I'm running late catching up on my Declude lists today, so forgive me for jumping in here - not only late but in the middle of the thread.
Twice today I have been sitting at local users' machines for unrelated tasks, and in both cases I noticed notifications in their local email inboxes warning about inbound Sobig messages. I didn't give it a lot of notice at the time; I knew we got a zillion of them already. The problem is that I have had "SKIPIFVIRUSNAMEHAS Sobig" in both recip.eml and sender.eml for a long time now, long enough that several other entries are in there now under the Sobig lines. Something's wacky, but I haven't had a spare moment to do any log investigation yet.

The only thing that's unusual here is I was also seeing something that others have mentioned: my F-Prot is catching this and my McAfee was not, so I was only getting hits using my Scanner2, and not my Scanner1. I can't imagine why that might matter, but I do know that the "SKIPIF..." lines ordinarily work without fail.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, 20 August 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications

Ah, but that is why in the virus.cfg file, you put a line in like this:

FORGINGVIRUS sobig

This way, the sender e-mail address is replaced with [Forged].

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
> Sent: Wednesday, August 20, 2003 6:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
>
> Yes, but it's not good marketing when the receiver then phones the sender, who
> is an innocent victim, and threatens him with some less nice things
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: 20. august 2003 15:44
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
>
> I put it in the sender.eml and otherpostmaster.eml. I still want the
> recipient to get it. Good marketing. We are doing our job. Of course, I want
> to see it.
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
> > Sent: Wednesday, August 20, 2003 6:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> > you put it in every .eml file in the declude folder
> >
> > as the first line
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Tim Collins
> > Sent: 20. august 2003 15:08
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> > What configuration file do you put 'SKIPIFVIRUSNAMEHAS Sobig' in and
> > what exactly does it do with the message?
> >
> > New ISP owner,
> >
> > Tim Collins
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
> > Sent: Wednesday, August 20, 2003 7:00 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> > just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook
> > Sent: 20. august 2003 14:45
> > To: Declude Virus Mailing list (E-mail)
> > Subject: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> > I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
> > success:
> >
> > SKIPIFVIRUSNAMEHAS W32/Sobig.F
> > SKIPIFVIRUSNAMEHAS Sobig.F
> >
> > There is just one space between the SKIPIFVIRUSNAMEHAS and vulnerability.
> > What is everyone else using? Also, for the next time, will the
> > vulnerability name be what is reported by the %VIRUSNAME% variable or
> > something else?
> >
> > Thanks,
> > Steve
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To unsubscribe,
> > just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus". The archives can be found
> > at http://www.mail-archive.com.
