RE: [Declude.Virus] BanNotify email not being sent
John,

Using Declude 4.3.30. Here are the log snippets:

IMail Log

04:30 15:20 SMTPD(417801bbe648) [10.0.136.32] connect 208.74.87.254 port 3607
04:30 15:20 SMTPD(417801bbe648) [208.74.87.254] EHLO hradt
04:30 15:20 SMTPD(417801bbe648) Authenticated [EMAIL PROTECTED], session treated as local.
04:30 15:20 SMTPD(417801bbe648) [208.74.87.254] MAIL FROM: [EMAIL PROTECTED]
04:30 15:20 SMTPD(417801bbe648) [208.74.87.254] RCPT TO: [EMAIL PROTECTED]
04:30 15:20 SMTPD(417801bbe648) [x] looking up globalweb.net in HOSTS
04:30 15:20 SMTPD(417801bbe648) [208.74.87.254] \spool\D417801bbe648.SMD 4858785

Declude Log

04/30/2007 15:21:22.593 q417801bbe648.smd Skipping E-mail from authenticated user [EMAIL PROTECTED]@imail.globalweb.net; whitelisted.
04/30/2007 15:21:27.953 q417801bbe648.smd LAST ACTION: Moving file to virus hold directory: e:\spool\virus

Virus Log

04/30/2007 15:21:22.796 q417801bbe648.smd Vulnerability flags = 256
04/30/2007 15:21:26.406 q417801bbe648.smd Scanned: Banned file extension. [MIME: 2 3550162]

From: John T (lists) [EMAIL PROTECTED]
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

What version of Declude? I am using 4.3.47 and it is working. What does the Virus log say?

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent

It was recently brought to my attention by a customer that the BanNotify email is not being sent out from our server when necessary. I tried sending myself a test email with an .exe file attached, and sure enough, the message is trapped but the notice is not sent out. Using Declude v4.x.

Thanks!
Randy A.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] BanNotify email not being sent
I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A.

From: John T (lists) [EMAIL PROTECTED]
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

What version of Declude? I am using 4.3.47 and it is working. What does the Virus log say?

John T
RE: [Declude.Virus] BanNotify email not being sent
John,

I should have known to go to DEBUG mode first. Here's what is showing there:

05/02/2007 17:27:31.265 q0225028073d8.smd Not sending .eml file since AUTOFORGING detected a forging virus.

I sent a regular .exe program install file in the test. The question now is - why is this being picked up as a forging virus?

Randy A.

From: John T (lists) [EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 12:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

1) Put your virus log into debug and then try sending a banned extension attachment.
2) Post your bannotify.eml file as a text attachment.

John T

BANnotify.txt Description: Binary data
RE: [Declude.Virus] BanNotify email not being sent
q0225028073d8.smd Comparing |exe| to SKIPEXTs and BANEXTs
05/02/2007 17:27:29.000 q0225028073d8.smd Banning file with exe extension [application/x-msdownload].
05/02/2007 17:27:29.000 q0225028073d8.smd NOT PLAINTEXT: application/x-msdownload.
05/02/2007 17:27:29.000 q0225028073d8.smd MIMELAYER--
05/02/2007 17:27:29.000 q0225028073d8.smd Done Recursing...
05/02/2007 17:27:29.000 q0225028073d8.smd Hit end of layer
05/02/2007 17:27:29.000 q0225028073d8.smd MIMELAYER layer--
05/02/2007 17:27:29.000 q0225028073d8.smd 0 - aspupload.exe
05/02/2007 17:27:29.000 q0225028073d8.smd Scanning files (0 scanners)
05/02/2007 17:27:31.187 q0225028073d8.smd AVG Reports No Virus
05/02/2007 17:27:31.203 q0225028073d8.smd 0:
05/02/2007 17:27:31.203 q0225028073d8.smd Starting EXT check .
05/02/2007 17:27:31.203 q0225028073d8.smd 1: aspupload.exe MZP
05/02/2007 17:27:31.203 q0225028073d8.smd Found an EXE file
05/02/2007 17:27:31.203 q0225028073d8.smd Starting EXT check exe.
05/02/2007 17:27:31.203 q0225028073d8.smd e:\spool\proc\work\D0225028073d8.vir\*.*
05/02/2007 17:27:31.203 q0225028073d8.smd 0.exe
05/02/2007 17:27:31.265 q0225028073d8.smd Deleted e:\spool\proc\work\D0225028073d8.vir\0.exe.
05/02/2007 17:27:31.265 q0225028073d8.smd han=13da30 b=False
05/02/2007 17:27:31.265 q0225028073d8.smd High code=20.
05/02/2007 17:27:31.265 q0225028073d8.smd AV returned 20
05/02/2007 17:27:31.265 q0225028073d8.smd Scanned: Banned file extension. [MIME: 2 790128]
05/02/2007 17:27:31.265 q0225028073d8.smd C:\IMail\Declude\BANnotify.eml
05/02/2007 17:27:31.265 q0225028073d8.smd Starting E-mail file C:\IMail\Declude\BANnotify.eml
05/02/2007 17:27:31.265 q0225028073d8.smd Not sending .eml file since AUTOFORGING detected a forging virus.
05/02/2007 17:27:31.265 q0225028073d8.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 208.74.87.254]
05/02/2007 17:27:31.265 q0225028073d8.smd Subject: Test exe
05/02/2007 17:27:31.359 q0225028073d8.smd feof=16, ferr=0
05/02/2007 17:27:31.500 q0225028073d8.smd Moving file to virus hold directory: e:\spool\virus

From: John T (lists) [EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 7:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

Sorry to bother, but please post the rest of the lines from the debug log for that message.

John T
[Declude.Virus] Partial Vulnerability test failures on legitimate email
Does anyone know which Outlook Vulnerability test to REM out in the virus.cfg to keep the [Partial Vulnerability] test from failing? We are on 4.3.59 and this test is catching a number of legitimate emails recently, and I need to turn this test off until the vulnerability test fix is done so I can try it again. Has MS made updates to Outlook to affect this? This has just started on us about 5 days ago.

Randy A.
Global Web Solutions Inc
Re: [Declude.Virus] Partial Vulnerability test failures on legitimate email
Thanks for the response!

Randy A.

- Original Message -
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Thursday, October 11, 2007 5:14 PM
Subject: RE: [Declude.Virus] Partial Vulnerability test failures on legitimate email

Hi,

Actually, the Partial/Fragmented Vulnerability is one that ideally should be left in place. I'm not certain that this test can be circumvented individually - at least it's not on this list: http://www.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp.

Before HTML messages and picture attachments - and consequently support for messages that are many megabytes in size - there was a frequently used option (especially for NNTP newsgroups, if I recall correctly) where email software would split a message into smaller fragments and then send each fragment as one email. The receiving software would look for the fragments and re-assemble them into a single message.

Since it prevents virus detection at the server level, fragmented messages should no longer be accepted (and, with today's technology and size allowances, there really is no use for it). I have seen some devices (such as a Ricoh Scanner/Fax/Printer combination) that still have the setting to create fragments after xx KB. And even Outlook Express can still generate fragments (see screenshot). However, I've never had trouble explaining to clients (and senders) why this option should remain off.

Best Regards,
Andy

image001.png
Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability
The AOL Feedback loop creates a lot of these false positives also... we deactivated this test in our Declude a while back.

---
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
http://globalweb.net

- Original Message -
From: Matt [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, December 03, 2007 11:41 AM
Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

Disable it and be done with it. There is no option to partially support the issue, and the issue is very likely not a threat. Just because something isn't RFC compliant doesn't mean that it is a threat. The vulnerability was from Outlook displaying attachments that were hidden by bad encoding, but that flaw was likely patched, or at least it has not been exploited in mass.

Matt

Mon Mariola - Rubén wrote:

Matt,

So far, the only case where I find this vulnerability is in the mail sent from the program Incredimail. If these lines are actually prohibited in the RFC, it is safer to seek Incredimail technical support to solve your problem. But I fear that the explanation in the Declude manual is false and that there is a section in the RFC that says clearly that these lines are not allowed.

Thank you.

Ruben Marti.
Mon Mariola, S.L.

- Original Message -
From: Matt
To: declude.virus@declude.com
Sent: Monday, December 03, 2007 4:15 PM
Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability

Ruben,

In your Virus.cfg file, add the following line:

ALLOWVULNERABILITYOLBLANKFOLDING

This will turn off this vulnerability detection. There have been no viruses that I know of that have exploited this flaw, and it is quite possible that this flaw no longer exists since it is around 5 years old now. You might also want to consider turning off other vulnerability detections due to the propensity of them hitting legitimate E-mail.

Here's a list:

BANPARTIALOFF
ALLOWVULNERABILITYOLCR
ALLOWVULNERABILITYOLSPACEGAP
ALLOWVULNERABILITYOLMIMESEGMIMEPRE
ALLOWVULNERABILITYMIMESEGMIMEPOST
ALLOWVULNERABILITYOLLONGFILENAME
ALLOWVULNERABILITYOLBLANKFOLDING
ALLOWVULNERABILITYOBJECTDATA
ALLOWVULNERABILITYOLBOUNDARYSPACEGAP
ALLOWVULNERABILITYOLMIMEHEADER
ALLOWVULNERABILITYOLLONGBOUNDARY

Matt

Mon Mariola - Rubén wrote:

The program Incredimail generates subjects, in certain cases, ending with 0D 0A 09 0D 0A. These messages are captured by Declude Virus as Outlook 'Blank Folding' Vulnerability. I want to send a letter requesting technical support to solve this problem, but I really do not see the point 3.2.3 in RFC 822 indicating that this is not allowed.

Thank you.

Ruben Marti.
Mon Mariola, S.L.

From the Declude manual:

Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there is a line in the headers with just a single space or a single tab character. Outlook can treat this as the end of the headers, allowing it to see a virus that is embedded in the headers. RFC822 3.2.3 says that it is not valid to have such lines, nor is there any legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab (note that it is OK to have a line with a single space or tab in the E-mail body, just not the headers).
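Two of the tests discussed in these threads can be reproduced outside Declude, so an administrator can see exactly what in a message trips them before adding an ALLOWVULNERABILITY line or BANPARTIALOFF: the 'Blank Folding' check from the manual text quoted above (a header line that is only a single space or tab) and the Partial/Fragmented check Andy Schmidt explained in the earlier thread (the MIME type defined for that splitting is message/partial). The script below is an added example written for this page, not Declude's code; the sample messages are constructed, and the one modelled on Incredimail follows Ruben's description of a subject ending in the bytes 0D 0A 09 0D 0A.

```python
import re

OL_BLANK_FOLDING = "Outlook 'Blank Folding' Vulnerability"
PARTIAL_MESSAGE = "Partial/Fragmented Vulnerability"


def _split_message(raw: bytes):
    """Split a raw RFC 822 message into header lines and body.

    Accepts CRLF or bare LF. The header block ends at the first truly empty
    line; a line holding only a space or tab is NOT treated as the end, which
    is exactly the disagreement with Outlook that the check is about.
    """
    text = raw.replace(b"\r\n", b"\n")
    head, _sep, body = text.partition(b"\n\n")
    return head.split(b"\n"), body


def find_blank_folding(raw: bytes):
    """1-based header line numbers that consist of exactly one space or one tab."""
    header_lines, _ = _split_message(raw)
    return [n for n, line in enumerate(header_lines, start=1) if line in (b" ", b"\t")]


def is_partial_message(raw: bytes) -> bool:
    """True if the top-level Content-Type is message/partial (a fragment)."""
    header_lines, _ = _split_message(raw)
    # Unfold continuation lines first so a wrapped Content-Type is matched whole.
    unfolded = re.sub(rb"\n[ \t]+", b" ", b"\n".join(header_lines))
    return re.search(rb"(?im)^content-type:[ \t]*message/partial\b", unfolded) is not None


def check_message(raw: bytes):
    """Names of the vulnerability tests this message would trip (empty list = clean)."""
    hits = []
    if find_blank_folding(raw):
        hits.append(OL_BLANK_FOLDING)
    if is_partial_message(raw):
        hits.append(PARTIAL_MESSAGE)
    return hits


# Constructed samples, not real traffic.
INCREDIMAIL_STYLE = (
    b"From: sender@example.invalid\r\n"
    b"To: rcpt@example.invalid\r\n"
    b"Subject: Hello\r\n\t\r\n"           # bytes 0D 0A 09 0D 0A after the subject
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"body text\r\n"
)

FRAGMENT = (
    b"From: sender@example.invalid\r\n"
    b"Content-Type: message/partial;\r\n"
    b" id=\"abc@example.invalid\"; number=1; total=3\r\n"
    b"\r\n"
    b"first third of a bigger message\r\n"
)

CLEAN = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Hi\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"line one\r\n"
    b" \r\n"                               # single-space line in the BODY: allowed
    b"line two\r\n"
)

if __name__ == "__main__":
    for name, msg in (("incredimail", INCREDIMAIL_STYLE), ("fragment", FRAGMENT), ("clean", CLEAN)):
        print(name, check_message(msg) or "clean")
```

Run as a script it prints which test each sample trips; the single-space line inside the CLEAN body is deliberately left alone, matching the manual's note that such lines are only a problem inside the headers. On the RFC question Ruben raised: RFC 5322 section 4.2 admits a header line composed entirely of white space only under its obsolete syntax, so flagging it in newly generated mail is defensible, while whether to hold or allow it remains the policy decision Matt describes.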
[Declude.Virus] New Virus (.exe) in a zip attachment?
We just saw a new apparent virus/phishing threat come across, trying to pose as a failed UPS delivery notice. The file attached was called UPS_INVOICE_978172.zip and included a .exe file within. Is there any way to catch these in the BanFile area of Declude? We do allow banned files within a zip in our current config. It would have to be set up as a wild card, I imagine (assuming the numbers in the file name would change). We've only seen one of these so far, so we do not have anything else to compare to, to see if the name is changing or not.

---
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
http://globalweb.net
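One way to catch this class of lure on the server, as an added example written for this page rather than anything Declude ships: open the zip attachment, look for banned extensions inside it (recursing into nested zips to a fixed depth), and also match the attachment name against a wildcard. The pattern UPS_INVOICE_*.zip generalises the one sample name in the post on the assumption that only the number changes; the banned-extension list is likewise an assumption to be aligned with your own BANEXT policy. The sample archives are constructed in memory.

```python
import fnmatch
import io
import zipfile

# Extensions treated as banned inside an archive (assumed list; align with your BANEXT policy).
BANNED_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Wildcard name patterns; UPS_INVOICE_*.zip is an assumption generalising the one reported name.
SUSPECT_NAME_PATTERNS = ["UPS_INVOICE_*.zip"]


def _extension(name: str) -> str:
    """Lower-cased final extension of a member name, '' if none (directory entries included)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def banned_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 3):
    """Names of members with a banned extension, recursing into nested zips.

    Nested paths are reported as outer.zip/inner.exe. Recursion stops at
    max_depth so a deeply nested archive cannot make the scan run away, and
    encrypted members are reported rather than silently skipped.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]
    found = []
    with zf:
        for info in zf.infolist():
            ext = _extension(info.filename)
            if ext in BANNED_EXTS:
                found.append(info.filename)
            elif ext == "zip" and depth < max_depth:
                try:
                    inner = zf.read(info)
                except RuntimeError:          # encrypted member, no password available
                    found.append(info.filename + " <encrypted>")
                    continue
                found.extend(info.filename + "/" + m
                             for m in banned_members(inner, depth + 1, max_depth))
            elif ext == "zip":
                found.append(info.filename + " <nesting limit reached>")
    return found


def name_is_suspect(filename: str) -> bool:
    """Case-insensitive wildcard match of the attachment name."""
    return any(fnmatch.fnmatchcase(filename.lower(), p.lower()) for p in SUSPECT_NAME_PATTERNS)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine the name rule and the content rule into a hold decision."""
    members = banned_members(data) if _extension(filename) == "zip" else []
    name_hit = name_is_suspect(filename)
    return {"name_match": name_hit, "banned_members": members,
            "hold": name_hit or bool(members)}


def _build_zip(entries: dict) -> bytes:
    """Build a zip in memory from {member name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure-style archive, a nested one, and a clean one.
SAMPLE_LURE = _build_zip({"UPS_INVOICE_978172.exe": b"MZ" + b"\0" * 16})
SAMPLE_NESTED = _build_zip({"inner.zip": _build_zip({"setup.scr": b"MZ"})})
SAMPLE_CLEAN = _build_zip({"invoice.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    print(assess_attachment("UPS_INVOICE_978172.zip", SAMPLE_LURE))
    print(assess_attachment("photos.zip", SAMPLE_NESTED))
    print(assess_attachment("photos.zip", SAMPLE_CLEAN))
```

The content rule is the one that matters once the sender changes the file name; the name pattern only adds an early hold for the exact campaign seen. Reporting encrypted and over-nested members as findings, rather than ignoring them, is deliberate: an archive the scanner cannot look into is not evidence that it is clean.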