[Declude.Virus] AVAFTERJM
When scanning for viruses after JunkMail through use of the above directive, the following rule applies: All email will continue to be scanned for viruses EXCEPT those emails having a final JunkMail action of: HOLD DELETE David Franco-Rocha Declude Technical / Engineering --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] AVAFTERJM
Thanks for the clarificaiton. Matt David Franco-Rocha [ Declude ] wrote: When scanning for viruses after JunkMail through use of the above directive, the following rule applies: All email will continue to be scanned for viruses EXCEPT those emails having a final JunkMail action of: HOLD DELETE David Franco-Rocha Declude Technical / Engineering --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] AVAFTERJM ?
Thursday, September 22, 2005, 9:01:37 AM, you wrote: Dsic AVAFTERJM ON goes in the virus.cfg file and it makes AV run after JM as Dsic you suspected. Several of us run this mode for the reason you cited. The Dsic only deal you have to remember is if something is trapped by JM and you put Dsic it back in the queue it will not be virus scanned. This begs the follow up...if we have an automated release functionality whereby users can retrieve a held message, is there anyway to resubmit that to Declude and specify virus scanning only to be performed? This would keep users from releasing viruses to themselves. -- Best regards, Davidmailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] AVAFTERJM ?
David, You could write something to the message that Declude JunkMail was set to whitelist, and then copy the D*.smd file to the spool and the Q*.smd file to the overflow directory (or the proc directory in 3.0+). This would cause the message to be scanned by both JunkMail and Virus, however it would be whitelisted in JunkMail if you followed that procedure. Matt David Sullivan wrote: Thursday, September 22, 2005, 9:01:37 AM, you wrote: Dsic AVAFTERJM ON goes in the virus.cfg file and it makes AV run after JM as Dsic you suspected. Several of us run this mode for the reason you cited. The Dsic only deal you have to remember is if something is trapped by JM and you put Dsic it back in the queue it will not be virus scanned. This begs the follow up...if we have an automated release functionality whereby users can retrieve a held message, is there anyway to resubmit that to Declude and specify virus scanning only to be performed? This would keep users from releasing viruses to themselves. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] AVAFTERJM ?
Friday, September 23, 2005, 12:17:32 PM, you wrote: M You could write something to the message that Declude JunkMail was set M to whitelist, and then copy the D*.smd file to the spool and the Q*.smd That's a great idea. Something innocuous in the headers as a whitelist key. Rather than just putting it in /overflow though, couldn't I call declude.exe with the Q file name for immediate processing? -- Best regards, Davidmailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] AVAFTERJM ?
David, The one issue with calling declude.exe directly is that you don't want the Q*.smd file to be in the spool, otherwise IMail's Queue Manager can steal it, though that would only cause an error in this case and the message would be delivered. I would recommend moving the D*.smd file back into the spool and then calling the Q*.smd file from where ever you were storing it (using the COPYFILE operative I presume). Matt David Sullivan wrote: Friday, September 23, 2005, 12:17:32 PM, you wrote: M You could write something to the message that Declude JunkMail was set M to whitelist, and then copy the D*.smd file to the spool and the Q*.smd That's a great idea. Something innocuous in the headers as a whitelist key. Rather than just putting it in /overflow though, couldn't I call declude.exe with the Q file name for immediate processing? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] AVAFTERJM ?
Matt, Is it possible to call declude.exe with the path to another folder containing the Q/D? M The one issue with calling declude.exe directly is that you don't want M the Q*.smd file to be in the spool, otherwise IMail's Queue Manager can M steal it, though that would only cause an error in this case and the M message would be delivered. I would recommend moving the D*.smd file M back into the spool and then calling the Q*.smd file from where ever you M were storing it (using the COPYFILE operative I presume). -- Best regards, Davidmailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] AVAFTERJM ?
