Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, March 03, 2004 9:05 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Update- New virus

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning..

This new one -- (Dear user of your_domain.com e-mail server gateway...) likely is not going to get caught by any virus scanners. The only information that an AV program has about an encrypted .ZIP file is the filename, the size, and the CRC (a fingerprint of the file). This virus (Bagle.J) makes the filename, size, and CRC random, so it will be nearly impossible for an AV program to detect it. We are now recommending that people block encrypted .ZIP files. You can do this by adding a line BANEXT EZIP in the \IMail\Declude\virus.cfg file if you are using the latest interim release at http://www.declude.com/interim . -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
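The point made in the messages above (for an encrypted .ZIP member only the filename, size and CRC are readable, so a gateway either blocks every encrypted .ZIP or bans extensions inside it) can be sketched as follows. This is an added example, not code from the thread or from Declude; the function names, the three policy switches (loosely modelled on BANEXT EZIP, BANEZIPEXTS and BANZIPEXTS) and the sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Subset of the extensions named in the thread (.EXE, .PIF, .SCR, .BAT, .COM).
BANNED_EXTS = {"exe", "pif", "scr", "bat", "com"}
PAYLOAD = b"constructed placeholder bytes"  # constructed sample content


def member_extension(name):
    """Final extension of an archive member, lower-cased.

    Trailing dots and spaces are stripped first because Windows drops
    them on extraction ("x.scr. " ends up on disk as x.scr).
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def zip_member_metadata(data):
    """Fields readable from a .ZIP central directory without a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            {"name": i.filename, "size": i.file_size, "crc": i.CRC,
             "encrypted": bool(i.flag_bits & 0x1)}  # bit 0: member is encrypted
            for i in zf.infolist()
        ]


def evaluate(data, ban_encrypted_zip=False,
             ban_exts_in_encrypted=True, ban_exts_in_plain=True):
    """Return (verdict, hits) for one attachment.

    ban_encrypted_zip      ~ block any archive with an encrypted member
    ban_exts_in_encrypted  ~ check member names inside encrypted archives
    ban_exts_in_plain      ~ check member names inside ordinary archives
    These switches are hypothetical stand-ins, not Declude's parser.
    """
    try:
        members = zip_member_metadata(data)
    except zipfile.BadZipFile:
        return ("unparseable", [])  # caller decides: quarantine or pass on
    hits = []
    for m in members:
        if m["encrypted"] and ban_encrypted_zip:
            hits.append((m["name"], "encrypted member"))
            continue
        check = ban_exts_in_encrypted if m["encrypted"] else ban_exts_in_plain
        ext = member_extension(m["name"])
        if check and ext in BANNED_EXTS:
            hits.append((m["name"], "banned extension ." + ext))
    return ("block" if hits else "pass", hits)


def build_sample(names, encrypted):
    """Constructed test archive. With encrypted=True only the header flag
    is set (the payload is left as-is), which is enough here because the
    checks above never read member data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in names:
            zf.writestr(n, PAYLOAD)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # general-purpose flags: offset 6 in local headers, 8 in central ones
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", raw, pos + off)
                struct.pack_into("<H", raw, pos + off, flags | 0x1)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    cases = [
        ("encrypted, .scr inside", ["details.txt.scr"], True),
        ("encrypted, .doc inside", ["report.doc"], True),
        ("plain, .doc inside", ["report.doc"], False),
    ]
    for label, names, enc in cases:
        sample = build_sample(names, enc)
        print(label, "| ext policy:", evaluate(sample),
              "| block-all-encrypted:", evaluate(sample, ban_encrypted_zip=True))
```

The extension check only works because traditional ZIP encryption leaves member names in clear text; it says nothing about what the encrypted bytes contain, which is why blocking every encrypted archive is the stricter of the two policies.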
[Declude.Virus] ClamAV
Scott: Have you considered adding the ClamAV to the list of scanners on your site? If you can put the configuration entries it would be a great help. Just a thought.. Kami
RE: [Declude.Virus] Another error
Hi; We had a similar issue.. Make sure you exclude C:\temp as well. McAfee moves a copy of the virus to that directory and then that causes issues.. Add C:\temp to the exclusion list. See if that helps. Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge Sent: Thursday, February 26, 2004 10:16 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Another error

Scott I have Mcafee on access scanner, but i specifically exclude the imail the spool directory and all their subdirectories Regarding the backup, the error is occurring all day long, while we only run the backup once a day, so it cannot be that

- Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 26, 2004 12:39 PM Subject: Re: [Declude.Virus] Another error

I have a lot of these any hints ?

02/24/2004 16:39:12 Q7b5e15400292c67d Error opening mime file E:\IMAILSRVR\spool\D7b5e15400292c67d.SMD
02/24/2004 16:39:12 Q7b5e15400292c67d Scanned: Error starting scanner

This happens when Windows won't allow Declude to open the D*.SMD file for some reason. Do you have an on-access virus scanner, which may prevent Declude from opening one of the D*.SMD files? Are you running backup software that locks files before backing them up? -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] Another error
If you use McAfee.. Then Exclude C:\Temp - if you are not doing it then you will have other errors. McAfee moves a copy of the virus to that directory before dealing with it. We proved it and added it. We exclude:

User mailbox drive
Spool drive
C:\temp

Regards, Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge Sent: Thursday, February 26, 2004 2:31 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Another error

I was able to save the eicar virus to the spool directory Can't see a pattern happening many emails, not all will try to exclude temp directory as kami suggested attached is a zipped log, maybe you can spot a pattern

- Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 26, 2004 3:25 PM Subject: Re: [Declude.Virus] Another error

I have Mcafee on access scanner, but i specifically exclude the imail the spool directory and all their subdirectories Regarding the backup, the error is occurring all day long, while we only run the backup once a day, so it cannot be that

Do you know if this is happening for all E-mails, or just some? Is there any pattern that you can see (happening at certain times of the day, every X hours, just for E-mails with viruses, etc.)? Also, I would suggest copying the eicar.com file (you can download it from http://www.eicar.org ) to the \IMail\spool directory, and seeing if you are able to then open it with Notepad. If not, the AV program is actually interfering somehow. -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] Another error
One question .. Do you only have one scanner? Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge Sent: Thursday, February 26, 2004 2:44 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Another error

excluded c:\temp in more than one hour i got about 300 emails 3 were infected and caught another one gave the following error:

02/26/2004 19:25:09 Q47f000750456e4e4 Couldn't open headers datafile
02/26/2004 19:25:09 Q47f000750456e4e4 Error opening mime file E:\IMAILSRVR\spool\D47f000750456e4e4.SMD
02/26/2004 19:25:09 Q47f000750456e4e4 Scanned: Error starting scanner

all the rest were virus free Scott, Kami, what next ?
RE: [Declude.Virus] Mcafee
Gene: If you review the archives you will see a great discussion on this topic. We did this research a while back and finally gave up.. The final word was McAfee requires you to buy a license for every mailbox you have. If you are an ISP then this makes no sense. There is no such thing as a single license server version of McAfee. If you buy the server version it comes with client licenses.. And each client for a mail server is defined as a User (or mailbox). McAfee has a Network server version that comes with client licenses. At the time we did the research (over a year ago) the price was several hundred dollars. For 1/3 of that price we added F-Prot (~$50) and AVG (~$100) and use 2 scanners. We even considered F-Secure but I think they wanted a license for every mailbox as well but I am not sure. Anyway-- trying to get an answer from anyone regarding McAfee will waste a lot of your time .. We had our CDW rep. research it and the final verdict was as I stated earlier. Of course all that could have changed .. But I doubt it. Regards, Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gene Head Sent: Wednesday, February 25, 2004 12:15 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Mcafee

Do you have a part number/SKU for that? I've called Mcafee and can't seem to get them to understand what I need. They do have a version called VirusScan ASAP but they can't tell me if it has scan.exe. Gene

-- Original Message -- From: Darrell LaRock [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 25 Feb 2004 10:41:56 -0500

I believe you have the consumer version. The corporate version is still at version 7.1. I know the corporate version has the scan/scan32.exe files. Darrell

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gene Head Sent: Wednesday, February 25, 2004 9:25 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Mcafee

Scott, I've re-installed it a couple of times but I haven't seen anywhere that I can tell it to do a full install. Does anyone have this version? Gene Head ACCRAM Inc. MCP,Net+,A+,CCNA,CCDA [EMAIL PROTECTED] [EMAIL PROTECTED]

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, February 25, 2004 5:41 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Mcafee

It's Mcafee Virus Scan Ver 8.0 Build 8.0.26 There isn't a scan.exe or scan32.exe on the drive.

You'll need to do a Full Install. That should get the scan.exe installed. -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.Virus] Error 9 in AVG
Scott: We are seeing errors in our other scanners. At first I thought Error 5 was because of F-Prot's new C release. But now we are seeing Error 9 in AVG as well. I just saw a virus get through and that is how I realized what is going on. Could this be with the i4 release of Declude or it just happens that both of our scanners are now returning error? Regards, Kami
[Declude.Virus] W32.Valla.2048
Hi; Just received a new virus that apparently has been around since November 24. It seems like this virus is forging but Declude does not mark it as forging..

From: [EMAIL PROTECTED]
Containing: the W32/Valla.a virus !!! virus
In: dotoo.exe attachment
Subject: "Failure Message"

The following is the link at Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.valla.2048.html

Any ideas? Regards, Kami
[Declude.Virus] W32/Valla.a virus
Scott: here is the alert for the virus: Regards, Kami

=

The Declude Virus software [Ver: 1.77i30] on durability.com has reported that you were sent an E-mail:

From: [EMAIL PROTECTED]
Containing: the W32/Valla.a virus !!! virus
In: dotoo.exe attachment
Subject: "Failure Message"

The E-mail containing the virus has been deleted to prevent further damage. If the From address appears as [Forged] the virus has forged its sender therefore can not be tracked.

Headers Follow:

===

Received: from msg1.net-up.com [62.106.65.252] by foroosh.com (SMTPD32-8.05) id A7513150058; Tue, 17 Feb 2004 14:11:13 -0500
Received: from nqip ([62.106.16.173]) by msg1.net-up.com with SMTP id [EMAIL PROTECTED]; Tue, 17 Feb 2004 20:09:49 +0100
FROM: "Administrator" [EMAIL PROTECTED]
TO: "Inet Client" [EMAIL PROTECTED]
SUBJECT: Failure Message
X-ID: 798895329822232376
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="fnwhhglu"
Message-Id: [EMAIL PROTECTED]
Date: Tue, 17 Feb 2004 20:10:34 +0100
RE: [Declude.Virus] W32/Valla.a virus
Thanks Scott: I guess I was fooled by:

Tue, 17 Feb 2004 20:09:49 +0100
FROM: Administrator [EMAIL PROTECTED]
TO: Inet Client [EMAIL PROTECTED]
SUBJECT: Failure Message
X-ID: 798895329822232376

The from address in the header shows as @microsoft.com and that made me think it is forged.. The actual from address is @net-up.com. OK so it is not forging.. thanks Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, February 17, 2004 3:15 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] W32/Valla.a virus

here is the alert for the virus:

It doesn't look like this one was forged:

From: mailto:[EMAIL PROTECTED][EMAIL PROTECTED]

The return address domain of net-up.com matches:

Received: from msg1.net-up.com [62.106.65.252] by foroosh.com (SMTPD32-8.05) id A7513150058; Tue, 17 Feb 2004 14:11:13 -0500

the reverse DNS of 62.106.65.252 (ns3.net-up.com). -Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] 20 FORGINGVIRUS line limit in 1.75 and earlier releases
Rick: It seems like you want to skip mailing the email if the sender is forged. With the latest release you can do the following. This is our sender.eml file. Using skipifforging you don't have to keep tarck of the forging viruses. Regards, kami === SKIPIFFORGING From: [EMAIL PROTECTED] To: %MAILFROM% Subject: WARNING: YOU MAY HAVE A VIRUS Time: %TIME% The Declude Virus software on %LOCALHOST% has reported that you sent an E-mail to: Recipients: %ALLRECIPS%, containing the %VIRUSNAME% virus in the %VIRUSFILE% attachment. The subject of the E-mail was %SUBJECT%. The E-mail containing the virus has been deleted not delivered to prevent further damage. Headers Follow: %HEADERS% = -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, February 05, 2004 5:25 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] 20 FORGINGVIRUS line limit in 1.75 and earlier releases Slightly off-topic, but since Scott just help me out with a related issue I thought I would pass it on to save some the same headache... Older versions of Declude (1.75 release has this problem...not sure which interim release fixed it) will stop functioning if you put more than 20 FORGINGVIRUS lines in the virus.cfg. So if you get the urge to do some tune-up and add all of these lines, make sure you're on the latest interim where this limit has been removed...or limit to 20 lines. Darin. - Original Message - From: Rick Klinge [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 05, 2004 5:09 PM Subject: RE: [Declude.Virus] Kudos on saving me from myself Posting to my post.. Sorry.. Something like this or is mine wrong? 
Ommitt the dashes - ~Rick -- SKIPIFVIRUSNAMEHAS Braid SKIPIFVIRUSNAMEHAS Bridex SKIPIFVIRUSNAMEHAS Bugbear SKIPIFVIRUSNAMEHAS Dumar SKIPIFVIRUSNAMEHAS Fizzer SKIPIFVIRUSNAMEHAS Ganda SKIPIFVIRUSNAMEHAS Holar SKIPIFVIRUSNAMEHAS Hybris SKIPIFVIRUSNAMEHAS Klez SKIPIFVIRUSNAMEHAS Lentin SKIPIFVIRUSNAMEHAS Magistr SKIPIFVIRUSNAMEHAS Mimail SKIPIFVIRUSNAMEHAS Mydoom SKIPIFVIRUSNAMEHAS Palyh SKIPIFVIRUSNAMEHAS Sober SKIPIFVIRUSNAMEHAS Sobig SKIPIFVIRUSNAMEHAS Torvil SKIPIFVIRUSNAMEHAS Trojan SKIPIFVIRUSNAMEHAS Unknown SKIPIFVIRUSNAMEHAS Vulnerability SKIPIFVIRUSNAMEHAS Yaha SKIPIFSENDER @boss.com From: [EMAIL PROTECTED] To: %MAILFROM% Subject: WARNING: YOU MAY HAVE A VIRUS The Anti Virus software on %LOCALHOST% has reported that you sent an E-mail to %ALLRECIPS%, containing the %VIRUSNAME% virus in the %VIRUSFILE% attachment. The subject of the E-mail was %SUBJECT%. The E-mail containing the virus has been quarantined to prevent further damage. There are many freely available Anti-Virus Software programs. Please navigate to ( http://www.pandasecurity.com ) to obtain free software tools to help you remove viruses on your computer. [EMAIL PROTECTED] Headers Follow: %HEADERS% Umm.. Don't you need to delete the blank line(s), within your *.eml files, right after your SKIPIFVIRUSNAMESHAS .. ?? ~Rick I recently added a couple of new SKIPIFVIRUSNAMEHAS entries to my .eml files. Then I noticed that I was no longer receiving any notifications at all. Upon reviewing the log, I found: 02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\POSTMASTER.eml (is there a To: line before the first blank line?) 02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\RECIP.eml (is there a To: line before the first blank line?) 02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\SENDER.eml (is there a To: line before the first blank line?) 
Thanks Scott for the extra touches like this that help make our lives easier, in spite of our best efforts ;-) ___ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
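A pre-deployment check for the two failure modes reported in this thread (no To: line before the first blank line of a .eml template, and more than 20 FORGINGVIRUS lines in virus.cfg on release 1.75), as an added example that is not Declude's own code. The function names, the sample templates and addresses, the `#` comment handling and the warning for a SKIPIF directive stranded after the blank line are assumptions made for illustration.

```python
"""Lint Declude notification templates (*.eml) and virus.cfg text.

Added example: the rules are modelled on the log message and posts in this
thread, not on Declude's source. All sample data below is constructed.
"""

FORGINGVIRUS_LIMIT = 20  # limit reported in the thread for release 1.75


def header_block(template_text):
    """Return the lines that precede the first blank line of a template."""
    block = []
    for line in template_text.splitlines():
        if not line.strip():
            break
        block.append(line)
    return block


def lint_template(name, template_text):
    """Return a list of findings for one .eml template."""
    findings = []
    lines = template_text.splitlines()
    head = header_block(template_text)

    # The log error in the thread: the To: line must come before the
    # first blank line, so a blank line after the SKIPIF* block hides it.
    if not any(line.lower().startswith("to:") for line in head):
        findings.append(f"{name}: no To: line before the first blank line")

    # Assumption: a SKIPIF* directive after the first blank line is body
    # text rather than a directive, so flag it for review.
    for number, line in enumerate(lines[len(head):], start=len(head) + 1):
        if line.strip().upper().startswith("SKIPIF"):
            directive = line.split()[0]
            findings.append(
                f"{name}:{number}: {directive} appears after the first blank line"
            )
    return findings


def lint_virus_cfg(cfg_text, limit=FORGINGVIRUS_LIMIT):
    """Warn when active FORGINGVIRUS lines exceed the reported limit."""
    count = 0
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # '#' comments assumed
            continue
        if stripped.split()[0].upper() == "FORGINGVIRUS":
            count += 1
    if count > limit:
        return [f"virus.cfg: {count} FORGINGVIRUS lines, more than {limit}"]
    return []


# Constructed sample: blank line left after the directives (the reported bug).
BROKEN_SENDER = """SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Sobig

From: postmaster@example.com
To: %MAILFROM%
Subject: WARNING: YOU MAY HAVE A VIRUS

The %VIRUSNAME% virus was found in %VIRUSFILE%.
"""

# Constructed sample: same template with the stray blank line removed.
FIXED_SENDER = BROKEN_SENDER.replace("Sobig\n\n", "Sobig\n")

# Constructed sample: a directive added below the headers by mistake.
STRANDED_SENDER = """From: postmaster@example.com
To: %MAILFROM%
Subject: WARNING: YOU MAY HAVE A VIRUS

SKIPIFFORGING
The %VIRUSNAME% virus was found in %VIRUSFILE%.
"""


def sample_cfg(active_lines):
    """Build constructed virus.cfg text with N active FORGINGVIRUS lines."""
    rows = ["# constructed sample", "#FORGINGVIRUS Disabled"]
    rows += [f"FORGINGVIRUS Name{i}" for i in range(active_lines)]
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for label, text in (("SENDER.eml (broken)", BROKEN_SENDER),
                        ("SENDER.eml (fixed)", FIXED_SENDER),
                        ("SENDER.eml (stranded)", STRANDED_SENDER)):
        print(label, lint_template("SENDER.eml", text) or "OK")
    print(lint_virus_cfg(sample_cfg(21)) or "OK")
```
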
[Declude.Virus] Mailbox Copy
Scott: I am confused as to how to add this to JM. Let's say we want to send a copy of the email to a certain mailbox and also CC the spam address for the domain. Rule1 mailbox spam Rule1 COPYTO[EMAIL PROTECTED] can these be done with one rule or is mailbox a final action? Regards, Kami
[Declude.Virus] Sobig.C
Scott: Are you treating Sobig.C as a forging virus? http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] Note: [EMAIL PROTECTED] may spoof the return address. In our alerts I don't see that you do considering the forging virus auto-detection done by Declude. Regards, Kami
[Declude.Virus] New Mimail..
http://www.eweek.com/article2/0,4149,1383346,00.asp?kc=EWNWS111703DTX1K599 Just in case you have not heard... May be a good added security could be: BANNAME www.paypal.com.scr even though we block .scr but why not a double safety.. Regards, Kami
RE: [Declude.Virus] mails from support@microsoft.com
We have been swamped by this too.. on a daily basis the volume is increasing rather than decreasing. Since this virus targets few people, namely those that participate in lists, we stopped notifying the recipient since the alert was becoming an issue too... Imagine getting 200+ alerts daily that a virus was caught .. This MiMail virus is not going away... Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Venkateswarlu Swarna Sent: Wednesday, November 12, 2003 2:15 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] mails from [EMAIL PROTECTED] Hi All, Around 20,000 mails are being received daily from [EMAIL PROTECTED] with subject: 'use this patch immediately'. That too in the peak hours between 10.00am to 5.00pm per min more than 15 mails is being received. All the mails are being caught by declude virus, but rtvscan.exe is eating up more than 40% processor resources in peak hours. We are using declude v1.75 standard. Imail v8.01. As given earlier in mailing list first declude virus tool is checking for viruses, so rtvscan.exe is eating up processor. Is there any way that we can simply drop mails from particular mailids without scanning for virus also. Even I put this mailid in SMTP kill list it is being checked for virus and quarantined. Please suggest me to get rid of this. Thanks in advance. Regards, Venkateswarlu Swarna Systems Engineer Intelligroup Asia Pvt. Ltd. Hyderabad - 500063 Tel: +91-040-23297487 --- [This E-mail scanned for viruses by Declude Anti-Virus Tool] -DISCLAIMER This Message and any attachments (the message) is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its Purpose, any dissemination or disclosure, either whole or partial, is Prohibited except formal approval. The internet cannot guarantee the integrity of this message. 
BSNL shall (will) not therefore be liable for the message if modified.
RE: [Declude.Virus] Something interesting..
Oh Oh... I'm debating backing up all my info and running the exe just to see if anything happens. Remind me not to ever give you a loaded gun... :) Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Friday, November 07, 2003 4:31 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Something interesting.. Yawn... I'm debating backing up all my info and running the exe just to see if anything happens. How about first searching the known viruses: http://vil.nai.com/vil/content/v_100807.htm Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.Virus] Declude and win 2003 server
Hi; We have DNS issues... - Windows 2003 Standard - Declude JM, Virus - IMail 8.03 Every 2-3 days the DNS server can not be located and the outgoing mail gets stuck.. If you try to go to an internet site it can't find it.. We have searched all over MSDN for KB articles or IPSwitch site but have not found anything. Remedy: Reboot every other day... After reboot it is all fine. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, October 31, 2003 3:41 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server I consult on a server that has Imail 8.03 on Windows 2003. There are some issues. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Todd Holt Sent: Friday, October 31, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] declude and win 2003 server We run Imail 7.x, Declude Junkmail and Virus, f-prot and AVG all on a Win2003 server. It works great! Does anyone run Imail 8.x on Win2003? We are upgrading to 8.x soon. Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of andyb Sent: Friday, October 31, 2003 11:31 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] declude and win 2003 server Scott, Are there any compatibility issues with declude and win 2003 server? Thanks, Andy
RE: [Declude.Virus] Declude and win 2003 server
John.. We have two DNS servers both 2003. IMail is on its own server it still has that problem. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, October 31, 2003 4:22 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server The issues I have seen are related to DNS. Really bad is if you have MS DNS on the same server. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Todd Holt Sent: Friday, October 31, 2003 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server What kind of issues? Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, October 31, 2003 12:41 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server I consult on a server that has Imail 8.03 on Windows 2003. There are some issues. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Todd Holt Sent: Friday, October 31, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] declude and win 2003 server We run Imail 7.x, Declude Junkmail and Virus, f-prot and AVG all on a Win2003 server. It works great! Does anyone run Imail 8.x on Win2003? We are upgrading to 8.x soon. Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of andyb Sent: Friday, October 31, 2003 11:31 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] declude and win 2003 server Scott, Are there any compatibility issues with declude and win 2003 server? 
Thanks, Andy
RE: [Declude.Virus] Declude and win 2003 server
We use the DNS that comes with Windows 2003. Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of andyb Sent: Friday, October 31, 2003 4:32 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Declude and win 2003 server What DNS software are you using? Is it located on the same server or elsewhere? - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 31, 2003 4:09 PM Subject: RE: [Declude.Virus] Declude and win 2003 server Hi; We have DNS issues... - Windows 2003 Standard - Declude JM, Virus - IMail 8.03 Every 2-3 days the DNS server can not be located and the outgoing mail gets stuck.. If you try to go to an internet site it can't find it.. We have searched all over MSDN for KB articles or IPSwitch site but have not found anything. Remedy: Reboot every other day... After reboot it is all fine. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, October 31, 2003 3:41 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server I consult on a server that has Imail 8.03 on Windows 2003. There are some issues. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Todd Holt Sent: Friday, October 31, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] declude and win 2003 server We run Imail 7.x, Declude Junkmail and Virus, f-prot and AVG all on a Win2003 server. It works great! Does anyone run Imail 8.x on Win2003? We are upgrading to 8.x soon. 
Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of andyb Sent: Friday, October 31, 2003 11:31 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] declude and win 2003 server Scott, Are there any compatibility issues with declude and win 2003 server? Thanks, Andy
RE: [Declude.Virus] Declude and win 2003 server
Hi Jim: That is what we have.. Of course different IP's. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Nitterauer Sent: Friday, October 31, 2003 5:06 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server You can specify multiple DNS servers in the Imail configuration. EX: 66.210.217.11 66.210.217.12 Be sure to have at least 2 and refer to them by IP address for best efficiency. Jim Nitterauer President Creative Data Concepts Limited, Inc. 3 W. Garden Street Suite 326 Pensacola, FL 32502 http://www.creativedata.net 850-434-7645 800-607-6168 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Friday, October 31, 2003 3:34 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server John.. We have two DNS servers both 2003. IMail is on its own server it still has that problem. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, October 31, 2003 4:22 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server The issues I have seen are related to DNS. Really bad is if you have MS DNS on the same server. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Todd Holt Sent: Friday, October 31, 2003 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server What kind of issues? Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, October 31, 2003 12:41 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and win 2003 server I consult on a server that has Imail 8.03 on Windows 2003. There are some issues. 
John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Todd Holt Sent: Friday, October 31, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] declude and win 2003 server We run Imail 7.x, Declude Junkmail and Virus, f-prot and AVG all on a Win2003 server. It works great! Does anyone run Imail 8.x on Win2003? We are upgrading to 8.x soon. Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of andyb Sent: Friday, October 31, 2003 11:31 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] declude and win 2003 server Scott, Are there any compatibility issues with declude and win 2003 server? Thanks, Andy
[Declude.Virus] Swen... 200+ daily
Hi.. I have never seen a worse virus I (my email) am receiving 200+ viruses daily. We stopped notifying the recipient but report it to the sender. This is just out of this world I think it is not receiving much attention since it only targets the UseNet users and naturally mostly admins. This started with 10+ daily and now it is at 200+ .. Somehow I think if not fixed this may have the potential to overwhelm the networks.. Since Monday over 2000 viruses are trapped. The biggest ever in our system. Regards, Kami
RE: [Declude.Virus] W32_Webb_Worm Policy - Is this a new hoax
Does anyone know if Symantec actually uses this email: [EMAIL PROTECTED] Perhaps we should block that email at Imail level for now until the patches catch up. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Baumbach Sent: Tuesday, October 07, 2003 11:41 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] W32_Webb_Worm Policy - Is this a new hoax I received one today. the email had NAV32.zip and in the zip file was NAV32.exe it was NOT detected as a virus by EITHER F-Prot or AVG it was however caught as spam by CBL, FIVETEN-SPAM, SPAMCOP the header of the email was Received: from c-67-164-195-92.client.comcast.net [67.164.195.92] by phcc.org (SMTPD32-8.03) id AE4F17E00F8; Tue, 07 Oct 2003 07:06:55 -0400 Message-ID: [EMAIL PROTECTED] Date: Tue, 7 Oct 2003 04:10:24 -0700 From: [EMAIL PROTECTED] Subject: ** 22. CBL, FIVETEN-SPAM, SPAMCOP, WEIGHT-F, WEIGHT20, WEIGHT202 ** Last Update. To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--9D16FAF1684605E X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=67.164.195.92 X-RBL-Warning: FIVETEN-SPAM: 92.195.164.67.blackholes.five-ten-sg.com. X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?67.164.195.92 X-Declude-Sender: [EMAIL PROTECTED] [67.164.195.92] X-Declude-Spoolname: D9e4f017e00f890ba.SMD X-In-Date: 10/07/2003 Time: 07:07:23 -0500 ET. X-Country-Chain: UNITED STATES-destination X-In-Note: This E-mail was comming into phcc.org Declude ver.1.76i5. X-In-Spam-Tests-Failed: CBL, FIVETEN-SPAM, SPAMCOP, WEIGHT-F, WEIGHT20, WEIGHT202 Total Weight= 22 x-In-Organization: DcMetroNet.com is the ISP for phcc.org X-In-Abuse: Please send abuse reports to [EMAIL PROTECTED] X-In-Note: This E-mail was sent from ([EMAIL PROTECTED]) c-67-164-195-92.client.comcast.net ([67.164.195.92]). 
X-In-Recips: [EMAIL PROTECTED] really [EMAIL PROTECTED] X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 349908174 Sincerely, William J. Baumbach II [EMAIL PROTECTED] 9975 Pennsylvania Ave. Manassas, Va. 20110-2028 Ph: 703-367-7900 ext:1708 Fax: 703-691-0946 - - Original Message - From: Bill Naber [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 07, 2003 7:55 AM Subject: [Declude.Virus] W32_Webb_Worm Policy - Is this a new hoax I just received an Email from [EMAIL PROTECTED] with the subject Last Update.. The message warns of the [EMAIL PROTECTED] worm, but a search on the Symantec site shows nothing of the kind. The message has a Nav32.zip attachment that doesn't fail on either F-Prot or NAV. The message appears to have originated via an ameritech.net dsl connection and it has some grammatical errors, so I'm not doubting that it is bogus. I've only received one of these messages, but I am curious if I'm on the leading edge or if this is a very random incident. In the short run, I've put in a filter on messages from [EMAIL PROTECTED], but I'm concerned that it will use other return addresses. I've included the text from the message body and the headers below. Thanks, -Bill Naber Kitchin Hospitality, LLC === Message Body October 06, 2003 Intruder Alert 4.1 W32_Webb_Worm Policy This policy detects the propagation of the W32.SobigF.Worm through changes in the registry. [EMAIL PROTECTED] is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code. In attachment you can find program that update your Norton Antivirus to Norton Antivirus 2004. 
Message Header == Received: from horace.mail.atl.earthlink.net [207.69.200.41] by mail.jamesoninns.com with ESMTP (SMTPD32-7.15) id A328716014C; Tue, 07 Oct 2003 07:27:36 -0400 Received: from samuel.mail.atl.earthlink.net ([207.69.200.65]) by horace.mail.atl.earthlink.net with smtp (Exim 3.33 #1) id 1A6q0J-0005vx-00 for [EMAIL PROTECTED]; Tue, 07 Oct 2003 07:27:47 -0400 X-MindSpring-Loop: [EMAIL PROTECTED] Received: from adsl-68-77-24-119.dsl.emhril.ameritech.net ([68.77.24.119]) by samuel.mail.atl.earthlink.net (Earthlink Mail Service) with SMTP id 1a6Q0f2aB3Nl3pv0 for [EMAIL PROTECTED]; Tue, 7 Oct 2003 07:27:42 -0400 (EDT) Message-ID: [EMAIL PROTECTED] Date: Tue, 7 Oct 2003 04:32:14 -0700 From: [EMAIL PROTECTED] Subject: Last Update. To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--9D16FAF1684605E X-CYBERsitter-SpamManager-In: Passed - Adult: 0 (Req: 50) Spam: 12 (Req: 18) Tot: 10 (Req: 20) X-CYBERsitter-SpoolFile: Da3280716014c8c2a.SMD X-Declude-Sender: [EMAIL PROTECTED] [207.69.200.41] X-Note: This E-mail was scanned by
RE: [Declude.Virus] F-Prot vs Other brands
Hi; We have never had any problem with F-Prot. It has always been working perfectly.. In all these years the Message.zip was the only incident that they were late in releasing the signature but that was because of the nature of the virus that required them to fix something in their code. F-Prot: $50 McAfee: cost per mailbox.. At what it will cost you to add McAfee you can add: F-Prot, AVG, and F-Secure and still have money left in the bank. We have multiple scanners (3) and even if F-Prot fails the other two pick it up. I highly recommend that you consider having at least 2 scanners... Declude virus pro allows you to do this and it is a much safer path to travel. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks Sent: Thursday, October 02, 2003 11:19 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] F-Prot vs Other brands With the problems I've seen with F-Prot like the one mentioned below. Why did you F-Prot users choose F-Prot over other brands like McAfee? Greg -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chad Killion Sent: Thursday, October 02, 2003 11:03 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MS Security Patch Emails Well, I have upgraded to 3.14, but still see TONS of these viruses getting through. Please help if you can... Chad -- [This E-mail was scanned for viruses by Declude Virus Scanner on mail.nfti.com]
RE: [Declude.Virus] MS Security Patch Emails
Chad: This is what we have in our virus.cfg file. No regrets and no apologies for blocking them. We think of this as a fact of life... BANEXT asp BANEXT bas BANEXT bat BANEXT CEO BANEXT chm BANEXT cmd BANEXT com BANEXT exe BANEXT hlp BANEXT hta BANEXT inf BANEXT isp BANEXT js BANEXT jse BANEXT lnk BANEXT msi BANEXT mst BANEXT pcd BANEXT pif BANEXT reg BANEXT scr BANEXT url BANEXT vbe BANEXT vbs BANEXT ws BANEXT wsh BANEXT ad BANEXT adp BANEXT crt BANEXT ins BANEXT mdb BANEXT mde BANEXT msc BANEXT msp BANEXT sct BANEXT shb BANEXT vb BANEXT wsc BANEXT wsf BANEXT cpl BANEXT shs BANEXT vsd BANEXT vst BANEXT vss BANEXT vsw This has been discussed in the list a while back and there are links on Microsoft web site that explains most of these.. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion Sent: Thursday, October 02, 2003 4:31 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MS Security Patch Emails What is the best way to exclude these in your opinion??? Can Declude do it, or Imail? Chad
RE: [Declude.Virus] MS Security Patch Emails
If you look at the manual site you will the email called: Bannotify.eml That is what is sent when a banned extension is sent. I will send you a copy off list of what we have. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion Sent: Thursday, October 02, 2003 5:30 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MS Security Patch Emails Ok thanks, but what does a user who sends this type of ext get from our server? Is there some sort of eml file I need to add? Chad -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Thursday, October 02, 2003 4:22 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MS Security Patch Emails Chad: This is what we have in our virus.cfg file. No regrets and no apologies for blocking them. We think of this as a fact of life... BANEXT asp BANEXT bas BANEXT bat BANEXT CEO BANEXT chm BANEXT cmd BANEXT com BANEXT exe BANEXT hlp BANEXT hta BANEXT inf BANEXT isp BANEXT js BANEXT jse BANEXT lnk BANEXT msi BANEXT mst BANEXT pcd BANEXT pif BANEXT reg BANEXT scr BANEXT url BANEXT vbe BANEXT vbs BANEXT ws BANEXT wsh BANEXT ad BANEXT adp BANEXT crt BANEXT ins BANEXT mdb BANEXT mde BANEXT msc BANEXT msp BANEXT sct BANEXT shb BANEXT vb BANEXT wsc BANEXT wsf BANEXT cpl BANEXT shs BANEXT vsd BANEXT vst BANEXT vss BANEXT vsw This has been discussed in the list a while back and there are links on Microsoft web site that explains most of these.. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion Sent: Thursday, October 02, 2003 4:31 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MS Security Patch Emails What is the best way to exclude these in your opinion??? Can Declude do it, or Imail? Chad --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. 
[Declude.Virus] Swen... Incredible..
Hi;

I am just amazed as to how this Swen is working. In the last 10 days I have received over 500 Swen viruses. An analysis of all viruses.. Incredibly no 2 viruses have come from the same IP. In other words these 500 viruses have come from 500 different IPs. Not a single person in the domains hosted on our server has received a single incident.

Just incredible

Regards,
Kami
[Declude.Virus] Couldn't open header datafile- Log file
Hi;

I am just curious if anyone else is seeing this in their log files:

Couldn't open header datafile

I noticed that today and in tracing it back it appears that this is showing up in logs after 9/13. No incident of this is in any of the logs before 9/13 and after 9/13 it is there in every log..

Anyone else seeing this?

Regards,
Kami
[Declude.Virus] Is Swen forging?
I have not seen this discussed.. Is this virus forging itself? We just got our first incident..

===
Declude Virus [Ver: 1.75i6] caught the W32/[EMAIL PROTECTED] virus in Q287581.exe
from [EMAIL PROTECTED] to: [EMAIL PROTECTED].
Date: 09/18/2003 13:44:42
Subject: Latest Net Critical Update
Spool File: Dee7303a5011a2847.SMD
Remote IP: 62.45.45.18
=

Regards,
Kami
[Declude.Virus] ISP's .. responsible..
http://www.eweek.com/article2/0,4149,1258034,00.asp

Hi;

Not that I wish to start a debate on this.. but just wondering. Imagine if the responsibility is dumped on the ISPs .. I think Scott would be a happy man!

Regards,
Kami
RE: [Declude.Virus] double file extensions
We have blocked .exe since the day we could block it. If anyone wants to send a .exe he/she is intelligent enough to be able to zip it. Accepting .exe is asking for trouble. Outlook Express by default will block .exe .. I am not sure about Outlook but I don't think it does.

We have an autoreply that is sent to anyone sending .exe or any of the blocked attachments asking them to zip it if they wish to send it.

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eje Gustafsson
Sent: Monday, September 08, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] double file extensions

Curious is there any way to disable/prevent double extensions as attachments? With one of the last new viruses this weekend one virus managed to slip through between my automated updates to at least myself. And this was a double extension .JPG.exe there are no reasons whatsoever in my opinion that anyone should ever need to send an attachment with a double extension like that.

We run an ISP so I don't want to blindly just block .exe extensions (I do block .pif, .scr and a few other selected for which there should be no or very extremely minimal reason a user ever need to send such an attachment).

Please advise.

Best regards,
Eje Gustafsson
mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network
eFax : 240-376-7272
Phone : 620-231-
Fax : 620-231-4066
Online Store http://www.fament.com/catalog/
- Your Full Time Professionals -
--
[This E-mail scanned for viruses by Declude Virus]
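The BANEXT-style rules posted earlier in this archive and the double-extension question in the message above, as an added example (not Declude's code and not from any list member): it parses `BANEXT`/`BANNAME` lines, then checks every attachment name in a MIME message, including a separate double-extension rule that still fires when `.exe` itself is not banned. Case-insensitive matching, the `EXECUTABLE_EXTS` and `DECOY_EXTS` sets, and the sample message are assumptions constructed for this illustration.

```python
import email
from email import policy

# Assumed sets for the double-extension rule (not taken from Declude).
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "lnk", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "htm", "html", "zip"}

# Constructed config fragment using the directive names seen in this archive.
SAMPLE_CFG = """\
# ban list
BANEXT COM
BANEXT PIF
BANEXT EXE
BANEXT SCR
BANNAME message.zip
"""

# Constructed message: a double extension, a part whose Content-Type name and
# Content-Disposition filename disagree, and a harmless dotted name.
SAMPLE_MESSAGE = b"""\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

hello
--BOUNDARY
Content-Type: image/jpeg; name="holiday.JPG.exe"
Content-Disposition: attachment; filename="holiday.JPG.exe"

AAAA
--BOUNDARY
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="report.zip"

AAAA
--BOUNDARY
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.v2.pdf"

AAAA
--BOUNDARY--
"""


def parse_ban_rules(cfg_text):
    """Return (banned_extensions, banned_names) as lower-cased sets."""
    exts, names = set(), set()
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].strip().lower()
        if key == "BANEXT":
            exts.add(value.lstrip("."))
        elif key == "BANNAME":
            names.add(value)
    return exts, names


def evaluate_name(filename, banned_exts, banned_names):
    """Return the list of reasons this attachment name should be held."""
    # Windows ignores trailing dots and spaces, so strip them before comparing.
    normalized = filename.strip().rstrip(". ").lower()
    # Padding such as "notes.txt   .scr" must not hide the real extension.
    exts = [p.strip() for p in normalized.split(".")[1:] if p.strip()]
    reasons = []
    if normalized in banned_names:
        reasons.append("banned-name")
    if exts and exts[-1] in banned_exts:
        reasons.append("banned-extension")
    # Only a decoy type followed by an executable type counts, so names
    # like "invoice.v2.pdf" or "backup.tar.gz" are left alone.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons


def attachment_names(part):
    """Collect both places a client may read the file name from."""
    names = []
    for header, param in (("content-disposition", "filename"), ("content-type", "name")):
        hdr = part[header]
        if hdr is not None:
            value = hdr.params.get(param)
            if value and value not in names:
                names.append(value)
    return names


def scan_message(raw_bytes, cfg_text):
    """Return [(attachment_name, reasons)] for every flagged name."""
    banned_exts, banned_names = parse_ban_rules(cfg_text)
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        for name in attachment_names(part):
            reasons = evaluate_name(name, banned_exts, banned_names)
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE, SAMPLE_CFG):
        print(name, reasons)
```

Passing a ban set without `exe` to `evaluate_name` models the ISP policy described in the question: `setup.exe` is allowed through while `holiday.JPG.exe` is still held.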
[Declude.Virus] Recipient's alert- Not sent..
Hi Scott:

I was under the impression that if I put:

SKIPIFVIRUSNAMEHAS Sobig

in the recip.eml then the recipient of the virus will not be alerted if Sobig is the virus. This works fine for Sobig but I noticed that I am not receiving a virus notification for other viruses as well.

So I tested the Eicar virus with the above in the recip.eml and without it. With that line in the recip.eml I do not get a notification for Eicar and without it I get a notification.

Is this a feature, bug, or a misunderstanding on my part... Or possibly all of the above? :)

Regards,
Kami

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 06, 2003 12:33 PM
To: [EMAIL PROTECTED]
Subject: WARNING: YOU WERE SENT A VIRUS

The Declude Virus software [Ver: 1.75i4] on durability.com has reported that you were sent an E-mail from [EMAIL PROTECTED], containing the : EICAR test file NOT a virus. virus in the eicar.com attachment. The subject of the E-mail was Test eicar.com file [eicarplain]. The E-mail containing the virus has been quarantined to prevent further damage.

Headers Follow:

Received: from www.declude.com [216.58.174.203] by foroosh.com (SMTPD32-8.02) id AC4015021C; Sat, 06 Sep 2003 12:33:04 -0400
X-Web-Originating-IP: 12.5.16.247
Message-Id: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 02 Nov 2000 20:23:17 -0500
From: WebMaster [EMAIL PROTECTED]
To: User [EMAIL PROTECTED]
Subject: Test eicar.com file [eicarplain]
Mime-Version: 1.0
Content-Type: multipart/mixed; BounDary==_307115168==_
[Declude.Virus] New AVG Licensing..
Hi;

I just got a notice from AVG (Grisoft) that is disturbing.. their new upgrade is based on number of mailboxes.

===
With the launch of AVG Anti-Virus 7.0, we have introduced a broader product line, a new naming convention as well as a new license policy. (Visit www.grisoft.com to find out more.)

The new license terms apply to the calculation of the number of licenses required to cover file and email servers, respectively.

- The AVG 7.0 File Server Edition is licensed according to the number of workstations or connections to the servers on the network.
- The newly introduced AVG 7.0 Email Server Edition is licensed according to the number of email accounts (or mailboxes) on the network.
==

So I guess for now only F-Prot is a cost effective approach.

Regards,
Kami
[Declude.Virus] Sobig F.. mutating..
Hi;

Interesting...

"... Sobig is unusual in that it has the ability to go onto the Internet from its host PC and update itself with new capabilities, Huger said. Those capabilities could include tools for denial-of-service attacks or relaying spam. "It's entirely up to the author (of the virus)," Huger said. "It can download whatever its heart desires."

http://www.informationweek.com/story/showArticle.jhtml?articleID=13100787

Regards,
Kami
RE: [Declude.Virus] problems when testing a new server
How about a simple question? -- have you run Declude.exe in the new server? If not simply double click the Declude.exe and test again.

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
Sent: Tuesday, August 12, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] problems when testing a new server

running the exact same version but what i found here is that if i log onto my webmail on the old server i can send and eicar.com file to my account on another domain and it is not being stopped either from the virus scanner or from the banext in my config file but do i send it from my mailclient it works ok

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: 12. august 2003 22:02
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] problems when testing a new server

Are you running the same versions of Imail and declude on each server, I seem to remember something a while back about needing a later version of Imail or Declude to catch webmail based virus attachments.

Jim Matuska Jr.
Computer Tech II CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: ISPhuset Nordic AS [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 12:41 PM
Subject: [Declude.Virus] problems when testing a new server

Have set up the server in the exact same with one exception on the old server i use f-prot312c on the new server i use f-prot314a_m when i run a test with eicar.com on the server locally in webmail it slips through when i have i only the on demand scanner installed

copy of config

#
# Declude Virus configuration file
#
CODE6F4B90A4
# The in the LOGFILE option gets replaced with the month/date
LOGFILE E:\virus\vir.log
LOGLEVEL MID
CONSOLE OFF
# SCANFILE is the location of the command-line virus scanner. Note that it
# must include the full path. VIRUSCODE is the code that scanner returns if
# it finds a virus.
SCANFILE C:\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /NOFLOPPY /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
#VIRUSCODE 8
REPORT Infection
PRESCAN ON
# VIRDIR is the directory to move E-mails with viruses; by default,
# it is set to 'virus' (\IMail\spool\virus).
VIRDIR E:\virus
# The MAXATONCE option limits the number of AV processes. For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing
# purposes). A value of 0 (or commenting it out) allows unlimited processes
# to run at the same time.
#MAXATONCE 1
## The following options allow you to limit scanning to only incoming or outgoing
# E-mail, with v1.13 and higher. If they are commented out (# in front of them),
# Declude will scan all E-mail.
#INCOMING ON
#OUTGOING ON
BANEXT COM
BANEXT PIF
BANEXT EXE
BANEXT SCR
BANNAME message.zip

when i turn on the real time protector i cant attach the eicar.com file deny it just as it should

Any good ideas here
RE: [Declude.Virus] new variant...
I have not seen this virus.. but from the sound of what I read at Symantec I thought it is coming via an email payload.

I was wrong then... Oh well... two wrongs for one day.. it has to be Monday.

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beach, Bill
Sent: Thursday, August 14, 2003 1:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] new variant...

why add the file name? Plus, these aren't traveling via e-mail--it's an Internet worm.
RE: [Declude.Virus] F-Prot and Mimail
Hi;

We use F-PROT and AVG (Grisoft) and we are catching it. I am not sure which one is catching it since I have not checked out logs but one of these is catching it.

I highly recommend that you look into adding a 2nd scanner - if you have the Pro version. It is quite scary to just rely on one vendor.

F-Prot: $50
AVG: $35 [http://www.Grisoft.com]

For less than $100/year you will most definitely be more secure than just relying on one vendor.

Just a thought..

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Billy
Sent: Monday, August 04, 2003 10:12 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot and Mimail

At this point is F-Prot catching it? If not has anyone found a good work around, without having to block all .zips...

---
[This E-mail was scanned for viruses by QuestNet.net (http://www.QuestNet.net)]
RE: [Declude.Virus] F-Prot and Mimail
Hi Paul..

I am going h now... This is our email receipt.. Back when we got it:

Qty.  Item                                                                      Unit Price  TAX   %      Total
==
1 x   AVG Server Edition (up to 2 licenses) - English (Product ID: 502793)      USD 38.00   0.00  0.00%  38.00
==
TOTAL AMOUNT USD 38.00

I just checked the site... It now is showing $70 for 2 licenses. We do not need the mail server edition since that software actually connects with the email server. I think with their new release this is the software needed.

http://esd.element5.com/product.html?productid=515118sessionid=67131771random=b538143df795fa662c92f8b97589a052

For all their server pricings:

http://esd.element5.com/product.html?productid=515470language=Englishstylefrom=502792

All we need for Declude to work is an AV software that can be called. We are using the server edition and not the mail edition.

Hope this helps..

Another one that we researched and may add at one point as a 3rd scanner is: F-Secure. I exchanged some email with them and their AV runs as a service as well.

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of paul
Sent: Monday, August 04, 2003 10:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot and Mimail

Kami,

F-Prot: $50
AVG: $35 [http://www.Grisoft.com]

Where on the site is $35? I must be blind and missing it. The prices I see for AVG are $33 for workstation, not supporting Win2000 Server, and mail server edition STARTING at $120 for 6 boxes.. help?

Due to F-prot's inability to get its act together for this silly virus is making us look for a 2nd scanner. Granted, the body filters in place are handling the problem nicely, but it's still a pain.

Paul

---
[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] Message.zip possible virus
Hi;

We have received several... in all of them this is also in common..

===
X-Mailer: The Bat! (v1.61)
X-Priority: 2 (High)
Subject: [47~]your account koikrair
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--4A394B45001229E"
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000400e].
X-RBL-Warning: SUBJECTSPACES: Subject with at least 15 spaces found.

With this:

X-Mailer: The Bat! (v1.61)

I am thinking that this is perhaps not a virus but some sort of attack .. The Bat! is in our filter file as a program that spammers use.. so that in the header gets a weight of 20. These are all caught as SPAM not as virus.

Just thought to share.. perhaps we can find something in common..

For now we have added the following:

BODY 0 CONTAINS filename="message().zip"
BODY 0 CONTAINS name="message().zip"

without () since the attachment has that signature in the body..

Regards,
Kami
[Declude.Virus] More on the virus..
Hi;

Just in case you have not researched this.. here are some links:

- http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

Apparently it is attempting to exploit the IE bug..

http://www.microsoft.com/technet/treeview/default.asp?url=

Regards,
Kami
[Declude.Virus] Interesting observation.. message.zip
Hi;

I just ran a test on our system and it appears that the message is coming from:

admin@
postmaster@

Has anyone seen any of this virus coming from an email other than admin@ or postmaster@?

All the ones we have seen come from this user @ a domain that the recipient has.

I guess it sort of makes sense since it deals with account cancellation..

Regards,
Kami
RE: [Declude.Virus] PestPatrol
Just in case Scott is taking a break for a change... Try:

Scanfile1
Scanfile2

Name your scanfiles 1 and 2 and see if that makes a difference. I remember a similar issue when we were starting and that is how we have ours setup. Try it..

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Sent: Sunday, June 15, 2003 3:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] PestPatrol

Hello,

Has anyone tried using PestPatrol as one of the scanners? I am installing Declude 1.65 on a Imail 7.15 server. This server also has McAfee VirusScan 7.0 Enterprise (on-access scan is excluded in the .\spool directory). On the same box is PestPatrol 4.0. As per the manual I configured virus.cfg as follows:

SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\scan.exe /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE 13
REPORT Found
SCANFILE1 C:\Progra~1\PestPa~1\PestPatrolCL.exe /Extensions=ALL /NoSound /NoPause
VIRUSCODE1 2

When used in the above configuration I get the following in the log:

Couldn't remove .vir directory C:\Services\IMail\spool\D091400a6554a.vir\: SHARING VIOLATION.
Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool

When I comment out PestPatrol, it works fine. Any ideas anyone?

David
RE: [Declude.Virus] Airline confirmations blocked
Hi Paul:

This has come up in the past under different topics. We have a negative list that we add these type of emails. Our list is called NegativeEmailList. We subtract 100 points from each of these emails.

I would not Whitelist them because at times you will get spam with faked addresses from these places. A negative list is much more desirable.

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Navarre
Sent: Friday, June 13, 2003 1:33 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Airline confirmations blocked

I had two clients contact me today about similar situations. One had confirmation from United Airlines blocked, while the other had one from Northwest Airlines blocked.

I understand why this is happening, and the necessity for Declude to stop malformed messages that could allow a virus to sneak through. Nevertheless I feel like I should be doing something (other than explaining the situation to the clients). Should I try to contact the airlines and try to get them to fix their software? Is there the possibility of creating a whitelist feature a la Junkmail to handle this, or is that too risky?

I'm just a little surprised that this hasn't come up more often. I am guessing this has happened to others too. Are others just using education?

Paul Navarre
RE: [Declude.Virus] Airline confirmations blocked
:)

John after I posted this I said OOPS.. He is talking about virus and not JM.

We were having airline and other lists caught for spam and that is what I was talking about. After I saw the message appear in the virus list.. I went .. Wrong answer!

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, June 13, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Airline confirmations blocked

We have a negative list that we add these type of emails. Our list is called NegativeEmailList. We subtract 100 points from each of these emails. I would not Whitelist them because at times you will get spam with faked addresses from these places. A negative list is much more desirable.

Kami, that does not work as Declude Virus holds them, before JM processing gets done. Even if you had JM before Virus, they would pass JM (if so) but still be caught and held by Virus.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.Virus] Bugbear getting through
Hi Doug:

In AVG go to:

Program / AVG Control Center

The first screen that shows up is apparently the Real Time scanner. Make sure all the options are unchecked in the first screen. If any of the options are checked the virus will be deleted and Declude AV will never get a chance to act on it.

Once you do this the Resident Shield button in the Basic View shows a red line indicating it is not fully functional.

It could be me and the other 2 folks that were trying to figure this out, but the wording is not clear in this software. I will send you a screen shot in a separate email.

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug McKee
Sent: Wednesday, June 11, 2003 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Bugbear getting through

How did you deactivate the real-time scanner in AVG?

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
Sent: Wednesday, June 11, 2003 5:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Bugbear getting through

David:

We researched this and I reported those findings in other postings. We are using now:

- F-Prot: 1st scanner ($50/year)
- Grisoft AVG: 2nd scanner $35/year

We are also thinking of adding F-Secure at about $50/year

So far with F-Prot and Grisoft we have been catching bugbear on a daily basis. I highly recommend a 2nd scanner (you need to have Virus Pro).. I think one scanner is extremely risky. For less than $150/year you can have 3 scanners from 3 different countries with hopefully different update times. Also with blocking all the extensions that Pro allows you to block chances of a virus getting through is almost close to 0.

If you choose AVG make sure you stop all the real-time scanner capabilities. That baffled me for a long time until we figured out how to deactivate it. Once deactivated it is working like a charm.

Hope this helps.

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Wednesday, June 11, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Bugbear getting through

-- Original Message --
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

Unfortunately there is a problem with running a DOS anti-virus scanner on Windows NT 4.0/2000/XP systems. It is not guaranteed that all files will

John, saw your response from F-Prot ... however, I am one of the ones who reported this to Scott ... I'm running the windows scanner and had it get through too ... so it isn't just the DOS version.

Obviously time for a second scanner ... any suggestions for something?

David

---
[South Texas Internet scanned this E-mail for viruses using Declude Virus]
[Declude.Virus] Grisoft- New finding.. FYI
Hi;

I have been exchanging email with the Tech Support at Grisoft about the Auto-Update. I thought it is good to know considering I have suggested this software recently as a scanner.

Here is the response:

==
I am sorry, but the update manager does not run as a service. The update manager is managed by AVG Control Center. The AVG Control center starts, when a user logs on. I recommend to log on and lock the station. This problem will be solved in AVG 7, in this version, there will be possible to update also, when a user is logged off. The version 7 will be released in a few weeks.
==

Regards,
Kami
RE: [Declude.Virus] OT: F-Prot status page
Hi;

We had this problem with Windows NT 4.0. In 2003 we are not seeing this behavior. What version of Windows are you running?

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Thursday, June 12, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: F-Prot status page

Thanks for the reply.. But, we're still able to get the updates.. It's just that with the update status page open, no updates are done.. Instant you close it, updater runs again (if it's missed the update) and checks for updates again.. Also, noticed that the full system scan will also not run when the update status page is open.. I have it setup to run at 2am on Monday mornings with updates running at 6am and 6pm.. Monday mornings when I come in, I close the status page and it runs update once again; close that and the full system scan begins.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Leske
Sent: Thursday, June 12, 2003 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: F-Prot status page

http://www.mail-archive.com/declude.virus%40declude.com/msg05186.html

Above link may wrap, but this might help.

~Rick

Hello, I was wondering if anyone knows how to have F-Prot automatically close the status page when it's done looking for updates. I've noticed that when the page is left open, the updater won't go and look for new updates until it's closed. Once it's closed, all is well and it goes out and looks for the updates. I'm running the latest windows version.. Thanks..

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
RE: [Declude.Virus] Grisoft- New finding.. FYI
John..

I guess that is a possibility. Have not tried it.. yes you are right we don't want to leave the server logged on.

The same issue also exists with F-Prot as we know. The update does not work if you are not logged on and have to run an update scheduled task.

Does anyone know anything about F-Secure? Do they run as a service?

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, June 12, 2003 10:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Grisoft- New finding.. FYI

Thanks Kami.

Since we are talking about Mail Servers, we all know that servers should not be left logged on. What about starting the AVG Control Center as a scheduled task just before the update manager needs to run?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, June 12, 2003 7:00 AM
To: Virus List
Subject: [Declude.Virus] Grisoft- New finding.. FYI

Hi;

I have been exchanging email with the Tech Support at Grisoft about the Auto-Update. I thought it is good to know considering I have suggested this software recently as a scanner.

Here is the response:

==
I am sorry, but the update manager does not run as a service. The update manager is managed by AVG Control Center. The AVG Control center starts, when a user logs on. I recommend to log on and lock the station. This problem will be solved in AVG 7, in this version, there will be possible to update also, when a user is logged off. The version 7 will be released in a few weeks.
==

Regards,
Kami
RE: [Declude.Virus] F-Prot Windows 2003
Hi Josh:

this is our setting:

SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1 Infection:

So we are not using code 8. This is per Declude site.

I have done many tests... virus gets caught but none of the scanners report the name. Eicar comes as unknown.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky
Sent: Tuesday, June 03, 2003 2:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot Windows 2003

I am running Win2k3 Enterprise server and F-Prot. I wonder... There are 3 possible flags for viruses with F-Prot, and one of them was for files that were questionable. Do you have all 3 virus codes in use and maybe it is catching questionable ones? I can't Terminal Service in to my box from here but as I recall it was virus code 8 that was the one that could show unknown.

-Josh

From: "Kami Razvan" [EMAIL PROTECTED]
Organization: ClickandPledge.com
Reply-To: [EMAIL PROTECTED]
Date: Tue, 3 Jun 2003 14:21:58 -0400
To: "Virus List" [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot Windows 2003

Hi;

Is anyone running:
- Windows 2003
- F-Prot [1st scanner]

We use two scanners.
2nd scanner: AVG

now - if I comment out AVG - F-Prot catches the virus so I know F-Prot is working.

But we have a problem that a lot of viruses show up as unknown. The following is from Eicar.

==
The Declude Virus software [Ver: 1.70i2] on clickandpledge.com has reported that you were sent an E-mail from [EMAIL PROTECTED], containing the Unknown Virus virus in the Unknown File attachment. The subject of the E-mail was "Test eicar.com file [eicarplain]". The E-mail containing the virus has been quarantined to prevent further damage.
==

Sobig is being caught correctly but a lot of viruses show up as unknown.. I don't know if it is the scanners or what the deal is but almost 90% of viruses are caught as unknown.

It is strange.. virus log file in debug mode shows both scanners are kicking in and the virus is easily caught but apparently neither of these reports the right name.

Question: If one scanner reports unknown virus and the 2nd report a name would Declude know which name to take? I guess this can make a difference.

Before moving to AVG we had McAfee and always had names for viruses.. now that we dropped McAfee and replaced it with AVG this is happening.

any ideas?

Regards,
Kami
[Declude.Virus] Server 2003- F-Prot
Hi;

We posted a request to F-Prot for a problem we are having and this is the reply. Just FYI:

Hello and thank you for your mail. We have not yet tested our product on 2003 Server Standard. We will need some time to do so.

Best regards,
Kolbrun Valbergsdottir
F-Prot Antivirus Tech Support

In case you are wondering!

Regards,
Kami
[Declude.Virus] Unknown Virus
Scott:

We are not constantly getting the Unknown virus as alerts.

Declude Virus [Ver: 1.70i1] caught the Unknown Virus virus in Unknown File from ???@hotmail.com to: [EMAIL PROTECTED] is just changed to cover the user.

Almost 100% of all alerts we get are like this if it is not a vulnerability.

We use:
Scanner 1: F-Prot
Scanner 2: AVG

Any ideas?

Regards,
Kami
RE: [Declude.Virus] Error in Virus Scanner
Hi Scott:

One thing I noticed when we were moving our servers. I made a mistake in the file path for the virus scanners (2 of them) and did not realize it until I received a virus. The interesting thing that I noticed was the attachment (.scr) was with the virus. The virus.cfg had it listed as a banned extension.

BANEXT scr

To me it seems like from a programming perspective and a fail safe measure when the virus scanners return error (as wrong setup) the attachment ban should do what it is supposed to do - simply as a fail safe measure.

Just a thought..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, May 29, 2003 9:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Error in Virus Scanner

05/29/2003 06:26:42 Qe05301090146bcae Error 0 in virus scanner.

Are you using two or more virus scanners? There does appear to be an issue with 1.70 where this message will appear in the log file if one or more scanners report an error, but the last one does not. This will be fixed in the next release (an interim release can be made available immediately if necessary).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
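The fail-safe suggested in the message above, sketched as an added example (this is not Declude's code and does not describe its actual decision logic): the banned-extension check runs before and independently of the scanners, and a scanner that fails to start or exits with an unrecognized code holds the message instead of counting as clean. The function names, the verdict strings, the sample config and the assumption that exit code 0 means "clean" are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of the virus.cfg lines quoted on this list.
# Scanner 2 deliberately points at a wrong path, as in the message above.
SAMPLE_CFG = r"""
# Banned Extensions
BANEXT scr
BANEXT pif
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
SCANFILE2 C:\wrong\path\scanner.exe
VIRUSCODE2 1
"""


@dataclass
class Config:
    banned: set = field(default_factory=set)         # lower-case extensions
    scanners: dict = field(default_factory=dict)     # index -> command line
    viruscodes: dict = field(default_factory=dict)   # index -> exit codes


def parse_cfg(text):
    """Parse BANEXT / SCANFILEn / VIRUSCODEn directives; '#' starts a comment."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.upper()
        value = value.strip()
        if key == "BANEXT":
            cfg.banned.add(value.lower().lstrip("."))
        elif (m := re.fullmatch(r"SCANFILE(\d+)", key)):
            cfg.scanners[int(m.group(1))] = value
        elif (m := re.fullmatch(r"VIRUSCODE(\d+)", key)):
            cfg.viruscodes.setdefault(int(m.group(1)), set()).add(int(value))
    return cfg


def banned_attachment(cfg, filenames):
    """Return the first attachment whose final extension is banned, else None."""
    for name in filenames:
        # Windows ignores trailing dots and spaces, so strip them first.
        cleaned = name.strip().rstrip(". ").lower()
        ext = cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in cfg.banned:
            return name
    return None


def decide(cfg, filenames, exit_codes):
    """exit_codes maps scanner index -> exit code, or None if it never ran."""
    hit = banned_attachment(cfg, filenames)
    if hit is not None:
        # Decided without consulting any scanner result.
        return ("quarantine", f"banned extension: {hit}")
    failed = []
    for idx in sorted(cfg.scanners):
        code = exit_codes.get(idx)
        if code in cfg.viruscodes.get(idx, set()):
            return ("quarantine", f"scanner {idx} reported a virus (code {code})")
        if code != 0:  # None (did not run) or an unrecognized code
            failed.append(idx)
    if failed:
        return ("hold", f"scanner(s) {failed} failed; message not verified")
    return ("deliver", "all scanners clean")
```

With both scanner paths wrong, `decide(parse_cfg(SAMPLE_CFG), ["photo.jpg.scr"], {1: None, 2: None})` still quarantines on the extension, and a message with no banned attachment is held rather than delivered.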
RE: [Declude.Virus] Yahoo's Yahoo's...
Hi;

I guess one thing that has always confused me about this is simply why would anyone want to use a free service such as Yahoo and send legitimate emails with a different return address?

What I can see from those that use Yahoo, hotmail or other free services are two fold:

1: People who don't want to use their company email for personal communication
2: People who don't have any other email address and use free services such as Yahoo

In both of these legitimate scenarios I can't imagine anyone using a different return address.

Would this actually be indicative of spam? Someone using Yahoo servers with a different return address?

Something else that I can also see is someone using a different server sending and have Yahoo as return address. Why would anyone use a free service for return address when one has access to a private mail server?

Perhaps this discussion belongs to the Junkmail group. Just brainstorming... Has anyone given the variations much thought?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Ryan
Sent: Friday, April 04, 2003 6:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Yahoo's Yahoo's...

The disadvantage to this is that it would give a weight of -8 to E-mail from a valid yahoo.com mailserver that was sent with a non-Yahoo return address. -Scott

Under what circumstances would this happen? Does Yahoo provide mail services for other companies and their domains? I would imagine mail from Yahoo's mail servers would always be from Yahoo or their users, right?

I'm excited about trying:

MAILFROM 8 CONTAINS @yahoo.com
REVDNS -8 CONTAINS .yahoo.com

But I want to be sure I understand your caution first.

Thanks Scott!

--Todd.
RE: [Declude.Virus] W32/Sobig.A
Hi Jonathan:

Sobig is actually an easy virus to totally block... We have simply added [EMAIL PROTECTED] to our Kill list in the SMTP tab. Sobig only comes (apparently) from this address.

Per Symantec:

==
The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the following characteristics:

From: [EMAIL PROTECTED]
Subject: The subject will be one of these:
===

So simply add [EMAIL PROTECTED] to your kill list at IMail SMTP tab and forget it.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan
Sent: Sunday, February 16, 2003 7:42 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] W32/Sobig.A

Anyone else seeing an increase in W32/Sobig.A today? Looks like it's gonna take off just like the rest of em .. :\

Jonathan
RE: [Declude.Virus] big@boss.com postmaster@boss.com
Hi;

The virus appears to always come from: [EMAIL PROTECTED]

So simply add that to the kill list in Imail. That way any email comes with that return address the server would not accept it.

This is what Symantec says about this:

The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the following characteristics:

From: [EMAIL PROTECTED]
Subject: The subject will be one of these:

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze - Hostmaster
Sent: Wednesday, February 05, 2003 3:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] [EMAIL PROTECTED] [EMAIL PROTECTED]

Hello,

It appears as though the Sobig virus is making its rounds again. I've gotten three or four Undeliverable mails today. Anyway, I remember reading somewhere in this list (when the virus first hit) that there was a way for Declude to block these message before the server even tried to send them out. I've looked again, but am unable to locate the messages. Can someone give me the lo-down on how to block these.

Thanks..
[Declude.Virus] big@boss.com
Hi;

Has anyone caught Sobig with any other eMail address than [EMAIL PROTECTED]?

We blocked that address at the Imail kill list and have not seen any incidents anymore. First couple of days we were getting a lot of them but all had the same email. So we decided to block it at the SMTP Kill list. Now we don't see any...

Just curious..

Regards,
Kami
RE: [Declude.Virus] big@boss.com
Just a note regarding my earlier posting...

Per eWeek newsletter:

Not much is known about the virus at this point, but it seems to be a mass-mailing worm that behaves much like the Lirva worm that began spreading last week. It arrives via e-mail, always in a message from the address [EMAIL PROTECTED] and carrying one of four subject lines:..

http://www.eweek.com/article2/0,3959,826314,00.asp

If the eMail [EMAIL PROTECTED] is blocked at the Imail SMTP KILL list - will Declude ever see the eMail?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Tuesday, January 14, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] [EMAIL PROTECTED]

Hi;

Has anyone caught Sobig with any other eMail address than [EMAIL PROTECTED]?

We blocked that address at the Imail kill list and have not seen any incidents anymore. First couple of days we were getting a lot of them but all had the same email. So we decided to block it at the SMTP Kill list. Now we don't see any...

Just curious..

Regards,
Kami
RE: [Declude.Virus] Interesting X-Header
This is just one of the many IP4R tests that you have activated. Take a look at this for detail:

http://www.declude.com/junkmail/support/ip4r.htm

They are all listed above.

MONKEYFORMMAIL
Lists servers running formmail, which can be used to send spam. Zone transfers required for large organizations (100,000+ queries/day). Has TXT records.

Hope this helps..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze - Hostmaster
Sent: Friday, December 20, 2002 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Interesting X-Header

Was just curious what this meant. Have never seen this before.

X-Spam-Tests-Failed: MONKEYFORMMAIL
[Declude.Virus] Banned Extension
Hi;

The following is what we use and we got it from this list: - hope it helps.

http://support.microsoft.com/default.aspx?scid=KB;en-us;291369

Regards,
Kami

# Banned Extensions
BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
[Declude.Virus] Computer hackers mass-mailing trojans
Hi;

Has anyone seen this?

http://www.messagelabs.com/viewNewsPR.asp?id=109cmd=PR

MessageLabs is currently intercepting hackers who are mass-mailing trojans to unsuspecting users. The spread of this new threat suggests that infected machines could potentially be used in some kind of large-scale coordinated Internet hacking activity

The details of the trojan are as follows:

Trojan name: Maz
Aliases: W32/Maz.A, Downloader-BO
Number of copies seen so far: 615
Time Date first Captured: 10 Nov 2002, 14:58 GMT
Origin of first intercepted copy: UK
Number of countries seen active: 32
Top five most active countries:
  United States 60.7%
  Canada 9.3%
  Korea (South) 5.0%
  Great Britain 3.2%
  Mexico 2.1%
=

Regards,
Kami
[Declude.Virus] %NOUNKNOWNVIRUSNAME%
Hi Scott:

With the 1.62 beta is it safe to assume that the old variable: %VIRUSNAME% is now replaced with %NOUNKNOWNVIRUSNAME%.

In our outgoing response to the sender we were using virusname variable. From the definition it appears that the new variable would be a more comprehensive variable. Is this a true statement?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-owner;declude.com] On Behalf Of Scott MacLean
Sent: Wednesday, November 06, 2002 5:56 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] W32.Brid.A@mm

I have started seeing this worm getting through my Declude setup running F-Prot with up-to-date files (3.12b, definition files 10/7 2:32 pm):

http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.a;mm.html

Anyone else?
___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
[Declude.Virus] FW: Version 3.12b of F-Prot Antivirus released
Just FYI.. In case those using f-prot have not received notification yet.

Regards,
Kami

--
Version 3.12b of F-Prot Antivirus has been released and is now ready for download.

This version of F-Prot Antivirus has been improved in many ways. The most obvious change for users is increased speed in scanning, both with the OnDemand scanner and the RealTime Protector. Numerous other smaller changes have also been made to make the use of F-Prot Antivirus easier and more effective.

To update your registered version of F-Prot Antivirus to version 3.12b simply go to www.f-prot.com and click 'customer login'

--
F-Prot Antivirus Alert Service
http://www.f-prot.com
RE: [Declude.Virus] banned files
http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx

Is this what you are looking for?

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sheldon Koehler
Sent: Friday, September 27, 2002 4:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] banned files

I tried a quick search but cannot find the URL to Microsoft's site that has a list of recommended file extensions to ban. I am starting on a FAQ entry for our support page and want to include that URL in the paragraph. If anyone has it, I would appreciate it greatly!

Sheldon

Sheldon Koehler, Owner/Partner
http://www.tenforward.com
Ten Forward Communications
360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
RE: [Declude.Virus] .shs files posible virus?
Hmmm Interesting... another one to be added to the block extensions in the Declude Virus.

But here is a statement from Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.smorph.html

I think there is no reason for this extension to be e-Mailed. Can anyone think of a reason why it should not be blocked altogether?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Matuska
Sent: Wednesday, September 04, 2002 11:57 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] .shs files posible virus?

Has anyone run into .shs files? We have a user that has received a .shs file claiming to be an image. From what I am reading on the web these in most cases are viruses or trojan horses. Any thoughts, neither Declude w/F-prot or Norton AV on my local machine picked it up as a virus. Any thoughts?

Jim Matuska Jr.
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
RE: [Declude.Virus] .shs files possible virus?
Here is another link:

http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx

On extensions their use.

We block the following -- we feel if someone wants to send them they can always zip them, otherwise we just don't want to take any chances.

BANEXT ASD
BANEXT ASP
BANEXT BAT
BANEXT CAB
BANEXT CHM
BANEXT CMD
BANEXT DLL
BANEXT SCR
BANEXT EXE
BANEXT EML
BANEXT JS
BANEXT NWS
BANEXT OCX
BANEXT PIF
BANEXT SHS
BANEXT SYS
BANEXT VBE
BANEXT VBS
BANEXT VBX
BANEXT WSF
BANEXT WSH
BANEXT XML

Hope this helps.

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Wednesday, September 04, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] .shs files possible virus?

About 6 months ago some one pointed me to a web site that listed all file extensions and their usage. Any one know the URL, or where can we find such information?

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
RE: [Declude.Virus] Upgrade link
Hi..

http://www.Declude.com/Virus/Manual.htm

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Chadwick
Sent: Monday, May 20, 2002 7:28 AM
To: Declude. Virus@declude. com
Subject: [Declude.Virus] Upgrade link

Can someone point me to the upgrade link? Why can't I find the link to download the latest version from the declude.com site?

Mark Chadwick
IT Support Engineer
Science International

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Additional Scanners
Dave:

Sorry but after calling Insight their search for the product I was referred to Network Associates. (OH NO.. Not again!).

After explaining (Like I did last year) they told me that they no longer sell the product on a single license and it only comes in a minimum of 5 licenses. Starting two quarters ago they stopped selling single license versions of NetShield Security Suite.

So there we go with McAfee.. No longer an option.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Setzer
Sent: Tuesday, April 30, 2002 3:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Additional Scanners

Kami-

Did you find that Netshield product number that works with Declude?

Thanks
David