RE: [sniffer] New virus...

2005-10-06 Thread John T (Lists)
No need to block zips, with Declude just add BANZIPEXTS ON to your
virus.cfg file since the payload is an exe within the zip and since we are
all already banning executable files, correct?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Wednesday, October 05, 2005 8:41 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New virus...
 Importance: High
 
 Hello sniffer,
 
   Hello folks... watch out for a new virus email with an attachment
   named pword _ change . zip - extra spaces added to skip filters
   ;-)
 
   We're adding some SNF rules to catch it. No word about it on virus
   lists or scanner services yet (that I can see).
 
   You may want to temporarily block .zip files - or at least this
   particular zip file until the new rules can be pushed out and the
   virus scanners catch up.
 
 Thanks,
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)
 
 
 This E-Mail came from the Message Sniffer mailing list. For information
and
 (un)subscription instructions go to
 http://www.sortmonster.com/MessageSniffer/Help/Help.html




RE: [sniffer] New virus...

2005-10-06 Thread Colbeck, Andrew
I suppose it depends on just how deep the sniffer signature goes...

Previous viruses including Sober.* have come in waves, with variants
that skirt all but the most intrusive antivirus blocking schemes.

I submitted a sample to the Norman Sandbox, which turned up different
information than the McAfee, Trend Micro et al writeups.  I googled the
CLSIDs that turned up and didn't come up with much, but a fascinating
thing was that they also hit on previous Norman Sandbox entry that
Google happened to have in its cache from Sep-25-2005.  Maybe the bad
guys are testing their software there before release? Hmmm...

So anyhow... If sniffer is *so* amazing that it could identify the CLSID
within an executable within a zip file within a MIME segment of a
message file, well, that would certainly be amazing, now wouldn't it?

I figure the CLSID is unlikely to change as quick as the distribution
method and packaging.

Andrew 8)

P.s. We'll see how well the shiny new Common Malware Enumeration scheme
pans out.  So far, the vendors' names for the malware are quite
different.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Thursday, October 06, 2005 12:02 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] New virus...
 
 No need to block zips, with Declude just add BANZIPEXTS ON to your
 virus.cfg file since the payload is an exe within the zip and 
 since we are all already banning executable files, correct?
 
 John T
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]
 On
  Behalf Of Pete McNeil
  Sent: Wednesday, October 05, 2005 8:41 PM
  To: sniffer@sortmonster.com
  Subject: [sniffer] New virus...
  Importance: High
  
  Hello sniffer,
  
Hello folks... watch out for a new virus email with an attachment
named pword _ change . zip - extra spaces added to skip filters
;-)
  
We're adding some SNF rules to catch it. No word about it on virus
lists or scanner services yet (that I can see).
  
You may want to temporarily block .zip files - or at least this
particular zip file until the new rules can be pushed out and the
virus scanners catch up.
  
  Thanks,
  _M
  
  Pete McNeil (Madscientist)
  President, MicroNeil Research Corporation Chief SortMonster 
  (www.sortmonster.com) Chief Scientist (www.armresearch.com)
  
  
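Pete's spaced-out filename ("pword _ change . zip") and Andrew's question about reaching a CLSID inside an executable inside a zip inside a MIME part call for the same piece of filter logic, so here is one added example that serves both. It is my code, not SortMonster's, Declude's or anything posted in this thread: it walks the MIME parts of a message, normalizes attachment filenames by stripping all whitespace before checking the extension (so the spacing trick does not get past a plain extension match), opens any zip payload (by extension or by the "PK" magic, so a renamed zip is still inspected) and flags members with executable extensions the way a BANZIPEXTS-style rule would, and finally reports any GUID-shaped strings found in each member. The banned-extension list, the placeholder GUID and the sample message are all constructed for the example; the GUID is not the one Andrew saw and the sample is not a real malware sample.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content. Assumption: a short list for the
# example; a production filter would carry the full set used in virus.cfg.
BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# GUID/CLSID-shaped ASCII strings, with or without surrounding braces.
GUID_RE = re.compile(rb"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?")


def normalize_filename(name):
    """Remove all whitespace and lowercase, so 'pword _ change . zip' and
    'pword_change.zip' compare equal."""
    return re.sub(r"\s+", "", name or "").lower()


def extension(name):
    """Extension of a normalized filename, including the dot ('' if none)."""
    name = normalize_filename(name)
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_zip(data):
    """Look inside a zip payload: flag members with banned extensions and
    report any GUID-shaped strings found in the first 1 MiB of each member."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a zip but does not parse as one"]
    for info in zf.infolist():
        ext = extension(info.filename)
        if ext in BANNED_EXTS:
            findings.append(f"zip member {info.filename!r} has banned extension {ext}")
        with zf.open(info) as fh:
            chunk = fh.read(1 << 20)
        for guid in sorted(set(GUID_RE.findall(chunk))):
            findings.append(f"zip member {info.filename!r} contains GUID {guid.decode()}")
    return findings


def scan_message(raw):
    """Walk every MIME part of a raw message and return a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        if not fname:
            continue
        ext = extension(fname)
        if ext in BANNED_EXTS:
            findings.append(f"attachment {fname!r} has banned extension {ext}")
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too, so a renamed zip is still opened.
        if ext == ".zip" or payload[:2] == b"PK":
            findings.extend(inspect_zip(payload))
    return findings


def build_sample():
    """Constructed sample message (not a real malware sample): a zip named with
    the spaced-out filename from the thread, containing a fake .exe whose body
    holds a placeholder GUID string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        body = b"MZ" + b"\0" * 64 + b"{12345678-1234-1234-1234-123456789abc}" + b"\0" * 16
        zf.writestr("pword_change.exe", body)
    msg = EmailMessage()
    msg["Subject"] = "Your new Password"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="pword _ change . zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print(line)
```

Run as-is it reports two findings for the constructed sample: the .exe member inside the zip, and the GUID string in that member. The point of the whitespace stripping is that the filter compares what the recipient's mail client will actually save, not the raw header value; the point of the magic-byte check is that the zip is opened whether or not the sender kept the .zip extension.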


RE: [sniffer] [Declude.JunkMail] 3.05.5 issues

2005-10-06 Thread Harry Vanderzand
Dual processor

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Wednesday, October 05, 2005 5:49 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
 
 Single CPU or Dual Processor CPU?
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Harry Vanderzand
 Sent: Wednesday, October 05, 2005 05:28 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
 
 And you also have sniffer working in persistent mode?
 
 Plus there is no spam leaking out?
 
 
 
 Harry Vanderzand
 inTown Internet  Computer Services
 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
 519-741-1222
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
  Sent: Wednesday, October 05, 2005 5:09 PM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
  
  I had the exact same problem.  I increased the process threads for 
  Declude, and it fixed the problem.  I set it to 100 for the 
 number of 
  threads.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  On Behalf Of Harry Vanderzand
  Sent: Tuesday, October 04, 2005 1:46 PM
  To: Declude.JunkMail@declude.com
  Cc: sniffer@SortMonster.com
  Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
  
  I have got it down to 15 and tried to set sniffer back to 
 persistent 
  mode again
   
  However I find that with sniffer in persistent mode as David 
  suggested, the proc directory starts backlogging, which means the 
  system is not keeping up with the flow of mail.
  Within 20 minutes I had 1400 files in the proc directory.  
 I stopped 
  the sniffer service and now it is gradually catching up.
   
  Any more suggestions as to what can get tuned?
   
  I appreciate the assistance
   
  Thank you
   
  
  Harry Vanderzand
  inTown Internet  Computer Services
  11 Belmont Ave. W., Kitchener, ON,N2M 1L2
  519-741-1222
  
   
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T 
  (Lists)
  Sent: Tuesday, October 04, 2005 1:06 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] 3.05.5 issues
  
  
  
  Trial and error is best. Set it to some thing like 20 
 and watch what 
  happens.
  
   
  
  John T
  
  eServices For You
  
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Harry 
  Vanderzand
  Sent: Tuesday, October 04, 2005 9:27 AM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] 3.05.5 issues
  
   
  
  thank you
  
   
  
  I was under the understanding given me by David from 
 Declude that it 
  was appropriate given the amount of power my hardware has.
  
   
  
  What would you recommend for my hardware?
  
   
  
  Thanks John, I always appreciate your active 
 involvement in the list
  
   
  
  Harry Vanderzand 
  inTown Internet  Computer Services 
  11 Belmont Ave. W., Kitchener, ON,N2M 1L2
  519-741-1222
  
   
  
   
  
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T 
  (Lists)
  Sent: Tuesday, October 04, 2005 12:11 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] 3.05.5 issues
  
  Your threads is way too high, and I suspect 
 that there are time outs 
  occurring and not all scanning is being done.
  
   
  
  John T
  
  eServices For You
  
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Harry 
  Vanderzand
  Sent: Tuesday, October 04, 2005 6:17 AM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] 3.05.5 issues
  
   
  
  I find that since being on the new version that 
 more spam is 
  slipping through.  We have imail v8.05, declude and sniffer on win 
  2000 server dual xeon 3.4Ghz with 2Gb ram.
   Threads are set to 50 with no other setting in declude.cfg
  
   
  
  Any advice you can give me to tighten it to 
 where we had it before?  
  I have had several clients complaining
  
   
  
  Other than changing from V2.06.16 to 3.05 
 nothing else has changed 
  on the server
  
   
  
  thank you
  
   
  
  

[sniffer] 3.05.5 issues continued

2005-10-06 Thread Harry Vanderzand
Does anyone know the defaults for the declude.cfg settings below?
WAITFORMAIL
WAITFORTHREADS   
WAITBETWEENTHREADS 

I am still trying to tune my server.  I have the max threads setting at 10
right now.  It seems way too low for a dual processor 3.4Ghz Xeon machine.
Yet any higher and more spam gets through that should have been caught.
Possibly there are timeouts occurring.  I also have sniffer but cannot keep
it in persistent mode as mail gets backlogged. 

I am aware that there was some kind of issue with dual cpu's but am not sure
exactly what it was or whether it has been solved yet or not.

I am wondering whether experimenting with the declude.cfg settings will help
me tune the machine.

One more issue I have seen too is that there are a few Q files left
stranded in the proc directory every day.  What's that about?

Hoping to get everything settled down so I can focus on other parts of my
business and go back to maintenance mode with my mail server.

Thanks for your feedback   

 

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

 





Re: [sniffer] New virus...

2005-10-06 Thread Darin Cox
That's only in Virus Pro, right?  I don't think BANZIPEXTS is available in
Standard or Lite.

Darin.


- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, October 06, 2005 3:01 AM
Subject: RE: [sniffer] New virus...


No need to block zips, with Declude just add BANZIPEXTS ON to your
virus.cfg file since the payload is an exe within the zip and since we are
all already banning executable files, correct?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Wednesday, October 05, 2005 8:41 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New virus...
 Importance: High

 Hello sniffer,

   Hello folks... watch out for a new virus email with an attachment
   named pword _ change . zip - extra spaces added to skip filters
   ;-)

   We're adding some SNF rules to catch it. No word about it on virus
   lists or scanner services yet (that I can see).

   You may want to temporarily block .zip files - or at least this
   particular zip file until the new rules can be pushed out and the
   virus scanners catch up.

 Thanks,
 _M

 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)




RE: [sniffer] 3.05.5 issues continued

2005-10-06 Thread Barry@Declude
The default values you are looking for are:

WAITFORMAIL3
WAITFORTHREADS 1500
WAITBETWEENTHREADS 1 

Barry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Harry Vanderzand
Sent: Thursday, October 06, 2005 7:28 AM
To: sniffer@SortMonster.com
Subject: [sniffer] 3.05.5 issues continued

Does anyone know the defaults for the declude.cfg settings below?
WAITFORMAIL
WAITFORTHREADS   
WAITBETWEENTHREADS 

I am still trying to tune my server.  I have the max threads setting at 10
right now.  It seems way too low for a dual processor 3.4Ghz Xeon machine.
Yet any higher and more spam gets through that should have been caught.
Possibly there are timeouts occurring.  I also have sniffer but cannot keep
it in persistent mode as mail gets backlogged. 

I am aware that there was some kind of issue with dual cpu's but am not sure
exactly what it was or whether it has been solved yet or not.

I am wondering whether experimenting with the declude.cfg settings will help
me tune the machine.

One more issue I have seen too is that there are a few Q files left
stranded in the proc directory every day.  What's that about?

Hoping to get everything settled down so I can focus on other parts of my
business and go back to maintenance mode with my mail server.

Thanks for your feedback   

 

Harry Vanderzand
inTown Internet  Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

 





RE: [sniffer] [Declude.JunkMail] 3.05.5 issues

2005-10-06 Thread Andy Schmidt
So this may be the known Declude problem with 3.x


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Harry Vanderzand
Sent: Thursday, October 06, 2005 07:13 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues


Dual processor

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Wednesday, October 05, 2005 5:49 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
 
 Single CPU or Dual Processor CPU?
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Harry Vanderzand
 Sent: Wednesday, October 05, 2005 05:28 PM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
 
 And you also have sniffer working in persistent mode?
 
 Plus there is no spam leaking out?
 
 
 
 Harry Vanderzand
 inTown Internet  Computer Services
 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
 519-741-1222
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
  Sent: Wednesday, October 05, 2005 5:09 PM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
  
  I had the exact same problem.  I increased the process threads for
  Declude, and it fixed the problem.  I set it to 100 for the 
 number of
  threads.
  
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]
  On Behalf Of Harry Vanderzand
  Sent: Tuesday, October 04, 2005 1:46 PM
  To: Declude.JunkMail@declude.com
  Cc: sniffer@SortMonster.com
  Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
  
  I have got it down to 15 and tried to set sniffer back to
 persistent
  mode again
   
  However I find that with sniffer in persistent mode as David
  suggested, the proc directory starts backlogging, which means the 
  system is not keeping up with the flow of mail.
  Within 20 minutes I had 1400 files in the proc directory.  
 I stopped
  the sniffer service and now it is gradually catching up.
   
  Any more suggestions as to what can get tuned?
   
  I appreciate the assistance
   
  Thank you
   
  
  Harry Vanderzand
  inTown Internet  Computer Services
  11 Belmont Ave. W., Kitchener, ON,N2M 1L2
  519-741-1222
  
   
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T
  (Lists)
  Sent: Tuesday, October 04, 2005 1:06 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] 3.05.5 issues
  
  
  
  Trial and error is best. Set it to some thing like 20
 and watch what
  happens.
  
   
  
  John T
  
  eServices For You
  
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Harry
  Vanderzand
  Sent: Tuesday, October 04, 2005 9:27 AM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] 3.05.5 issues
  
   
  
  thank you
  
   
  
  I was under the understanding given me by David from
 Declude that it
  was appropriate given the amount of power my hardware has.
  
   
  
  What would you recommend for my hardware?
  
   
  
  Thanks John, I always appreciate your active
 involvement in the list
  
   
  
  Harry Vanderzand 
  inTown Internet  Computer Services 
  11 Belmont Ave. W., Kitchener, ON,N2M 1L2
  519-741-1222
  
   
  
   
  
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T
  (Lists)
  Sent: Tuesday, October 04, 2005 12:11 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] 3.05.5 issues
  
  Your threads is way too high, and I suspect
 that there are time outs
  occurring and not all scanning is being done.
  
   
  
  John T
  
  eServices For You
  
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Harry
  Vanderzand
  Sent: Tuesday, October 04, 2005 6:17 AM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] 3.05.5 issues
  
   
  
  I find that since being on the new version that
 more spam is
  slipping through.  We have imail v8.05, declude and sniffer on win
  2000 server dual xeon 3.4Ghz with 2Gb ram.
   Threads are set to 50 with no other setting in 

Re: [sniffer] [Declude.Virus] Possible new virus

2005-10-06 Thread Darin Cox



Another possible variant overnight at 4:30AM 
ET. Same routing as the new Sober variant from yesterday, but different 
attachment: screen_photo.zip
Darin.


- Original Message - 
From: Darin Cox 
To: Declude.Virus@declude.com 
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip 
attached. May want to block it in your virus.cfg.

Subject is "Your new Password". All so 
far were routed through gmx.net or web.de just before delivery, but are 
originating from a variety of dial-up or broadband ISP 
accounts.
Darin.




Re: [sniffer] New virus...

2005-10-06 Thread Joe Wolf / Internet Specialists, LLC
If you are running your mail server only for yourself feel free to ban 
.exe's and .zip's.  If you are providing mail services to others I STRONGLY 
suggest you consult an attorney that specializes in Internet related 
matters.  There have been a couple of recent cases where ISPs have been 
held responsible for non-delivery of messages.


I asked two for an opinion on the matter and was told that we should not 
block or hold any messages unless we believe them to be a specific threat to 
our systems.  After the smoke cleared we came to the conclusion that it's OK 
to block known viruses and threats, but they had to be known.  We no 
longer hold or delete any known SPAM.  We let the users or domain admins 
determine via rules what they want to block.


I also checked with our errors and omissions insurance provider and was told 
that we would not be covered for non-delivery issues if it was a deliberate 
act on our part to block them.


This has become a hot issue that few want to discuss.  It's nearly 
impossible to find an attorney well versed in the field.  As more become 
aware of the issue I suspect it will become a popular point to litigate (has 
your ISP caused you damage by failing to deliver important information?, 
etc.).


The bottom line is that if you block items like all .exe's or all .zip's you 
are taking the responsibility for non-delivery.  In the two cases I found 
one had a disclaimer, and the other a written TOS.  It didn't help either in 
court.


Just be very careful.

-Joe
- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]

To: sniffer@SortMonster.com
Sent: Thursday, October 06, 2005 2:01 AM
Subject: RE: [sniffer] New virus...


No need to block zips, with Declude just add BANZIPEXTS ON to your
virus.cfg file since the payload is an exe within the zip and since we are
all already banning executable files, correct?

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

On

Behalf Of Pete McNeil
Sent: Wednesday, October 05, 2005 8:41 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New virus...
Importance: High

Hello sniffer,

  Hello folks... watch out for a new virus email with an attachment
  named pword _ change . zip - extra spaces added to skip filters
  ;-)

  We're adding some SNF rules to catch it. No word about it on virus
  lists or scanner services yet (that I can see).

  You may want to temporarily block .zip files - or at least this
  particular zip file until the new rules can be pushed out and the
  virus scanners catch up.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