David, I believe so. The Q* file contains the path to the D* file, and that is always under the spool unless you have changed the Q* file to point elsewhere. Also, the best way to embed something in the headers that can't be forged would be to do it above the Received lines and then code a custom filter that whitelists with a HEADERS WHITELIST STARTSWITH X-Reprocess: Reprocessed Matt David Sullivan wrote: Matt, Is it possible to call declude.exe with the path to another folder containing the Q/D? M The one issue with calling declude.exe directly is that you don't want M the Q*.smd file to be in the spool, otherwise IMail's Queue Manager can M steal it, though that would only cause an error in this case and the M message would be delivered. I would recommend moving the D*.smd file M back into the spool and then calling the Q*.smd file from where ever you M were storing it (using the COPYFILE operative I presume). --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] AVAFTERJM ?
Title: AVAFTERJM ? Hello all, We make use of the latest Declude version (spam+virus) Pro. What does the AVAFTERJM option do? Antivirus scanning after Junkmail I suppose? What is the default? First scanning viruses followed by scanning for spam? Due to the large amounts of spam I would suggest first filtering out spam followed by possible viruses? Is that correct? Regards, Marcel
Re: [Declude.Virus] AVAFTERJM ?
Marcel, AVAFTERJM ON goes in the virus.cfg file and it makes AV run after JM as you suspected. Several of us run this mode for the reason you cited. The only deal you have to remember is if something is trapped by JM and you put it back in the queue it will not be virus scanned. Darrell invURIBL - Intelligent URI filtering plug-in for Declude. Try it today http://www.invariantsystems.com Marcel Sangers writes: Hello all, We make use of the latest Declude version (spam+virus) Pro. What does the AVAFTERJM option do? Antivirus scanning after Junkmail I suppose? What is the default? First scanning viruses followed by scanning for spam? Due to the large amounts of spam I would suggest first filtering out spam followed by possible viruses? Is that correct? Regards, Marcel --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] AVAFTERJM ?
Title: AVAFTERJM ? If using the AVAFTERJM option in Declude Virus, Declude Virus will run after Declude JunkMail. this is the Processing Order for Imail (taken form the manual). the default is that Declude Virus runs before Declude JunkMail Both IMail and Declude have a number of different tests that they run on E-mail. The order used is as follows: 1. IMails Control Access file (to block IPs) 2. IMails Kill List (to block return addresses) 3. IMail v8 anti-spam (most tests) 4. Declude Virus 5. Declude Hijack 6. Declude JunkMail 7. IMail's filters and extra IMail v8 anti-spam tests Luis Arango From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcel SangersSent: Jueves, 22 de Septiembre de 2005 03:16 a.m.To: Declude.Virus@declude.comSubject: [Declude.Virus] AVAFTERJM ? Hello all, We make use of the latest Declude version (spam+virus) Pro. What does the AVAFTERJM option do? Antivirus scanning after Junkmail I suppose? What is the default? First scanning viruses followed by scanning for spam? Due to the large amounts of spam I would suggest first filtering out spam followed by possible viruses? Is that correct? Regards, Marcel
[Declude.Virus] AVAFTERJM not working
I've been working with Darrell from Invariant systems using their log utility. We've been running AVAFTERJM based on the following logic: We delete about 50% of email as spam via Junkmail(gateway system only). If we delete 50% of the email then we can reduce the load on Declude/FProt AV by 50% as long as the AV messages are scanned after JM. So, we put AVAFTERJM in the virus.cfg per the instructions. Darrell looked at our logs and found the following: Opened upour DEC and VIR1217.LOG. In the VIRloghefound the message Q67df4aae4237 which has a virus. Then he went to the DEC1217.LOG and searched for the message and did not find it. So, it would seem that AVAFTERJM isn't working properly Thoughts?
