Shayne: I haven't heard anything from anyone else. To the existing SKIPIFFORGING, I have added the following to sender, recip, and postmaster eml's. I know it is just covering up the underlying problem, but a cure is a cure. Will let you know if it helps.
SKIPIFVIRUSNAMEHAS Mytob John -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry Sent: Friday, April 15, 2005 11:53 AM To: [email protected] Subject: RE: [Declude.Virus] Skipifforging not working on Mytob I have also been experiencing this, for over a week. I'm only using F-Prot, but have added the appropriate lines to eml and virus.cfg files as John has. The only other difference is that I'm using SmarterMail. Shayne > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John Carter > Sent: Friday, April 15, 2005 10:48 AM > To: [email protected] > Subject: [Declude.Virus] Skipifforging not working on Mytob > > > Shortly after adding ClamAV to the Imail Server a few days ago, my > system started sending virus notices on Mytob (and so far, only Mytob) > even though I have SKIPIFFORGING in the sender.eml, recip.eml and > postmaster.eml, plus I have Mytob in the list of forging viruses in > the virus.cfg. In the virus log lines below, scanner 1 is F-Prot and > scanner 2 is ClamAV. > The timing to the addition to ClamAV may be only a coincidence. > > Any ideas about what's happening? > > Thanks, > John > > Notice lines: > ================================================================== > Declude Virus 2.0.5 caught a incoming virus > > Subject: hello > From: [Forged] > To: [EMAIL PROTECTED] > Msg ID: <[EMAIL PROTECTED]> > Queue#: D74590703010e25a9.SMD > Remote IP: 63.197.109.187 > Virus Name/File: W32/[EMAIL PROTECTED] data.zip > > postmaster.eml > ================================================================== > SKIPIFFORGING > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Subject: E-mail virus notice > > Declude Virus %VERSION% caught a %INOROUT% virus > > Subject: %SUBJECT% > From: %MAILFROM% > To: %ALLRECIPS% > Msg ID: %MSGID% > Queue#: %QUEUENAME% > Remote IP: %REMOTEIP% > Virus Name/File: %VIRUSNAME% %VIRUSFILE% > > Headers: > %HEADERS% > > Virus log lines: > ==================================================================== > 04/15/2005 02:59:36 Q74590703010e25a9 Banning .ZIP file with exe > extension. 04/15/2005 02:59:36 Q74590703010e25a9 Scanner > 1: Virus=W32/[EMAIL PROTECTED] Attachment=data.zip [36] I > 04/15/2005 02:59:37 Q74590703010e25a9 Scanner 2: Virus= > Worm.Mytob.T-2 Attachment=data.zip [36] I 04/15/2005 02:59:37 > Q74590703010e25a9 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 1] > 04/15/2005 02:59:37 Q74590703010e25a9 Deleting file with virus > 04/15/2005 02:59:37 Q74590703010e25a9 Deleting E-mail with virus! > 04/15/2005 02:59:37 Q74590703010e25a9 Scanned: > CONTAINS A VIRUS [MIME: 2 58859] 04/15/2005 02:59:37 > Q74590703010e25a9 From: [Forged] To: [EMAIL PROTECTED] [incoming > from 63.197.109.187] 04/15/2005 02:59:37 > Q74590703010e25a9 Subject: hello > > --- > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
