[Declude.Virus]
http://danjacoby.de/modules/Search/life.html --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] ClamAV
Michael,

I created a step-by-step guide a little over a year ago for the proper installation. It's pretty simple to do. I can't say however if the steps have changed in the latest release, and obviously the version that I linked to is old now and should be updated. So here are my abridged directions for a standard install.

1) You need 7zip installed (http://www.7-zip.org/), and to open files in 7zip, you open the file manager and double click the 7z or ZIP files.

2) Download the Current Stable code from http://oss.netfarm.it/clamav/
   For Windows 32bit, it would be clamav-win32-0.94.2.7z

3) Create a directory structure with C:\ClamAV and also create a sub-directory of C:\ClamAV\DB
   Put the files from the above 7z file into C:\ClamAV

4) Run C:\ClamAV\clamav.reg to put some directory entries into the registry. These are by default pointing to the directory structure that I am using.

5) From a command prompt run
   C:\ClamAV\freshclam.exe --datadir=C:\ClamAV\DB --daemon-notify
   This will download the latest definitions and let the service know to reload them if new ones are found. You want to schedule a task to run this every 15 minutes (there is virtually no load if no updates are available). There is no need to install freshclam as a service.

6) From a command prompt run
   C:\ClamAV\clamd --install
   This will install the ClamWin Free Antivirus Scanner Service. You then want to edit the service properties to start automatically, and set your recovery options to restart the service.

7) Download the ClamAV GUI Wrapper from http://oss.netfarm.it/clamav/ You only need one file from this zip, ClamAV-GUI.exe, and you want to place that in C:\ClamAV. This is a simple GUI for scanning files and directories and can be useful. You can create a short-cut for it if you want.

8) Configure Declude for ClamAV with the following (it is probably best to have this as the first scanner since it is the fastest):
   SCANFILE1 C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
   VIRUSCODE1 1
   REPORT1.

9) Check your virus logs for "Virus scanner 1 reports" in order to verify that it is running.

Note, if you want to use a non-default location, you will need to change the location in the following three things (don't quote me on this):
1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument

Matt

On 4/29/2010 4:14 PM, Michael Cummins wrote:

The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it.

You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a raccoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude.

Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works.

Just splaining where my head was and leaving a trail here in the archives in case it helps someone else.

:)

- Michael Cummins

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Andy Schmidt
*Sent:* Thursday, April 29, 2010 3:14 PM
*To:* declude.virus@declude.com
*Subject:* RE: [Declude.Virus] ClamAV

There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will be obsolete once you install the official version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessarily complicated...

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Michael Cummins
*Sent:* Thursday, April 29, 2010 2:50 PM
*To:* declude.virus@declude.com
*Subject:* RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)
http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll , but I don't
Re: [Declude.Virus] OT - looking for a command line email tool - with attachments
Alex,

The PDF should actually have the font embedded in it when it is created. There are options for doing this in most PDF generators. That part sounds like a non-E-mail-sending issue.

If you want to generate E-mails from a Windows server, I see no reason not to use CDOSYS which is built into Windows. Unlike CDONTS, CDOSYS can be pointed at your mail server with or without authentication and doesn't require MS SMTP to be installed or running on your box. Here's a link to some example code:
http://www.w3schools.com/asp/asp_send_email.asp

Matt

Hirthe, Alexander wrote:

Hello,

can anyone help me? I'm looking for a command line tool to send mail (within our company) including an attachment. (I want to forward the incoming fax to the inbox of the user :) I can create the pdf, put it in a directory and now I only need a command line mailer **with** attachment. I tried different tools now, the best sent me the mail and the embedded pdf font was missing :-/ if I open the pdf on the server it's all working. ?

Alex

Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Board of Management: Prof. H.-F. Siller (Chairman), Joern Buelow, Ralf Michi
Chairman of the Supervisory Board: Dr. Peter Baumeister
Registry court Stuttgart, HRB 107707, VAT ID no. DE145782955
Re: [Declude.Virus] OT: Alligate as a gateway for providers ?
Alligate doesn't filter POP3. Is that what you wanted to know?

Matt

Uwe Degenhardt wrote:

Hi list,

we are a small provider doing some shop-hosting services. As a side-service we are running one eMail-server for 65 domains and approximately 270 users. We tried Alligate (trial) as a gateway server to minimize the load on this server. But my administrator said that POP3 eMail never goes through to our eMail-Server. Our request is that the gateway is doing second level SMTP outbound filtering/checks and POP3 first level inbound filtering/checks. The eMail-server-SW is: SmarterMail 4.x on Windows2003 and SPAM/Virus-Filtering is done by Declude EVA. And the customers should be able to receive their eMails via SmarterMail directly (bypass Alligate). Any chance on doing this with Alligate?

Uwe
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Kevin,

Just to be more specific, if you use the HOLD action, those messages that are held will not be virus scanned. On our system, we use a combination of COPYFILE and ROUTETO, and they are in fact virus scanned when using AVAFTERJM.

Matt

Kevin Bilbee wrote:

Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, June 13, 2008 6:10 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU.

Darin.

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 8:55 AM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

No, I am still using an antique version of Declude and IMail.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 8:07 PM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM?

Darin.

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:23 AM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

I just terminated my F-Prot 6, and installed ClamAV SOSDG. Before that, my CPU usage always ran sky-high, at around 70%-100%; now using ClamAV, it is reduced to 5%-20%, still catching all the testing viruses. F-Prot 6 does not provide options like noboot, nomem; I guess these became the default setting, and cause very high CPU and hard disk usage. Alex's instructions dated 6 June 2008 for ClamAV installation were very helpful, thanks!

The main tricks in ClamAV are:
1: need to install the contributors' tools, then get two dedicated tools for Declude, can run the clamdscan as service.
2: need to remove --mbox, if this is there, it will not function.

Brian

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 10:02 AM
Subject: Re: [Declude.Virus] F-PROT 6

I think VIRUSCODE 1 needs to be added too?
http://www.f-prot.com/support/windows/fpwin_faq/310.html

Anyway, using F-Prot 6 seems very slow compared with the previous F-Prot 3, I do not know the exact reason. I have tried to reduce scanlevel, heurlevel, archive to 0 or 1, still very slow, I guess it is now scanning memory by default?

Another question is, for REPORT=report.txt, do we need it? REPORT=report.txt from the instruction here looks like it is needed (http://www.f-prot.com/support/windows/fpwin_faq/445.html) but most users' online posts seem to say it is not necessary.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, June 04, 2008 2:34 AM
Subject: Re: [Declude.Virus] F-PROT 6

Assuming the default location for program installation, here you go.

SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt

/VERBOSE=0 corresponds to the old /SILENT switch
/TYPE is assumed now
/ARCHIVE has changed to /ARCHIVE=5
/NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct
/SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended

See the FProt 6 manual for more info on conversion of switches, and desired settings

Also, while the old
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
is most likely sufficient, we added
VIRUSCODE 3
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
VIRUSCODE 11
VIRUSCODE 13
VIRUSCODE 14
VIRUSCODE 15
VIRUSCODE 17
VIRUSCODE 18
VIRUSCODE 19
VIRUSCODE 21
VIRUSCODE 22
VIRUSCODE 23
VIRUSCODE 25
VIRUSCODE 26
VIRUSCODE 27
VIRUSCODE 29
VIRUSCODE 30
VIRUSCODE 31
VIRUSCODE 33
VIRUSCODE 34
VIRUSCODE 35
VIRUSCODE 37
VIRUSCODE 38
VIRUSCODE 39
VIRUSCODE 41
VIRUSCODE 42
VIRUSCODE 43
VIRUSCODE 45
VIRUSCODE 46
VIRUSCODE 47
VIRUSCODE 49
VIRUSCODE 50
VIRUSCODE 51
VIRUSCODE 53
VIRUSCODE 54
VIRUSCODE 55
VIRUSCODE 57
VIRUSCODE 58
VIRUSCODE 59
VIRUSCODE 61
VIRUSCODE 62
VIRUSCODE 63
for completeness.

Hope this helps,

Darin.

- Original Message -
From
Re: [Declude.Virus] RE: IMmail 2006.23 release notes
Some of us believe that it is the IMail1.exe executable that Declude uses and not the IMail.exe executable that is being discontinued. Regardless, if Declude stopped using IMail1.exe, it could generate bounces with a null sender, and that's long overdue.

Matt

Andy Schmidt wrote:

Darrell,

I think they are using SOME Imail mailer to send the Virus, Bounce and Postmaster notifications. However, I DO believe there is some confusion between the .EXE that is the mailer vs. the old .EXE that is a mailbox CLIENT software. (There used to be an Imail client where you could read/reply messages, etc.)

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, December 10, 2007 10:33 AM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Re: [Declude.Virus] IMmail 2006.23 release notes

Bonno,

After Declude finishes scanning the message it passes it off to smtp32.exe for delivery. I can't think of any instance where declude will use the imail.exe utility.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Bonno Bloksma wrote:

Hi,

In the IMail 2006.23 release notes it states:
--Quote--
The IMail.exe Client provided in the IMail Server contained a vulnerability due to a boundary error when processing emails with multipart MIME data, which could potentially compromise a user's system. IMail.exe will no longer be delivered during installation.
Caution: It is recommended that existing installations remove IMail.exe from the IMail directory. It has been determined that utilizing this feature could potentially corrupt mailboxes.
--Quote--

I seem to remember Declude used this (IMail.exe) as part of its mail delivery. Is that still true with the 4.x versions? I use it to send myself mails when something happens like a sniffer update. But that is just one script which I can change. Is there something similar that we can use?

p.s. I assume they mean IMail1 as there is no IMail.exe in the IMail directory.

Kind regards,

Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
*From:* Tom Lewis
*To:* [EMAIL PROTECTED]
*Sent:* Monday, December 10, 2007 2:28 PM
*Subject:* RE: [IMail Forum] apimmdd.txt files

The api/mmdd/.txt files are new in 9.23. There is informational logging taking place that is creating these logs. They can be used by tech support for diagnosing problems in the web client if they were to occur.

You can get to the release notes here:
http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm

Tom Lewis
*Ipswitch, Inc.*
Development Manager - Messaging Products
706-312-3573

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Bonno Bloksma
*Sent:* Monday, December 10, 2007 7:27 AM
*To:* [EMAIL PROTECTED]
*Subject:* [IMail Forum] apimmdd.txt files

Hi,

As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find what these are for. Is this the new extra debugging for the webmail? There seem to be no release notes for 2006.23, at least I cannot find them. Apart from that, everything seems to be working ok.

Kind regards,

Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] RE: IMmail 2006.23 release notes
It's as easy as creating the spool files from scratch. Declude already does everything else that is necessary. There's no need for even something like BLAT.

Matt

Andy Schmidt wrote:

it could generate bounces with a null sender, and that's long overdue.

Agreed! There is no excuse for Declude NOT to have its own mailer -- after all, there is an Imail listening on SOME local port -- it's ridiculous that the matter of NULL senders hasn't been addressed. At LEAST make it a configuration option to use a standard tool, such as BLAT.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt
*Sent:* Monday, December 10, 2007 2:06 PM
*To:* declude.virus@declude.com
*Subject:* Re: [Declude.Virus] RE: IMmail 2006.23 release notes

Some of us believe that it is the IMail1.exe executable that Declude uses and not the IMail.exe executable that is being discontinued. Regardless, if Declude stopped using IMail1.exe, it could generate bounces with a null sender, and that's long overdue.

Matt

Andy Schmidt wrote:

Darrell,

I think they are using SOME Imail mailer to send the Virus, Bounce and Postmaster notifications. However, I DO believe there is some confusion between the .EXE that is the mailer vs. the old .EXE that is a mailbox CLIENT software. (There used to be an Imail client where you could read/reply messages, etc.)

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, December 10, 2007 10:33 AM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Re: [Declude.Virus] IMmail 2006.23 release notes

Bonno,

After Declude finishes scanning the message it passes it off to smtp32.exe for delivery. I can't think of any instance where declude will use the imail.exe utility.
Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability
Ruben,

In your Virus.cfg file, add the following line:
ALLOWVULNERABILITYOLBLANKFOLDING

This will turn off this vulnerability detection. There have been no viruses that I know of that have exploited this flaw, and it is quite possible that this flaw no longer exists since it is around 5 years old now. You might also want to consider turning off other vulnerability detections due to the propensity of them hitting legitimate E-mail. Here's a list:

BANPARTIALOFF
ALLOWVULNERABILITYOLCR
ALLOWVULNERABILITYOLSPACEGAP
ALLOWVULNERABILITYOLMIMESEGMIMEPRE
ALLOWVULNERABILITYMIMESEGMIMEPOST
ALLOWVULNERABILITYOLLONGFILENAME
ALLOWVULNERABILITYOLBLANKFOLDING
ALLOWVULNERABILITYOBJECTDATA
ALLOWVULNERABILITYOLBOUNDARYSPACEGAP
ALLOWVULNERABILITYOLMIMEHEADER
ALLOWVULNERABILITYOLLONGBOUNDARY

Matt

Mon Mariola - Rubén wrote:

The program incredimail generates subjects, in certain cases, ended with 0D 0A 09 0D 0A. These messages are captured by Declude virus as Outlook 'Blank Folding' Vulnerability. I want to send a letter requesting that technical support solve this problem, but I really do not see the point 3.2.3 in RFC 822 indicating that this is not allowed.

Thank you.
Ruben Marti.
Mon Mariola, S.L.

From Declude manual:
Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there is a line in the headers with just a single space or a single tab character. Outlook can treat this as the end of the headers, allowing it to see a virus that is embedded in the headers. RFC822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab (note that it is OK to have a line with a single space or tab in the E-mail body, just not the headers).
Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability
Disable it and be done with it. There is no option to partially support the issue, and the issue is very likely not a threat. Just because something isn't RFC compliant doesn't mean that it is a threat. The vulnerability was from Outlook displaying attachments that were hidden by bad encoding, but that flaw was likely patched, or at least it has not been exploited in mass.

Matt

Mon Mariola - Rubén wrote:

Matt,

So far, the only case where I find this vulnerability is in the mail sent from the program Incredimail. If these lines are actually prohibited in RFC, it is safer to seek Incredimail technical support to solve your problem. But I fear that the explanation in Declude manual is false and that there is a section in RFC that says clearly that these lines are not allowed.

Thank you.
Ruben Marti.
Mon Mariola, S.L.

- Original Message -
From: Matt
To: declude.virus@declude.com
Sent: Monday, December 03, 2007 4:15 PM
Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

Ruben,

In your Virus.cfg file, add the following line:
ALLOWVULNERABILITYOLBLANKFOLDING

This will turn off this vulnerability detection. There have been no viruses that I know of that have exploited this flaw, and it is quite possible that this flaw no longer exists since it is around 5 years old now. You might also want to consider turning off other vulnerability detections due to the propensity of them hitting legitimate E-mail. Here's a list:

BANPARTIALOFF
ALLOWVULNERABILITYOLCR
ALLOWVULNERABILITYOLSPACEGAP
ALLOWVULNERABILITYOLMIMESEGMIMEPRE
ALLOWVULNERABILITYMIMESEGMIMEPOST
ALLOWVULNERABILITYOLLONGFILENAME
ALLOWVULNERABILITYOLBLANKFOLDING
ALLOWVULNERABILITYOBJECTDATA
ALLOWVULNERABILITYOLBOUNDARYSPACEGAP
ALLOWVULNERABILITYOLMIMEHEADER
ALLOWVULNERABILITYOLLONGBOUNDARY

Matt

Mon Mariola - Rubén wrote:

The program incredimail generates subjects, in certain cases, ended with 0D 0A 09 0D 0A. These messages are captured by Declude virus as Outlook 'Blank Folding' Vulnerability. I want to send a letter requesting that technical support solve this problem, but I really do not see the point 3.2.3 in RFC 822 indicating that this is not allowed.

Thank you.
Ruben Marti.
Mon Mariola, S.L.

From Declude manual:
Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there is a line in the headers with just a single space or a single tab character. Outlook can treat this as the end of the headers, allowing it to see a virus that is embedded in the headers. RFC822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab (note that it is OK to have a line with a single space or tab in the E-mail body, just not the headers).
Re: [Declude.Virus] Partial Vulnerability test failures on legitmate email
To the best of my knowledge, this has never been exploited by a mass mailing virus, but some people do in fact go into their mail client and check the box to enable this despite it being old-hat. I would recommend leaving it off until the exploits actually occur. It is also possible that virus scanners can detect a virus in a partial message and of course there is spam blocking so it wouldn't mean a complete lack of detection on the server side.

Matt

Andy Schmidt wrote:

Hi,

Actually, the Partial/Fragmented Vulnerability is one that ideally should be left in place. I'm not certain that this test can be circumvented individually, at least it's not on this list: http://www.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp.

Before HTML messages and picture attachments and consequently support for messages that are many megabytes in size, there was a frequently used option (specially for NNTP newsgroups, if I recall correctly), where an email software would split a message into smaller fragments and then send each fragment as one email. The receiving software would look for the fragments and re-assemble them into a single message.

Since it prevents virus detection at the server level, fragmented messages should no longer be accepted (and, with today's technology and size allowances, there really is no use for it).

I have seen some devices (such as a Ricoh Scanner/Fax/Printer combination) still have the setting to create fragments after xx KB. And even Outlook Express can still generate fragments (see screenshot).

However, I've never had trouble explaining to clients (and senders), why this option should remain off:

Best Regards,
Andy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy Armbrecht
Sent: Thursday, October 11, 2007 3:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Partial Vulnerability test failures on legitmate email

Does anyone know which Outlook Vulnerability test to REM out in the virus.cfg to keep the [Partial Vulnerability] test from failing? We are on 4.3.59 and this test is catching a number of legitimate emails recently and I need to turn this test off until the vulnerability test fix is done so I can try it again. Has MS made updates to Outlook to affect this? This has just started on us about 5 days ago.

Randy A.
Global Web Solutions Inc
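Both checks argued over in this thread and in the 'Blank Folding' thread above come down to inspecting the raw header block before any MIME parsing: a header line holding nothing but whitespace (the Declude manual's "blank folding" case), and a Content-Type of message/partial (the fragmented-message case Andy describes). The script below is an added example written for this archive, not code from Declude or from any poster. Its sample messages are constructed (the first reproduces the 0D 0A 09 0D 0A subject ending Ruben reported); the "lenient" parse is a model of the behaviour the Declude manual attributes to Outlook, not a reproduction of Outlook's parser; and the check goes slightly beyond the manual's wording by flagging any whitespace-only header line rather than only a single space or tab.

```python
from typing import Dict, List, Optional

# Constructed samples, not captured mail.
# INCREDIMAIL_STYLE: the Subject line is followed by a line holding only a tab,
# i.e. the 0D 0A 09 0D 0A ending described in the 'Blank Folding' thread.
# PARTIAL_STYLE: first fragment of a two-part message/partial message.
INCREDIMAIL_STYLE = (
    b"From: sender@example.com\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Hello\r\n"
    b"\t\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"body text\r\n"
)
PARTIAL_STYLE = (
    b"From: sender@example.com\r\n"
    b"Content-Type: message/partial; id=\"example-id\";\r\n"
    b"\tnumber=1; total=2\r\n"
    b"\r\n"
    b"first fragment\r\n"
)
CLEAN = b"From: a@example.com\r\nSubject: ok\r\n\r\nbody\r\n"


def _lines(raw: bytes) -> List[bytes]:
    return raw.replace(b"\r\n", b"\n").split(b"\n")


def header_block(raw: bytes, stop_on_whitespace_only: bool) -> List[bytes]:
    """Collect header lines up to the terminator.
    Strict mode ends only at an empty line (RFC 822 treats a whitespace-only
    line as an empty folding continuation). Lenient mode also stops at a line
    holding nothing but spaces/tabs, modelling the client behaviour the
    Declude manual describes; everything after it is then seen as body."""
    block: List[bytes] = []
    for line in _lines(raw):
        if line == b"":
            break
        if stop_on_whitespace_only and line.strip(b" \t") == b"":
            break
        block.append(line)
    return block


def unfold(lines: List[bytes]) -> List[bytes]:
    """Join folded continuation lines (leading space/tab) onto their field."""
    fields: List[bytes] = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b" " + line.strip(b" \t")
        else:
            fields.append(line)
    return fields


def get_header(fields: List[bytes], name: bytes) -> Optional[bytes]:
    prefix = name.lower() + b":"
    for field in fields:
        if field.lower().startswith(prefix):
            return field[len(prefix):].strip()
    return None


def audit(raw: bytes) -> Dict[str, object]:
    """Report the two header conditions the Declude checks look for, plus how
    many header lines a lenient parser would misread as body (the parser
    differential that makes the blank-folding case interesting)."""
    strict = header_block(raw, stop_on_whitespace_only=False)
    lenient = header_block(raw, stop_on_whitespace_only=True)
    blank_folding = [i + 1 for i, line in enumerate(strict)
                     if line and line.strip(b" \t") == b""]
    ctype = get_header(unfold(strict), b"Content-Type") or b""
    return {
        "blank_folding": blank_folding,          # 1-based header line numbers
        "hidden_from_lenient_parser": len(strict) - len(lenient),
        "partial": ctype.lower().startswith(b"message/partial"),
    }


if __name__ == "__main__":
    for label, sample in (("incredimail", INCREDIMAIL_STYLE),
                          ("partial", PARTIAL_STYLE), ("clean", CLEAN)):
        print(label, audit(sample))
```

The "hidden_from_lenient_parser" count is the practical risk figure: for the Incredimail-style sample it is 2, meaning a client that stops at the tab line would treat the tab line and the Content-Type header as body, which is exactly the mismatch a server-side scanner cannot see from the MIME structure alone.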
Re: [Declude.Virus] exe in zip file why not blocked...
Dave,

His logs show however that the AV scanners were called, so this message didn't hit HOLD or DELETE.

Matt

David Barker wrote:

AVAFTERJM ON means if the email reaches the JM either HOLD or DELETE to not call the AV in the Declude code. Try switching this OFF to see if it resolves the issue.

David

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Scott Fisher
*Sent:* Monday, July 30, 2007 10:27 AM
*To:* declude.virus@declude.com
*Subject:* RE: [Declude.Virus] exe in zip file why not blocked...

Declude 4.3.57
AVAFTERJM ON
YES.

-Original Message-
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Barker
*Sent:* Monday, July 30, 2007 7:48 AM
*To:* declude.virus@declude.com
*Subject:* RE: [Declude.Virus] exe in zip file why not blocked...

Scott,

What version of Declude ? Are you using the directive AVAFTERJM ON?

David

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Scott Fisher
*Sent:* Friday, July 27, 2007 3:06 PM
*To:* declude.virus@declude.com
*Subject:* [Declude.Virus] exe in zip file why not blocked...

I was looking at my spam folder and noticed an email with a zip that contained an exe.

07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]

virus.cfg lines:
BANEXT exe
BANZIPEXTS ON

I believe this should have been blocked (regardless of the problem with scanner 2).

Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323

/This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments./
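Scott's log excerpt shows the condition worth alerting on regardless of how the BANEXT question is settled: scanner 2 returned exit code 8 on every attempt, Declude could not find its parse string in report.txt and recorded "Error in virus scanner", so no AV verdict was ever produced and the extension ban was the only control left between the zipped exe and the mailbox. The script below is an added example, not code from Declude or from anyone on the list. It parses the log format visible in the thread (the regular expressions are inferred from those lines only and assume nothing else about Declude's logging), groups entries by queue file, and lists messages where a scanner error coincided with an archive or a banned extension. The second message in the sample is constructed for contrast and its status text is hypothetical.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. The first message is the excerpt quoted in the thread
# (two of the repeated scanner-2 lines kept); the second is a made-up clean
# message and its "Scanned:" status wording is hypothetical.
SAMPLE_LOG = """\
07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner.
07/27/2007 11:12:01.000 q18d4010e4999.smd MIME file: notes.txt [base64; Length=512 Checksum=1]
07/27/2007 11:12:02.000 q18d4010e4999.smd Virus scanner 1 reports exit code of 0
07/27/2007 11:12:02.000 q18d4010e4999.smd Scanned: No virus found.
"""

# Line shapes inferred from the thread's excerpt: timestamp, queue file, message.
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<qid>\S+) (?P<msg>.*)$")
MIME_RE = re.compile(r"^MIME file: (?P<name>.+?) \[")
EXIT_RE = re.compile(r"^Virus scanner (?P<n>\d+) reports exit code of (?P<code>\d+)$")
ERROR_RE = re.compile(r"^Error (?P<code>\d+) in virus scanner (?P<n>\d+)\.$")
SCANNED_RE = re.compile(r"^Scanned: (?P<status>.*)$")

BANNED_EXTS = {"exe"}    # mirrors the thread's virus.cfg line: BANEXT exe
ARCHIVE_EXTS = {"zip"}   # BANZIPEXTS ON extends the ban to files inside ZIPs


@dataclass
class MessageScan:
    qid: str
    attachments: List[str] = field(default_factory=list)
    exit_codes: Dict[str, List[int]] = field(default_factory=lambda: defaultdict(list))
    scanner_errors: Dict[str, int] = field(default_factory=dict)
    status: Optional[str] = None


def parse_log(text: str) -> Dict[str, MessageScan]:
    """Group log lines by queue file and pull out the fields we need."""
    scans: Dict[str, MessageScan] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        scan = scans.setdefault(m.group("qid"), MessageScan(m.group("qid")))
        msg = m.group("msg")
        if (mm := MIME_RE.match(msg)):
            scan.attachments.append(mm.group("name"))
        elif (em := EXIT_RE.match(msg)):
            scan.exit_codes[em.group("n")].append(int(em.group("code")))
        elif (er := ERROR_RE.match(msg)):
            scan.scanner_errors[er.group("n")] = int(er.group("code"))
        elif (sm := SCANNED_RE.match(msg)):
            scan.status = sm.group("status")
    return scans


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def review_reasons(scan: MessageScan) -> List[str]:
    """Why a message deserves a second look. A scanner error is a fail-open
    condition: no AV verdict exists, so the extension ban is the only control
    left, and an archive's contents cannot be judged from the log alone."""
    reasons = [f"scanner {n} failed with exit code {code}"
               for n, code in scan.scanner_errors.items()]
    for name in scan.attachments:
        ext = extension(name)
        if ext in BANNED_EXTS:
            reasons.append(f"banned extension on {name}")
        elif ext in ARCHIVE_EXTS and scan.scanner_errors:
            reasons.append(f"archive {name} was not scanned; contents unknown")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Queue files that need review, with the reasons."""
    return {qid: reasons for qid, scan in parse_log(text).items()
            if (reasons := review_reasons(scan))}


if __name__ == "__main__":
    for qid, reasons in triage(SAMPLE_LOG).items():
        print(qid, "->", "; ".join(reasons))
```

Run against a real virus log the same way (read the file into `triage`); the useful operational signal is a non-empty result for any queue file whose final "Scanned:" status is an error, because that message was delivered or held on the strength of the content bans alone.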
Re: [Declude.Virus] More info about encrypted RAR virus and Declude failures
BANEXT RAR will block all RAR files, encrypted or not. That wasn't the issue at hand here. It was related to BANEZIPEXTSON (in my case) and possibly BANEZIPON.

Matt

Dan Shadix wrote:

BANEXT rar has been working great for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 26, 2007 11:36 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] More info about encrypted RAR virus and Declude failures

I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why. Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.

Note to Dave. This took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RARs when the file names are not extractable. I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIPs too: for both encrypted ZIPs and encrypted RARs where the file names can't be extracted, assume that it contains an EXE. This will allow for those that want to block all encrypted files and those that only want to block them when there is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,
Matt
Re: [Declude.Virus] new virus with .rar attachment
Symantec is being short-sighted. This is the same spammer sending this virus that was responsible for the seeded outbreak around New Year's. He starts his attacks at a moment's notice and ends them just as quickly. He can change his text faster than Symantec will ever be able to keep up with should he care to do so. He sends these through his network of spam zombies which he typically uses to send out stock spam. McAfee was detecting this within 2 hours of it first being seen. I saw hundreds of these within those two hours though. Thankfully it appears that almost all if not all were blocked as spam. Another saving grace is the fact that it came out as an encrypted RAR which very few people have support for. Be absolutely certain that he will be back.

Matt

Gary Steiner wrote:

Basically that is what ClamAV is doing. It detects it as a phishing spam.

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment

Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today: http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 10:31 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of "Virus Activity Detected!" and "Spyware Alert!" It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED]. http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
[Declude.Virus] More info about encrypted RAR virus and Declude failures
I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why. Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.

Note to Dave. This took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RARs when the file names are not extractable. I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIPs too: for both encrypted ZIPs and encrypted RARs where the file names can't be extracted, assume that it contains an EXE. This will allow for those that want to block all encrypted files and those that only want to block them when there is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,
Matt
Re: [Declude.Virus] Declude 4.3.46 Release
David and Linda,

Can I make a suggestion?... It would seem that you should either embed the code from pcre3.dll within Declude (if allowed), or at least modify decludeproc.exe so that it will not error out when this file is unavailable. Whenever you rely on outside files for ancillary functionality, it would be best to allow recovery from their unavailability. So if this is only used for filter files, then maybe you could just throw an error in the logs and skip all filter files. I could see locking conditions or other OS issues that could impact the availability of this file on occasion. If it is only loaded once when the service starts, then that's not such a big deal, but it is definitely better to lose regex than it is to lose Declude, as these systems have to have high availability and should be designed that way.

Thanks,
Matt

David Barker wrote:

The file was pcre3.dll and this would have only affected upgrades prior to 4.3.40 of Imail; however the downloads now include pcre3.dll for all versions prior.

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists)
Sent: Monday, April 16, 2007 3:38 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude 4.3.46 Release
Importance: High

Just got off the phone with Tech Support. A file pcres.dll was not included in the original upgrade executable and if that file is not in the \Imail directory the decludeproc service will not start. She had to send me the file separately and they will now be changing the upgrade executable.

John T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, April 16, 2007 11:24 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Declude 4.3.46 Release

Addresses this AVG issue. If you currently only have AVG as your virus scanner I would consider this a critical update.

EVA ADD Improved AVG virus database format for optimization
EVA ADD Improved speed of AVG scanning by 15-20%
EVA ADD Updated AVG (avgsdk.dll 1.2.449)
DEC ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013)
JM FIX Smartermail HELO was being picked up from the headers rather than the envelope
JM FIX Fixed log entry for PCRE when matching on location SUBJECT

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Monday, April 16, 2007 10:09 AM
To: declude.virus@declude.com
Subject: AW: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7

Hello Darell,

are you (or David :) sure with the return codes? I'm getting 0.0.0.1 and these files on both servers:

File          Darell      Alex
incavi.avm    4/15/2007   4/06/2007
microavi.avg  4/5/2007    4/05/2007
miniavg.avg   2/16/2007   2/16/2007
avi7.avg      2/21/2007   21/02/2007

I stopped decludeproc, renamed the AVG files and started decludeproc and I got the same files, all from today, but with the same size as before.

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, April 16, 2007 14:37
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7

Honestly, I am not sure what all the individual files are, but here are my dates:

incavi.avm - 4/15/2007
microavi.avg - 4/5/2007
miniavg.avg - 2/16/2007
avi7.avg - 2/21/2007

Howard - you can try this post from David from the Archive: http://www.mail-archive.com/declude.virus@declude.com/msg13473.html

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Howard Smith (N.O.R.A.D.) mailto:[EMAIL PROTECTED]
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]; 'David Barker' mailto:[EMAIL PROTECTED]
Sent: Monday, April 16, 2007 6:28 AM
Subject: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7

I have not had a virus update from Declude's AVG built-in scanner since 4/6/7. Has anyone received any later updates, or suggestions to fix the problem?

Howard Smith
N.O.R.A.D. Inc.
P.O. Box
Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
The format is the same as before, but with a different code, i.e.:

CODE YOUR-CODE-GOES-HERE

Matt

Bill Green dfn Systems wrote:

I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key message. According to the Archives, I need to put the Key in the declude.cfg file, but what is the correct syntax? License Key (KEY#)? or Product Key (Key#)? or just Key #?

Bill Green
dfn Systems
Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
Once you have the CODE in the Declude.cfg, make sure that you restart the decludeproc service in order to enable it.

Matt

Bill Green dfn Systems wrote:

Is there an actual set of instructions for a Declude Upgrade for IMail? The Declude site lists Installation Instructions, but they are for SmarterMail. The Knowledge Base is no help. Declude Support has gone Home. My Upgrade has gone horribly wrong and I now seem to have a hybrid monster.

Bill Green
dfn Systems

----- Original Message -----
From: Bill Green dfn Systems [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 22, 2007 6:31 PM
Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key message. According to the Archives, I need to put the Key in the declude.cfg file, but what is the correct syntax? License Key (KEY#)? or Product Key (Key#)? or just Key #?

Bill Green
dfn Systems
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
I hate autoresponders... but people sometimes tell me that I am too critical, so I guess I actually love them.

Matt

Colbeck, Andrew wrote:

I think I received 36 of them.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, January 04, 2007 12:55 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Importance: High

Is it me or did everyone get this autoresponder about 300 times?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roconnor
Sent: Thursday, January 04, 2007 9:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Here's an update about the attempted workaround. I added "SKIPIFEXT mismatched.exe" to my bannotify.eml and it didn't prevent the bounce. It would seem that while Declude is using the EXE extension from mismatched.exe in determining the bannotify.eml action, it is not using that file name in the variable that SKIPIFEXT is using.

It appears that there is no way to prevent the backscatter from this besides maybe turning off bounces for EXEs (which may or may not work), turning off all banned extension bouncing, or not blocking EXEs altogether. This definitely needs a solution since none of those options are acceptable, nor is the potential of bouncing so much E-mail. I know that I can create something to delete these messages on my own system, but I would still be vulnerable to other exploits by broken spamware, and of course that's only me and this affects all Declude users that block EXEs and use bannotify.eml to bounce.

Matt

Colbeck, Andrew wrote:

.. I hope that Declude will agree with Matt's point that backscatter must be avoided. There is ample precedent, for example in that the BOUNCE action was renamed to BOUNCEONLYIFYOUMUST to prevent backscatter.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, October 02, 2006 5:44 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

Matt,

I agree with every one of your points. My intent was to bring it up that I had reported this issue a long time ago as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. However, times change and backscatter is a huge issue. Maybe that's enough now to convince for an alteration of behavior, as my preference would be to handle mismatched exe's as its own class, for which I would not send bannotify messages.

Darrell

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

Darrell,

I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail. I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXEs that aren't detected as viruses. To check this, just search your Virus log for "mismatched.exe".

The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXEs. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXEs.

Matt

Darrell ([EMAIL PROTECTED]) wrote:

I brought this up to Scott several years ago, and he said this is not a bug but a by-design issue. He explained a scenario why this was important and I understood based on the explanation, but for the life of me I can't remember the scenario.

Darrell

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam. For example, here a
[Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam. For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]
Content-Disposition: inline; filename="smoky.1.gi"

You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd Subject: Re: diagnostician dull

This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXEs.

It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown" so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose for instance to block them, but not bounce them.

Thanks,
Matt
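Matt's advice to "search your Virus log for mismatched.exe" and Scott's scanner-error case from the exe-in-zip thread earlier on this page both come down to reading Declude Virus log lines. The following is an added example, not Declude's own code: it groups log lines by queue id and flags (a) messages where a scanner reported an error and (b) messages banned on an assumed .exe after a name/filename mismatch while every scanner returned 0, the case that produces bannotify.eml backscatter. The sample lines are constructed from the excerpts quoted in these threads (the clean message at the end is invented for contrast).

```python
import re
from collections import defaultdict

# One Declude Virus log line: timestamp, queue id (the .smd file), free text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<qid>\S+\.smd) (?P<text>.*)$"
)
EXIT_RE = re.compile(r"Virus scanner (\d+) reports exit code of (\d+)")
ERROR_RE = re.compile(r"Error (\d+) in virus scanner (\d+)")
MISMATCH_RE = re.compile(r"mismatched extensions \[([^\]]+)\]; assuming \.exe")
BAN_RE = re.compile(r"Banning file with (\S+) extension")
SCANNED_RE = re.compile(r"Scanned: (.+)$")

# Constructed sample built from the excerpts quoted on this page, plus one
# clean message (the "Scanned: OK" wording of that one is assumed, not Declude's).
SAMPLE_LOG = """\
07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]
10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 15:00:00.000 q0000clean000.smd MIME file: report.pdf [base64; Length=1000 Checksum=1]
10/01/2006 15:00:00.100 q0000clean000.smd Virus scanner 1 reports exit code of 0
10/01/2006 15:00:00.200 q0000clean000.smd Virus scanner 2 reports exit code of 0
10/01/2006 15:00:00.200 q0000clean000.smd Scanned: OK [MIME: 1 1000]
"""


def parse_log(text):
    """Group the free-text part of every parseable line by queue id, in file order."""
    messages = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            messages[m["qid"]].append(m["text"])
    return messages


def triage(text):
    """Return findings as a list of {'qid', 'kind', 'detail'} dicts."""
    findings = []
    for qid, texts in parse_log(text).items():
        last_exit = {}   # scanner number -> last exit code it reported (retries overwrite)
        errors = []      # (scanner, code) pairs from "Error N in virus scanner M"
        mismatch = None  # the [name-filename] pair Declude decided to treat as .exe
        ban_ext = None   # extension Declude banned on, if any
        scanned = None   # final "Scanned:" verdict for the message
        for t in texts:
            m = EXIT_RE.search(t)
            if m:
                last_exit[int(m[1])] = int(m[2])
                continue
            m = ERROR_RE.search(t)
            if m:
                errors.append((int(m[2]), int(m[1])))
                continue
            m = MISMATCH_RE.search(t)
            if m:
                mismatch = m[1]
                continue
            m = BAN_RE.search(t)
            if m:
                ban_ext = m[1]
                continue
            m = SCANNED_RE.search(t)
            if m:
                scanned = m[1]
        # (a) a scanner errored: the message was not judged by that scanner at all.
        for scanner, code in errors:
            findings.append({"qid": qid, "kind": "scanner_error",
                             "detail": f"scanner {scanner} exit code {code}; verdict: {scanned}"})
        # (b) banned only because of the assumed .exe, with every scanner clean:
        # these are the candidates for backscatter review.
        scanners_clean = bool(last_exit) and all(c == 0 for c in last_exit.values())
        if mismatch and ban_ext and scanners_clean:
            findings.append({"qid": qid, "kind": "mismatch_ban_clean_scanners",
                             "detail": f"{mismatch} banned as {ban_ext}; all scanners returned 0"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["qid"], f["kind"], f["detail"])
```

Point `triage` at the text of a real Declude Virus log to list the queue ids worth checking for bounced mail.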
Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Darrell,

I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail. I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXEs that aren't detected as viruses. To check this, just search your Virus log for "mismatched.exe".

The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXEs. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXEs.

Matt

Darrell ([EMAIL PROTECTED]) wrote:

I brought this up to Scott several years ago, and he said this is not a bug but a by-design issue. He explained a scenario why this was important and I understood based on the explanation, but for the life of me I can't remember the scenario.

Darrell

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam. For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]
Content-Disposition: inline; filename="smoky.1.gi"

You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd Subject: Re: diagnostician dull

This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXEs.

It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown" so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose for instance to block them, but not bounce them.

Thanks,
Matt
Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV
Yep, archive bombs are a huge threat since it only takes one message to kill a server that doesn't possess detection. Most AV programs have detection, but apparently ClamAV allows you to tune it. I would search for a value that approximated more than 99.9% compression if possible and block on that. I figure that a setting of 250 is 250:1 or 99.75% compression if I am reading things right, so maybe making it 1000 instead (i.e. 1000:1 or 99.9% compression) would be safer. The goal of a compression bomb is to just simply fill disk space and therefore impact a server's ability to function, typically by having many GB of data that decompresses from a zip/rar/etc. that is tiny in comparison. Matt Scott Fisher wrote: I think it is in their to defend against an archive bomb. Archive bomb: This is a seemingly small archive file that is actually highly compressed and expands into a huge file or several identical files. Such archives typically take quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus program that tries to scan them. Good anti-virus programs include a smart algorithm to avoid extracting such files - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Thursday, September 07, 2006 1:26 PM Subject: RE: [Declude.Virus] Oversized.RAR FOUND in ClamAV Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing here... It sounds like the max-ratio solution is a red herring. It sounds like ClamAV returned an error because it couldn't scan the overlarge file (compressed or not). It sounds like Gary's configuration is quarantining emails based on any non-zero return code from ClamAV and that this is not the behaviour he really wants. Comments? Flames? 
Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, September 07, 2006 7:02 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV I used (and probably posted the --max-ratio 0 ). The max-ratio defines the maximum compression ratio for scanned files. I kept getting legit text files that were zipped that were over ratio, so that's why I why I went to the max-ration 0. - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, September 06, 2006 9:31 PM Subject: [Declude.Virus] Oversized.RAR FOUND in ClamAV I have an email that was held as a virus after ClamAV was triggered with the result Oversized.RAR FOUND. I looked for an explanation but couldn't find anything detailed. Apparently this is due to some type of bug in ClamAV that shows up with certain RAR or ZIP files. I found one posting that suggested that the problem could be fixed by adjusting the max-ratio value. The default max-ratio value for ClamAV is 250. The suggested value for running it with Declude is 0. What would be the safest value to run with and why? Gary --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. 
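The max-ratio threshold argued over above, as an added example that is not part of the thread and is not ClamAV's own code: a simplified analogue of the check that reads a ZIP's declared sizes from its central directory and flags the archive when any member's expansion ratio exceeds a chosen limit (250 and 1000 are the values discussed; 0 disables the check, mirroring --max-ratio 0). The sample archives are constructed in memory.

```python
"""Ratio pre-check for ZIP archives (added example, not ClamAV's implementation).

Only central-directory headers are read; nothing is inflated, so a bomb costs
no disk or CPU to evaluate. Declared sizes can lie, so treat this as a
pre-check and still cap bytes written during any real extraction.
"""
from __future__ import annotations

import io
import os
import zipfile

DEFAULT_MAX_RATIO = 250   # ClamAV default quoted in the thread
STRICT_MAX_RATIO = 1000   # the tighter 1000:1 value suggested in the thread


def archive_ratio(data: bytes) -> tuple[int, int, float]:
    """Return (compressed_total, declared_uncompressed_total, worst_member_ratio)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed_total = sum(i.compress_size for i in infos)
    declared_total = sum(i.file_size for i in infos)
    worst = 0.0
    for info in infos:
        if info.compress_size == 0:
            # A non-empty member that claims zero stored bytes is the extreme case.
            ratio = float("inf") if info.file_size else 0.0
        else:
            ratio = info.file_size / info.compress_size
        worst = max(worst, ratio)
    return compressed_total, declared_total, worst


def exceeds_ratio(data: bytes, max_ratio: int = DEFAULT_MAX_RATIO) -> bool:
    """True if any member would expand beyond max_ratio to 1.

    max_ratio <= 0 disables the check entirely (the '--max-ratio 0' setting
    from the thread), so nothing is ever flagged.
    """
    if max_ratio <= 0:
        return False
    _, _, worst = archive_ratio(data)
    return worst > max_ratio


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed helper: pack members into a DEFLATE archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: 10 MiB of zeros deflates to roughly 10 KiB (about
# 1000:1), while random bytes do not compress at all (about 1:1).
BOMB_LIKE = build_zip({"big.bin": b"\0" * (10 * 1024 * 1024)})
BENIGN = build_zip({"photo.bin": os.urandom(64 * 1024)})

if __name__ == "__main__":
    for label, blob in (("bomb-like", BOMB_LIKE), ("benign", BENIGN)):
        c, e, r = archive_ratio(blob)
        print(f"{label}: {c} -> {e} bytes, worst member {r:.0f}:1, "
              f"flag@250={exceeds_ratio(blob)} "
              f"flag@1000={exceeds_ratio(blob, STRICT_MAX_RATIO)} "
              f"flag@0={exceeds_ratio(blob, 0)}")
```

A zipped plain-text file of the kind Scott mentions typically lands well under 250:1, so the ratio alone separates it from the all-zeros case; a ZIP nested inside a ZIP is not opened here and would need a recursive pass.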
[Declude.Virus] Invalid file types triggering on an invalid file type
I found a message blocked for an "Invalid ZIP Vulnerability", but it doesn't have a zip attachment. The only attachment on this message is a winmail.dat. While that winmail.dat file clearly contains data of some sort, I am pretty certain that it is triggering vulnerabilities inappropriately, and I am positive that this message was not a virus. My Declude Virus logs are showing both the Invalid ZIP Vulnerability and a bogus .jpg file. I would like to turn this detection off. Is there a switch to turn off this detection?

Detail follows:

HEADERS FROM THE SINGLE ATTACHMENT =

--=_NextPart_000_0056_01C6A9CF.4BDDA860
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"

VIRUS LOG ENTRIES =

07/17/2006 06:32:40.488 q674000a2e465.smd Vulnerability flags = 862
07/17/2006 06:32:40.566 q674000a2e465.smd MIME file: winmail.dat [base64; Length=2312012 Checksum=33270092]
07/17/2006 06:32:40.800 q674000a2e465.smd Virus scanner 1 reports exit code of 0
07/17/2006 06:32:41.253 q674000a2e465.smd Virus scanner 2 reports exit code of 0
07/17/2006 06:32:41.253 q674000a2e465.smd Found a bogus .jpg file
07/17/2006 06:32:41.253 q674000a2e465.smd Invalid ZIP Vulnerability
07/17/2006 06:32:41.253 q674000a2e465.smd Found a bogus .Zip file
07/17/2006 06:32:41.253 q674000a2e465.smd File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
07/17/2006 06:32:41.253 q674000a2e465.smd Scanned: CONTAINS A VIRUS [MIME: 7 2314810]
07/17/2006 06:32:41.269 q674000a2e465.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from ##.##.48.210]
07/17/2006 06:32:41.269 q674000a2e465.smd Subject: FW: M341092022 / M341092023

Thanks,

Matt
Re: [Declude.Virus] Invalid file types triggering on an invalid file type
I am running 4.0.9.4. I will also not upgrade to a newer version due to unacceptable licensing enforcement issues.

Thanks,

Matt

Darrell ([EMAIL PROTECTED]) wrote:

What version are you running, Matt? In version 3.0.5.20 they fixed a ms-tnef issue with winmail.dat. This might be the issue you are seeing.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Tuesday, July 18, 2006 7:48 PM
Subject: [Declude.Virus] Invalid file types triggering on an invalid file type
Re: [Declude.Virus] 4.2 build 20 Released 6 July 2006
Thanks. That does help.

Matt

David Barker wrote:

ALLOWVULNERABILITY NONSTANDARDHDR

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, July 07, 2006 11:08 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] 4.2 build 20 Released 6 July 2006

David,

In reference to the NONSTANDARDHDR vulnerability, did you include the ability to turn this off?

Thanks,

Matt

David Barker wrote:

EVA ADD New NONSTANDARDHDR vulnerability test. Messages found to have broken headers are moved to the \virus folder
EVA FIX ALLOWVULNERABILITIESFROM (for user)
EVA FIX BANEXT buffer overflow
SM ADD When an error is found in the envelope (.hdr) file the message is moved to the \error folder
SM ADD Decludeproc will not start without a valid domainlist.xml
SM FIX QUEUEFILE_SAVEFILE the log is showing the correct directory path
SM FIX Allows admin to set VIRDIR to any directory path in the virus.cfg

David Barker
Product Manager
Your Email security is our business
T 978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David,

I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt

David Barker wrote:

I have added the request to the wish list. We are focusing on replicating problems and fixing items from the list I had posted earlier last week. We are looking to do a release Thursday 8 July; it is currently undergoing testing. This is all obviously subject to change, just trying to keep you informed.

Items in next release:

1. Fix - ALLOWVULNERABILITIESFROM - full email address only
2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path
3. Add - Error in SM envelope file: if errors are found the mail will be moved to the error directory
4. Add - If the headers files are not found then the data file is moved to error directory.
5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check for the end of the headers.

David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

John,

Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense to focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and its customers alike.

Matt

John T (Lists) wrote:

I know. :( Declude, this is a feature whose time has come.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As I know yes, but BANNAME my_notebook.doc wouldn't work for files within zip-archives.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters. It's a zip-file containing a MS Word Document named my_notebook.doc. Most Virus-Scanners can't catch it. Virustotal has returned only two
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David,

The CRLF thing doesn't affect me since I have my own solution; however, for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programmatically determined with a great deal of ease (a simple regexp), and Declude could insert its headers into the correct place if this was done. Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is still not even recognizing that these bugs surely exist, much less fixed at this point. This concerns me greatly since I rely on this product for my business, and if it takes months to just confirm a bug, especially one that is widely reported, I can't responsibly rely on that product. It is pretty much the same thing as having a virus scanner that takes months to catch a particular virus, or having a Web browser that is never patched for a critical flaw. I consider both the Mail From issue and the base 64 encoding issues to be critical flaws that warrant immediate fixes. I am not alone in this. If you don't have a lot of people still griping about this stuff, it is because they are either not aware of the flaws, or they have already given up on trying to get you guys to fix them, or given up on relying on Declude altogether. These things should be fixed in hours or days and not weeks or months when they occur.

I assume that you are not the person making these development decisions, so this isn't directed at you, but those that make the calls need to fully understand the critical nature of these flaws, and their role in making sure that Declude can respond rapidly to such things not just now, but as they occur in the future.

Thanks,

Matt

David Barker wrote:

Matt,

Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test.

As for these items, they are on the list for engineers to confirm and test and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David,

Mail servers have absolutely no requirement to inspect the contents of the data. This is Declude's job to do. Additionally, most mail clients do support both the CR flaw as well as the long base64 encoding flaw, so anything making it past Declude due to the holes created by these bugs is a critical flaw. There are so many things out there that violate the RFCs, it's almost not even worth arguing about whose responsibility it is since these things definitely exist and need to be dealt with appropriately.

The issue with the CRs and Declude is not technically a vulnerability for any application out there besides Declude itself. Vulnerabilities in Declude have historically been formatting supported by mail clients which could be used to sneak past encoded attachments or scripting which could cause auto-execution or bypassing of virus scanners. The vulnerability only exists because Declude's SUBJECT action and header appending does not work appropriately, and some people chose to filter on such things instead of relying on other actions.

I do in fact receive legitimate E-mail that has only CRs. Any PHP programmer out there can make this mistake just like multiple vendors are violating RFCs by including a space in the SMTP commands where they don't belong, or adding headers that don't properly bracket IPs, etc. If this is introduced as a vulnerability, I want to turn it off. The reason is because I don't want to scan a directory full of Q and D files searching for false positives, and I know that they will exist. Others may be less anal about this, or have different traffic patterns that isolate them from such issues, or might simply not care. Ultimately however, if you just simply placed the Declude inserted headers in the best possible place (before the first CRCR) then this wouldn't be an issue. I find it hard to believe that no one there can figure out how to do that.

Regardless of who is right or wrong, right now every Declude user is vulnerable to viruses that may exploit the holes created by the base64 encoding error and the invalid character in the Mail From error. There is a virus that has been spreading for over a year that bypasses Declude Virus' calling of virus scanners due to the long encoding lines, and the only reason why this hasn't become an issue is because he only sends EXEs which most of us block by default and only causes backscatter. If someone were to write a virus that was in a zip or a DOC though, which most of us don't block, it would bypass our virus scanners 100% of the time. If they wanted to exploit some scripting holes in mail clients, all they would have to do is send with a non-ASCII character in the Mail From and they're good to go right past Declude. This is why these things are critical in nature.

I don't want to continually bring this stuff up, I just want you guys to get it. Pretend for a second that I am right, and then look back at what you are doing. Please.

Matt

David Barker wrote:

Matt,

The CRLF problem has more to do with the email server and not Declude; emails that are so badly broken should be either rejected by the email server or these headers should be standardized by the email server. Either way this is a much more complex issue than you make it out to be by just fixing it with a simple regexp; if it was as easy as that, do you not think we would have done this already?

Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around.

This is not how we are dealing with this issue. It is not an additional Spam test; as I clearly stated, we are dealing with this as a vulnerability because this should be addressed at the email server level and not Declude, therefore the message will be quarantined - as every instance we have seen of this has been invalid email.

The long base 64 encoding is a similar issue whereby the mail server should deal with these before they get to Declude, as such emails are clearly in violation of the RFCs and should be treated as suspect from the very beginning. To conclude, we are making every effort to address these issues because it is not being done at the server level; have you contacted Imail and asked for their response and/or fix?

David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
John,

Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense to focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and its customers alike.

Matt

John T (Lists) wrote:

I know. :( Declude, this is a feature whose time has come.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As I know yes, but BANNAME my_notebook.doc wouldn't work for files within zip-archives.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters. It's a zip-file containing a MS Word Document named "my_notebook.doc". Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results: Sophos has found "WM97/Kukudro-A", UNA has found a "Macro Virus". No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards

Markus
Re: [Declude.Virus] the ebay spoof spam stuff
Bob,

If they had a folder on a desktop, you have to assume that your server was hacked, rooted, and your account was exploited. The safest thing to do would be to change all of your administrative passwords everywhere on your network, and rebuild that server from a formatted disk. You could of course try to save the installation, but I have seen many such servers re-hacked and that suggests that being rooted is more common than not. Firewalling everything that isn't absolutely necessary is also very wise, and may have prevented this in the first place. They probably made their way in through some OS, service or scripting hack. Common targets of phishers are often any tool that allows uploads of one form or another such as content management systems/wikis or discussion boards. For instance, PHP-Nuke is a favorite, and anything that comes with a control panel hosting environment.

Lots of luck,

Matt

Bob McGregor wrote:

This is a bit off-topic but we had one of our servers last night have the ebay spoof page loaded on it. Anyone have info as to how this gets loaded and, more importantly, how to keep it from happening? The only things I found was the htm page that was referenced in the spam e-mail and a folder on the desktop named sign in_files with the images associated with the page. I want to keep it from happening again.

thanks,
bob
Re: [Declude.Virus] F-Prot Switches
I think that in the context of scanning E-mail, where executables are normally banned, this switch has far less risk of a false positive. Generally, virus scanners in Declude are only run on executables and JavaScript, and most executables are in fact viruses. On a desktop or server, there are far more executables that could be legitimate and the extra heuristics might be unwanted.

Matt

marc wrote:

Really rare information about the /AI switch... just found this about "Neural network": http://www.f-prot.com/support/windows/fpwin_faq/17.html

We will not use it, because it increases the risk of false alarms.

marc

At 03:55 29.03.2006, you wrote:

What is the value of the "AI" switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is.

/HEUR - Uses heuristic scanning of files.
/NOHEUR - Doesn't use heuristic scanning of files.
/AI - Uses Neural network heuristic scanning of files.
/NOAI - Doesn't use Neural network heuristic scanning of files.

Original Message
From: "Colbeck, Andrew" [EMAIL PROTECTED]
Sent: Tuesday, March 28, 2006 11:53 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Switches

#Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options
# are not listed when you ask fpcmd.exe for help, but they are definitely in the logs.
SCANFILE D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Tuesday, March 28, 2006 8:46 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Switches

After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
Mark,

A full list of the switches is located on the F-Prot site at the following address: http://www.f-prot.com/support/windows/fpwin_faq/20.html

Sometimes we must make assumptions about what these things mean. I believe that the three switches that you asked about are commonly used by Declude users on the lists, though I am not sure what the manual might be listing at this time.

Matt

Mark Reimer wrote:

Matt,

My config is similar to yours except you have AI/Packed/SERVER. What are the additional benefits to using these switches?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

This is F-Prot that is detecting this and not Declude. I believe that the reason is the "/PARANOID" switch that you are using. This is not a commonly used switch and it's not documented in the executable's help. Here's my config for F-Prot. I believe this should stop your issues if you change to it:

C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

I have no virus hits that match what you are showing for F-Prot using this config.

Matt

Kami Razvan wrote:

Hi Matt.. thanks for your quick reply.

Here are the virus log entries:

03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response

Here are our entries in the virus.cfg file:

SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found
# F-PROT - 2nd scanner
SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:
# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified
# CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

Hope that helps..

Regards,
- Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

You might want to post your full Declude Virus log snippet for one such message and identify both your Declude version and your virus scanners.

Matt
[Declude.Virus] New IE vulnerability, not patched yet
This one is apparently bad. Code is in the wild and they expect for some to start exploiting it. All versions of IE are affected except for the IE 7 beta 2 that was released 4 days ago. There are no patches out yet for the other versions of the browser. You cannot be infected through Outlook or Outlook Express, but they do believe that attackers might trick users to click on links from E-mail messages as a way of propagating. Based on experience, I would expect for the exploit to be delivered by plain/text or text/html messages that contain a link to an IP address, which would be another infected computer. Other such exploits have followed this path, though they have been mostly unsuccessful. This can however be a very effective way of delivering viruses since newly infected computers aren't as likely to be blacklisted, and virus scanners mostly won't pick this up. Declude using PRESCAN ON won't scan such messages, but I and some others have asked that PRESCAN ON be triggered by any linked IP address in the body of a message so that scanners can be called on phishing and linked viruses such as this potential exploit. I would like to request that again from Declude, but in the mean time, I will cross my fingers and hope that this potential never materializes. Note that PRESCAN ON saves about 50% or more CPU utilization when using two scanners, so turning it off isn't practical for many of us. Microsoft Security Advisory (917077) Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/917077.mspx Matt --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
Kami,

You might want to post your full Declude Virus log snippet for one such message and identify both your Declude version and your virus scanners.

Matt

Kami Razvan wrote:
Hi; We are having a major problem. A large number of emails are getting caught with the following message:

Containing: Possibly a new variant of JS/ virus In: [HTML segment] attachment

I have added: ALLOWVULNERABILITY JS but it is not working. Almost every HTML email and newsletter is getting caught by this vulnerability "feature". How can we disable this? It seems like the allow directive is not working.

Regards,
Kami
Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
Kami,

This is F-Prot that is detecting this and not Declude. I believe that the reason is the "/PARANOID" switch that you are using. This is not a commonly used switch and it's not documented in the executable's help. Here's my config for F-Prot. I believe this should stop your issues if you change to it:

C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

I have no virus hits that match what you are showing for F-Prot using this config.

Matt

Kami Razvan wrote:
Hi Matt.. thanks for your quick reply. Here are the virus log entries:

03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response

Here are our entries in the virus.cfg file:

SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found
# F-PROT - 2nd scanner
SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:
# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified
# CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

Hope that helps..

Regards,
- Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

You might want to post your full Declude Virus log snippet for one such message and identify both your Declude version and your virus scanners.

Matt
[Declude.Virus] PLEASE fix the issue with banned extension being detected when they shouldn't be
I have sent this to both support and the lists previously, and it is a long-term known issue, and it should be easy enough to work around. It needs to be fixed.

The problem is that Declude detects anything with a "com" extension as being a COM file. Unfortunately when Internet Explorer attaches a Web page that ends with ".com", or when you forward an E-mail in Netscape, it uses the subject as the file name, and if you end in ".com", or for that matter, any other banned extension (.exe, .bat, .pif, etc.) then Declude treats it like a banned file. I get false positives on this stuff all the time, but today I just realized that my own E-mail was being 86'd whenever I was forwarding something that ended in ".com". This makes banned extensions very problematic, and there is no reasonable method of reviewing such messages for false positives, so I am afraid to say that they mostly go missed.

This is entirely fixable. The types of attachments are clearly not executable files despite the name. An exception should be made for both types with all banned extensions.

The example below shows the construct of a MIME header that has a ".com" extension that Declude blocks:

--=_NextPart_001_03E9_01C55C92.CCFBC5C0
Content-Type: application/octet-stream; name="c.gif?NC=1255NA=1154PS=73838PI=7329DI=305TP=http%3a%2f%2fmsnbc.msn.com%2f"
Content-Transfer-Encoding: base64
Content-Location: http://c.msn.com/c.gif?NC=1255NA=1154PS=73838PI=7329DI=305TP=http%3a%2f%2fmsnbc.msn.com%2f

To construct this exception, one should understand that they are always "Content-Type: application/octet-stream", and the "name" always matches the "Content-Location" with the exception of "http://".

The following shows an example of a message attachment in Thunderbird (and all other Mozilla clients):

--070203060502050101090601
Content-Type: message/rfc822; name="MailPure Filtering Service Instructions - example.com"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="MailPure Filtering Service Instructions - example.com"

In this case one only needs to know that something that comes as "Content-Type: message/rfc822;" and "Content-Disposition: inline;" is clearly not a virus. Mail clients display such messages inline.

Note that this isn't limited to just ".com", but it is the most common that is blocked by banned extensions if you have "COM" listed. The above Subject for instance could have said "What are your thoughts on Declude.exe", and that would have been blocked if it was forwarded.

I suppose that it is possible that one or both of these things could be exploited, but they aren't currently, they are unlikely to be, and there is a very real issue with blocking files that shouldn't be blocked. I am afraid to say that extension blocking is not reliable. It could be made reliable, and this issue has been known for a long time, but it's still here.

Please, please, please fix this.

Thanks,
Matt
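The two exceptions proposed above, written out as an added example in Python. This is not Declude's code and not how Declude matches extensions (the page does not say how it does); the extension check below URL-decodes the name and drops a trailing "/" before looking at the last ".suffix", which is an assumption chosen so that both sample names on this page are caught. The banned list and the three sample header blocks are constructed for the example; the first two reproduce the IE and Thunderbird headers quoted in the post.

```python
"""Added example, not Declude's code: classify one MIME part whose file name
ends in a banned extension, applying the two exceptions proposed above.

Exception 1: application/octet-stream whose "name" is the tail of the
             Content-Location once the scheme is stripped (IE-saved page).
Exception 2: message/rfc822 with Content-Disposition inline (a forwarded
             message whose file name is the original Subject).
"""
import posixpath
from email.parser import HeaderParser
from urllib.parse import unquote

# Constructed banned list for the example; Declude's real list is site config.
BANNED_EXTENSIONS = {".com", ".exe", ".bat", ".pif", ".scr"}


def has_banned_extension(name, banned=BANNED_EXTENSIONS):
    """Approximation (assumption) of the blanket rule the post complains about:
    URL-decode, drop a trailing slash, then look at the final ".suffix"."""
    cleaned = unquote(name).strip().rstrip("/").lower()
    return posixpath.splitext(cleaned)[1] in banned


def is_saved_web_page(msg):
    """Exception 1: the name is the last path component(s) of Content-Location."""
    if msg.get_content_type() != "application/octet-stream":
        return False
    location = (msg.get("Content-Location") or "").strip()
    name = msg.get_param("name") or ""
    for scheme in ("http://", "https://"):
        if location.lower().startswith(scheme):
            path = location[len(scheme):]
            return bool(name) and (path == name or path.endswith("/" + name))
    return False


def is_inline_forwarded_message(msg):
    """Exception 2: an attached message the client displays inline."""
    return (msg.get_content_type() == "message/rfc822"
            and msg.get_content_disposition() == "inline")


def verdict(part_headers):
    """Return 'allow', 'exempt' or 'ban' for one MIME part's header block."""
    msg = HeaderParser().parsestr(part_headers)
    name = msg.get_filename() or ""      # Content-Disposition filename, else Content-Type name
    if not has_banned_extension(name):
        return "allow"
    if is_saved_web_page(msg) or is_inline_forwarded_message(msg):
        return "exempt"
    return "ban"


# Constructed sample parts. The first two copy the headers quoted in the post.
IE_PART = """Content-Type: application/octet-stream;
 name="c.gif?NC=1255NA=1154PS=73838PI=7329DI=305TP=http%3a%2f%2fmsnbc.msn.com%2f"
Content-Transfer-Encoding: base64
Content-Location: http://c.msn.com/c.gif?NC=1255NA=1154PS=73838PI=7329DI=305TP=http%3a%2f%2fmsnbc.msn.com%2f
"""
FORWARD_PART = """Content-Type: message/rfc822;
 name="MailPure Filtering Service Instructions - example.com"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="MailPure Filtering Service Instructions - example.com"
"""
EXE_PART = """Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"
"""
PDF_PART = """Content-Type: application/pdf; name="quarterly report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="quarterly report.pdf"
"""

if __name__ == "__main__":
    for label, part in (("IE", IE_PART), ("forward", FORWARD_PART),
                        ("exe", EXE_PART), ("pdf", PDF_PART)):
        print(label, verdict(part))
```

Note that a real .exe whose headers merely claim `message/rfc822; inline` would also pass exception 2, which is the exploitability the post itself acknowledges; the check decides only on headers, exactly as proposed, and does not look at the bytes.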
Re: [Declude.Virus] language specific messages
Canada...home of the ridiculously long disclaimers :)

Matt

Colbeck, Andrew wrote:
You can write it in French and Spanish in the same recip.eml; I've seen a lot of this technique in Canada, but it's in English and French.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 11:12 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED]] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA? I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner

--- [This E-mail was scanned for viruses by Declude EVA www.declude.com]
Re: [Declude.Virus] Running declude 4.x
This is also affecting Nick Hayer's posts, and seemed to start when Declude started using 4.0.8 for this list. Based on the headers that are being shown in the body, it appears that this is Declude 4.0.8 that is pushing some of the existing headers into the body. For those with headers in the body using prior versions of Declude, this may be due to the header formatting of the sending software and not necessarily Declude. That is a known issue, and it really has to do with Declude needing to do some error correction if I understand the conditions properly. These two things appear to be from different causes.

Matt

Kaj Søndergaard Laursen wrote:
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: 19 February 2006 08:33
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Running declude 4.x

I am wondering if the headers showing in the body of this message was intentional. If not then there is a bug in declude 4.x.

I'm also seeing this with Declude 3.0.5.26. Some mails, like the "Oxygen" mail-list from Panda, consistently show up with some headers shown in the mail. I'm using Outlook 2003.

Regards,
Kaj
Re: [Declude.Virus] Running declude 4.x
Kevin,

I would report it to their support address for a direct response (as they have instructed). Considering the weekend and holiday, and the likely fact that this will require a new release, I wouldn't expect a fix immediately, nor necessarily a response today. In the meantime I would suggest downgrading to 3.0.5.23 or below since this appears to have popped up after that.

Matt

Kevin Bilbee wrote:
I guess Declude needs to stand up and answer this thread. It is their software. I can repeat the issue by sending a message from our copier. With the 3.x version we were running it worked fine; as soon as I upgraded to 4.0.8 I had complaints from my users. On the copier emails it happens when there is no text after the SUBJECT: header. If we include a subject then Declude handles the message properly.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Sunday, February 19, 2006 9:27 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Running declude 4.x

This is also affecting Nick Hayer's posts, and seemed to start when Declude started using 4.0.8 for this list. Based on the headers that are being shown in the body, it appears that this is Declude 4.0.8 that is pushing some of the existing headers into the body. For those with headers in the body using prior versions of Declude, this may be due to the header formatting of the sending software and not necessarily Declude. That is a known issue, and it really has to do with Declude needing to do some error correction if I understand the conditions properly. These two things appear to be from different causes.

Matt

Kaj Søndergaard Laursen wrote:
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: 19 February 2006 08:33
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Running declude 4.x

I am wondering if the headers showing in the body of this message was intentional. If not then there is a bug in declude 4.x.

I'm also seeing this with Declude 3.0.5.26. Some mails, like the "Oxygen" mail-list from Panda, consistently show up with some headers shown in the mail. I'm using Outlook 2003.

Regards,
Kaj
Re: [Declude.Virus] ClamAV Footer ...
Andrew,

There is no native capability to do this dynamically. Adding a footer is also a difficult task since it must be integrated properly and selectively into multiple MIME segments, and without breaking certain types of messages that rely on strict formatting (such as calendaring). Sandy has a free app that allows for inserting footers into messages, but I don't believe it supports dynamic content. Look at the footer of one of Sandy's posts for a link.

Matt

Andrew Peskin wrote:
Hello all ... I am trying to do the following: On each message scanned by Declude and ClamAV, I would like to add a footer, specifying that the message has been scanned and found to be free of any virus, which version of ClamAV scanned it, which virus database was used, and what the date of the last update was to the virus database. Here is an example of a footer I would like ...

---
No Virus Found
Scanned by ClamAV
ClamAV 0.88/1290/Thu Feb 16 04:14:53 2006

Does anyone know how to accomplish this with Declude and ClamAV? Your help would be greatly appreciated. Thanks.

Andrew
Re: [Declude.Virus] AVAFTERJM
Thanks for the clarification.

Matt

David Franco-Rocha [ Declude ] wrote:
When scanning for viruses after JunkMail through use of the above directive, the following rule applies: All email will continue to be scanned for viruses EXCEPT those emails having a final JunkMail action of:

HOLD
DELETE

David Franco-Rocha
Declude Technical / Engineering
Re: [Declude.Virus] Encoded viruses...worried
You know, I was going to ask if you would do a search, but I figured you might do it anyway :)

You did leave out the ".uue" extension, but I doubt that would have changed your results. I suppose that if these extensions are hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic to become widespread and then take action. I do have a fair number of Mac users and probably more overseas traffic than you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them.

Matt

Colbeck, Andrew wrote:
On the plus side, there are mitigating circumstances...

First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfuscate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and for the latter, a buffer overflow).

If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this:

egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

(if you don't want the filename, stick a -h parameter and a space before that first quotation mark)

By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base.

...and that's a wrap for tonight.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant.

Blocking messages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives.

Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning.

I've been watching for copies of Blackworm that might be caught on my system so that I can check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats).

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Actually, I am already blocking hqz and uue so I went and added the others and will see what happens.

John T
eServices For You
"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?

John T
eServices For You
"Seek, and ye shall find!"
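Andrew's egrep answers "which attachments in these encodings did I receive", but the question he actually settled (how many of those were in messages Declude did not flag) needs the MIME line correlated with the INFECTED verdict for the same queue id. The script below does that over Declude virMMDD.log lines; it is an added example, not Andrew's command or any Declude tool. The line layout follows the log excerpts quoted on this page (`<date> <time> <queue id> MIME file: <name> [<encoding>; ...]` and `... File(s) are INFECTED [...]`), and the sample lines are constructed. It also adds `.UUE`, which Matt notes the original egrep left out.

```python
"""Added example, not Declude's code: tally attachments in the unconventional
encodings (BHX, HQX, B64, UU, UUE, MIM, MME) from Declude virMMDD.log lines,
split by whether the carrying message was later marked INFECTED."""
import re
from collections import defaultdict

ENCODED_EXTENSIONS = ("BHX", "HQX", "B64", "UU", "UUE", "MIM", "MME")

# "<date> <time> <queue id> MIME file: <name> [<encoding>; Length=.. Checksum=..]"
# Unnamed parts are logged as "MIME file: [text/html][7bit; ...]" and carry no
# file name, so the name group deliberately refuses to start with "[".
MIME_LINE = re.compile(r"^\S+ \S+ (?P<qid>\S+) MIME file: (?P<name>[^\[\]]+?) \[")
# "<date> <time> <queue id> File(s) are INFECTED [<scanner verdict>]"
INFECTED_LINE = re.compile(r"^\S+ \S+ (?P<qid>\S+) File\(s\) are INFECTED")
EXT_RE = re.compile(r"\.(" + "|".join(ENCODED_EXTENSIONS) + r")$", re.IGNORECASE)


def matching_lines(lines):
    """The egrep equivalent: every MIME line naming an encoded attachment."""
    return [line for line in lines
            if (m := MIME_LINE.match(line)) and EXT_RE.search(m.group("name"))]


def scan_log(lines):
    """Return {EXT: {"infected": n, "clean": m}} for the encoded extensions.

    The INFECTED verdict is logged after the MIME lines of the same message,
    so queue ids are collected first and reconciled once the log is read.
    """
    carriers = defaultdict(set)   # extension -> queue ids carrying it
    infected = set()
    for line in lines:
        m = MIME_LINE.match(line)
        if m:
            ext = EXT_RE.search(m.group("name").strip())
            if ext:
                carriers[ext.group(1).upper()].add(m.group("qid"))
            continue
        m = INFECTED_LINE.match(line)
        if m:
            infected.add(m.group("qid"))
    report = {}
    for ext, qids in carriers.items():
        hits = len(qids & infected)
        report[ext] = {"infected": hits, "clean": len(qids) - hits}
    return report


# Constructed sample log: first two lines copy the excerpt in Matt's post, the
# rest are made up to show one infected BHX carrier, one clean UUE and a JPG.
SAMPLE_LOG = """\
01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 09:12:01 Q7741EFB6011C4FA2 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 09:12:02 Q7741EFB6011C4FA2 File(s) are INFECTED [Kapser.A: 3]
01/16/2006 11:40:13 Q7741EFB6011C4FB7 MIME file: readme.uue [7bit; Length=4410 Checksum=392112]
01/16/2006 12:03:55 Q7741EFB6011C4FC0 MIME file: photo.jpg [base64; Length=88012 Checksum=901223]
"""

if __name__ == "__main__":
    import sys
    lines = (open(sys.argv[1], errors="replace").read().splitlines()
             if len(sys.argv) > 1 else SAMPLE_LOG.splitlines())
    for ext, counts in sorted(scan_log(lines).items()):
        print("%-4s infected=%d clean=%d" % (ext, counts["infected"], counts["clean"]))
```

Run it against a real `vir0116.log` as the first argument; a non-zero "clean" count for an extension is the false-positive exposure you would take on by adding that extension to the banned list.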
Re: [Declude.Virus] Blank folding vulnerablity help
Follow-up (and warning for others).

The problem was EDNS0. This is installed by default on Windows 2003 and must be disabled otherwise some firewalls and older versions of BIND will not resolve queries. More about disabling it can be found here: http://support.microsoft.com/kb/828263

The seriously strange thing is that I ran across this about a year ago and I had disabled EDNS0 on all of my production servers, and while the registry setting was still there showing it was disabled, reapplying the command to disable it, and restarting my DNS servers, caused the issue to go away. So it appears that some update or other unassociated config process caused EDNS0 to magically come back on with three of my boxes.

Marc, the fact that your DNS service provider has issues with a default Windows 2003 setting would be good reason for you to insist that they change immediately, or move your DNS to another provider. When I ran into this a year ago it was an older version of BIND that was causing issues, but I have heard that old Cisco and SonicWall software can also block these packets.

Matt

Matt wrote:
Marc,

One other off-topic thing. For some reason, none of my Windows 2003 DNS servers will resolve any of your DNS records. I can however resolve through other servers running on both Macs (BSD) and Linux, I can tracert to your DNS provider's IP space from my network, and I can query directly off of your DNS provider's servers using a query tool on my desktop. I tested 4 of my Windows 2003 DNS servers at two locations and two totally different networks though with timeouts on everything, and only for your domain and skynetweb.com. It seems that your provider is blocking or otherwise selectively not responding to queries made from Windows 2003 DNS (including nslookup running on those boxes). You might want to check into this because this is probably widespread.

Matt

Marc Catuogno wrote:
Matt, thanks again.

I can't get a download off of the Declude page other than the latest version and hot fixes for 1.76-1.82; no 2.x versions at all. I may venture into the 3s but I am still running IMAIL 8.15. I've been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade. Keep hoping SmarterMail will pan out; most of my users are on webmail and I hear that it is abysmal on IMAIL 2006. Sorry for the rant, but I hate how far behind I feel.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, January 30, 2006 9:10 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blank folding vulnerablity help

Marc,

2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump.

Matt

Marc Catuogno wrote:
So since I am running 1.82 I can either allow all vulnerabilities or not. I have been putting off upgrading till IMAIL and Declude are all at nice stable releases. Any input on what the latest/best working combo is? Crap. Thank you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, January 30, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blank folding vulnerablity help

ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0

Matt

Marc Catuogno wrote:
Matt, thank you. What version of Declude is needed for these allows?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, January 30, 2006 5:09 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blank folding vulnerablity help

Marc,

It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced
Re: [Declude.Virus] F-prot exit code 8 and body content
Markus,

I believe that this is something that several of us railed against and tried to get F-Prot to change. Formerly no known viruses would be tagged with an exit code of 8, but then they suddenly started tagging some known viruses this way, essentially requiring us to add that code in for detection. The downside of this is that this exit code also blocks things like encrypted zips. It was a real shame.

It's worth checking to see if F-Prot is tagging more recent known viruses with exit code 8 because if they are no longer doing this, I would assume that turning it off would be wise so long as you had two virus scanners running.

Note that I'm not dismissing your primary intention of pointing out the FP issue with virus scanning and a way to deal with it.

Matt

Markus Gufler wrote:
Today I've had a message held as a false positive (unknown virus exit code 8). F-Prot seems to end with this exit code if there is attached a password protected zip file and in the body is something like "password: ...". This message was definitively no false positive and so I requeued it. I've noted it due to the low number of postmaster virus warnings I receive, because they are sent to me only if the detected virus is not a forging one. Fortunately this legit message wasn't deleted from the virus folder between thousands of unwanted netskys and sobers.

Markus
[Declude.Virus] Encoded viruses...worried
Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links:

http://isc.sans.org/diary.php?storyid=1067
http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo! Groups. The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside. For instance, I found that some BHX files that clearly contained an executable payload, showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it, and there almost definitely was. The same attachment name with the same length was repeatedly detected as a virus later on that day. This likely was a PIF file inside, though it could also have been a JPG according to the notes on this virus. I, like most of us here, don't allow PIFs to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection.

Here's the conundrum. This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings. I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already.

I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common. This particular virus is so destructive that a single copy could cause severe damage to one's enterprise. I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe.

Matt
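What "banned extensions within the encoding" means in practice, as an added example (not Declude's code, and not a statement of what Declude does): for the uuencode case (UU/UUE) the inner file name is right there in the `begin <mode> <name>` header, so a filter only has to read that line and decode the body to apply the same banned-extension rule it applies to plain MIME attachments. The uuencode layout is the standard one and is decoded with `binascii.a2b_uu`; the sample attachment is constructed here with `binascii.b2a_uu` around a fake payload (a "MZ" prefix followed by counting bytes, not a real executable). BinHex (BHX/HQX) also carries the inner name in its header but is not decoded here.

```python
"""Added example, not Declude's code: read the inner file name out of a
uuencoded attachment and test it against a banned-extension list."""
import binascii
import posixpath

# Constructed banned list for the example; a real one is site configuration.
BANNED_EXTENSIONS = {".pif", ".exe", ".com", ".scr", ".bat"}


def parse_uuencoded(text):
    """Return (inner_name, decoded_bytes) for a uuencoded text block.

    Raises ValueError when the "begin" or "end" line is missing or a body
    line is not valid uuencode, so a mangled attachment is treated as
    suspect rather than silently passed as clean.
    """
    lines = text.splitlines()
    inner_name, start = None, None
    for i, line in enumerate(lines):
        parts = line.split(" ", 2)       # "begin 644 name with spaces.pif"
        if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
            inner_name, start = parts[2].strip(), i + 1
            break
    if start is None:
        raise ValueError("no 'begin <mode> <name>' line")
    data = bytearray()
    for line in lines[start:]:
        if line.strip() == "end":
            break
        if not line:
            continue                     # a2b_uu("") would yield 32 NUL bytes
        data += binascii.a2b_uu(line)    # the lone "`" line decodes to b""
    else:
        raise ValueError("no 'end' line")
    return inner_name, bytes(data)


def banned_inner_name(uu_text, banned=BANNED_EXTENSIONS):
    """Return the inner file name if its extension is banned, else None."""
    inner_name, _ = parse_uuencoded(uu_text)
    if posixpath.splitext(inner_name.lower())[1] in banned:
        return inner_name
    return None


def make_uuencoded(name, payload, mode="644"):
    """Constructed sample generator: what a sending client would produce."""
    out = ["begin %s %s" % (mode, name)]
    for offset in range(0, len(payload), 45):          # 45 bytes per line
        chunk = binascii.b2a_uu(payload[offset:offset + 45])
        out.append(chunk.decode("ascii").rstrip("\n"))
    out.extend(["`", "end"])
    return "\n".join(out) + "\n"


# Fake payload: an "MZ" prefix and counting bytes, not a real executable.
FAKE_PAYLOAD = b"MZ" + bytes(range(100))
SAMPLE_UU = make_uuencoded("Attachments001.pif", FAKE_PAYLOAD)

if __name__ == "__main__":
    print(SAMPLE_UU)
    print("banned inner name:", banned_inner_name(SAMPLE_UU))
```

The outer MIME part may be named something harmless (the log line above shows `Attachments001.BHX`); the point is that the decision has to be made on the name recovered from inside the encoding, not on the outer one.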
Re: [Declude.Virus] Blank folding vulnerablity help
Marc, It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced). ALLOWVULNERABILITY OLBLANKFOLDING I would actually suggest turning off all of the following: ALLOWVULNERABILITY OLCR ALLOWVULNERABILITY OLSPACEGAP ALLOWVULNERABILITY OLMIMESEGMIMEPRE ALLOWVULNERABILITY OLMIMESEGMIMEPOST ALLOWVULNERABILITY OLLONGFILENAME ALLOWVULNERABILITY OLBLANKFOLDING ALLOWVULNERABILITY OBJECTDATA ALLOWVULNERABILITY OLBOUNDARYSPACEGAP If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg: ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] Matt Marc Catuogno wrote: Somebody is sending e-mail that must get through (of course) and it is failing the blank folding Vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I dont want to allow vulnerabilities through but. 
01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316]
01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
Re: [Declude.Virus] Blank folding vulnerability help
ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0. Matt

Marc Catuogno wrote: Matt, thank you. What version of Declude is needed for these allows?
Re: [Declude.Virus] Blank folding vulnerability help
Marc, 2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump. Matt

Marc Catuogno wrote: So since I am running 1.82 I can either allow all vulnerabilities or not. I have been putting off upgrading till IMAIL and Declude are all at nice stable releases. Any input on what the latest/best working combo is? Crap. Thank you!
Re: [Declude.Virus] Blank folding vulnerability help
Marc, I'm using SmarterMail for hosted E-mail and 2.6 isn't quite where I would like to see it. I'm not sure what the new version will offer that 2.6 doesn't, but there will certainly be refinements for Declude such as support for WHITELIST AUTH and their port 587 support will enable us to lock it down to AUTH-only connections. On the other hand, some of the things that bother me somewhat are the proprietary format of the user's mail box files (there is a mix of binary and ASCII data and they can't be hand-edited). They also don't have tools available such as IMail's ExtractUsers.exe which outputs a file with all user information and their passwords. I also have some gripes about not being able to disable things like catch-all functionality and vacation messages, and I think that some of their default settings could be better thought out such as needing to check a box when entering a forwarding address or it will leave a copy of the messages on the server. On the flip side it does have some features that are nicer than IMail 8.15 such as a better Web interface and better performance. The interface is why I switched, but I still use IMail with Declude for doing all of my scanning. As far as IMail 2006 goes, I think they are doing a good job of listening, but naturally with such a big change to their Web interface one should wait a little bit for things to become fully vetted and stable. I think they are working fast to address all known issues. I also like the idea that IMail has opted for a very open Webmail implementation so that one can do a lot of tweaking to the Interface. I still haven't tried their Webmail, but if things turn out good, I might actually switch back from SmarterMail because for me it would be better to have just one platform to support, and I desire IMail's straightforward mailbox format and flexibility in tweaking Webmail. 
The way that SmarterMail works by showing messages on a totally different screen than the list of messages makes it impractical for doing spam review in capture accounts (unless you want to click back for every message). Maybe they will change to a framed format in 3.0, but until they do, I have no choice but to keep IMail. I'm sure that clears a lot of things up :) Matt

Marc Catuogno wrote: Matt, thanks again. I can't get a download off of the Declude page other than the latest version and hot fixes for 1.76-1.82, no 2.x versions at all. I may venture into the 3s but I am still running IMAIL 8.15. I've been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade. Keep hoping SmarterMail will pan out, most of my users are on webmail and I hear that it is abysmal on IMAIL 2006. Sorry for the rant, but I hate how far behind I feel.
Re: [Declude.Virus] Blank folding vulnerability help
Marc, One other off-topic thing. For some reason, none of my Windows 2003 DNS servers will resolve any of your DNS records. I can however resolve through other servers running on both Macs (BSD) and Linux, I can tracert to your DNS provider's IP space from my network, and I can query directly off of your DNS provider's servers using a query tool on my desktop. I tested 4 of my Windows 2003 DNS servers at two locations and two totally different networks though with timeouts on everything, and only for your domain and skynetweb.com. It seems that your provider is blocking or otherwise selectively not responding to queries made from Windows 2003 DNS (including nslookup running on those boxes). You might want to check into this because this is probably widespread. Matt
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
A quick update on this. I verified that when the virus scanner triggers using AVAFTERJM ON, the COPYFILE action will not trigger. This is good. It also means that people can ROUTETO a null account (auto-delete account), and use the COPYFILE action in place of HOLD and avoid having viruses stacking up in their held E-mail. The COPYFILE action also allows for adding JunkMail headers if you include the following command in your Global.cfg, which can be a further benefit.

COPYFILEACTIONWITHHEADERS ON

Apparently this is the default in SmarterMail...confusing. There is one caveat to turning this on that I should have mentioned earlier. Declude will modify the recipients in the Q* file if they were changed by a COPYTO or ROUTETO action whereas the HOLD action doesn't modify the Q* file. I did previously ask Declude to modify this behavior so that the original Q* file is copied before the changes are made. One good thing though is that the original recipients are still in that file, but not in a format that IMail will route to if they are requeued by just copying the file. You have to read and adjust the file with a script or manually if you wish to do this. For instance, the following would be an original Q* file:

QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
S[EMAIL PROTECTED]
NRCPT TO:[EMAIL PROTECTED]
R[EMAIL PROTECTED]

After a ROUTETO action sends the message to [EMAIL PROTECTED] and the COPYFILE action is applied with this switch, the Q* file would look like the following:

QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
S[EMAIL PROTECTED]
NRCPT TO:[EMAIL PROTECTED]
R[EMAIL PROTECTED]

As you can see, the "R" line is what IMail will actually deliver to, but you can read the file, delete the "R" lines and change the "NRCPT TO" lines to "R" lines and then requeue the message. And another note about this.
If others prefer the original Q file instead of the modified one to be used with COPYFILE, please voice your opinions. I can't understand how the modified Q file is useful at all, so I believe the behavior should be changed entirely instead of adding a switch and further complicating the code. This essentially would make it just like HOLD, but not a final action, and with the ability to have JunkMail headers in the D* file. Matt
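A worked version of the repair step Matt describes, added here as an example (it is not Declude's or IMail's code): read a Q* file that ROUTETO/COPYFILE has rewritten, discard the R records Declude wrote, and regenerate one R record per surviving NRCPT TO record so the file carries the original recipients again. The sample Q* file is constructed in the layout quoted in the post with placeholder addresses in place of the redacted ones; the one-record-per-line layout and the leading-letter record codes are assumptions drawn from that quote, and copying the result back into the spool next to its D* file is left to the operator, as the post says.

```python
import sys

# Constructed Q* file in the shape quoted in the post (one record per line).
# The addresses are placeholders; host names and IDs copy the post's example.
MODIFIED_Q_FILE = r"""QF:\\Dffe0699801363abc.SMD
Hmail.mailpure.com
Iffe0699801363abc
X1
WE:\mail.mailpure.com
E0,
Ssender@example.net
NRCPT TO:alice@example.com
NRCPT TO:bob@example.com
Rspamcapture@example.com
"""

NRCPT_PREFIX = "NRCPT TO:"  # assumed record code for the original envelope recipients


def delivery_recipients(q_text: str) -> list:
    """Addresses IMail will actually deliver to: the R records."""
    return [line[1:].strip() for line in q_text.splitlines() if line.startswith("R")]


def original_recipients(q_text: str) -> list:
    """Addresses the message was originally sent to: the NRCPT TO records."""
    return [line[len(NRCPT_PREFIX):].strip()
            for line in q_text.splitlines() if line.startswith(NRCPT_PREFIX)]


def restore_original_recipients(q_text: str) -> str:
    """Drop the R records written by ROUTETO/COPYTO and regenerate one R record
    per NRCPT TO record, giving the layout of the original Q* file again."""
    originals = original_recipients(q_text)
    if not originals:
        raise ValueError("no NRCPT TO records; original recipients cannot be recovered")
    eol = "\r\n" if "\r\n" in q_text else "\n"  # keep the file's own line endings
    kept = [line for line in q_text.splitlines() if not line.startswith("R")]
    return eol.join(kept + ["R" + addr for addr in originals]) + eol


if __name__ == "__main__":
    # usage: python requeue_q.py <modified Q* file> <output Q* file>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="latin-1") as fh:
        fixed = restore_original_recipients(fh.read())
    with open(dst, "w", encoding="latin-1", newline="") as fh:
        fh.write(fixed)
    print("delivery recipients now:", ", ".join(delivery_recipients(fixed)))
```

Refusing to proceed when no NRCPT TO record survives is deliberate: a Q* file without them cannot be requeued to anyone but the capture account, and writing it back silently would resend the message there.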
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me. As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail. Matt

Keith Johnson wrote: Markus, However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true? Keith

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Friday, January 27, 2006 12:03 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the av-engines. Markus
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic
I thought that AV false positives can occur with definitions for known virus names. In other words, if a message gets tagged as Bagle, it might be legit 0.1% of the time. So would this really be a complete solution? Matt

Colbeck, Andrew wrote: Markus would find this handy (as would other die-hards who are often seen to post in this forum) and would be willing to maintain a small list of entries for which he would like this behaviour. However, in addition to the FORGINGVIRUS DNS lookup feature that Declude already implements*, perhaps they would be interested in also implementing a DNS lookup feature for known virus names that customers could just delete out of hand. This would of course require ongoing maintenance on their part, and trust from their customers. Declude would provide a new switch to govern this behaviour, which would default to OFF, e.g.

AUTODELETEKNOWNWORMS ON

Thus, Markus would be satisfied with being able to manually pick and choose which virus families to delete, and administrators who want less hands-on involvement could turn ON this feature to save disk space. *The existing feature exists to skip email notification when the scanner engine returns the name of a known virus/worm that Declude knows forges the MAILFROM. The FORGINGVIRUS x feature is a manual version of this feature that lets the Declude customer add in more viruses. As far as I know, Declude.com does not keep a public list of the virus names that they test for via DNS. Please correct me if I'm wrong on any of this. Andrew 8)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Wednesday, January 25, 2006 2:37 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it: Why not allow commands like

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file?
I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as "suspicious" or "generic". But commands to delete certain virus names should be very easy to implement and allow us to eliminate 95% of all held viruses on our servers. Markus
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Let me try to summarize what seems to be the consensus here. With AVAFTERJM ON, only certain final actions will result in no virus scanning. Those apparently include the following:

HOLD
DELETE
DELETE_RECIPIENT (for the deleted recipients)

On the following final actions, virus scanning will occur:

DELETE_RECIPIENT (for non-deleted recipients)
ROUTETO
COPYTO
WARN
SUBJECT
HEADER
FOOTER
ALERT
LOG
BEEP

The following final actions are unclear to me as to the behavior and I haven't seen a mention about them here:

COPYFILE (for the file copied not the one delivered, might copy the virus)
MAILBOX (maybe bypasses virus scanning, could use ROUTETO instead)
ATTACH (not sure how this affects virus scanning, could bypass it in certain situations or all)
BOUNCEONLYIFYOUMUST (might bypass virus scanning)

It would seem that the only new issues under the most common configurations where spam is captured to accounts using ROUTETO would be that undetected viruses could land in these accounts. This is probably not that much E-mail on the typical day, though it could potentially include banned extensions that would create bounces with JunkMail running last. There would be an advantage to this in that it would help stop backscatter though. One could create a filter to segregate messages in these spam capture accounts that contained a common virus executable so that they could be handled differently, for instance, one could use the HEADER action or WARN action to tag the headers and then use IMail rules to move these messages into a special folder or delete them from the spam capture accounts if that was preferred. Would people agree that this is accurate? Matt

Darrell ([EMAIL PROTECTED]) wrote: HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM. ROUTETO, SUBJECT, Etc - Does get virus scanned. Think of it this way: anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned. Darrell

Matt writes: This is the crux of the issue that I would like to figure out.
I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me. As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail. Matt Keith Johnson wrote: Markus, However, Darrell mentioned that the AV scanner still runs once action is taking agains the SPAM message (i.e. routeto, subject, etc.). Is this not true? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Friday, January 27, 2006 12:03 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me). Wrong... if you block the messages on the servers: As we know usualy 50% of all incomming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if you're spam filters are set up properly they will filter out at least 50% of all incomming messages before they will reach the av-engines. Markus --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. 
--- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declud
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Dan,

You might try COPYFILE, which is essentially HOLD, but it adds the Declude headers to the messages. COPYFILE won't block the E-mail however, so you might want to either ROUTETO null, or HOLD and just delete what is in that folder since you have another copy. I am unclear about whether or not the COPYFILE action happens before or after virus scanning with AVAFTERJM ON, so that would need to be verified, but it might be a good workaround if this is a problem.

Matt

Dan Horne wrote:

IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether. HOLD is the only 'semi-final' action. All other actions either deliver the email to an mbox (in which case it is scanned by EVA), or remove the message completely (which is where the saved cycles come in).

IMO, AVAFTERJM should be changed so that only deleted emails, not held ones, bypass the AV scan. In other words, all messages should be first scanned for spam, then the ones that are not DELETED should all be scanned for viruses. This would close the security risk from re-queued messages. The AVAFTERJM option would then only be useful for those that use the DELETE action, but with the huge security risk involved in re-queueing unscanned messages I think that it is ALREADY only useful for those that use the DELETE action. Unfortunately the manual isn't clear on this point. At the very least, Declude should add a warning to the manual around AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the same configuration.

--DH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, etc. - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, etc. - Does get virus scanned.

Think of it this way: anything that ends up being delivered somewhere (i.e. mailbox etc.) gets scanned.

Darrell
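The two points made in this thread, Matt's classification of which final actions skip the AV engines under AVAFTERJM ON and Dan's warning that a HOLD plus re-queue bypasses scanning entirely, can be turned into a configuration check. The following is an added example, not Declude's own code: it reads a simplified config fragment (one `KEY value` line per setting, `#` starting a comment, which is an assumed approximation of global.cfg rather than a real parser for it), classifies the final actions it finds, and flags the HOLD combination and the actions the thread could not settle.

```python
"""Check a Declude JunkMail-style config for the AVAFTERJM / final-action interaction.

Added example, not Declude's own code. It encodes the classification from
Matt's summary and the HOLD re-queue risk Dan Horne describes. The config
format here (one 'KEY value' per line; '#' starts a comment) is a constructed
approximation, not a parser for a real global.cfg.
"""
from dataclasses import dataclass, field

# Final actions that, with AVAFTERJM ON, end processing before the AV engines
# run (per the list summary; DELETE_RECIPIENT only for the deleted recipients).
SKIPS_AV = {"HOLD", "DELETE", "DELETE_RECIPIENT"}
# Final actions after which the message is still delivered somewhere and is
# therefore still virus scanned.
SCANNED = {"ROUTETO", "COPYTO", "WARN", "SUBJECT", "HEADER", "FOOTER",
           "ALERT", "LOG", "BEEP"}
# Behaviour the thread could not settle; treated as unverified, not as safe.
UNCLEAR = {"COPYFILE", "MAILBOX", "ATTACH", "BOUNCEONLYIFYOUMUST"}


@dataclass
class LintResult:
    av_after_jm: bool
    skip_av: list = field(default_factory=list)
    scanned: list = field(default_factory=list)
    unclear: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_config(text):
    """Return (KEY, value) pairs; keys upper-cased, comments and blanks dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        pairs.append((key.upper(), value.strip()))
    return pairs


def lint(text):
    """Classify the configured final actions and flag risky combinations."""
    pairs = parse_config(text)
    res = LintResult(av_after_jm=any(k == "AVAFTERJM" and v.upper() == "ON"
                                     for k, v in pairs))
    for key, _ in pairs:
        if key in SKIPS_AV:
            res.skip_av.append(key)
        elif key in SCANNED:
            res.scanned.append(key)
        elif key in UNCLEAR:
            res.unclear.append(key)
    if res.av_after_jm:
        if "HOLD" in res.skip_av:
            res.warnings.append(
                "AVAFTERJM ON with HOLD: held mail is never virus scanned, and "
                "re-queueing it bypasses Declude entirely (DELETE it, or ROUTETO "
                "a capture account so the message is still scanned)")
        for action in res.unclear:
            res.warnings.append(
                f"AVAFTERJM ON with {action}: scanning behaviour is undocumented; "
                "verify it before relying on it")
    return res


# Constructed config fragments (not from any real server).
WEAK_CFG = """\
AVAFTERJM ON
WARN 5
SUBJECT 10
HOLD 15          # held mail can be re-queued unscanned
DELETE 30
"""

FIXED_CFG = """\
AVAFTERJM ON
WARN 5
SUBJECT 10
ROUTETO 15 spam@example.com   # still delivered, so still scanned
DELETE 30
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        r = lint(cfg)
        print(name, "skips AV:", r.skip_av, "scanned:", r.scanned)
        for w in r.warnings:
            print("  WARNING:", w)
```

The weak fragment produces one warning for HOLD; the fixed fragment, which captures spam with ROUTETO instead, produces none, because the routed copy is still delivered and therefore still scanned. The "unclear" set is deliberately not treated as safe: the thread left those actions unverified.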
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Correction. COPYFILE wouldn't work with HOLD, so you would need to ROUTETO null.

Matt
Re: [Declude.Virus] New Virus?
Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses... it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected, if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated, and avoid notifying them for fear of creating backscatter.

Matt

Colbeck, Andrew wrote:

A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

to your virus.cfg to cover the various naming conventions in the various engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED]. Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
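The backscatter argument above comes down to which notification files fire for a given detection and whether the engine's name for the sample matches a FORGINGVIRUS entry. The following added example models that decision; it is not Declude's code, and it assumes (rather than knows) that virus.cfg entries are `KEY value` lines, that FORGINGVIRUS and SKIPIFVIRUSNAMEHAS tokens match as case-insensitive substrings of the reported name, that a FORGINGVIRUS match suppresses only the outbound notifications (sender.eml and otherpostmaster.eml), and that a SKIPIFVIRUSNAMEHAS match suppresses all of them. The engine names and the macro-virus name are constructed for the demonstration.

```python
"""Model which Declude notification files would fire for a scanner detection.

Added example, not Declude's code. Assumptions: virus.cfg is read as
'KEY value' lines; FORGINGVIRUS and SKIPIFVIRUSNAMEHAS tokens are matched as
case-insensitive substrings of the name the engine reports; a FORGINGVIRUS
match suppresses only the outbound notifications (sender.eml,
otherpostmaster.eml); a SKIPIFVIRUSNAMEHAS match suppresses all of them.
"""
from collections import defaultdict

# Notification files that go to local accounts vs. to the (forgeable) sender side.
LOCAL_NOTIFY = {"recip.eml", "postmaster.eml"}
OUTBOUND_NOTIFY = {"sender.eml", "otherpostmaster.eml"}

# Constructed virus.cfg fragment following Andrew's suggestion on the list.
VIRUS_CFG = """\
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
SKIPIFVIRUSNAMEHAS Sober
"""


def parse_virus_cfg(text):
    """Group config values by key: {'FORGINGVIRUS': ['KAPSER', ...], ...}."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key.upper()].append(value.strip())
    return cfg


def _name_has(name, tokens):
    lowered = name.lower()
    return any(tok.lower() in lowered for tok in tokens)


def is_forging(name, cfg):
    return _name_has(name, cfg.get("FORGINGVIRUS", []))


def is_skipped(name, cfg):
    return _name_has(name, cfg.get("SKIPIFVIRUSNAMEHAS", []))


def notifications(name, cfg, present_files):
    """Sorted list of .eml files that would be sent for this detection."""
    if is_skipped(name, cfg):
        return []
    allowed = set(LOCAL_NOTIFY)
    if not is_forging(name, cfg):
        allowed |= OUTBOUND_NOTIFY
    return sorted(f for f in present_files if f in allowed)


def backscatter_risk(names, cfg, present_files):
    """Names for which a notification to a forgeable address would go out."""
    return [n for n in names
            if OUTBOUND_NOTIFY & set(notifications(n, cfg, present_files))]


# One sample as reported by several engines under different naming schemes,
# plus a constructed macro-virus name that no FORGINGVIRUS token covers.
ENGINE_NAMES = ["Kapser", "W32/Grew.A", "WORM_GREW.A", "W97M/Example.Macro"]
ALL_FILES = LOCAL_NOTIFY | OUTBOUND_NOTIFY
HARDENED_FILES = {"postmaster.eml"}  # Andrew's setup: internal notification only

if __name__ == "__main__":
    cfg = parse_virus_cfg(VIRUS_CFG)
    for n in ENGINE_NAMES:
        print(f"{n:22} forging={is_forging(n, cfg)!s:5} "
              f"sends={notifications(n, cfg, ALL_FILES)}")
    print("outbound risk, all files:", backscatter_risk(ENGINE_NAMES, cfg, ALL_FILES))
    print("outbound risk, hardened: ", backscatter_risk(ENGINE_NAMES, cfg, HARDENED_FILES))
```

The three engine names for the same worm all match through `KAPSER`, `GREW` or `WORM`, so no outbound notification goes out for them; the macro-virus name matches nothing, and with sender.eml present a notification would be sent to the From address. Removing the outbound files altogether, as Andrew and Matt both do, closes that gap regardless of how complete the FORGINGVIRUS list is.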
Re: [Declude.Virus] New Virus?
I should probably correct myself about this. postmaster.eml is fine; it's the otherpostmaster.eml and sender.eml that should be modified. Personally I would also remove them from the standard part of the manual and only include them as a footnote. Since recipient.eml and postmaster.eml are sent to local accounts, you can't make a good argument for changes there.

Matt

Colbeck, Andrew wrote:

I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see.

Recently, we had a single "macro virus" type issue, and that was where an HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachment, the message was internally re-queued for the user. I can barely remember the incident before that. The notifications always turn out to be flagging a new worm.

Andrew.
Re: [Declude.Virus] Sober.z
These subjects pretty much ended on the 5th, with only a few hitting on the 6th and none so far today. Curiously I was still running the b version, but it was detecting these. I'm not sure why I wasn't prompted for a download or notified before yesterday's E-mail from Frisk. Another good reason for using two scanners.

Matt

Colbeck, Andrew wrote:

Easy way to check if your Declude JunkMail is catching your viruses: check for the subject lines and see if you held those messages (or whatever you do with your spam). I just sorted out the subject lines for the sober.z only messages, and here are the ones I received:

Paris Hilton Nicole Richie
You visit illegal websites
You_visit_illegal_websites
Your IP was logged
Your_IP_was_logged

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Friday, January 06, 2006 8:53 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.z

I haven't checked today's results with fpcmd 3.16f, but here are yesterday's quick stats with fpcmd 3.16e:

8 W32/[EMAIL PROTECTED]
3 W32/[EMAIL PROTECTED]
27 W32/[EMAIL PROTECTED]
1 W32/[EMAIL PROTECTED]
10 W32/[EMAIL PROTECTED]
9 W32/[EMAIL PROTECTED]
81 W32/[EMAIL PROTECTED]

So, yes, Sober is detected by at least 3.16f... and going the extra mile, I've just looked up a few samples from yesterday's log and scanned those manually with fpcmd, and sure enough, 3.16f also detects them and produces the same output.

Perhaps you are not seeing Sober hits in Declude Virus because you're using the AVAFTERJM setting and your Declude JunkMail is doing a fantastic job of catching them as spam before your Declude Virus would get called.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J Porter
Sent: Friday, January 06, 2006 7:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught. I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot??

~Joe

----- Original Message -----
From: "Bruce Loughlin" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z

Has anyone else noticed that sober.z just stopped today? I was getting hundreds a day and now I have 0. Wasn't this the day it was to morph?

Bruce L.
AFM
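Andrew's check (look for the worm's subject lines in your log and see what JunkMail did with them) is easy to script. The following is an added example, not Declude's code or log format: the log lines are a constructed tab-separated sample (timestamp, queue id, action, subject), so `parse_line()` would need adapting to a real Declude log. It generalizes Andrew's list slightly by treating the underscore and space variants of a subject as the same subject and by matching case-insensitively, then reports per subject how many messages were held, deleted, routed or delivered.

```python
"""Audit constructed mail-log lines for Sober.z subject lines and the action taken.

Added example, not Declude's code or log format. The log format is a
constructed tab-separated one (timestamp, queue id, action, subject); real
Declude logs look different, so adapt parse_line() to your own files.
"""
from collections import Counter, defaultdict

# Subject lines Andrew reported for the Sober.z-only messages.
SOBER_SUBJECTS = [
    "Paris Hilton Nicole Richie",
    "You visit illegal websites",
    "You_visit_illegal_websites",
    "Your IP was logged",
    "Your_IP_was_logged",
]

# Constructed sample log, not from any real server.
SAMPLE_LOG = """\
2006-01-06 09:01:12\tD1A2B3\tHOLD\tYour IP was logged
2006-01-06 09:02:47\tD1A2B4\tDELETE\tYou_visit_illegal_websites
2006-01-06 09:03:05\tD1A2B5\tDELIVERED\tRe: meeting notes
2006-01-06 09:04:31\tD1A2B6\tHOLD\tParis Hilton Nicole Richie
2006-01-06 09:05:19\tD1A2B7\tDELIVERED\tYour_IP_was_logged
2006-01-06 09:06:02\tD1A2B8\tROUTETO\tyou visit illegal websites
2006-01-06 09:07:44\tD1A2B9\tDELETE\tYour IP was logged
"""

# JunkMail actions that count as "caught": the message never reaches a user mailbox.
CAUGHT_ACTIONS = ("HOLD", "DELETE", "ROUTETO")


def normalize(subject):
    """Compare case-insensitively and treat '_' and ' ' alike (the worm used both)."""
    return " ".join(subject.strip().lower().replace("_", " ").split())


SOBER_KEYS = {normalize(s) for s in SOBER_SUBJECTS}


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    stamp, qid, action, subject = parts
    return {"stamp": stamp, "qid": qid, "action": action.upper(), "subject": subject}


def audit(log_text):
    """Count, per Sober subject, which JunkMail action each message received."""
    by_subject = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = normalize(rec["subject"])
        if key in SOBER_KEYS:
            by_subject[key][rec["action"]] += 1
    return by_subject


def not_caught(by_subject):
    """Sober-subject messages that JunkMail let through to a mailbox."""
    return sum(n for counts in by_subject.values()
               for action, n in counts.items() if action not in CAUGHT_ACTIONS)


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for subject, counts in sorted(result.items()):
        print(f"{subject:28} {dict(counts)}")
    print("reached a mailbox:", not_caught(result))
```

On the sample, six of the seven lines carry a Sober subject; one of them (`Your_IP_was_logged`, delivered) got past the spam filters and would therefore have been the one that reached Declude Virus. A run over a real log should show the same shape: if every Sober subject was held or deleted, AVAFTERJM explains why the virus log stays quiet.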
Re: [Declude.Virus] AVG
I use Symantec Corporate for my real-time server scans. I like it because it is easy to manage, but my servers also don't have any users attached to them besides myself and some clients that FTP to their Web sites. I'm a proponent of mixing virus scanners on network servers and clients. Symantec Corporate is a killer desktop solution because of the manageability, and if you go that direction, I would put a different vendor on the servers just so you have the protection of two completely separate solutions.

Matt

Dean Lawrence wrote:

Thanks Scott,

So the Symantec product has worked well for you as your real-time scanner? Are you using the Symantec Antivirus Corporate Edition?

Dean

On 12/20/05, Scott Fisher [EMAIL PROTECTED] wrote:

When I used AVG it was consistently in the back of the pack for virus detections. It lagged so badly at the beginning of the encrypted zip days that I had to swap it out with Clam. It had pretty good scanning times.

I use FProt, Clam AV as a service and McAfee VirusScan. From a cost perspective ClamAV is free, and if you can find someone to sell you the command line VirusScan, it should be under $30 a year.

I use a real-time virus scanner of Symantec. I'd really recommend a different vendor as a real-time a/v to provide another level of security.

----- Original Message -----
From: Dean Lawrence
To: declude.virus@declude.com
Sent: Tuesday, December 20, 2005 7:29 AM
Subject: [Declude.Virus] AVG

I am looking for a new virus scanner for my Windows 2003 server and was wondering what all of you thought about AVG. This is both a web server and my mail server (imail) and I would be looking at it to be both my full-time file scanner and act as a secondary Declude scanner (I already am running F-Prot). If you like it and would recommend it, which version do you use? Would it be the file server edition?

Thanks,
Dean

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
Re: [Declude.Virus] AVG
Dean,

I have done two sites where resumes were uploaded, and the number of infected documents was unreal, especially considering that both dealt with recruiting tech people. It is definitely wise to virus scan. I would use anything for the server that can be easily managed in terms of exclusions (directories and file extensions). I also like Symantec for its ability to be configured to only scan on-change instead of on-access. The licensing isn't appropriate for a single machine though; you need at least 5 to make it practical. Symantec Corporate can also be installed as a stand-alone client. If you are looking for just one server, I would strongly consider another option with better licensing. AVG is probably up to the task, and F-Prot might be. The needs for a Web server scanner are not big when it comes to timely detection, so focus on configuration options and price.

Matt

Dean Lawrence wrote:

Thanks Matt,

I'm in a similar situation where this server is not part of my internal network, so the only people who would connect to it would be myself and a couple of clients via FTP. I do have a couple of web apps for recruiting clients where their candidates can upload resumes via a web form, so I want to make sure that these docs are scanned as they hit the server.

Interesting point though that you make about mixed scanners on servers and clients. It sounds like you like Symantec for your server scanner, but you like it even more as a client scanner. If you choose to use it for your client solutions, what would you recommend for your server in that particular scenario?

Thanks,
Dean
Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
Brian,

Software firewalls can have some big issues and often alert you on things that are inaccurate or normal circumstances that don't pose any threat. If you want to protect this server better, I would strongly suggest using hardware for your firewall. Any router out there that can block access by port should be enough to give you outstanding protection. With an IMail server, you don't need to open up but a handful of ports. For my entire network, which does both hosting and E-mail, I only have about 10 ports open to the entire world. This greatly limits the chances of being hacked, and if you keep patched, you are almost perfectly safe.

I do have an SMTPWIN string in my registry for my root account, but not others. I'm not sure what created those other strings for you.

ICMP packets are things like pings, and I have no clue what that alert you are seeing is about. I'm thinking that it might be inaccurate. I don't know though, but the best solution if you are concerned about security is to install a hardware based firewall, which could be a device that calls itself a firewall or just a router that can block ports as described above.

Good luck,

Matt

Crejob.com wrote:

Hi, Matt

Thanks for your help. I had renamed the sender.eml before; now, following your suggestion, I've just renamed the recip.eml.

FYI, after I removed the SMTPWIN string from the registry last time, my firewall prompted me that Imail1.exe had changed, and it also tried to respond to an Indonesian IP with the ICMP protocol. I manually blocked it; then the same IP tried another program, cross.exe, using the same ICMP protocol, and I blocked it again.

Regards
Brian

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 13, 2005 2:09 PM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

I am not aware of any exploits for 8.15 HF2 and your executable is the same as mine. I'll have to take back my suggestion that you were hacked.

I can't explain the issues with orphaned accounts on your system, and considering what you indicated, I'm not convinced it is related to IMail1.exe and the pop-up windows. Declude does use IMail1.exe to send out virus notifications if you have them configured. You can verify this by copying down the addresses that you see in the window and then checking your logs for other such messages from or to the same addresses. I suspect that you might find that these are all notifications from viruses.

If these are all virus bounces, I would suggest maybe reviewing and reconfiguring your use of notifications. The only notification that I use is the BANNotify.eml file, which is used when a banned extension or file name is found and the message turns up clean after being virus scanned. You may want to consider removing the recip.eml if you have that in your Declude directory. That file is used to notify the recipients of a blocked virus, but it is pretty much useless and confusing for your users/customers. If you have a sender.eml or otherpostmaster.eml in your Declude directory, I would definitely remove both of them. Over 99% of viruses are forging viruses, and by bouncing messages to forged senders or postmasters you would be creating backscatter, which is a very problematic relative of spam. It is almost completely safe to just block the detected viruses and not let anyone know about them. Even if entering the recommended SKIPIFVIRUSNAMEHAS Sober entry helped your current situation, it will definitely happen again and again unless you stay on top of this on a daily basis. It's just not worth it.

At the same time, you might want to check what the current recommended command line should be for your virus scanner(s), since there have been some changes in the last year that could result in missed viruses if you haven't updated your command line and/or definition downloads.

Matt

Crejob.com wrote:

Hi, Matt

Thanks for help, FYI
1: My version is 8.15 with the latest patch.
2: I've never enabled the IMAP service.
3: There was a firewall in place before this issue.
4: After adding SKIPIFVIRUSNAMEHAS Sober and removing all SMTPWIN from the registry, the problem has not happened again so far, but the firewall reports that IMAIL1.exe has changed. I checked the date of IMAIL1.exe; it's still modified 30 Dec 2004, and the size is 200KB (204,800 bytes). Is that normal?

Regards
Brian

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 13, 2005 1:39 AM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Brian,

I believe that IMail 8.15 and higher are protected from the exploit that you were hit with, and those versions are about a year and a half old now. IMail is certainly targeted on occasion by exploits and spammers looking to hijack servers, so it is best to keep your server appropriately patched, and firewall it so that only the bare minimum
Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
I am not aware of any exploits for 8.15 HF2 and your executable is the same as mine. I'll have to take back my suggestion that you were hacked.

I can't explain the issues with orphaned accounts on your system, and considering what you indicated, I'm not convinced it is related to IMail1.exe and the pop-up windows. Declude does use IMail1.exe to send out virus notifications if you have them configured. You can verify this by copying down the addresses that you see in the window and then checking your logs for other such messages from or to the same addresses. I suspect that you might find that these are all notifications from viruses.

If these are all virus bounces, I would suggest maybe reviewing and reconfiguring your use of notifications. The only notification that I use is the BANNotify.eml file, which is used when a banned extension or file name is found and the message turns up clean after being virus scanned. You may want to consider removing the recip.eml if you have that in your Declude directory. That file is used to notify the recipients of a blocked virus, but it is pretty much useless and confusing for your users/customers. If you have a sender.eml or otherpostmaster.eml in your Declude directory, I would definitely remove both of them. Over 99% of viruses are forging viruses, and by bouncing messages to forged senders or postmasters you would be creating backscatter, which is a very problematic relative of spam. It is almost completely safe to just block the detected viruses and not let anyone know about them. Even if entering the recommended SKIPIFVIRUSNAMEHAS Sober entry helped your current situation, it will definitely happen again and again unless you stay on top of this on a daily basis. It's just not worth it.

At the same time, you might want to check what the current recommended command line should be for your virus scanner(s), since there have been some changes in the last year that could result in missed viruses if you haven't updated your command line and/or definition downloads.

Matt

Crejob.com wrote:

Hi, Matt

Thanks for help, FYI
1: My version is 8.15 with the latest patch.
2: I've never enabled the IMAP service.
3: There was a firewall in place before this issue.
4: After adding SKIPIFVIRUSNAMEHAS Sober and removing all SMTPWIN from the registry, the problem has not happened again so far, but the firewall reports that IMAIL1.exe has changed. I checked the date of IMAIL1.exe; it's still modified 30 Dec 2004, and the size is 200KB (204,800 bytes). Is that normal?

Regards
Brian

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 13, 2005 1:39 AM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Brian,

I believe that IMail 8.15 and higher are protected from the exploit that you were hit with, and those versions are about a year and a half old now. IMail is certainly targeted on occasion by exploits and spammers looking to hijack servers, so it is best to keep your server appropriately patched, and firewall it so that only the bare minimum traffic is allowed in and out of it. FYI, if I recall correctly, the common hack affected those with IMAP enabled. If you just simply remove the hacked accounts and don't patch or disable the targeted services, you will likely get hacked again.

Matt

Crejob.com wrote:

Actually, imail1.exe created several blank accounts in my system, like t, te, tech, etc. These accounts show up in the registry and the webmail admin page, but in the IMail admin and the real users folder there are no such accounts.

In the registry, these forged accounts all have this record: SMTPWIN 20,20,524,350. It looks very much like the server is compromised, but as you can see from the IMail forum message below, someone used Regmon and captured that it is Imail1.exe that sets this value.

By the way, if anybody is still under the IMail warranty or service agreement, please contact IPSWITCH to solve it as soon as possible. Last year, 6 months prior to my warranty expiry, I raised this issue with Ipswitch tech support. They took quite a few weeks to reply to my 2 emails, but the problem was not solved at all; at that time I did not bother them too much as the problem was not severe. These days, when the same problem popped up again, I sent them an email with the same ticket No., telling them it's exactly the same issue, but they refuse to give me any answer because my warranty is expired now. As we can see from the IMail forum list and from the Declude list, at least 6-7 servers are affected, and in the IPSWITCH tech-support database there is no record related to SMTPWIN, so I guess they still have no idea what is really happening to IMail.

==
http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg85387.html

Ok, I think I found the process that creates the value. It looks like imail1.exe is the one creating the registry entry (see below output from RegMon).
Re: [Declude.Virus] New Virus Strain Pounding my systems
McAfee is detecting this currently as W32/[EMAIL PROTECTED]. F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago, and McAfee seems to have had this one tagged prior to the outbreak starting, since none have slipped through yet.

Matt

Rick Davidson wrote:

Heads up folks, I am stopping a new zip virus with the following junkmail rules; this is all I have seen so far. Contains an executable payload called File-packed_dataInfo.exe

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
Re: [Declude.Virus] Second scanner
Oh, one quick follow up. AVG at some point after that test made some changes and ruined their results. This caused me to remove that scanner. I haven't revisited this testing since then, so I am just assuming that AVG is slower than it showed there. Also, there was a follow up to that thread where Clam-AV in daemon mode was tested and found to be a very close second to F-Prot.

Matt

John Carter wrote:

This raises a question(s): Has anyone done any real testing of which AVs (in relation to Declude) perform the best, use the least resources, what is the best scanning order, and how many to use (how many is too many and what is the point of diminishing returns)? I realize something like this could drive you to drink, but the idea of having the most effective (most hits for least resources used) AV as one, then second best next, etc. (along with EXITSCANONVIRUSDETECT ON) is appealing.

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hirthe, Alexander
Sent: Friday, November 04, 2005 8:09 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Second scanner

I run both, AVG as second, Clam as third (and F-Prot as first)

-Original Message-
From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 04, 2005 2:51 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Second scanner

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: 4. november 2005 07:22
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Second scanner

I use AVG as the second scanner and am happy with the results.

Me too... I have not tried the windows version of ClamAV - the cygwin version did not run well in my setup.

Regards,
Kaj
Re: [Declude.Virus] Blast of zips coming in
Confirmed on my end. 31 of these hit us in the last hour starting at 10:03 a.m. EST. 80% of these would have passed spam blocking without the extra filtering that we have in place for this sort of thing. It appears to not be seeding, but a real virus spreading in the wild, based on the fact that these are mostly clean IP's and they come from all over the place.

Matt

John Carter wrote:

We are currently getting hit with a blast of emails with ZIP attachments. They are showing clean, at least with F-Prot and ClamAV under Declude, plus a manual scan by Trend Micro. They fake our user as sender. Attachments are among others: info_price.zip, text_sms.zip, max.zip, Health_and_knowledge.zip, and others.

John C
Re: [Declude.Virus] 3.0.5.10
Since this appears to be the beginnings of a "me too" thread... me too!

Matt

Scott Fisher wrote:

I would consider 3.0.5.10/11 interim releases... Scott would never have documented them. I too would like to see the release notes updated with each and every version... but it's a long, long standing issue.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 7:36 AM
Subject: Re: [Declude.Virus] 3.0.5.10

On that note, I would also like to reraise the need for documentation on reported/known issues with a particular release. A simple page with a quick note about each reported issue would be very beneficial. Also, I would think each release would be reported on the Declude Releases list like Scott used to do. Now we have to go check the website for new releases. Very inefficient.

Darin.

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 12:27 AM
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness. Put 3.0.5.10 in place this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but I didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, I came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now. Wonder if that is the reason .10 disappeared from the web site so fast.

This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed?

John
[Declude.Virus] New variant as of 15 minutes ago
Same servers, but this time it has a Regis.info.zip attachment and the subject is "Registration Confirmation". Basically I converted to blocking any zips below 200 KB that come from these providers with some filtering and it seems to be working. Matt
Re: [Declude.Virus] Possible new virus
This is scary. I verified the same pattern of the messages all being relayed through one of those two servers. The headers of the messages also show randomization in both the types of headers as well as the basic construct of things like message boundaries. This is very spammy, and it is a clear sign of this being a seeding event where machines that were previously compromised have been configured with spamware to carry out this coordinated mass-mailing.

As far as this particular worm goes, it follows a pattern now over a year old. The neo-Nazis in Germany have used this virus to infect machines, and then in turn they sent out massive amounts of propaganda. They did this twice so far, and before each event there was a similar outbreak of Sober. This shows a sophistication that I have not ever seen. The trick of relaying everything through a service provider really takes the cake. This virus was designed to not only get past virus scanners, but also spam blocking. I haven't seen any other viruses that have done anything to mask their true source like this one does.

Matt

Darin Cox wrote:

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg. Subject is "Your new Password". All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [Declude.Virus] AVAFTERJM ?
David,

You could write something to the message that Declude JunkMail was set to whitelist, and then copy the D*.smd file to the spool and the Q*.smd file to the overflow directory (or the proc directory in 3.0+). This would cause the message to be scanned by both JunkMail and Virus; however, it would be whitelisted in JunkMail if you followed that procedure.

Matt

David Sullivan wrote:

Thursday, September 22, 2005, 9:01:37 AM, you wrote:

AVAFTERJM ON goes in the virus.cfg file and it makes AV run after JM as you suspected. Several of us run this mode for the reason you cited. The only deal you have to remember is if something is trapped by JM and you put it back in the queue it will not be virus scanned.

This begs the follow up... if we have an automated release functionality whereby users can retrieve a held message, is there any way to resubmit that to Declude and specify virus scanning only to be performed? This would keep users from releasing viruses to themselves.
Re: [Declude.Virus] Admin - Please unsubscribe me
Don and Jim,

I believe this is an issue with IMail's listserv functionality. I believe that it desires a plain text response. Try sending the commands in a plain text message.

Matt

Don Duffy wrote:

Jim,

If you figure out how to get off of this list, please let me know. I must have unsubscribed ten times with no success. Good luck!

On 23 Sep 2005 at 8:55, Jim Smith wrote:

Sorry to post to the list, but I am hoping the admin of this list sees this. I want to unsubscribe and have followed the procedure 3 times to unsubscribe by sending email to [EMAIL PROTECTED], and typing "unsubscribe Declude.Virus". I have sent them in plain text formatted emails and nothing is happening. I am still on the list. Please remove me if you do not mind. Thank You

Don Duffy
Manager, Technical Services
Office 330-684-5103
Fax 330-684-5122
www.orrutilities.com
Re: [Declude.Virus] AVAFTERJM ?
David,

The one issue with calling declude.exe directly is that you don't want the Q*.smd file to be in the spool, otherwise IMail's Queue Manager can steal it, though that would only cause an error in this case and the message would be delivered. I would recommend moving the D*.smd file back into the spool and then calling the Q*.smd file from wherever you were storing it (using the COPYFILE operative I presume).

Matt

David Sullivan wrote:

Friday, September 23, 2005, 12:17:32 PM, you wrote:

You could write something to the message that Declude JunkMail was set to whitelist, and then copy the D*.smd file to the spool and the Q*.smd

That's a great idea. Something innocuous in the headers as a whitelist key. Rather than just putting it in /overflow though, couldn't I call declude.exe with the Q file name for immediate processing?
Re: [Declude.Virus] AVAFTERJM ?
David,

I believe so. The Q* file contains the path to the D* file, and that is always under the spool unless you have changed the Q* file to point elsewhere.

Also, the best way to embed something in the headers that can't be forged would be to do it above the Received lines and then code a custom filter that whitelists with a HEADERS WHITELIST STARTSWITH X-Reprocess: Reprocessed

Matt

David Sullivan wrote:

Matt,

Is it possible to call declude.exe with the path to another folder containing the Q/D?

The one issue with calling declude.exe directly is that you don't want the Q*.smd file to be in the spool, otherwise IMail's Queue Manager can steal it, though that would only cause an error in this case and the message would be delivered. I would recommend moving the D*.smd file back into the spool and then calling the Q*.smd file from wherever you were storing it (using the COPYFILE operative I presume).
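The re-scan round trip discussed in this thread (mark the held message with a whitelist key above the Received lines, put the D file back in the spool and the Q file in proc), as an added Python example that is not part of the original posts and not Declude's own code. It assumes the D*.smd file holds the raw RFC 822 message and that the Q*.smd file already points at the spool copy of the D file; the position check in is_reprocess_whitelisted goes beyond the STARTSWITH filter Matt describes, honouring the key only when it precedes every Received line.

```python
"""Stage a held message so Declude scans it for viruses only (added example).

Not Declude's own code. Assumptions beyond what the thread states: the
D*.smd file holds the raw RFC 822 message, the matching Q*.smd file already
points at the spool copy of the D file, and the custom JunkMail filter is
    HEADERS WHITELIST STARTSWITH X-Reprocess: Reprocessed
"""
import os
import shutil
import tempfile

# Whitelist key the JunkMail filter looks for (value from the thread)
REPROCESS_HEADER = "X-Reprocess: Reprocessed"

# Constructed sample of a held message as it would sit in a D*.smd file
SAMPLE_MESSAGE = (
    "Received: from mail.example.net by imail.example.com;"
    " Fri, 23 Sep 2005 12:17:32 -0400\r\n"
    "From: someone@example.net\r\n"
    "To: user@example.com\r\n"
    "Subject: quarterly figures\r\n"
    'Content-Type: application/zip; name="figures.zip"\r\n'
    "\r\n"
    "(constructed placeholder for the encoded attachment body)\r\n"
)


def header_lines(raw_message):
    """Return the header block as a list of lines, folded continuations joined."""
    head = raw_message.replace("\r\n", "\n").partition("\n\n")[0]
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # continuation of the previous header
        else:
            lines.append(line)
    return lines


def add_reprocess_header(raw_message):
    """Put the whitelist key above every Received: line, as the thread advises.

    IMail prepends its own Received: line to anything that arrives from
    outside, so a key sitting above all Received: lines can only have been
    added on this server.
    """
    return REPROCESS_HEADER + "\r\n" + raw_message


def is_reprocess_whitelisted(raw_message):
    """Mimic HEADERS WHITELIST STARTSWITH, plus a position check.

    Declude's filter would match the key wherever it appears in the headers;
    this added check honours it only when it precedes the first Received:
    line, so a copy forged by an outside sender is ignored.
    """
    for line in header_lines(raw_message):
        if line.lower().startswith("received:"):
            return False
        if line.startswith(REPROCESS_HEADER):
            return True
    return False


def stage_for_rescan(d_path, q_path, spool_dir, proc_dir):
    """Copy a held D/Q pair back for Declude: D into the spool, Q into proc.

    The Q file goes into proc (3.0+; overflow on older versions) rather than
    the spool so IMail's Queue Manager cannot grab it, and it is written last
    so Declude never sees a Q file whose D file is not there yet.
    """
    with open(d_path, encoding="latin-1", newline="") as fh:
        raw = fh.read()
    if not is_reprocess_whitelisted(raw):
        raw = add_reprocess_header(raw)
    new_d = os.path.join(spool_dir, os.path.basename(d_path))
    with open(new_d, "w", encoding="latin-1", newline="") as fh:
        fh.write(raw)
    new_q = os.path.join(proc_dir, os.path.basename(q_path))
    shutil.copyfile(q_path, new_q)
    return new_d, new_q


def stage_demo():
    """Run the whole procedure against constructed files in a temp directory."""
    root = tempfile.mkdtemp()
    hold, spool, proc = (os.path.join(root, n) for n in ("hold", "spool", "proc"))
    for d in (hold, spool, proc):
        os.makedirs(d)
    d_path = os.path.join(hold, "D1234.smd")   # constructed file names
    q_path = os.path.join(hold, "Q1234.smd")
    with open(d_path, "w", encoding="latin-1", newline="") as fh:
        fh.write(SAMPLE_MESSAGE)
    with open(q_path, "w", encoding="latin-1", newline="") as fh:
        fh.write("(constructed stand-in for a Q*.smd file)\r\n")
    new_d, new_q = stage_for_rescan(d_path, q_path, spool, proc)
    with open(new_d, encoding="latin-1", newline="") as fh:
        staged = fh.read()
    shutil.rmtree(root)
    return {
        "d_in_spool": os.path.dirname(new_d) == spool,
        "q_in_proc": os.path.dirname(new_q) == proc,
        "whitelisted": is_reprocess_whitelisted(staged),
        "original_untouched": not is_reprocess_whitelisted(SAMPLE_MESSAGE),
    }
```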
Re: [Declude.Virus] Seemingly bad virus this morning
I can confirm that F-Prot was again missing the Bagle zips this morning, however McAfee seems to have caught every one of them with a generic Bagle definition unlike yesterday. As of 2 p.m., F-Prot was still missing these Bagles. Matt Colbeck, Andrew wrote: FYI, Kaspersky reports that they're now up to something like 20 new variants of Bagle between Monday and Tuesday. Andrew 8)
Re: [Declude.Virus] Seemingly bad virus this morning
Oops, McAfee just slipped. Since 1:09 p.m. EST on my system we received 52 undetected zips (just over an hour). We caught these all with a custom filter. Matt Colbeck, Andrew wrote: FYI, Kaspersky reports that they're now up to something like 20 new variants of Bagle between Monday and Tuesday. Andrew 8)
Re: [Declude.Virus] blocking eml and msg attachments
Matt
Darin Cox wrote: With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separate
Re: [Declude.Virus] blocking eml and msg attachments
Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text. It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not it is better to see the plain text source or the rendered message. I guess I am used to seeing the plain text, and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape).

Matt

Darin Cox wrote:

Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 2:27 PM
Subject: RE: [Declude.Virus] blocking eml and msg attachments

My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg, as there was a virus reported to be using that. Sniffer responds to false positives and in doing so renames the request to 1.msg as an attachment to the response.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Wednesday, September 14, 2005 11:01 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] blocking eml and msg attachments

With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachments

What are others' thoughts on blocking eml and msg attachments? If there is an eml or msg attachment which has an executable or virus attachment, will Declude properly decode it, and will it be scanned for viruses and banned attachments?

John T
eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
Thunderbird just simply works. My only complaint is that the spell checker sucks and has serious problems if you are off by more than one letter. For the type of work that we do, it is definitely a better application. The E-mail is stored in plain text files so you can search it that way, and there's none of that magic stuff that hides important things from you the way that Outlook does. And of course hardly any known vulnerabilities for auto-execution.

Matt

Darin Cox wrote:

Plain text would be my preference as well, to see headers and message at once. Hmmm... may have to try Thunderbird again. It seemed to be missing some features I liked in OE the last time I tried it. I would use Outlook, but it still experiences too many failures in communicating with the TCP/IP stack, and is too slow and bloated for my taste... and preview doesn't seem to work as well as OE. If MS would combine the best features of OE and Outlook, they'd have a better mail client.

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 2:46 PM
Subject: Re: [Declude.Virus] blocking eml and msg attachments

Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text. It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not it is better to see the plain text source or the rendered message. I guess I am used to seeing the plain text, and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape).

Matt

Darin Cox wrote:

Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 2:27 PM
Subject: RE: [Declude.Virus] blocking eml and msg attachments

My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg, as there was a virus reported to be using that. Sniffer responds to false positives and in doing so renames the request to 1.msg as an attachment to the response.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Wednesday, September 14, 2005 11:01 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] blocking eml and msg attachments

With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachments

What are others' thoughts on blocking eml and msg attachments? If there is an eml or msg attachment which has an executable or virus attachment, will Declude properly decode it, and will it be scanned for viruses and banned attachments?

John T
eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
Darin,

I'm confused. FireFox, the Web browser, is at 1.5.1 beta, but Thunderbird, the E-mail client, is at 1.0.6.

I'm also not clear on what you mean regarding speed. I am very happy, and it seems to me that an empty OE or Outlook is much slower to launch, and Thunderbird seems faster when there is a ton of E-mail in a folder. Thunderbird is meant to be a fairly lean application. It is also very stable, at least on my system. I have about 7 E-mail accounts going, and I have over 2 GB of E-mail dispersed through them. You might be running into issues with indexing folders following an initial setup? Maybe you could be more specific about the speed issues.

Matt

Darin Cox wrote:

Just loaded it (1.5.1 beta). Seems to be almost identical to OE for the way I use it...except slower. Speed is one of the reasons I use OE instead of Outlook. :(

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 3:07 PM
Subject: Re: [Declude.Virus] blocking eml and msg attachments

Thunderbird just simply works. My only complaint is that the spell checker sucks and has serious problems if you are off by more than one letter. For the type of work that we do, it is definitely a better application. The E-mail is stored in plain text files so you can search it that way, and there's none of that magic stuff that hides important things from you the way that Outlook does. And of course hardly any known vulnerabilities for auto-execution.

Matt

Darin Cox wrote:

Plain text would be my preference as well, to see headers and message at once. Hmmm...may have to try Thunderbird again. It seemed to be missing some features I liked in OE the last time I tried it. I would use Outlook, but it still experiences too many failures in communicating with the TCP/IP stack, and is too slow and bloated for my taste...and preview doesn't seem to work as well as OE. If MS would combine the best features of OE and Outlook, they'd have a better mail client.

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 2:46 PM
Subject: Re: [Declude.Virus] blocking eml and msg attachments

Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text. It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not it is better to see the plain text source or the rendered message. I guess I am used to seeing the plain text and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape).

Matt

Darin Cox wrote:

Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 2:27 PM
Subject: RE: [Declude.Virus] blocking eml and msg attachments

My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg as there was a virus reported to be using that. Sniffer responds to false positives and in doing so, renames the request to 1.msg as an attachment to the response.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Wednesday, September 14, 2005 11:01 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] blocking eml and msg attachments

With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachments

What are others' thoughts on blocking eml and msg attachments? If there is an eml or msg attachment which has an executable or virus attachment, will Declude properly decode it, and will it be scanned for viruses and banned attachments?

John T
eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
Darin,

I would suggest maybe trying 1.0.6 instead of the beta. I have no measurable delay moving from one message to another; it's instantaneous. Even in the IMail Forum, in which I have messages going back to 1/1/2004, everything happens instantly. I am not on a laptop, and my system is only slightly faster as far as the stats go, but I don't think that makes a difference. Maybe the newer versions do things differently. I would doubt that the developers would accept a noticeable slowdown in a final version.

Matt

Darin Cox wrote:

According to the Thunderbird web page and download filename, Thunderbird has a 1.5.1 beta 1. Check the website. However, when I installed it, it said it was installing 1.4. Startup speed for Thunderbird is way faster than OE at just a few seconds compared to 20-30 seconds for OE, however I leave email open all day every day, so startup isn't much of an issue for me. What I am seeing much slower in Thunderbird is moving from one message to another in the preview window. In OE it's very snappy with ~1/2 second response, but in Thunderbird I'm seeing 1-3 seconds before I can read the message. Also, double-clicking to open the message is between 0.5 and 1 second in OE, but 3-4 seconds in Thunderbird. So, for reading mail quickly, it's much slower for me on a 3GHz P4 laptop with 1GB RAM. I have about 1GB of email in a couple hundred folders.

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 3:47 PM
Subject: Re: [Declude.Virus] blocking eml and msg attachments

Darin,

I'm confused. FireFox, the Web browser, is at 1.5.1 beta, but Thunderbird, the E-mail client, is at 1.0.6.

I'm also not clear on what you mean regarding speed. I am very happy, and it seems to me that an empty OE or Outlook is much slower to launch, and Thunderbird seems faster when there is a ton of E-mail in a folder. Thunderbird is meant to be a fairly lean application. It is also very stable, at least on my system. I have about 7 E-mail accounts going, and I have over 2 GB of E-mail dispersed through them. You might be running into issues with indexing folders following an initial setup? Maybe you could be more specific about the speed issues.

Matt

Darin Cox wrote:

Just loaded it (1.5.1 beta). Seems to be almost identical to OE for the way I use it...except slower. Speed is one of the reasons I use OE instead of Outlook. :(

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 3:07 PM
Subject: Re: [Declude.Virus] blocking eml and msg attachments

Thunderbird just simply works. My only complaint is that the spell checker sucks and has serious problems if you are off by more than one letter. For the type of work that we do, it is definitely a better application. The E-mail is stored in plain text files so you can search it that way, and there's none of that magic stuff that hides important things from you the way that Outlook does. And of course hardly any known vulnerabilities for auto-execution.

Matt

Darin Cox wrote:

Plain text would be my preference as well, to see headers and message at once. Hmmm...may have to try Thunderbird again. It seemed to be missing some features I liked in OE the last time I tried it. I would use Outlook, but it still experiences too many failures in communicating with the TCP/IP stack, and is too slow and bloated for my taste...and preview doesn't seem to work as well as OE. If MS would combine the best features of OE and Outlook, they'd have a better mail client.

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 2:46 PM
Subject: Re: [Declude.Virus] blocking eml and msg attachments

Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text. It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not it is better to see the plain text source or the rendered message. I guess I am used to seeing the plain text and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape).

Matt

Darin Cox wrote:

Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported.

Darin
[Declude.Virus] Seemingly bad virus this morning
FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS	END	NOTCONTAINS	boundary="
BODY	END	NOTCONTAINS	attachment; filename="
BODY	END	NOTCONTAINS	.zip" Content-Transfer-Encoding
BODY	15	CONTAINS	price

Matt
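As an added example (not from Matt's post or from Declude itself), here is a small emulator that runs the four-line filter above over constructed sample messages, so the gating logic of the END lines can be seen. It assumes Declude's filter semantics as I read them: four tab-separated fields per line, lines evaluated top to bottom, a matching END line stopping the filter with no weight, numeric weights added up, and case-insensitive substring matching; the whitespace normalisation that lets `.zip" Content-Transfer-Encoding` match across a header line break is my assumption.

```python
import re

# The filter as posted in the message above, with tab-separated fields.
PRICE_ZIP_FILTER = "\n".join([
    'HEADERS\tEND\tNOTCONTAINS\tboundary="',
    'BODY\tEND\tNOTCONTAINS\tattachment; filename="',
    'BODY\tEND\tNOTCONTAINS\t.zip" Content-Transfer-Encoding',
    'BODY\t15\tCONTAINS\tprice',
])


def parse_filter(text):
    """Return a list of (test, weight, action, needle) tuples, one per rule."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        test, weight, action, needle = line.split("\t", 3)
        rules.append((test.upper(), weight.upper(), action.upper(), needle))
    return rules


def _normalise(text):
    # Assumption: collapse CRLF and folding whitespace so that a needle like
    # '.zip" Content-Transfer-Encoding' can match across a header line break.
    return re.sub(r"\s+", " ", text).lower()


def split_message(raw):
    """Split an RFC 822 message into (headers, body) at the first blank line.
    MIME part headers inside the body stay in the body, which is what the
    'attachment; filename=' BODY rules above rely on."""
    headers, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return headers, body


def score_message(raw, rules):
    """Run the rules in order. Returns (score, indices_of_matching_rules).
    A matching END rule terminates the filter with a score of 0."""
    headers, body = split_message(raw)
    haystacks = {"HEADERS": _normalise(headers), "BODY": _normalise(body)}
    score, matched = 0, []
    for index, (test, weight, action, needle) in enumerate(rules):
        found = needle.lower() in haystacks[test]
        hit = (not found) if action == "NOTCONTAINS" else found
        if not hit:
            continue
        matched.append(index)
        if weight == "END":
            return 0, matched
        score += int(weight)
    return score, matched


def _mime_with_zip(attachment_name, note):
    """Constructed multipart message carrying one zip attachment."""
    return (
        "From: sender@example.invalid\r\n"
        "Subject: re: documents\r\n"
        'Content-Type: multipart/mixed; boundary="----=_Part_1"\r\n'
        "\r\n"
        "------=_Part_1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        f"{note}\r\n"
        "------=_Part_1\r\n"
        f'Content-Type: application/octet-stream; name="{attachment_name}"\r\n'
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "UEsDBBQAAAAIAA==\r\n"  # constructed filler, not a real archive
        "------=_Part_1--\r\n"
    )


# Constructed samples: the pattern described in the post, a benign zip, and
# a plain-text mail that merely mentions a price.
SAMPLE_WORM_LIKE = _mime_with_zip("price.zip", "see attached")
SAMPLE_BENIGN_ZIP = _mime_with_zip("report.zip", "quarterly report attached")
SAMPLE_PLAIN_TEXT = (
    "From: sales@example.invalid\r\nSubject: your quote\r\n\r\n"
    "The price is 5 units.\r\n"
)


def classify_samples():
    rules = parse_filter(PRICE_ZIP_FILTER)
    return {
        "worm_like": score_message(SAMPLE_WORM_LIKE, rules),
        "benign_zip": score_message(SAMPLE_BENIGN_ZIP, rules),
        "plain_text": score_message(SAMPLE_PLAIN_TEXT, rules),
    }


if __name__ == "__main__":
    for name, (score, matched) in classify_samples().items():
        print(f"{name:<11} score={score:<3} matched rules={matched}")
```

The plain-text mail is stopped by the first END line (no MIME boundary), the benign zip passes all three gates but never reaches a weight, and only the zip whose filename carries "price" scores 15.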
Re: [Declude.Virus] Seemingly bad virus this morning
This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is a cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS	END	NOTCONTAINS	boundary="
BODY	END	NOTCONTAINS	attachment; filename="
BODY	END	NOTCONTAINS	.zip" Content-Transfer-Encoding
BODY	15	CONTAINS	price

Matt

--- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
Re: [Declude.Virus] McAfee DailyDAT download location change.
I changed the subject so that people can be alerted to this.

Announcements of things like this would be useful to the entire Declude customer base. I am afraid that we are a little over a month behind. Those with a single scanner would be screwed.

I adjusted my scripts to use the link that you provided and it does in fact work just great...so far :)

Thanks,

Matt

Scott Fisher wrote:

Great catch Matt. Mine's gone too since August 2. Thank you Declude for the multiple virus scanner option.

Try: http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From: http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=st&q=dailydat&rnum=1&hl=en#61f1bcbcc4e71848

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is a cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS	END	NOTCONTAINS	boundary="
BODY	END	NOTCONTAINS	attachment; filename="
BODY	END	NOTCONTAINS	.zip" Content-Transfer-Encoding
BODY	15	CONTAINS	price

Matt
Re: [Declude.Virus] McAfee DailyDAT download location change.
David,

Information such as this is best 'pushed' rather than 'pulled'. Declude should have a notification list that sends announcements of important things concerning all products such as new interims/betas/releases, new and important bugs, updates on known issues and things that can broadly affect customers such as issues like this one. I wouldn't expect more than a few messages per month. There was an earlier list that was to be reserved for the absolute biggest issues that never got used, and the specificity of that list was its downfall. I would create a list and opt all customers into it but give them an opt-out message for the first mailing. Most Declude customers will never hear about things like this issue with McAfee otherwise. The site doesn't work at all for timely things such as this.

BTW, I believe there are probably scripts linked to or contained on the Declude site for McAfee updates. You will want to change those before anyone new adds it in to their system.

Thanks,

Matt

David Barker wrote:

I have been monitoring everything that has been said and I agree - there is a place I had setup on the front page for these kinds of alerts and I am currently working on the best way to provide this information to our customer base using that area on the website.

David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 3:58 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.

I changed the subject so that people can be alerted to this.

Announcements of things like this would be useful to the entire Declude customer base. I am afraid that we are a little over a month behind. Those with a single scanner would be screwed.

I adjusted my scripts to use the link that you provided and it does in fact work just great...so far :)

Thanks,

Matt

Scott Fisher wrote:

Great catch Matt. Mine's gone too since August 2. Thank you Declude for the multiple virus scanner option.

Try: http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From: http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=st&q=dailydat&rnum=1&hl=en#61f1bcbcc4e71848

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is a cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS	END	NOTCONTAINS	boundary="
BODY	END	NOTCONTAINS	attachment; filename="
BODY	END	NOTCONTAINS	.zip"
Re: [Declude.Virus] McAfee DailyDAT download location change.
The FTP site doesn't have the beta DAT's listed. It is the beta DAT's that contain the latest updates, and for an E-mail system, they are the best thing to use. Naturally they aren't as well tested as the other things, but they will block things more quickly and you have to weigh that against the possibility of losing E-mail. I would recommend the HTTP link that Scott provided unless the beta DAT's are available over FTP.

Matt

William Stillwell wrote:

The proper method to update the dat would be to pull the "ini" file

http://download.nai.com/products/datfiles/4.x/nai/update.ini

Then parse this [zip] section

[ZIP]
EngineVersion=0
DATVersion=4579
FileName=dat-4579.zip
FilePath=/pub/antivirus/datfiles/4.x/
FileSize=6448048
Checksum=2090,BED1
MD5=cc4e480fbc191a89354a5891ca4aa6dc

to obtain the URI Filename, then verify the MD5 Checksum, then unzip it, then notify you of the download, unzip, and send the DatVersion to you.

What happens if your download is corrupt? You now have successfully disabled your virus scanner.
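As an added example (not Stillwell's, McAfee's or Declude's code), here is the update.ini-driven check described above in Python: parse the [ZIP] section, compare size and MD5 against what the ini promises, and refuse a truncated or corrupt archive instead of unzipping it over the live definitions, which is the failure he warns about. The ini text and the archive are constructed inside the script (reusing the quoted DATVersion 4579 as the sample version) so it runs offline; the stand-in member names scan.dat and names.dat are assumptions.

```python
import configparser
import hashlib
import io
import zipfile


class UpdateRejected(Exception):
    """A downloaded DAT archive failed a check and must not be applied."""


def build_sample_dat_zip():
    """Constructed stand-in for dat-NNNN.zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scan.dat", b"constructed sample signature data\n")
        zf.writestr("names.dat", b"constructed sample names data\n")
    return buf.getvalue()


def make_update_ini(blob, version):
    """Constructed update.ini whose [ZIP] section follows the layout quoted in
    the thread (EngineVersion, DATVersion, FileName, FilePath, FileSize, MD5)."""
    return (
        "[ZIP]\n"
        "EngineVersion=0\n"
        f"DATVersion={version}\n"
        f"FileName=dat-{version}.zip\n"
        "FilePath=/pub/antivirus/datfiles/4.x/\n"
        f"FileSize={len(blob)}\n"
        f"MD5={hashlib.md5(blob).hexdigest()}\n"
    )


def parse_zip_section(ini_text):
    """Pull the fields needed to fetch and verify the archive out of update.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["ZIP"]  # option names are matched case-insensitively
    return {
        "version": int(section["DATVersion"]),
        "filename": section["FileName"],
        "url_path": section["FilePath"] + section["FileName"],
        "size": int(section["FileSize"]),
        "md5": section["MD5"].lower(),
    }


def verify_download(blob, meta):
    """Size, MD5 and archive integrity must all agree with update.ini.
    Returns the member files only when every check passes."""
    if len(blob) != meta["size"]:
        raise UpdateRejected(f"size {len(blob)} != {meta['size']}: truncated download")
    digest = hashlib.md5(blob).hexdigest()
    if digest != meta["md5"]:
        raise UpdateRejected(f"MD5 {digest} != {meta['md5']}: corrupt download")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:  # BadZipFile if not an archive
        bad_member = zf.testzip()  # CRC-checks every member; None means all good
        if bad_member is not None:
            raise UpdateRejected(f"CRC error in {bad_member}")
        return {name: zf.read(name) for name in zf.namelist()}


def run_update(blob, meta, installed_version):
    """Decide what to do with a download. Returns (status, detail): detail is
    the verified file set to install, or the reason for rejection. The live
    definitions are only ever replaced by a fully verified archive."""
    if meta["version"] <= installed_version:
        return "up-to-date", {}
    try:
        files = verify_download(blob, meta)
    except (UpdateRejected, zipfile.BadZipFile) as exc:
        return "rejected", str(exc)
    return "applied", files


if __name__ == "__main__":
    good = build_sample_dat_zip()
    meta = parse_zip_section(make_update_ini(good, 4579))
    print(meta["url_path"], run_update(good, meta, 4578)[0])
    # Same length but damaged bytes, then a short read: both must be refused.
    print(run_update(good[:-8] + b"\x00" * 8, meta, 4578))
    print(run_update(good[:-8], meta, 4578))
```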
Re: [Declude.Virus] Seemingly bad virus this morning
Scott and Andrew,

It does in fact work on my system. I'm using Wget 1.8.1+cvs. The beta definitions do change very frequently, so this might throw you off. Try executing a derivative of the following command twice and see what happens (remove the line break and adjust the paths):

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

Matt

Scott Fisher wrote:

Matt, does the wget -N command work for you with McAfee? I also use the -N and get the full download every time.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Nice script, but the executables don't change regularly, and many of us are using the command line version of McAfee that requires an unvalidated download. This also doesn't get the beta DAT's. I use a script that calls both wget and WinZip's free command line add-on (requires a registered WinZip). It is easy enough to replace that with any other command line unzipping tool. Personally I find WinZip to be perfectly reliable so I'm sticking with it.

REM wget writes its progress to stderr, so redirect it before piping to find;
REM "%%" is how a literal % is written inside a batch file.
C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END
C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
:END
ENDLOCAL

Matt

Markus Gufler wrote:

attached you can find a script (I'm not the creator of this script but can't remember who's the genius) that will download the superdats and also the dailydat-files, extract all necessary virus definitions and also engine updates, write any action to a logfile and keep the downloaded superdats so that you can't revert manually if it would be necessary. You need some command line tools like unzip and wget and adapt the path information in the script for your needs. This script works on my server now for years and I hope it will do so also if now a lot of people will run it on their servers.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

Hmm, yes. Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems like re-inventing the wheel. The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt -

Matt wrote:

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?

This link works - ftp.nai.com /pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is a cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Decl
Re: [Declude.Virus] Sudden Internet Slowdown
Maybe someone should reboot the Internet.

Matt

Keith Johnson wrote:

I am seeing this as we are attempting to get to certain websites and they can't be displayed.

Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodney Bertsch
Sent: Friday, September 09, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Sudden Internet Slowdown

Hello all!

This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere.

Thanks,

Rodney Bertsch
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Here's what I turned off:

ALLOWVULNERABILITY OLCR
ALLOWVULNERABILITY OLSPACEGAP
ALLOWVULNERABILITY OLMIMESEGMIMEPRE
ALLOWVULNERABILITY OLMIMESEGMIMEPOST
ALLOWVULNERABILITY OLLONGFILENAME
ALLOWVULNERABILITY OLBLANKFOLDING
ALLOWVULNERABILITY OBJECTDATA
ALLOWVULNERABILITY OLBOUNDARYSPACEGAP

This only works with 2.0.6.14+. There are more that are listed when you log into your account on declude.com and go to the page for 2.0.6.16. All of the above were producing repeated false positives from multiple sources, and ones like OLCR were especially problematic.

Matt

Don Brown wrote:

Thursday, August 11, 2005, 10:50:32 PM, Matt [EMAIL PROTECTED] wrote:

M David,
M With 2.0.6.16, which is available from the Declude site, you can turn
M off the Outlook CR Vulnerability. I have turned off all but a couple of
M these because of numerous false positive issues.

Which ones have you turned off and what is the syntax to use?

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364  Fax: (972) 788-5049
Re: [Declude.Virus] OT - Server Room Temperature
Doug,

Hard drives are probably the most sensitive components that you have in your servers, and I am not aware of any hard drives that should be run above 50C/122F. My server runs about 35F hotter for the system temp than the environment and about 40F hotter for the CPU's than the environment. Note that these readings are under normal load, but when the server redlines, the CPU's increase by about 15F and the system by about 5F. Considering that the hard drives create heat themselves and their much lower tolerance for heat in comparison to solid state components, it would seem that going over 30C/85F for the ambient temperature would be very dangerous as far as the hard drives go in an active server. Hard drives will likely go over their operating temperature long before the system or the processors unless you have a broken fan or bad connection with a heat sink. My system is spec'd at 15C/27F over the hard drive's tolerance, and my CPU's at 27C/50F over.

IMO, 66F is the proper server room temperature, and it gives some leeway for adding more equipment and other issues that can crop up such as A/C failures. 72F would be the high end normal temp that I would want to see. If my colo was over 75F, I would definitely complain. The guy next to me with 25 TB's of 15,000 RPM SCSI drives would probably complain louder :)

Matt

Doug Traylor wrote:

We just looked at the operating spec of our servers from the Manufacturer's (Dell) website. The max is listed as 95* F and we run around 80* F during the day on weekdays and up to 92* F on the weekends when they turn off the AC in the plant. We have our own AC which runs 24/7 in the computer room/closet. So far we have not had any noticeable system problems in the five years we have been operating this way.

When we had a large IBM mainframe with all the dressing, we kept it in a large computer room that was kept at a chilly 66* F. I was a computer operator then and worked in there for 8-12 hours a day. I would wear two shirts and long sleeves to work, even when it was 110* F outside - Texas.

Doug

- Original Message -
From: Jeff
To: Declude.Virus@declude.com
Sent: Thursday, August 11, 2005 8:58 AM
Subject: [Declude.Virus] OT - Server Room Temperature

Can someone point me to a source of information regarding what temperature a server room should be at?

Thank you.
Re: [Declude.Virus] OT - Server Room Temperature
Doug,

It seems to be within normal conditions that you have a 20%/5 year failure rate, but the sample is way too small to make any sort of scientific determination. Certain types of drives are of course better than others, and drives can degrade substantially without actually failing. It's also hard to tell how long they might have lasted if it averaged 20F lower than it is now, or what effect raising the temperature on the weekends only might cause. The bottom line would seem to be what the potential cost to the business is when a server completely goes down, either to be rebuilt, restored, due to multiple drive failures, or failure of some other component due to heat. You clearly aren't a banking institution, though depending on circumstances, your servers might be just as vital and therefore worth the extra ~$20/month that it costs to keep them cooler...or maybe not. Ever wonder why good backup software costs more than the OS?

Matt

Doug Traylor wrote:
> I agree that the room should be much cooler, I hate coming in on the weekends here, but the management has an "if it ain't broke don't fix it" attitude and point out that we have had no significant problems over 5 years so why change things now. We have had a few drives (4 out of 20) fail over the years, some internal, some in a Powervault, but nothing that seems out of the ordinary for 5 year old 10k rpm drives that are always on. Since they are all raided, it has not caused us any trouble yet and we simply replace the drive under our service contract. I always look at it as an opportunity to get more drive space as they don't make drives that small anymore. Upgrading our drives one at a time. :o)
>
> 4 failures out of 20 drives over 5 years. Does that seem too high a failure rate or about average? If it could be proven that the high temps are causing drive failures the management might be a bit more interested in upgrading the AC system in the computer room.
>
> Doug
>
> ----- Original Message -----
> From: Matt
> To: Declude.Virus@declude.com
> Sent: Friday, August 12, 2005 11:30 AM
> Subject: Re: [Declude.Virus] OT - Server Room Temperature
>
>> Doug,
>>
>> Hard drives are probably the most sensitive components that you have in your servers, and I am not aware of any hard drives that should be run above 50C/122F. My server runs about 35F hotter for the system temp than the environment and about 40F hotter for the CPU's than the environment. Note that these readings are under normal load, but when the server redlines, the CPU's increase by about 15F and the system by about 5F. Considering that the hard drives create heat themselves and their much lower tolerance for heat in comparison to solid state components, it would seem that going over 30C/85F for the ambient temperature would be very dangerous as far as the hard drives go in an active server. Hard drives will likely go over their operating temperature long before the system or the processors unless you have a broken fan or bad connection with a heat sink. My system is spec'd at 15C/27F over the hard drive's tolerance, and my CPU's at 27C/50F over.
>>
>> IMO, 66F is the proper server room temperature, and it gives some leeway for adding more equipment and other issues that can crop up such as A/C failures. 72F would be the high end normal temp that I would want to see. If my colo was over 75F, I would definitely complain. The guy next to me with 25 TB's of 15,000 RPM SCSI drives would probably complain louder :)
>>
>> Matt
>>
>> Doug Traylor wrote:
>>> We just looked at the operating spec of our servers from the Manufacturer's (Dell) website. The max is listed as 95* F and we run around 80* F during the day on weekdays and up to 92* F on the weekends when they turn off the AC in the plant. We have our own AC which runs 24/7 in the computer room/closet. So far we have not had any noticeable system problems in the five years we have been operating this way.
>>>
>>> When we had a large IBM mainframe with all the dressing, we kept it in a large computer room that was kept at a chilly 66* F. I was a computer operator then and worked in there for 8-12 hours a day. I would wear two shirts and long sleeves to work, even when it was 110* F outside - Texas.
>>>
>>> Doug
>>>
>>> ----- Original Message -----
>>> From: Jeff
>>> To: Declude.Virus@declude.com
>>> Sent: Thursday, August 11, 2005 8:58 AM
>>> Subject: [Declude.Virus] OT - Server Room Temperature
>>>
>>>> Can someone point me to a source of information regarding what temperature a server room should be at? Thank you.
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
David,

With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues. As far as this message goes, it is almost definitely their antivirus scanning product that munged the headers (X-AntiVirus: gadoyanvirus 0.3), but it could be something else that adds or rewrites headers. They certainly look strange to me, and possibly not RFC compliant outside of the CR issues. Thunderbird definitely has no issues with this, nor does almost every legitimate E-mail client out there, but people that script E-mail generation (especially PHP stuff) or use obscure products seem to have issues with this frequently enough that it is not worth the trouble. If there was ever an exploit spreading actively in the wild, I would rethink my position. I believe that Microsoft has long since patched the flaw, though it can certainly cause parsing issues in virus scanners that could lead to missing the payloads due to a message that was improperly formatted.

Matt

David Dodell wrote:
> Had email from a company today (Photodex) rejected due to the Outlook 'CR' Vulnerability but from the headers it looks like the email originated from Thunderbird as the email client ... see headers below ... Is it time to drop the Outlook vulnerability test??
>
> David
>
> Received: from eman.photodex.com [64.132.190.157] by drdodell.com (SMTPD32-8.05) id AB6E1D23028A; Thu, 11 Aug 2005 10:31:26 -0700
> Received: (qmail 7712 invoked from network); 11 Aug 2005 17:31:26 -
> X-AntiVirus: gadoyanvirus 0.3
> Received: from unknown (HELO ?10.10.0.149?) (10.10.0.149) by eman.vpn.photodex.com with SMTP; 11 Aug 2005 17:31:26 -
> Message-ID: [EMAIL PROTECTED]
> X-Photodex-Original-Date: Thu, 11 Aug 2005 12:32:11 -0500
> From: Photodex Corporation - Chris [EMAIL PROTECTED]
> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> Subject: Re: ProShow Gold Support Request
> References: [EMAIL PROTECTED]
> In-Reply-To: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> Date: Thu, 11 Aug 2005 12:31:26 -0500
> David,
> X-Declude-Sender: [EMAIL PROTECTED] [64.132.190.157]
> X-Spam-Tests-Failed: None [0]
> X-Country-Chain:
> X-Note: This E-mail was sent from ([64.132.190.157]).
> X-Hello:
> X-Declude-Virus: Detected [ Outlook 'CR' Vulnerability].
>
> -
> Internet Dental Forum www.internetdentalforum.net
> Dentalcast Podcast www.dentalcast.net
Re: [Declude.Virus] OT: e-mail headers
Greg,

I am going to guess that the headers:

Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: BASE64

...are wrong for a message that contains both a text part and a base64 encoded part. If there are in fact two parts, it would seem proper for something like the following to replace them in the headers:

Content-Type: multipart/mixed; boundary=unique_boundary

...and then in the body the text and base64 code should be separated by the boundaries. Declude probably sees the Content-Type header as text/plain but then sees a base64 segment and tags the vulnerability. I believe that your headers would work if there was only a single base64 segment in the body and no plain text that wasn't encoded.

Before jumping the gun, it would be nice to see the full source of the message. You can edit the text and screw up the base64 stuff if you wish since it's the formatting that really matters here.

Matt

System Administrator wrote:
> We are developing an ecommerce web site but we are having problems with the e-mail associated with the buying experience. The e-mail message contains a text part and a base64 part. Declude is catching the messages as a vulnerability.
>
> 20.2 Conflicting Encoding Vulnerability: This vulnerability occurs when the headers of an E-mail claim that two or more different encoding types are used. A MIME segment can only be encoded in one way, so if there are more than one encoding types listed, it is possible that the mail server virus scanner and the mail client will use different decoding methods on the E-mail. If this happens, a virus could bypass virus scanning on the mail server.
>
> I've been thrown into this project at this late date and was wondering if anyone could provide some help in solving this problem. I see the two encodings, but I don't know how to solve the problem.
>
> Here is part of the headers -
>
> Subject: Download New Song
> From: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> X-Mailer: PHP/4.3.8
> Mime-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: BASE64
>
> Thanks,
> Greg

--
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.Virus] OT: e-mail headers
Greg,

I think I figured it out. I looked at your headers again and found two sets of the same headers:

Subject: Download New Song
From: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: PHP/4.3.8
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: BASE64

It appears that the first set is wrong and should be removed if possible.

Matt

System Administrator wrote:
> on 8/4/05 2:29 PM, Matt wrote:
>> Before jumping the gun, it would be nice to see the full source of the message. You can edit the text and screw up the base64 stuff if you wish since it's the formatting that really matters here.
>
> Matt, I'll send you the full source off list.
>
> Thanks,
> Greg
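The condition behind the "Conflicting Encoding Vulnerability" in this thread, as an added example written for this page (it is not Declude's code and not code from any poster): the first function flags a header block that carries more than one Content-Type or more than one distinct Content-Transfer-Encoding, which is what a scanner sees when two header sets are stacked as in Greg's dump; the second builds the multipart/mixed layout Matt describes, where the text part and the base64 part each carry exactly one encoding. The header sample is constructed after Greg's dump with placeholder addresses, and the example assumes only the Python standard library.

```python
"""Detect duplicated/conflicting MIME encoding headers and build the
multipart layout that avoids them.  Added example, Python stdlib only."""
import email
from email.message import EmailMessage

# Constructed sample modelled on the header dump in the thread: a second full
# header set was emitted for one message, so Content-Type and
# Content-Transfer-Encoding each appear twice with different values.
CONSTRUCTED_BAD_HEADERS = """\
Subject: Download New Song
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
From: sender@example.invalid
Reply-To: sender@example.invalid
MIME-Version: 1.0
X-Mailer: PHP/4.3.8
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: BASE64

SGVsbG8gd29ybGQ=
"""


def encoding_conflicts(raw_message):
    """Return a list of problems found in the top-level headers.

    A MIME entity may carry one Content-Type and one Content-Transfer-Encoding.
    Two Content-Transfer-Encoding headers with different values mean a scanner
    and a mail client may decode the body differently; two Content-Type headers
    are flagged regardless of value because the entity's type is then ambiguous.
    """
    msg = email.message_from_string(raw_message)
    ctes = [v.strip().lower() for v in msg.get_all("Content-Transfer-Encoding", [])]
    ctypes = [v.split(";", 1)[0].strip().lower() for v in msg.get_all("Content-Type", [])]
    problems = []
    if len(set(ctes)) > 1:
        problems.append("Content-Transfer-Encoding: " + ", ".join(ctes))
    if len(ctypes) > 1:
        problems.append("Content-Type: " + ", ".join(ctypes))
    return problems


def part_encodings(raw_message):
    """List (content-type, transfer-encoding) for every leaf MIME part."""
    msg = email.message_from_string(raw_message)
    return [
        (part.get_content_type(), part.get("Content-Transfer-Encoding", "").strip().lower())
        for part in msg.walk()
        if not part.is_multipart()
    ]


def build_multipart(text, attachment_bytes, filename):
    """Build the layout Matt describes: one multipart/mixed container whose
    text part and base64 attachment part each carry a single encoding."""
    msg = EmailMessage()
    msg["Subject"] = "Download New Song"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "buyer@example.invalid"
    msg.set_content(text)                      # text/plain, 7bit for ASCII text
    msg.add_attachment(attachment_bytes, maintype="audio", subtype="mpeg",
                       filename=filename)      # promotes msg to multipart/mixed
    return msg.as_string()


if __name__ == "__main__":
    print(encoding_conflicts(CONSTRUCTED_BAD_HEADERS))
    fixed = build_multipart("Thanks for your order.", b"\x00\x01\x02", "song.mp3")
    print(encoding_conflicts(fixed))
    print(part_encodings(fixed))
```

Run stand-alone it prints the two conflicts found in the constructed dump, an empty list for the rebuilt message, and the per-part encodings of the rebuilt message (text/plain with 7bit, audio/mpeg with base64), which is the shape a virus scanner and a mail client will both decode the same way.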
Re: [Declude.Virus] Declude using CBL to block users sending mail?????
Doug,

IP's should not be in CBL unless they were found sending E-mail to a spam trap, and seemed to be residential in nature or lacked reverse DNS entries. So the primary issue that I see is that your IP was found to have sent E-mail to a spam trap. CBL allows for removal without confirmation, so if this problem is no longer there, removal should fix it.

SmarterMail does not presently allow a method for Declude to verify what has successfully authenticated. This is probably the biggest shortcoming of a SmarterMail/Declude setup at this time. SmarterMail has indicated that they will likely provide a method for Declude to verify AUTH in their 3.0 release due in Q4. If your user's IP's aren't exclusive to your company, and aren't in a fixed range, then there is little that can be done about whitelisting authenticated users for the time being. CBL was correct in saying that you don't want to be looking up authenticated E-mail on such lists, but it is a common enough practice, and that fact alone didn't create the condition where your IP became listed.

To work around this in the mean time, you might want to drop the scores of tests that are fed from spamtraps like CBL and SpamCop. While CBL is very accurate, you don't want such tests to be trapping your own users on legitimate E-mail, so being a little more conservative might help. Adding Sniffer would be a great way to allow you to drop scores of such tests, and the net result of this would be trapping more spam with fewer false positives if you weight things optimally.

Matt

Douglas Cohn wrote:
> My desktop IP was erroneously listed on CBL. It seems that declude is checking authenticated users sending mail for CBL and according to CBL this is wrong. SEE below.
>
> Here is the header showing what went on with the actual IPs removed to protect the innocent (ME). But it sure seems that my desktop machine is the one being checked and shown as on CBL. Had 10 points been enough I would not have been able to send mail.
>
> The ONLY address within the below HEADER that was actually listed in the CBL is the HOST machine sending the email. NOT the MAIL servers but MY DESKTOP of which I am an authenticated sender. Why would declude check an authenticated sender on the CBL list?
>
> This all started because SmarterMail's SPAM does NOT check the authenticated senders and this is what confused me initially. IE I thought SmarterMail's SPAM was not working properly on another server where I do NOT have declude ANTISPAM installed. BUT as you see according to CBL it should NOT detect CBL on an authenticated sender's IP. According to CBL this is not how the list is designed.
>
> Return-Path: [EMAIL PROTECTED] Sun Jun 12 18:35:56 2005
> Received: from forwardeddestinationmailserver [123.123.123.123] by forwardeddestinationmailserver with SMTP; Sun, 12 Jun 2005 18:35:56 -0400
> Received: from decludesmtpserver [456.456.456.456] by destinationmailserver with SMTP; Sun, 12 Jun 2005 18:35:20 -0400
> Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver with SMTP; Sun, 12 Jun 2005 18:34:59 -0400
> From: douglas cohn [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Test cbl
> Date: Sun, 12 Jun 2005 18:34:52 -0400
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> Thread-Index: AcVvnvNNt9F+fMW3RTWO2wS4w3LH6A==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> X-Declude-Sender: [EMAIL PROTECTED] [IPinCBL=MY DESKTOP]
> X-Declude-Spoolname: 37296653.EML
> X-Declude-Scan: Score [10] at 18:35:09 on 12 Jun 2005
> X-Declude-Fail: CBL, WEIGHT10
> X-Country-Chain: UNITED STATES-destination
> X-SmarterMail-Spam: SPF_None
> X-Rcpt-To: [EMAIL PROTECTED]
>
> http://cbl.abuseat.org/
> We're getting a lot of reports of spurious blocking caused by sites using the CBL to block authenticated access to smarthosts / outgoing mail servers. THE CBL is only designed to be used on INCOMING mail, i.e. on the hosts that your MX records point to. If you use the same hosts for incoming mail and smarthosting, then you should always ensure that you exempt authenticated clients from CBL checks, just as you would for dynamic/dialup blocklists. Another way of putting this is: Do not use the CBL to block your own users.
Re: [Declude.Virus] Declude using CBL to block users sending mail?????
Andrew,

Just to clear up any confusion, this message was sent by Doug through his own SmarterMail/Declude server, so his IP was the connecting hop and the DYNA/hop limiting tricks won't have an effect here.

I think it might be valuable if people resisted the temptation of removing IP's from headers when shared because those that might help out would often benefit from this information. Sometimes it doesn't really matter of course, and Doug did give enough information to figure this out, but the three received headers were confusing without a careful read.

Matt

Colbeck, Andrew wrote:
> Doug, you're probably scoring on multiple hops by setting your HOPHIGH in global.cfg ... If you don't want RBLs to score on multiple hops, just comment out that HOPHIGH line.
>
> Alternatively, rename your CBL test to CBL-DYNA (don't forget to change the global.cfg definition plus the action line wherever it appears in your configuration files (e.g. CBL WARN to CBL-DYNA WARN).
>
> Andrew 8)
>
> p.s. Is your own machine's address on the Internet, or was CBL listing an internal, non-routable IP address like 192.168.1.1 ?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas Cohn
> Sent: Monday, June 13, 2005 5:03 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Declude using CBL to block users sending mail?
Re: [Declude.Virus] Declude using CBL to block users sending mail?????
I was hoping that someone would correct my mistakes on this instead of me needing to do another famous reply to my own post :)

In this case you are correct, but there is a little problem in the details. Adding DUL, DYNA or DUHL to the name of any dnsbl test in Declude will result in not only restricting the test to the last hop only, but it will also disable the test for any E-mail that contains a local Mail From address, regardless of AUTH. This would include both legitimate users as well as zombies that forge local addresses when sending spam. This was originally a trick that Scott used before WHITELIST AUTH existed that protected local users from getting tagged by dnsbl's, but it also would result in some leaked spam from forging zombies. If this was IMail/Declude, adding DUL, DYNA or DUHL to the test name for CBL would definitely prevent CBL from hitting local users when WHITELIST AUTH wasn't available. I can't however vouch for this working with SmarterMail installations.

So it would be possibly useful in this case, but again, solving the issue that created the CBL listing is the most direct route, and less dependency on any particular test by adding something like Sniffer and reducing weights on such things I think is still the best overall solution.

Matt

Colbeck, Andrew wrote:
> That's a good point, Matt. I glossed over analyzing the hops, but wouldn't Declude skip running any test with DYNA in the name if the message was received via AUTH? I remember that you wrote a Master's Thesis on this over in the Declude.Support mailing list.
>
> Naturally, this would only count with Declude running on IMail, and not on SmarterMail.
>
> Andrew 8)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
> Sent: Monday, June 13, 2005 6:14 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Declude using CBL to block users sending mail?
Re: [Declude.Virus] viruses getting through
If you restart your server without first stopping the IMail SMTP service, it will leak messages for several seconds. Also, if you restart the IMail Queue Manager service it will steal messages from Declude. Both situations can lead to messages being passed without headers.

Matt

Daniel Ivey wrote:
> Yes, I do have AVAFTERJM ON in the virus.cfg file. One clarification too, when I mentioned that the headers for Declude Virus were not there, there were also no headers for Declude Junkmail either, which I know are working. I have attached the virus log file for so far today. We have them set to only write on error.
>
> Daniel
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice: 434 - 570 - 1765
> Fax: 434 - 572 - 1981
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 08, 2005 4:12 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] viruses getting through
>
>> Declude Virus has no definitions to update. Are you using AFTERJM ON? Logs, what do the logs say?
>>
>> John T
>> eServices For You
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Ivey
>> Sent: Wednesday, June 08, 2005 12:54 PM
>> To: 'Declude.Virus@declude.com'
>> Subject: [Declude.Virus] viruses getting through
>>
>>> Greetings,
>>>
>>> Over the past 2 days, I have had some viruses get through my Declude Virus, with updated definitions. Has anyone else seen this? Also, when I receive an email and look at the headers of the email, I am not seeing where Declude Virus scanned the message. Does anyone have any suggestions? I am running version 1.82.
>>>
>>> Thanks,
>>> Daniel
>>> ===
>>> Daniel Ivey
>>> GCR Company / GCR Online
>>> Voice: 434 - 570 - 1765
>>> Fax: 434 - 572 - 1981
>>> [EMAIL PROTECTED]
Re: [Declude.Virus] Banned Extensions Still Getting Through?
It looks like the file name is in the MIME segment headers in quoted-printable format (=?ISO-8859-1?Q?). I am going to assume that Declude isn't parsing quoted printable in the file names based on your log line. I would report this to Declude support as this would definitely be a shortcoming. All encoding of file names should be decoded before any checks for extensions are made.

Matt

Paul Crouch wrote:
> Need some help for a part time sys admin! Declude Virus/Junkmail Standard 2.0.6.16/F-prot.
>
> We have very limited bandwidth so have expanded the banned extensions list in virus.cfg to include .mpg, .mpeg, .wmv, etc. This works well but there seems to be some that are still slipping through? The only thing I have noticed is that in every instance the banned extension is not the only attachment and it has some extra characters in the file extension as reported by Declude. The attachment appears as normal in the email client. Example shown below.
>
> When it does work (in every test that I do) Declude inserts
>
> MM/DD/2005 HH:MM:SS Q1BA800E400B8C964 Banning file with mpg extension [video/mpg]
>
> before the virus scanner line. Any ideas as to why Declude is trapping some and not others?
>
> vir0606.log
> 06/06/2005 10:00:54 Q109E001900B2AC5A Vulnerability flags = 0
> 06/06/2005 10:00:54 Q109E001900B2AC5A MIME file: pic09894.jpg [base64; Length=1577 Checksum=178405]
> 06/06/2005 10:00:55 Q109E001900B2AC5A MIME file: =?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?= [base64; Length=1435545 Checksum=172528633]
> 06/06/2005 10:00:55 Q109E001900B2AC5A Virus scanner 1 reports exit code of 0
> 06/06/2005 10:00:55 Q109E001900B2AC5A Scanned: Virus Free [MIME: 3 1438701]
>
> dec0606.log
> 06/06/2005 10:01:13 Q109E001900B2AC5A CMDSPACE:8 . Total weight = 8.
> 06/06/2005 10:01:13 Q109E001900B2AC5A Tests failed [weight=8]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=IGNORE[8]
> 06/06/2005 10:01:13 Q109E001900B2AC5A Msg failed CMDSPACE (Space found in RCPT TO: command.). Action="">
> 06/06/2005 10:01:13 Q109E001900B2AC5A R1 Message OK
> 06/06/2005 10:01:13 Q109E001900B2AC5A Subject: FW: FW: hamster[Scanned By NHC]
> 06/06/2005 10:01:13 Q109E001900B2AC5A From: [EMAIL PROTECTED] To: IP: 195.11.194.53 ID: 2005060609594485-37998
> 06/06/2005 10:01:13 Q109E001900B2AC5A Action(s) taken for [copyall_account] = IGNORE [LAST ACTION="">
> 06/06/2005 10:01:13 Q109E001900B2AC5A Using [incoming] CFG file C:\IMail\Declude\$default$.junkmail.
> 06/06/2005 10:01:13 Q109E001900B2AC5A Tests failed [weight=8]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=WARN[8]
> 06/06/2005 10:01:13 Q109E001900B2AC5A Msg failed CMDSPACE (Space found in RCPT TO: command.). Action="">
> 06/06/2005 10:01:13 Q109E001900B2AC5A L2 Message OK
> 06/06/2005 10:01:13 Q109E001900B2AC5A Subject: FW: FW: hamster[Scanned By NHC]
> 06/06/2005 10:01:13 Q109E001900B2AC5A From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 195.11.194.53 ID: 2005060609594485-37998
> 06/06/2005 10:01:13 Q109E001900B2AC5A Action(s) taken for [[EMAIL PROTECTED]] = IGNORE WARN [LAST ACTION="">
> 06/06/2005 10:01:13 Q109E001900B2AC5A Cumulative action(s) taken on this email = IGNORE WARN [LAST ACTION="">
>
> Paul Crouch
> Technical Manager
> Marble Building Products Ltd
> Tel: 01759 373352
> Fax: 01759 373394
> Email: [EMAIL PROTECTED]
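Matt's point that file names must be decoded before any extension check, as an added example written for this page (not Declude's code and not code from any poster): the name from Paul's log, =?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?=, is an RFC 2047 encoded word in which "_" stands for a space and "=2E" for the dot, so a check on the raw header text never sees a ".mpg" extension at all. The banned-extension set and the MIME message below are constructed for the example (the message reuses the two file names from the vir0606.log excerpt), and the code assumes only the Python standard library.

```python
"""Decode RFC 2047 encoded-word attachment names before testing them
against a banned-extension list.  Added example, Python stdlib only."""
import email
from email.header import decode_header

# Constructed subset standing in for the expanded banned list in virus.cfg.
BANNED_EXTENSIONS = {"mpg", "mpeg", "wmv"}

# Constructed message mirroring the two MIME file names from the vir0606.log
# excerpt: a plain name and an encoded-word name that decodes to a .mpg file.
ENCODED_NAME = "=?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?="
CONSTRUCTED_MESSAGE = f"""\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: FW: FW: hamster
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: image/jpeg; name="pic09894.jpg"
Content-Disposition: attachment; filename="pic09894.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQ
--b1
Content-Type: video/mpeg; name="{ENCODED_NAME}"
Content-Disposition: attachment; filename="{ENCODED_NAME}"
Content-Transfer-Encoding: base64

AAABuiEAAQABgAMB
--b1--
"""


def decode_filename(raw_name):
    """Turn a possibly RFC 2047 encoded file name into plain text.

    decode_header() handles both Q (quoted-printable style: '_' is a space,
    =2E is '.') and B (base64) encoded words and passes plain names through."""
    pieces = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def extension_of(name):
    """Lower-cased final extension, after stripping trailing dots and spaces."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def banned_extension(raw_name, banned=BANNED_EXTENSIONS):
    """Extension check done the right way round: decode first, then test."""
    ext = extension_of(decode_filename(raw_name))
    return ext if ext in banned else None


def banned_extension_undecoded(raw_name, banned=BANNED_EXTENSIONS):
    """The failure mode seen in the log: testing the raw header text never
    sees the '.' hidden inside =2E, so the encoded .mpg name is not caught."""
    ext = extension_of(raw_name)
    return ext if ext in banned else None


def banned_attachments(raw_message):
    """Walk a message and report (decoded name, extension) for banned parts."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        raw_name = part.get_filename()   # compat32 policy returns the encoded word as-is
        if raw_name is None:
            continue
        ext = banned_extension(raw_name)
        if ext:
            hits.append((decode_filename(raw_name), ext))
    return hits


if __name__ == "__main__":
    print(banned_extension_undecoded(ENCODED_NAME), banned_extension(ENCODED_NAME))
    print(banned_attachments(CONSTRUCTED_MESSAGE))
```

The undecoded check returns None for the encoded name while the decoded check returns "mpg"; walking the constructed message reports only the decoded POWERLEAGUE HAMSTER.mpg attachment, which is the result Paul expected to see in his log. The same decode step should precede any other name-based rule (double extensions, executables renamed with a trailing space or dot), since all of them are defeated by an undecoded comparison.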
Re: [Declude.Virus] Second Scanner
McAfee isn't a CPU hog, it's just that F-Prot is miles ahead of any other command line scanner in terms of performance. The only thing that touches the performance of F-Prot is running ClamAV in daemon mode, but it's understandable that running a virus scanner as a service would be more efficient. Running ClamAV as a command line/launched scanner will net even worse results than McAfee. In my testing I found that McAfee was actually the third fastest option behind F-Prot and ClamAV in daemon mode. All of the other scanners that I tested were slower and required more CPU. McAfee is also generally much more reliable than F-Prot and ClamAV, and in my experience it is also more reliable than AVG, but I can't speak for the others. The only strike against ClamAV in my book is that it isn't operated by a large corporation and likely lacks the same degree of testing prior to launching new definitions as has been evidenced a couple of times, and of course it was developed originally for Linux. Matt Douglas Cohn wrote: Mcafee is a CPU HOG. Uses double the CPU of Fprot. I have a low powered machine and cannot even run Mcafee but fprot is no problem. Both is unreal. This is the mcafee command line scanner. The declude archive includes a Wget updater that works fine. I use a 4NT update script but the Wget is probably better I have just been too lazy to change it back. Of course you will not that the Website clearly states you are required to have a license to mcafee before you use this code which is readily available to all. You can also download the daily dats which are considered BETA quality but that's fine with me. Unluckily I do not use the with declude because smartermail and mcafee are just more than the measly server I have this one can handle. Luckily Smartermail and fprot are working just fine with declude and I have nothing to complain about (ESPECIALLY SINCE I GOT RID OF THAT IMAIL --- Blech). Here is a mcafee command line scanner. 
ftp://ftp.nai.com/CommonUpdater/ Download the latest superdat (sdat.exe) file from the Network Associates ftp site. Now you must unpack it using the "/e" parameter. From the mcafee folder, run sdat.exe /e (where is the version number, for example sdat4290.exe). When unpacking you don't see anything happen for about 20 seconds, just wait for it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher Sent: Thursday, June 02, 2005 6:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Second Scanner Matt posted speed comparison's I'd say about a year ago. I use F-Prot ClamAV and McAfee - Original Message - From: "David Sullivan" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 4:50 PM Subject: [Declude.Virus] Second Scanner I know this comes up every now and then, but the last thread I can find is from May 2004. I was interested in what folks were using as a second scanner aside from F-Prot. I've heard AVG is good but slow, Kaspersky fast with updates but expensive, MacAfee good but hard to get a command line. I thought someone had posted some stats about this but can't find them. Any suggestions? -- Best regards, David mailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. 
--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] MS05-16 Exploit
This is the one that Andy pointed out:

Microsoft Windows Shell Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/13132/discussion/

Microsoft Windows is prone to a vulnerability that may allow remote attackers to execute code through the Windows Shell. The cause of the vulnerability is related to how the operating system handles unregistered file types. The specific issue is that files with an unknown extension may be opened with the application specified in the embedded CLSID. The victim of the attack would be required to open a malicious file, possibly hosted on a Web site or sent through email. Social engineering would generally be required to entice the victim into opening the file.

I can't say whether or not it is a broad enough threat to be exploited in a mass-mailing virus. Declude defaults to BANCLSID ON which may or may not protect from such an attack. Some CLSID calls are entirely valid and normal for Outlook/Office generated E-mails, and I'm not totally sure what Declude considers to be good to ban with this switch. Andrew previously indicated that he had never seen it triggered. Anyway, these things pop up about once a month and most are never exploited in E-mail viruses, so there is probably no reason to not treat all of them the same. I see no reason why virus scanners wouldn't detect the infected attachments once they were updated with definitions for known threats.

Matt

John Tolmachoff (Lists) wrote:

Since I am pressed for time and am presently unable to completely digest what the vulnerability is and how to stop it, how can we configure our Declude installs to protect/find/stop these messages?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MS05-16 Exploit

Hi,

Enclosed a notice for the MS05-16 Exploit.
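The check that the vulnerability description above calls for, written from the mail-scanning side as an added example (it is not Declude's code and not from this thread): it opens a ZIP attachment in memory, flags entry names that hide control or non-ASCII bytes behind a familiar extension, and reads the OLE2 Root Entry CLSID of any member that turns out to be an OLE2 container behind an extension where one is not expected, which is exactly the case the Windows Shell would hand to the CLSID's handler. The placeholder CLSID, the list of expected OLE2 extensions and the sample attachment are all constructed for this example.

```python
import io
import os
import re
import struct
import uuid
import zipfile

# Magic bytes at the start of every OLE2 / Compound File Binary container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions for which an OLE2 container is the expected format; anything else
# that turns out to be OLE2 is flagged. Assumed list for this example, extend as needed.
OLE2_EXPECTED_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps", ".msg", ".msi"}

# Constructed placeholder CLSID for the sample file; not the CLSID of any real handler.
PLACEHOLDER_CLSID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")


def ole2_root_clsid(data: bytes):
    """Return the Root Entry CLSID of an OLE2 file, or None if the data is not OLE2.

    Layout per the Compound File Binary format: sector size is 2**(uint16 at 0x1E),
    the first directory sector number is the uint32 at 0x30, and sector N begins at
    (N + 1) * sector_size. The first 128-byte directory entry is the Root Entry,
    whose CLSID occupies bytes 0x50..0x5F (stored little-endian).
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    offset = (first_dir_sector + 1) * sector_size
    if offset + 128 > len(data):
        return None
    entry = data[offset:offset + 128]
    if entry[66] != 5:  # object type 5 = root storage
        return None
    return uuid.UUID(bytes_le=bytes(entry[0x50:0x60]))


def hidden_name_bytes(name: str) -> bool:
    """True when the entry name carries control or non-ASCII characters, e.g. a
    trailing 0xFF that makes "agreement.txt" look like a harmless text file."""
    return any(not 0x20 <= ord(c) <= 0x7E for c in name)


def visible_extension(name: str) -> str:
    """Extension as a user would read it, ignoring trailing non-printable padding."""
    stripped = re.sub(r"[^\x21-\x7e]+$", "", name)
    return os.path.splitext(stripped)[1].lower()


def scan_zip(zip_bytes: bytes):
    """Return (entry name, reason) findings for a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if hidden_name_bytes(name):
                findings.append((name, "entry name contains non-printable or non-ASCII characters"))
            clsid = ole2_root_clsid(zf.read(info))
            if clsid is not None and visible_extension(name) not in OLE2_EXPECTED_EXTS:
                findings.append((name, f"OLE2 container behind a non-OLE extension, root CLSID {{{clsid}}}"))
    return findings


def build_sample_ole2(clsid: uuid.UUID) -> bytes:
    """Constructed minimal OLE2 file: 512-byte header plus one directory sector
    holding only a Root Entry with the given CLSID."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)   # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)   # directory starts in sector 0
    entry = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry[:len(name)] = name
    struct.pack_into("<H", entry, 64, len(name))
    entry[66] = 5
    entry[0x50:0x60] = clsid.bytes_le
    return bytes(header) + bytes(entry) + bytes(512 - len(entry))


def build_sample_zip() -> bytes:
    """Constructed attachment: a benign text file, a .doc that is legitimately OLE2,
    and a 'pseudo-TXT' entry whose name ends in U+00FF (standing in for the raw
    0xFF byte reported in the spam)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text, nothing to see here\n")
        zf.writestr("report.doc", build_sample_ole2(PLACEHOLDER_CLSID))
        zf.writestr("agreement.txt\u00ff", build_sample_ole2(PLACEHOLDER_CLSID))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{name!r}: {reason}")
```

Only the disguised entry produces findings; the plain text file is not OLE2 and the .doc is OLE2 where OLE2 is expected. In a gateway you would treat either finding as grounds to hold the message rather than relying on the CLSID value alone, since the extension mismatch is the part the Shell bug keys on.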
For the record: I'm actually in favor of using STRICT interpretation of vulnerabilities - no matter how seldom one might actually occur. Whether a violation of standards is due to an actual virus - or just a poor mass-mailer application, I gladly use the reason of "vulnerability" of a potential virus to reject these messages early.

As far as some features suggested here:
- I do agree that it might be helpful for some people not to scan for viruses, if a vulnerability is found (to conserve CPU).
- I do agree that there is little reason (other than statistics) to run the second scanner after the first scanner already found a virus.
- I do agree that it is desirable for some people, if there was an option that would delete vulnerabilities rather than "isolate" them in the Virus folder.
- I do NOT agree that Declude should NOT detect certain vulnerabilities, just because they only occur very rarely.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 29, 2005 9:31 AM
To: Bugtraq@securityfocus.com
Subject: Spam exploiting MS05-016

Yesterday at least two of my spam-traps received the following message (I've elided the MIME boundary values just in case...):

Subject: We make a business offer to you
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="[...]"
[...]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 8bit

Hello! It is not spam, so don't delete this message. We have a business offer to you. Read our offer. You can increase the business in 1,5 times. We hope you do not miss this information. Best regards, Keith
[...]
Content-type: application/octet-stream; name="agreement.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="agreement.zip"

encoded ZIP file data

There are a few trivial differences between the messages to the different addresses I checked, so don't anyone try to turn the above into a totally literal filtering rule...

Anyway, the "agreement.zip" attachment held only one file, apparently called "agreement.txt", but on closer inspection it turned out the file was called "agreement.txt " where the apparent trailing space was actually a 0xFF character. This "pseudo-TXT" file was, in fact, an OLE2 format file (originally a Word document file) with the OLE2 Root Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA). This was all done as per the description in the iDEFENSE advisory announcing this vulnerability:

http://www.idefense.com/application/poi/display?id=231&type=vulns

This "pseudo-TXT" file