RE: [Declude.Virus] AVAFTERJM not working
Title: Message I think I ran into this too; for my part, it was a thinko. The correct usage is: AVAFTERJM ON but with all the talk on this forum about "AVAFTERJM", that's all I used (that is, I left out the "ON" part). Andrew 8) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark E. SmithSent: Monday, December 20, 2004 8:37 AMTo: [EMAIL PROTECTED]Subject: [Declude.Virus] AVAFTERJM not working I've been working with Darrell from Invariant systems using their log utility. We've been running AVAFTERJM based on the following logic: We delete about 50% of email as spam via Junkmail(gateway system only). If we delete 50% of the email then we can reduce the load on Declude/FProt AV by 50% as long as the AV messages are scanned after JM. So, we put AVAFTERJM in the virus.cfg per the instructions. Darrell looked at our logs and found the following: Opened upour DEC and VIR1217.LOG. In the VIRloghefound the message Q67df4aae4237 which has a virus. Then he went to the DEC1217.LOG and searched for the message and did not find it. So, it would seem that AVAFTERJM isn't working properly Thoughts? The information contained in this email is intended solely for the addressee. This message may contain confidential and/or privileged material and access to this email by anyone else is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original. Les informations transmises par la prsente sont destines uniquement au(x) destinataires(s) sousmentionn(s). Le message peut contenir des informations confidentielles. L'accs ce message par toute autre personne que celle(s) nommment dsigne(s) en est donc interdit et la confidentialit du message doit tre sauvegarde. Toute rfrence aux informations qui y figurent, toute retransmission, dissmination ou utilisation de celles-ci par quiconque qui n'en a pas l'autorisation est strictement dfendu. Si vous avec reu cette communication par erreur, veuillez nous en aviser immdiatement et dtruire l'original.
RE: [Declude.Virus] AVAFTERJM not working
Title: Message Ah ha! Note to Declude staff -- update the documentation. :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Monday, December 20, 2004 12:17 PMTo: [EMAIL PROTECTED]Subject: RE: [Declude.Virus] AVAFTERJM not working I think I ran into this too; for my part, it was a thinko. The correct usage is: AVAFTERJM ON but with all the talk on this forum about "AVAFTERJM", that's all I used (that is, I left out the "ON" part). Andrew 8) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark E. SmithSent: Monday, December 20, 2004 8:37 AMTo: [EMAIL PROTECTED]Subject: [Declude.Virus] AVAFTERJM not working I've been working with Darrell from Invariant systems using their log utility. We've been running AVAFTERJM based on the following logic: We delete about 50% of email as spam via Junkmail(gateway system only). If we delete 50% of the email then we can reduce the load on Declude/FProt AV by 50% as long as the AV messages are scanned after JM. So, we put AVAFTERJM in the virus.cfg per the instructions. Darrell looked at our logs and found the following: Opened upour DEC and VIR1217.LOG. In the VIRloghefound the message Q67df4aae4237 which has a virus. Then he went to the DEC1217.LOG and searched for the message and did not find it. So, it would seem that AVAFTERJM isn't working properly Thoughts? The information contained in this email is intended solely for the addressee. This message may contain confidential and/or privileged material and access to this email by anyone else is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original. Les informations transmises par la présente sont destinées uniquement au(x) destinataires(s) sousmentionné(s). Le message peut contenir des informations confidentielles. L'accès à ce message par toute autre personne que celle(s) nommément désignée(s) en est donc interdit et la confidentialité du message doit être sauvegardée. Toute référence aux informations qui y figurent, toute retransmission, dissémination ou utilisation de celles-ci par quiconque qui n'en a pas l'autorisation est strictement défendu. Si vous avec reçu cette communication par erreur, veuillez nous en aviser immédiatement et détruire l'original.
Re: [Declude.Virus] AVAFTERJM switch
When this switch is used in the virus.cfg file, should JM not write its results to the headers and then send it on to AV? The headers are added to the E-mail after all the Declude programs are done handling the E-mail (so that the file only needs to be updated once), so the Declude JunkMail headers will not actually be in the E-mail as it is scanned by Declude Virus in this situation. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
