I would add Mailpure's ANTI-AV filter to eliminate these bounces. I've also seen that F-Prot does a slightly better job of catching the corrupted variants than McAfee.
<<< [EMAIL PROTECTED] 6/12 4:22p >>>

Begin using the banned extension option with Declude (see virus.cfg). Then any attachment with a .SCR or whatever is blocked at the server level and the user doesn't see it. This is the way I have our server configured concerning banned file extensions and banned file names:

BANEXT scr
BANEXT pif
BANEXT exe
BANEXT com
BANEXT EZIP
BANEXT cpl
BANEXT ad
BANEXT adb
BANEXT adp
BANEXT asd
BANEXT asp
BANEXT BAS
BANEXT BAT
BANEXT cab
BANEXT ceo
BANEXT chm
BANEXT CMD
BANEXT COM
BANEXT crt
BANEXT data
BANEXT dbx
BANEXT dll
BANEXT hlp
BANEXT HTA
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT link
BANEXT mch
BANEXT mde
BANEXT mdx
BANEXT msc
BANEXT MSI
BANEXT MSP
BANEXT MST
BANEXT nch
BANEXT nws
BANEXT pcd
BANEXT php
BANEXT pl
BANEXT pi
BANEXT ocx
BANEXT ods
BANEXT REG
BANEXT SCT
BANEXT shb
BANEXT shs
BANEXT sht
BANEXT sys
BANEXT unk
BANEXT uue
BANEXT VB
BANEXT VBE
BANEXT VBS
BANEXT vbx
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEXT wab
BANEXT ws
BANEXT WSC
BANEXT WSF
BANEXT WSH
BANEXT xml
BANNAME photo.zip
BANNAME private.zip
BANNAME report.zip
BANNAME Wendy.zip
BANNAME p_usb.zip
BANNAME You_will_answer_to_me.zip
BANNAME Attach.rar
BANNAME Details.rar
BANNAME details.rar
BANNAME Document.rar
BANNAME Encrypted.rar
BANNAME first_part.rar
BANNAME Gift.rar
BANNAME Info.rar
BANNAME Information.rar
BANNAME Message.rar
BANNAME MoreInfo.rar
BANNAME pub_document.rar
BANNAME Readme.rar
BANNAME Text.rar
BANNAME text_document.rar
BANNAME TextDocument.rar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Walters
Sent: Saturday, June 12, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Getting hammered by [EMAIL PROTECTED]

Hi,

We're running Declude Virus Pro paired with McAfee NetShield v4.5 (the full version, so we can have the Command Line Scanner) with the latest signature files. We're also running Symantec Corporate Edition v8.0 on the desktop with the latest signature files.

Lately we've experienced several infections where the [EMAIL PROTECTED] Virus has slipped past McAfee and landed in our Netscape v4.79 Inbox. As soon as somebody opens their Inbox, Symantec detects the virus and quarantines the whole Inbox (obviously including all the other non-infected emails)!

I realize this is more likely a failure of McAfee and not Declude, however I'm wondering if Declude could possibly be not decoding the email properly and presenting it to the McAfee Command Line Scanner in such a way as to cause it to mis-detect the virus?

What's really strange is the email appears to be one of those "friendly" informative bounces, attempting to tell me I sent them a virus. Firstly, I didn't and secondly - WTF would somebody return a "you have a virus" message WITH THE ACTUAL VIRUS STILL ATTACHED?!?

Here's a copy of one of the infected emails (sans the actual virus) as it looks when viewed from the Inbox using NotePad:

>From - Fri May 28 09:10:15 2004
Received: from redwing.mail.pas.earthlink.net [207.217.120.246] by roycemedical.com with ESMTP (SMTPD32-8.05) id AC33279B002A; Thu, 27 May 2004 20:04:19 -0700
Received: from exim by redwing.mail.pas.earthlink.net with local (Exim 3.36 #1) id 1BTXg8-0007cR-00 for [EMAIL PROTECTED]; Thu, 27 May 2004 20:05:04 -0700
X-Failed-Recipients: [EMAIL PROTECTED]
From: Mail Delivery System <[EMAIL PROTECTED]>
To: joe.parl

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
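Added example, not part of the thread and not Declude's own code: a small Python check that applies BANEXT/BANNAME lines like those quoted above to a bounce that carries the returned message as an attachment, the case described in the original post. The matching rules (case-insensitive, last extension only) and all function names are assumptions made for illustration, not Declude's documented behaviour; the config excerpt and the bounce are constructed samples.

```python
from email.message import EmailMessage

# Constructed excerpt in the BANEXT/BANNAME style quoted in the thread.
SAMPLE_CFG = """\
BANEXT scr
BANEXT pif
BANEXT COM
BANNAME photo.zip
BANNAME Details.rar
"""

def load_bans(cfg_text):
    """Return (banned extensions, banned file names), lower-cased (assumption)."""
    exts, names = set(), set()
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].strip().lower()
        if key == "BANEXT":
            exts.add(value.lstrip("."))
        elif key == "BANNAME":
            names.add(value)
    return exts, names

def banned_attachments(msg, exts, names):
    """List filenames in msg, including nested messages, that hit a ban."""
    hits = []
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        filename = part.get_filename()
        if not filename:
            continue
        lowered = filename.lower()
        ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if lowered in names or ext in exts:
            hits.append(filename)
    return hits

def build_sample_bounce():
    """Constructed bounce: a notice plus the returned message and its attachment."""
    original = EmailMessage()
    original["Subject"] = "constructed original"
    original.set_content("see attachment")
    original.add_attachment(b"placeholder bytes", maintype="application",
                            subtype="octet-stream", filename="Document.TXT.SCR")
    bounce = EmailMessage()
    bounce["Subject"] = "Mail delivery failed"
    bounce.set_content("Your message was rejected.")
    bounce.add_attachment(original)  # attached as message/rfc822
    return bounce
```

The attachment is found two levels down, inside the returned message, which is why the check walks every MIME part instead of only the top-level ones.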
