[Declude.Virus] SoBig more prolific now?
Last night I got hammered with about 3,000 sobigs in the course of about 2 hours from one infected computer - it seems this particular computer had almost every address from my domain on it. This morning I got about 100 from another computer - the strange thing was that all 100 were sent to a single address on my domain at the rate of about 1 per minute.

Does anyone know how fast it sends? Does it have anything to do with the speed of the infected computer? I'm just curious. When will people stop opening this attachment?

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] SoBig more prolific now?
There ain't no cure for stupidity.
RE: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
I'd have to agree. I guess all of the letters after John's name have gone to his head. In my experience it's people with bloated egos who attempt to publicly ridicule and chastise. Seems to me a friendly note directly to the admin would have been more appropriate.

Mike Tindor

-- Original Message --
From: Tim Collins [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Sat, 30 Aug 2003 07:55:41 -0500

John Tolmachoff,

Personally, I have 2 months experience with my new ISP company and Declude. Not everyone is as smart as you. Maybe you should leave the List and start your own discussion group. The only stupid question is the one that is not asked. Often, there is more than one way to do something. Please keep your personal comments to yourself.

Tim Collins

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, August 30, 2003 12:19 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
Importance: High

After all this has been talked about, that Sobig forges the sender, this pisses me off. Do you not know how to add FORGINGVIRUS and SKIPIFVIRUSNAMEHAS to the config and e-mail files? Get your bleeping act together or forfeit your Declude software to someone who knows how to use it.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-Original Message-
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 7:58 PM
To: [EMAIL PROTECTED]
Subject: WARNING: YOU MAY HAVE A VIRUS

The Declude Virus software on lcs.net has reported that you sent an E-mail to [EMAIL PROTECTED], containing the Unknown Virus virus in the Unknown File attachment. The subject of the E-mail was Your details. The E-mail containing the virus has been quarantined to prevent further damage.

Headers Follow:

Received: from ARNOLDS_ROOM [160.36.73.149] by lcs.net with ESMTP (SMTPD32-7.07) id A2A72C08013C; Fri, 29 Aug 2003 22:57:43 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your details
Date: Fri, 29 Aug 2003 22:59:36 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_7E49D478
Message-Id: [EMAIL PROTECTED]
[Declude.Virus] Batch file from auto e-mail of virus from.
Some of us out here are not command line savvy. I am one. Thanks to Scott's posting of creating a file to find the from address of virus infected files, I have created a batch to run scheduled. Amazingly, it works.

For those like me, here is the batch file for others to use. Please remember to change the paths to those relevant to your setup. This creates and e-mails the sorted file, then moves the existing .smd files to the hold subfolder of virus and clears all files out of the virus folder.

NOTE: If you do not have a hold folder under virus, I would suggest creating it first, or move it wherever.

The virusfrombody.txt has a single line: Yesterday's virus from report.

    @echo off
    rem Work in the quarantine folder on F:
    cd f:\spool\virus
    f:
    rem Collect the Received: lines from the quarantined messages and sort them
    find "Received:" D*.SMD > file1.txt
    sort file1.txt > file2.txt
    rem Keep copies of the messages in hold, then clear the virus folder
    xcopy *.smd f:\spool\virus\hold
    del *.smd
    rem Mail the sorted report as an attachment, then remove the work files
    c:\imail\imail1.exe -f c:\batchfiles\virusfrombody.txt -s "Virus From Report" -t [EMAIL PROTECTED] -u [EMAIL PROTECTED] -a f:\spool\virus\file2.txt
    del file1.txt
    del file2.txt

Now, you could also do this hourly or every 4 hours or whatever.

Question, if done hourly or so, how would you include the time and/or date either in the subject line or in the body?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
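The report that batch file produces, as an added Python example that is not part of the original post: it reads the topmost Received: line of each quarantined message, counts messages per connecting IP address, and builds a subject line that carries the report time. The sample messages are constructed in the IMail header format quoted in this thread; the function names, host names and documentation-range addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# IMail Received: form quoted in this thread: "Received: from HELO [ip] by host ..."
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE)

def connecting_host(raw_message):
    """Return (helo, ip) from the topmost Received: header, or None."""
    # Only the topmost header is written by the receiving server; the ones
    # below it arrived with the message and can be forged by the sender.
    headers = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = re.sub(r"\n[ \t]+", " ", headers)  # unfold continuation lines
    for line in headers.split("\n"):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.match(line)
            return (m.group("helo"), m.group("ip")) if m else None
    return None

def tally_sources(messages):
    """Count quarantined messages per connecting IP address."""
    counts = Counter()
    for raw in messages:
        host = connecting_host(raw)
        counts[host[1] if host else "unparsed"] += 1
    return counts

def build_report(messages, now):
    """Return (subject, body); the subject carries the report time."""
    subject = "Virus From Report " + now.strftime("%Y-%m-%d %H:%M")
    rows = tally_sources(messages).most_common()
    return subject, "\n".join(f"{n:5d}  {ip}" for ip, n in rows)

# Constructed sample messages (documentation-range addresses, not real hosts).
SAMPLES = [
    "Received: from PC1 [192.0.2.10] by mail.example.test with ESMTP\n"
    "  (SMTPD32-7.07) id A1; Fri, 29 Aug 2003 22:57:43 -0400\n"
    "Received: from forged [203.0.113.99] by relay.example.test\n\nbody",
    "Received: from PC1 [192.0.2.10] by mail.example.test; Fri, 29 Aug 2003 22:58:40 -0400\n\nbody",
    "Received: from PC2 [198.51.100.7] by mail.example.test; Sat, 30 Aug 2003 08:01:02 -0400\n\nbody",
    "Subject: no trace headers\n\nbody",
]

if __name__ == "__main__":
    subject, body = build_report(SAMPLES, datetime.now())
    print(subject + "\n" + body)
```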
[Declude.Virus] Recipient's alert- Not sent..
Hi Scott:

I was under the impression that if I put:

SKIPIFVIRUSNAMEHAS Sobig

In the recip.eml then the recipient of the virus will not be alerted if Sobig is the virus.

This works fine for Sobig but I noticed that I am not receiving a virus notification for other viruses as well. So I tested the Eicar virus with the above in the recip.eml and without it. With that line in the recip.eml I do not get a notification for Eicar and without it I get a notification.

Is this a feature, bug, or a misunderstanding on my part... Or possibly all of the above? :)

Regards,
Kami

-Original Message-
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 06, 2003 12:33 PM
To: [EMAIL PROTECTED]
Subject: WARNING: YOU WERE SENT A VIRUS

The Declude Virus software [Ver: 1.75i4] on durability.com has reported that you were sent an E-mail from [EMAIL PROTECTED], containing the : EICAR test file NOT a virus. virus in the eicar.com attachment. The subject of the E-mail was Test eicar.com file [eicarplain]. The E-mail containing the virus has been quarantined to prevent further damage.

Headers Follow:

Received: from www.declude.com [216.58.174.203] by foroosh.com (SMTPD32-8.02) id AC4015021C; Sat, 06 Sep 2003 12:33:04 -0400
X-Web-Originating-IP: 12.5.16.247
Message-Id: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 02 Nov 2000 20:23:17 -0500
From: WebMaster [EMAIL PROTECTED]
To: User [EMAIL PROTECTED]
Subject: Test eicar.com file [eicarplain]
Mime-Version: 1.0
Content-Type: multipart/mixed; BounDary==_307115168==_
[Declude.Virus] Blocking senders of Vulnerabilities
Question, what do others do to block repeat offenders who send SPAM with vulnerabilities? I know to add the from IP address to the SMTP control access file, but I guess my question is more of do we see the same IP addresses?

Would it be a good idea to share the IP addresses of the repeat offenders with others, or is it like viruses where everyone's experience is different? Maybe a shared file would be in order.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Re: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
Is this BS really necessary? If you don't like someone, can't you keep it to yourself? A simple philosophy, don't be annoying and don't be easily annoyed.

John may have a big ego...so what?! I haven't met a computer engineer yet worth a darn that doesn't have a big ego. It takes a lot of moxie to be responsible for hundreds/thousands of users' computers/accounts when the crap is flying all around and you are the one getting yelled at.

I've been on/watching this list for a long time. I don't always like the answers I get, but the people here DO HELP ME. That is the bottom line, isn't it? Or is it about hurting egos?

Personally, I don't think there is room for ego in the business world. I don't think any of us are here for the fun of it, but to make money, right? If I have to suppress my ego to get the answers I need and to get the job done, SO BE IT.

Come to think of it, we are usually guilty of what we accuse others of.

> In my experience it's people with bloated egos who attempt to publicly ridicule and chastise.
> Mike Tindor

I think it would be helpful to remember that John and others like him are NOT GETTING PAID to help with your issues or mine. This IS THE SPIRIT of the Internet, all of us helping each other, the best we can.

That's my 2 cents worth. And I've been in this business a long time, 16 years, 8 of it running ISPs and being responsible for corporate networks. I don't have to like John's approach to *respect* him and his efforts on this list.

Now, can we all be nice to each other in this sand box...PLEASE?!

Andrew
Thumpernet

- Original Message -
From: FIRST Internet Declude Virus Account [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 06, 2003 12:25 PM
Subject: RE: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS

I'd have to agree. I guess all of the letters after John's name have gone to his head. In my experience it's people with bloated egos who attempt to publicly ridicule and chastise. Seems to me a friendly note directly to the admin would have been more appropriate.

Mike Tindor
Re: [Declude.Virus] Recipient's alert- Not sent..
> I was under the impression that if I put: SKIPIFVIRUSNAMEHAS Sobig In the recip.eml then the recipient of the virus will not be alerted if Sobig is the virus.

Correct.

> This works fine for Sobig but I noticed that I am not receiving a virus notification for other viruses as well. So I tested the Eicar virus with the above in the recip.eml and without it. With that line in the recip.eml I do not get a notification for Eicar and without it I get a notification. Is this a feature, bug, or a misunderstanding on my part... Or possibly all of the above? :)

That isn't the intended behavior.

The debug mode should help here. To use it, change the LOGLEVEL LOW line in \IMail\Declude\virus.cfg to LOGLEVEL DEBUG. Then, send the test eicar.com file through (using our Test Virus Sender at http://www.declude.com/tools ), and then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send me the \IMail\spool\vir.log file (as an attachment, NOT sent from web messaging), and I can take a look at it to see what is happening.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
[Declude.Virus] W32.Neroma@mm virus in .jpg?
Now we have to worry about viruses in picture files?

http://www.eweek.com/article2/0%2C4149%2C1247120%2C00.asp?kc=EWMS102049TX1K0 100487
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.Virus] W32.Neroma@mm virus in .jpg?
> Now we have to worry about viruses in picture files?

Nope - it's a normal .EXE attachment (just disguised as 911.exe).

It's an old trick - either using double extensions (e.g. .JPG.EXE) or using MIME headers that refer to it as a picture - but the system file type is .EXE.

A good virus scanner would be detecting that style virus preventively since at least March 2003.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
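The two disguises described in the reply above (a double extension, and MIME headers that call an executable a picture), checked in code as an added Python example that is not part of the original post. It also inspects the first two bytes of the decoded content for the DOS/PE "MZ" signature, which goes slightly beyond the post; the extension list, function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; a short, non-exhaustive list (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}

def disguised_attachments(raw_bytes):
    """Return [(filename, [reasons])] for parts that pose as pictures or
    documents but would be run as programs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        # Windows ignores trailing dots and spaces, so strip them first.
        pieces = name.lower().rstrip(". ").split(".")
        ext = "." + pieces[-1].strip() if len(pieces) > 1 else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS and len(pieces) > 2:
            reasons.append("double extension")
        if ext in EXECUTABLE_EXTS and part.get_content_type().startswith("image/"):
            reasons.append("image MIME type on executable name")
        if payload[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
            reasons.append("MZ header behind non-executable name")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed message: two disguised parts and one genuine JPEG header."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    fake, real = b"MZ\x90\x00 constructed", b"\xff\xd8\xff\xe0 constructed"
    msg.add_attachment(fake, maintype="image", subtype="jpeg", filename="photo.jpg.exe")
    msg.add_attachment(fake, maintype="image", subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(real, maintype="image", subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in disguised_attachments(build_sample()):
        print(name, "->", ", ".join(reasons))
```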