Re: REVDNS:Re: [Declude.Virus] subscribe message
instead of notifying the postmaster, can you send the notify to a group alias and set up more than one person to receive the postmaster message? That way more people will get the message to assist the person with the virus... just a thought...

bob

On Tuesday, August 7, 2001 5:02 PM, David Deza [EMAIL PROTECTED] wrote:

Do you think it will be possible in near future? I think it's an important feature to protect the prestige of the company and not only notify to a customer (out going messages) that our virus protection system has detected the virus and not send the e-mail, but to hide that the company has a virus in one of its computers. We can only notify to our postmaster, but the problem with this is that maybe the postmaster is out and the sender of the e-mail doesn't know that his e-mail has not been sent. Please advise.

David

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 12:56 AM
Subject: Re: REVDNS:Re: [Declude.Virus] subscribe message

One simple question. I have just installed declude virus. If the sender is a user from my organization I only want to notify the sender, and not the recipient (I do not want that somebody out of my company knows that we have a virus), but when the virus is sent by somebody out of my office I want to notify both the sender and the recipient. Is this possible?

That is not currently possible. You can have Declude not notify the recipient, but in that case it will never notify the recipient (whether the E-mail is incoming or outgoing).

-Scott

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] BADWHOIS:using rules vs Declude
Hi,

Just wondering, is there a way to have imail rules enacted before Declude does? The reason I ask is it would be nice to have the H a h a h a S e x y Fun virus not have e-mails sent to the sender or recipient, and just be trashed. Any ideas?

bob
BADWHOIS:Re: [Declude.Virus] using rules vs Declude
so what about a change to declude so that certain viruses (or subjects, whatever) would get passed through to rules?

On Wednesday, August 22, 2001 12:02 PM, R. Scott Perry [EMAIL PROTECTED] wrote:

Just wondering, is there a way to have imail rules enacted before Declude does? The reason I ask is it would be nice to have the H a h a h a S e x y Fun virus not have e-mails sent to the sender or recipient, and just be trashed.

I can't think of any way of doing that. IMail's rules run during the delivery procedure (the IMail SMTP process as opposed to the SMTPD process that receives them), and Declude always gets called before that.

-Scott
Re: [Declude.Virus] New W32/Goner-A virus
So if you use the banext, the mail is not delivered if the attachment matches the extension but there is no notification at all?

example

banext scr

I get a message that has an scr attachment but not a virus. The message is not delivered and there is no notification as to the non-delivery? If this is the case, is there any way to just strip the attachment and send the message?

thanks scott!!!

bob

On Tuesday, December 4, 2001 1:43 PM, R. Scott Perry [EMAIL PROTECTED] wrote:

and will it scan first and if no virus is found will it then ban it? thereby sending the notification if it is known to be infected?

That is correct -- the E-mail will still be scanned, and the notifications will be sent out if it contains a virus.

-Scott

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re: [Declude.Virus] [IMail Forum] [Kinda OT... It's A Gloat] Declude And F-Prot - What Else...
I changed lists to declude as it's more relevant.

the auto update is nice but IMO the scheduled bat file is nicer. I slightly modified the ftp script to include a dir list of the *.def files before and after getting the updated files. The info is e-mailed to me in the script. that way, I know in the morning if I have new def files from the prior night also I know that it worked as I get results in e-mail as well...

bob

On Friday, December 14, 2001 1:52 PM, T. Bradley Dean [EMAIL PROTECTED] wrote:

It's Friday so I figured gloating would be allowed...

Declude caught two virus attachments this morning! Both, as luck would have it, were sent to aliases that forward to a list of 6 Outlook (clueless) managers and cube dwellers. And the specific attachments were not ones that would have been caught by my old rules.ima file - which is what I used for virus protection up until earlier this week.

Thanks go out to Declude, F-Prot, and (of course) to this list.

One note: I decided to switch from F-Prot DOS to F-Prot Windows. It's twice the price but still dirt cheap, and as another list member said - the automatic updates make all the difference!

~Brad

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
[Declude.Virus] bannotify.eml question
Is there a way in the BANnotify.eml file to add the body of the offending message to this eml file?
Re: [Declude.Virus] bannotify.eml question
As usual, thanks for the info Scott!!! I like the sounds of a %MESSAGETEXT% variable...

On Wednesday, February 20, 2002 4:15 PM, R. Scott Perry [EMAIL PROTECTED] wrote:

Isn't the bannotify only for exception extensions, not necessarily viruses?

Yes, but the reason that the banned file extensions were added to Declude Virus was to help prevent the spread of viruses. So it is assumed that if a file is banned because of the extension, there's a decent chance that it contains a virus.

Also, just looking for getting the main text, not any attachments. If you forwarded, or in my case returned to the sender, the original text of the message it would let them know which message to resend...

The subject should be enough to know for sure. But we do want to add a variable that will allow you to insert the text portion of the E-mail, which sounds like what you are looking for.

-Scott
Re: [Declude.Virus] Another virus to skip notify
I thought on the magistr virus every 5th address was possibly not altered? Are all the return addresses bad? I have chosen not to skip this one to the sender as 20% of the time it reaches the infected sender. Maybe not exactly 20% but some success anyway...

On Thursday, April 25, 2002 7:18 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

Now I don't know which address (nmiller or mmiller) Declude sends its you sent a virus message to. Maybe Scott can answer that, but if it is the wrong address then sending that message to the sender could be skipped.

Declude Virus sends to the return address (from the SMTP envelope), which in the case of Magistr is the altered address. So skipping the sender notification (adding SKIPIFVIRUSNAMEHAS Magistr to the sender.eml file) would be a good idea.

-Scott
Re: [Declude.Virus] REMOTEIP question
ok, but my imail box is no longer listed in the MX records.

On Friday, May 17, 2002 10:49 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

We have an IMGate box setting in front of our IMail box and I am noticing that the %REMOTEIP% variable is sometimes filled in with the IP of the Postfix box and sometimes with an external (not ours) IP address. Is this typical? Why would it be inconsistent in what it displays?

That is typical, if your MX record has both the IMGate and IMail servers listed in it. Many spammers will intentionally send E-mail directly to a backup MX record, hoping that it will bypass any scanning.

If you are using Declude JunkMail in a setup like this, you can use a line IPBYPASS 127.0.0.1 (replacing 127.0.0.1 with the IP address of your IMGate box) so that Declude can still scan the E-mail if it comes in directly to the IMail server. Declude Virus doesn't require any changes to scan the E-mail.

-Scott
Re: [Declude.Virus] REMOTEIP question
I think you hit it on the head.

So for the next question: Can you add to declude virus so I could get the IP of the remote (external) server that delivered the mail in this case? Or at least add it to the proposed changes? Something like %2NDREMOTEIP%?

On Friday, May 17, 2002 11:02 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

ok, but my imail box is no longer listed in the MX records.

Most likely, there are some servers out there that still have the old DNS records cached, and are sending the E-mails directly. If that isn't the case, you can send me the headers from one of the E-mails where an IP other than the IMGate server is shown, and I can take a look to see whether or not the E-mail was sent directly to the IMail server.

-Scott
Re: [Declude.Virus] REMOTEIP question
yep, and that's where I'll look :-) thanks a ton Scott again.

On Friday, May 17, 2002 1:44 PM, R. Scott Perry [EMAIL PROTECTED] wrote:

So for the next question: Can you add to declude virus so I could get the IP of the remote (external) server that delivered the mail in this case? Or at least add it to the proposed changes? Something like %2NDREMOTEIP%?

There isn't any way to do that currently, but that is something we'll look into. In the meantime, note that the %HEADERS% variable can be used to display the headers of the E-mail, which will have the remote IP in it.

-Scott
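The REMOTEIP thread above comes down to reading the Received chain: skip the hops added by your own gateway and take the first address outside it. The following is an added example, not code from the thread or from Declude; the gateway address 192.0.2.10, the host names and both sample messages are constructed, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from email import policy

# Assumed address of the trusted gateway (the IMGate box in the thread).
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ip(received_value):
    """Return the connecting client's IP from one Received header, or None.

    Only the from-clause (the text before ' by ') is searched, so an address
    that appears later in the header is never mistaken for the client.
    """
    from_clause = re.split(r"\s+by\s+", received_value, maxsplit=1)[0]
    match = BRACKETED_IP.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # malformed literal such as [999.1.1.1]
        return None


def external_sender(raw_message, trusted=TRUSTED_RELAYS):
    """Return (ip, via_gateway) for the first hop outside the trusted relays.

    Received headers are read newest first. Hops whose client is a trusted
    relay were written by our own servers and are skipped. The walk stops at
    the first untrusted client: every header below that point was supplied by
    the sender and can be forged, so it is never consulted.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    via_gateway = False
    for header in msg.get_all("Received", []):
        ip = client_ip(str(header))
        if ip is None:
            return (None, via_gateway)  # unparseable hop: do not guess
        if ip in trusted:
            via_gateway = True
            continue
        return (str(ip), via_gateway)
    return (None, via_gateway)


# Constructed sample: mail relayed through the gateway to the mail server.
VIA_GATEWAY = (
    "Received: from gw.example.org [192.0.2.10] by mail.example.org\n"
    "\twith SMTP id A1B2C3; Fri, 17 May 2002 10:40:01 -0700\n"
    "Received: from sender.example.net (sender.example.net [203.0.113.7])\n"
    "\tby gw.example.org (Postfix) with ESMTP id 4D2F1\n"
    "\tfor <bob@example.org>; Fri, 17 May 2002 10:39:58 -0700\n"
    "Received: from internal (internal [198.51.100.99])\n"
    "\tby sender.example.net; Fri, 17 May 2002 10:39:50 -0700\n"
    "From: someone@example.net\nSubject: constructed sample\n\nbody\n"
)

# Constructed sample: mail delivered straight to the mail server, which is
# what happens when a sender uses a stale or backup MX record.
DIRECT = (
    "Received: from unknown [198.51.100.23] by mail.example.org\n"
    "\twith SMTP id D4E5F6; Fri, 17 May 2002 10:41:12 -0700\n"
    "From: someone@example.com\nSubject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(external_sender(VIA_GATEWAY))  # relayed: external hop behind the gateway
    print(external_sender(DIRECT))       # direct: gateway was bypassed
```

A result with `via_gateway` false is the case Scott describes, where the message reached the IMail server without passing through the gateway.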
[Declude.Virus] banext issue
I recently added multiple banext commands to my config file. I send a message to sender and postmaster when the message is banned. This morning I had a postmaster message and the message listed no banned extension. so, I looked at the message in the virus folder and there were 4 attachments to the message, none of them had extensions. (all mac files) I also have no banext cr in my config file. I'm on version 1.53

Any ideas as to why this might have happened?

bob

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] banext issue
The catch here is that BinHex (Mac encoding) files have the filename within the encoded segment. So you can have a situation where the MIME filename is safefile.txt, but the BinHex segment says the filename is evilvirus.exe (which you won't see, because it is encoded).

-Scott

Here are the attachment headers from the message. I just want to make sure.

--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=HOPE COVER
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=HOPE COVER
--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=GFSD Handout
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=GFSD Handout
--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=middle school scenario
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=middle school scenario
--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=One Solution Syndrome
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=One Solution Syndrome
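Scott's point that a BinHex segment carries its own filename can be checked mechanically by decoding the start of the stream and comparing the embedded name with the MIME one. This is an added example, not code from the thread or from Declude: the sample message, the banned-extension list and all function names are constructed for illustration, and the BinHex header CRC is not verified.

```python
import email
from email import policy

# BinHex 4.0 six-bit alphabet (64 characters).
HQX_ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
BANNED_EXTENSIONS = {"exe", "scr", "com", "pif"}  # assumed banext list


def hqx_decode(text):
    """Decode the six-bit stream between the two ':' markers."""
    lines = text.splitlines()
    first = next(i for i, line in enumerate(lines) if line.startswith(":"))
    stream = "".join(lines[first:])[1:].split(":", 1)[0]
    acc = nbits = 0
    out = bytearray()
    for ch in stream:
        if ch.isspace():
            continue
        acc = (acc << 6) | HQX_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def rle_expand(data):
    """Undo BinHex run-length coding: X 0x90 n repeats X, 0x90 0x00 is a literal 0x90."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x90 and i + 1 < len(data):
            count = data[i + 1]
            if count == 0:
                out.append(0x90)
            elif out:
                out.extend(out[-1:] * (count - 1))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def binhex_filename(text):
    """Return the filename stored in the BinHex header, or None if undecodable."""
    try:
        raw = rle_expand(hqx_decode(text))
        return raw[1:1 + raw[0]].decode("mac_roman")
    except (StopIteration, ValueError, IndexError):
        return None


def extension(name):
    """Lower-cased extension; trailing spaces and dots are ignored, no dot means ''."""
    cleaned = name.rstrip(" .")
    return cleaned.rpartition(".")[2].lower() if "." in cleaned else ""


def audit(raw_message):
    """List (mime_name, embedded_name, mime_banned, embedded_banned) per BinHex part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "application/mac-binhex40":
            continue
        declared = part.get_filename() or ""
        inner = binhex_filename(part.get_payload(decode=True).decode("latin-1"))
        findings.append((declared, inner,
                         extension(declared) in BANNED_EXTENSIONS,
                         inner is not None and extension(inner) in BANNED_EXTENSIONS))
    return findings


def hqx_encode(data):
    """Helper used only to build the constructed sample below (no RLE, no line wrap)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    body = "".join(HQX_ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))
    return "(This file must be converted with BinHex 4.0)\n:" + body + ":\n"


def build_sample():
    """Constructed message: MIME says safefile.txt, the BinHex header says evilvirus.exe."""
    # name length, name, version, type+creator, then flags/lengths/CRC zeroed
    header = bytes([13]) + b"evilvirus.exe" + b"\x00" + b"TEXTttxt" + bytes(12)
    return ("MIME-Version: 1.0\n"
            "Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
            "--b1\nContent-Type: text/plain\n\nsee attached\n"
            "--b1\nContent-Type: application/mac-binhex40; name=\"safefile.txt\"\n"
            "Content-Disposition: attachment; filename=\"safefile.txt\"\n\n"
            + hqx_encode(header) + "--b1--\n")


if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding)
```

The `extension` helper also covers the names in the posted headers, which have spaces and no extension at all.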
Re: [Declude.Virus] banext issue
ok, so next question... if declude caught the attachment why did it not list with the %BANEXT% variable? That variable was blank. How would I determine what file extension was caught. I'm just trying to understand...

On Friday, August 9, 2002 9:17 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

Those headers won't affect whether or not Declude bans the files -- the *real* filename is one you won't see, because it is encoded.

You can send a copy of the E-mail file to [EMAIL PROTECTED] , and I can test it here to see what the real extensions are.

-Scott

At 11:11 AM 8/9/2002, you wrote:

The catch here is that BinHex (Mac encoding) files have the filename within the encoded segment. So you can have a situation where the MIME filename is safefile.txt, but the BinHex segment says the filename is evilvirus.exe (which you won't see, because it is encoded).

-Scott
Re: [Declude.Virus] banext issue
I did not catch that you wanted the message.

How do I go about taking something from the virus folder, change the recipient to [EMAIL PROTECTED]? just copy and change the sender in both files?

On Friday, August 9, 2002 9:54 AM, John Tolmachoff [EMAIL PROTECTED] wrote:

Scott, please post, (although I know you will) what your findings are as we also have clients with MAC users.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Friday, August 09, 2002 8:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] banext issue

Those headers won't affect whether or not Declude bans the files -- the *real* filename is one you won't see, because it is encoded.

You can send a copy of the E-mail file to [EMAIL PROTECTED] , and I can test it here to see what the real extensions are.

-Scott

At 11:11 AM 8/9/2002, you wrote:

The catch here is that BinHex (Mac encoding) files have the filename within the encoded segment. So you can have a situation where the MIME filename is safefile.txt, but the BinHex segment says the filename is evilvirus.exe (which you won't see, because it is encoded).

-Scott

Here are the attachment headers from the message. I just want to make sure.

--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=HOPE COVER
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=HOPE COVER
--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=GFSD Handout
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=GFSD Handout
--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=middle school scenario
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=middle school scenario
--WBE1028896920052e2aec2af3c9e93cad6a0ff23d4e75
Content-Type: application/x-macbinary; name=One Solution Syndrome
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=One Solution Syndrome
Re: [Declude.Virus] banext issue
ok scott, I'll get the latest. thanks for looking into it. Incidentally, I see that all the time with mac files... spaces at the end. pain in the _ss

On Friday, August 9, 2002 11:18 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

so, I looked at the message in the virus folder and there were 4 attachments to the message, none of them had extensions. (all mac files)

Actually, it turns out that this isn't related to the BinHex files -- the problem has to do with the attachments not having extensions (and having spaces in them).

If you upgrade to the latest beta, it will take care of the problem.

-Scott
Re: [Declude.Virus] Declude Virus v1.61 (beta) released
I'm getting them as well and am on version 1.58.

On Monday, September 23, 2002 3:00 PM, Dan Shadix [EMAIL PROTECTED] wrote:

I can't be sure that this is related, but since I've installed 1.61 I started getting some messages from Amazon.com being caught by BANEXT com when they don't appear to have an attachment with a .com extension.

Dan

[EMAIL PROTECTED] wrote:

FWIW, installed 1.61 about six hours ago. No problems.

Jack

At 08:47 AM 9/23/2002, you wrote:

We have just released Declude Virus v1.61 (beta). See http://www.declude.com/virus/manual.htm .

Changes include:

o Adds detection of numerous new vulnerabilities.
Re: [Declude.Virus] banned files
on this issue, anyone know of a link that explains the risks of URL types? We ban a lot of these and I'm wondering what the risk is with the URL shortcut... anyone know???

On Friday, September 27, 2002 3:03 PM, Sheldon Koehler [EMAIL PROTECTED] wrote:

http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx

Is this what you are looking for?

Yes, thanks! I had it once before and used it to make my banned file list from at someone else's recommendation on this list. I figured it was an easy way to have some Authority behind the file extensions.

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
Re: [Declude.Virus] banned files
yep, I'm wondering about the .url extension

On Friday, September 27, 2002 4:51 PM, David Stavert [EMAIL PROTECTED] wrote:

When Microsoft's own website lists the LNK shortcut as a risky extension then it is a risky. The link can be a shortcut to a local file or program. While probably not a good example it could be format c:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McGregor
Sent: Friday, September 27, 2002 4:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] banned files

on this issue, anyone know of a link that explains the risks of URL types? We ban a lot of these and I'm wondering what the risk is with the URL shortcut... anyone know???

On Friday, September 27, 2002 3:03 PM, Sheldon Koehler [EMAIL PROTECTED] wrote:

http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx

Is this what you are looking for?

Yes, thanks! I had it once before and used it to make my banned file list from at someone else's recommendation on this list. I figured it was an easy way to have some Authority behind the file extensions.

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
Re: [Declude.Virus] Banned Extension List
here is the one I reference:

http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx

On Tuesday, January 14, 2003 11:28 AM, [EMAIL PROTECTED] wrote:

Can someone please furnish me the link to the Microsoft page listing the extensions that should be banned?

Thanks,
Doug McKee

--- [This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] Question on Yaha virus
is that the option now then? Only use frisk's updater and not a batch scheduled job? I like the batch process as I get an e-mail that I can check to see new definition files and for success of transfer and install. Maybe the updater does that now too although I like what I get from my batch process. Does anyone still schedule the batch updater and successfully receive the fpcmd.exe?

On Thursday, January 16, 2003 2:27 PM, John Tolmachoff [EMAIL PROTECTED] wrote:

Doesn't the Windows version of F-Prot, which is where the fpcmd.exe is from, have its own updater?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.Virus] Question on Yaha virus
Thanks all for the help. I decided to just go to the frisk web site and download the new version which indeed updated the fpcmd.exe. I guess I'll change to scheduling the updater.exe for definitions and just check with frisk for new releases.

I appreciate all the help and suggestions. Now I'll wait and see if yaha gets caught correctly...

bob

On Thursday, January 16, 2003 4:56 PM, R. Scott Perry [EMAIL PROTECTED] wrote:

Scott, can I still just use f-prot.exe for scanning or do I have to use fpcmd.exe?

F-Prot.exe will work fine for virus scanning. There are a *few* servers that have problems with 16-bit programs that cause performance issues under heavy volume (that fpcmd.exe fixes), but if you were not experiencing any problems with F-Prot.exe, F-Prot.exe should be fine.

-Scott
Re: [Declude.Virus] Missing Manual Stuff (WAS Template options)
a good idea (at least I think so) is to add the %VERSION% variable to the postmaster.eml sent to your postmaster. That way you always can check what version you have by looking at one of your postmaster emails.

example: Declude %VERSION% caught a virus.

bob

On Monday, January 20, 2003 2:54 PM, Trent M. Davenport [EMAIL PROTECTED] wrote:

Scott, I was looking through the manual the other day for the command line option to see which version I have and could not find it. I tried every - / and ? help info combination I could think of and couldn't find it. Did I just miss it?

Trent

---
Trent M. Davenport - Systems Administrator
Northern Television Systems Ltd - WHTV
203-4103 4th Avenue, Whitehorse, YT Y1A 1H6
(867) 393-2225 X204, (867) 393-2224 FAX
www.whtvcable.com ( [EMAIL PROTECTED] )

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: January 20, 2003 1:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Template options

I hope you understand when I say.. it's hard for me to conceive of renewing a support agreement when your product isn't even fully documented..

The manual ( http://www.declude.com/virus/manual.htm ) has been updated to include all the commands that can be used in the E-mail notification files. We are not aware of any options that are available but not covered in the manual; if anyone knows of any, please let me know.

-Scott
Re: [Declude.Virus] Lentin.H virus
ok, thanks for the info I'll add it to the skipif list...

bob

On Tuesday, January 28, 2003 2:17 PM, John Tolmachoff [EMAIL PROTECTED] wrote:

Just want to make sure on this... does this virus forge the sending address? If so, is it an address taken from the infected address book like K L E Z?

Yes and not sure.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.Virus] Question on banned attachemnt
I just checked the D*.SMD file and it appears to have an attachment content-type=application/x-msdwonload;name=qnlc.exe followed by attachment info.

On Friday, September 19, 2003 11:18 AM, John Tolmachoff [EMAIL PROTECTED] wrote:

I have seen a couple of those. If you look at the body, the attachment is not actually there, although the mime header for it is.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McGregor
Sent: Friday, September 19, 2003 10:01 AM
To: Declude-List
Subject: [Declude.Virus] Question on banned attachemnt

I am receiving Swen to my e-mail address this morning as well as some messages that are being banned due to e x e attachments. The subject has similar names as the what Swen is catching. I am wondering if others are seeing this behavior as well?

bob
Re: [Declude.Virus] deleting certain virus files
thanks scott, is it on the enhancement request screen or does it not make sense?

On Friday, September 26, 2003 10:11 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

Is there a way with declude virus to delete only specific received viruses?

No, there is not.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
[Declude.Virus] some benefit of my doom??
ok not really, but I think is comical. I get the following as an unsubscribe message from a list I never subscribed to... funny. Look at the body, it definitely was from the doom... it did have the z i p attached with the message sent to me informing me of the unsubscribe

bob

On Thursday, January 29, 2004 5:39 PM, Subscription Services [EMAIL PROTECTED] wrote:

We have removed the email address [EMAIL PROTECTED] from mailing list gamestreet. Thank you for using our service.

The original message sent was:

From [EMAIL PROTECTED] Thu Jan 29 16:39:35 2004
Received: from gfps.k12.mt.us ([216.201.206.97]) by i.pm0.net (8.12.10/8.11.6) with ESMTP id i0U0dXmk044894 for [EMAIL PROTECTED]; Thu, 29 Jan 2004 16:39:34 -0800 (PST) (envelope-from [EMAIL PROTECTED])
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: mnvskvcccmo
Date: Thu, 29 Jan 2004 18:39:15 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0012_5400182A.DB9DC5C5
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

--=_NextPart_000_0012_5400182A.DB9DC5C5
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

--=_NextPart_000_0012_5400182A.DB9DC5C5
Content-Type: application/octet-stream; name=document.z i p
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
Re: [Declude.Virus] Virus counts?
thanks greg, if you are using unxutils, would you mind sharing how you put the incoming/outgoing together? We have very few infections (so far) from within our school district but when they do occur, it would be nice to know it. It's a great add!

bob

On Tuesday, April 27, 2004 12:23 PM, Greg Little [EMAIL PROTECTED] wrote:

Hopefully Greg H will answer your question for counts but, if you want to do it for notification e-mails. (using a % variable) You can set a rule in your e-mail to route ones with this phrase to a place where you will see them. We've had very few of these, but in this case one of the customers we host stacy-insurance.com sent a few Netsky's. So we contacted them and the viruses quit coming. (For spoofing viruses, which is almost all now days, you won't know the user name, but may be able to get the domain.)

Greg Little

Declude Virus Ver. 1.79 caught the the W32/[EMAIL PROTECTED] virus in document.pif from [Forged] to: [EMAIL PROTECTED]
Date: 04/13/2004 10:19:27
Subject:Re: Re: Thanks!
Spool File: Df6e7707601540904.SMD
Remote IP: 64.108.112.144
In or Out: outgoing
recipient host: yahoo.com
Sender Host:bhfqh.com
Headers:
Received: from yahoo.com [64.108.112.144] by mail.stacy-insurance.com with ESMTP (SMTPD32-8.05) id A6E770760154; Tue, 13 Apr 2004 10:19:19 -0400
. . .

Bob McGregor wrote:

Greg, how are you defining the counts inbound/outbound? That would be nice so you know when it's one of your own sending out...

---
[This E-mail scanned for viruses by Findlay Internet]
Re: [Declude.Virus] Virus counts?
not sure if you can do this but I only allow smtp traffic (port 25) out of our network from our defined servers at the firewall... that way those that attempt with their own smtp engine go nowhere. however, we have had a couple infections that do use the known mail server. however with remoteip they are identified easily as it's from our internal 10.x network.

On Tuesday, April 27, 2004 3:45 PM, Donn Bly [EMAIL PROTECTED] wrote:

Since almost all modern viruses carry their own SMTP engine, almost none will be flagged as outgoing and will be caught as incoming when they try to send their payload to other users on the system.

I use the SENDONLYIFIP in a series of .eml files to catch messages originating from local IP subnets and direct them to a special email address. This way I even flagged viruses from customers who run their own mail servers as they try to infect our servers ;-)

My only problem is that I seem to have run into a wall as to the number of .eml files I can have. Last week I added another one to flag a customer who uses us for email but doesn't reside on our IP range, and declude stopped sending out the postmaster.eml file, though it continued to process others. :-( Renaming the file I had just added made the mail flow again.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Little
Sent: Tuesday, April 27, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Virus counts?

I use a much more low tech technique for this. Declude E-Mails me (and a couple of other techs) every time it finds a virus, Vulnerability or Banned Ext. This is around a 1,000 per day lately. (Most of which are just more Netsky or Vulnerability junk to ignore)

In the body of the e-mail I dump a variable (as I recall it is in the standard templates), but I can get the detail if needed. That variable returns Incoming or Outgoing.

Once you get that far, I recommend setting up rules within your e-mail program to route certain e-mail to a Folder that will get your attention. (also Banned Extensions should get the same treatment, because these may be normal user work that is getting trapped or a very new virus.)

Let us know which part you need help with. (lots of folks can help)

Greg

Bob McGregor wrote:

thanks greg, if you are using unxutils, would you mind sharing how you put the incoming/outgoing together? We have very few infections (so far) from within our school district but when they do occur, it would be nice to know it. It's a great add!

bob

---
[This E-mail scanned for viruses by Findlay Internet]
[Declude.Virus] f-prot /packed meaning
what does the /packed parameter on the scanfile line in the config file do? Is it a switch that I want on? It's not mentioned in the manual for declude virus.

thanks, bob
Re: [Declude.Virus] f-prot /packed meaning
thanks Bill, f-prot was the scanner, sorry about that. I'll just leave it in then if it does not hurt...

bob

On Tuesday, June 8, 2004 10:33 PM, Bill Landry [EMAIL PROTECTED] wrote:

- Original Message -
From: Bob McGregor [EMAIL PROTECTED]

what does the /packed parameter on the scanfile line in the config file do? Is it a switch that I want on? It's not mentioned in the manual for declude virus.

Bob, you don't mention which virus scanner you're using, but I'm going to assume that it's F-Prot. Here is a description of the different switches that fpcmd supports:

Usage: f-prot [drive, file or directory] [options]

-ai          Enable neural-network virus detection.
-append      Append to existing report file.
-archive     Scan inside .ZIP and .ARJ files.
-auto        Automatic virus removal.
-collect     Scan a virus collection.
-delete      Delete infected files.
-disinf      Disinfect whenever possible.
-dumb        Do a dumb scan of all files.
-ext         Scan only files with default extensions.
-follow      Follow symbolic links.
-help        Display this list.
-list        List all files checked.
-nobreak     Do not abort scan if ESC is pressed.
-noheur      Disable heuristics.
-nosub       Do not scan subdirectories.
-old         Do not complain when using outdated DEF files.
-onlyheur    Only use heuristics, not normal scanning.
-packed      Unpack compressed executables.
-page        Pause after each page.
-rename      Rename infected COM/EXE files to VOM/VXE.

Press ENTER to continue to view the command-line options.

-report=     Send the output to a file.
-server      Activate mail filter heuristics.
-silent      Do not generate any screen output.
-type        Select files by type. (default)
-verno       Show version information.
-virlist     List the known viruses.
-virno       Count the known viruses.
-wrap        Wrap text so the report fits in 78 columns.

Special macro virus options:

-nomacro     Do not scan for macro viruses.
-onlymacro   Only scan for macro viruses.
-removeall   Remove all macros from all documents.
-removenew   Remove new variants of macro viruses by removing all macros from infected documents.
-saferemove  Remove all macros from documents, if a known virus is found.

I have used the packed switch with F-Prot for about a year now. Don't know if it has helped any, but it certainly has not hurt anything.

Bill
Re: [Declude.Virus] strange zip file
It appears as though frisk is calling it Virus Name: : HTML/[EMAIL PROTECTED]

On Monday, August 9, 2004 1:16 PM, Andy Schmidt [EMAIL PROTECTED] wrote:

Hi: As far as I can tell, it's been discovered by McAfee for a few hours (as usually is the case, when I see these exchanges on this list)!

08/09/2004 13:30:51 Qb4c66687008ebd6f Scanner 1: Virus= the W32/Bagle.aq!zip Attachment=price2.zip [17] O
08/09/2004 13:30:51 Qb4c66687008ebd6f Test3.3f3b3684.1.zip.5932.4.predef.declude.com the W32/Bagle.aq!zip price2.zip
08/09/2004 13:30:51 Qb4c66687008ebd6f File(s) are INFECTED [ the W32/Bagle.aq!zip: 13]
08/09/2004 13:30:51 Qb4c66687008ebd6f Scanned: CONTAINS A VIRUS [MIME: 2 6058]
08/09/2004 13:30:51 Qb4c66687008ebd6f From: [Forged] To: [EMAIL PROTECTED] [outgoing from 65.118.130.2]

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze
Sent: Monday, August 09, 2004 02:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] strange zip file

Have also received price.zip and price_08.zip. I've ended up blocking all zip files until defs are updated (not running Declude Pro).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows
price/price.exe
price.html

This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.Virus] More CPL Vulnerabilities
Since upgrading to 1.80 I am seeing many more Invalid CPL Vulnerabilities. Is this just timing or is there something different for these vulnerabilities? The interesting thing about these is that they are coming from spoofed senders multiple deliveries at a time.
Re: [Declude.Virus] More CPL Vulnerabilities
strange since I had the interim versions, many of them. I do not remember seeing this vulnerability especially being spoofed. I wonder though: I added a vulnerability.eml and have

ONLYSENDIFVIRUSNAMEHAS JPEG Vulnerability

I assumed that the virusname would have to have JPEG Vulnerability, both words, is this the case?

On Friday, October 1, 2004 8:55 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

Since upgrading to 1.80 I am seeing many more Invalid CPL Vulnerabilities. Is this just timing or is there something different for these vulnerabilities? The interesting thing about these is that they are coming from spoofed senders multiple deliveries at a time.

The Invalid CPL Vulnerability detection was added to v1.80 (it was in 1.79iXX interims as well). I do not believe any changes were made from when it was first implemented.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
Re: [Declude.Virus] log file grepping
Just a thought. I produce this list nightly with a batch file with unxtools. I really like the add I have to tell me if it's an inside machine or outside. Inside ones show the IP of the sending computer. See the EXE banned at the bottom. I'd be happy to share my bat file for this, it does require unxtools and certain values in the eml files and I send all items to a catchall user for parsing.

bob

27 Virus Name: : W32/[EMAIL PROTECTED] outside
19 Virus Name: : HTML/[EMAIL PROTECTED] outside
16 Virus Name: : W32/[EMAIL PROTECTED] outside
9 Virus Name: : W32/[EMAIL PROTECTED] outside
8 Virus Name: : W32/[EMAIL PROTECTED] outside
4 Virus Name: : W32/[EMAIL PROTECTED] outside
2 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Virus Name: [Outlook 'MIME segment in MIME Preamble' Vulnerability] outside
1 Virus Name: [Outlook 'Blank Folding' Vulnerability] outside
1 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Virus Name: : W32/[EMAIL PROTECTED] outside
1 Banned Attachment: URL outside
1 Banned Attachment: JS outside
1 Banned Attachment: EXE In-District Attempt 10.13.1.77

On Wednesday, December 1, 2004 3:59 PM, John Dobbin [EMAIL PROTECTED] wrote:

    grep INFECTED virMMDD.log | gawk "{print $8}" | sort | uniq -ic | sort /reverse

Gives a nice listing of catches:

50 HTML/[EMAIL PROTECTED]:
33 W32/[EMAIL PROTECTED]:
19 'CR'
18 W32/[EMAIL PROTECTED]:
3 W32/[EMAIL PROTECTED]:
2 Encoding
1 W32/Wurmark.A:
1 W32/[EMAIL PROTECTED]:
1 W32/[EMAIL PROTECTED]:
1 W32/[EMAIL PROTECTED]:
1 W32/[EMAIL PROTECTED]:
1 W32/[EMAIL PROTECTED]:
1 'Space
1 'MIME
1 'Blank

John Dobbin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Wednesday, December 01, 2004 4:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] log file grepping

Bill?.. or anyone :)

Is there a way in a single line to use grep or a similar tool on a virus log file and have it return 2 values: total_scanned and viruses found? I have been able to do this in multiple lines with temp files but am stuck trying to do it on a single command line. The purpose here is to use mrtg to graph virus traffic - I can do it with one value but when I try to combine both I am lost.

Thanks in advance -

-Nick
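The two values asked for in the thread above (total scanned and viruses found, for mrtg) can come out of a single awk pass over the log. The script below is an added example, not code posted to the list: the sample log is constructed from the line shapes quoted elsewhere in this archive, and the `Scanned: Virus Free` line for clean mail, the `[incoming from ...]` form and the function names are assumptions. It also counts infected messages whose remote IP is in 10.x, the in-district marker described in the thread.

```shell
#!/bin/sh
# Constructed sample, modelled on the virMMDD.log lines quoted in this archive.
# Assumed, not confirmed by the archive: the "Scanned: Virus Free" line for
# clean mail and the "[incoming from ...]" direction tag.
sample_log() {
cat <<'EOF'
08/09/2004 13:30:51 Qb4c66687008ebd6f Scanner 1: Virus= the W32/Bagle.aq!zip Attachment=price2.zip [17] O
08/09/2004 13:30:51 Qb4c66687008ebd6f File(s) are INFECTED [ the W32/Bagle.aq!zip: 13]
08/09/2004 13:30:51 Qb4c66687008ebd6f Scanned: CONTAINS A VIRUS [MIME: 2 6058]
08/09/2004 13:30:51 Qb4c66687008ebd6f From: [Forged] To: user@example.test [outgoing from 65.118.130.2]
08/09/2004 13:31:02 Qb4d10000008ebd70 Scanned: Virus Free [MIME: 1 812]
08/09/2004 13:31:40 Qb4f20000008ebd71 File(s) are INFECTED [ the W32/Netsky.p: 13]
08/09/2004 13:31:40 Qb4f20000008ebd71 Scanned: CONTAINS A VIRUS [MIME: 2 30211]
08/09/2004 13:31:40 Qb4f20000008ebd71 From: [Forged] To: user@example.test [incoming from 10.13.1.77]
08/09/2004 13:32:05 Qb5030000008ebd72 Scanned: Virus Free [MIME: 1 1544]
EOF
}

# One pass over the log (file arguments or stdin).
# Prints: <messages scanned> <messages infected> <infected with a 10.x remote IP>
declude_counts() {
  awk '
    # Field 3 is the spool id; field 4 starts the message text.
    $4 == "Scanned:"                    { scanned++ }
    $4 == "File(s)" && $6 == "INFECTED" { infected++; hit[$3] = 1 }
    # The From: line follows the verdict for the same spool id and ends
    # with the remote IP and a closing bracket.
    $4 == "From:" && ($3 in hit) {
      ip = $NF
      sub(/\]$/, "", ip)
      if (ip ~ /^10\./) internal++
    }
    END { printf "%d %d %d\n", scanned, infected, internal }
  ' "$@"
}

# MRTG external-script format: value 1, value 2, uptime string, target name.
# The uptime line is left empty and the target name is a placeholder.
mrtg_output() {
  declude_counts "$@" | awk '{ print $1; print $2; print ""; print "declude-virus" }'
}

sample_log | declude_counts
sample_log | mrtg_output
```

Against a real log the call would be `mrtg_output virMMDD.log`; confirm the clean-message line on your own server first, since the scanned total depends on it.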
[Declude.Virus] What's the IFrame vulnerability
Just wondering if someone can explain what the HTML / IFrame @ expl capture from f-prot is? is it a vulnerability or worse?

thanks, bob
[Declude.Virus] the ebay spoof spam stuff
this is a bit off-topic but we had one of our servers last night have the ebay spoof page loaded on it. Anyone have info as to how this gets loaded and, more importantly how to keep it from happening? The only things I found was the htm page that was referenced in the spam e-mail and a folder on the desktop named sign in_files with the images associated with the page. I want to keep it from happening again.

thanks, bob
[Declude.Virus] junkmail settings especially SURBL
We recently moved from the 1.8x version of declude virus to the new 4.x version that contains it all. I have noticed the SURBL has a default weight of 5 and am wondering if it's effective in increasing this number. We never had junkmail before so am a bit gunshy of changing the defaults to limit false positives. So, any of you who have been using junkmail for awhile mind sharing your 'adjustments' to declude's defaults?

just wondering... and thanks, bob
[Declude.Virus] pay-pal phishing
Anyone configured a way to stop some of the pay-pal scam emails?

thanks, bob
[Declude.Virus] removing js/psyme
We have had quite a few people open the ecard messages and are now infected with this virus. Anyone know of a freebie that will remove this one? Currently, the only way we're able to remove it is safe mode and avg.

thanks, bob
Re: [Declude.Virus] removing js/psyme
thanks david, I got that to stop them from linda yesterday but now I'm wondering how to clean the ones that already visited the website and are infected... hoping someone knows of an easy way...

bob

On Tuesday, July 24, 2007 10:36 AM, David Barker [EMAIL PROTECTED] wrote:

Just FYI the emails themselves do not contain a virus. Use the attached filter to detect these emails, using Declude JunkMail. You must be using at least Declude 4.3.46 to use the regular expression filtering.

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McGregor
Sent: Tuesday, July 24, 2007 12:26 PM
To: Declude-List
Subject: [Declude.Virus] removing js/psyme

We have had quite a few people open the ecard messages and are now infected with this virus. Anyone know of a freebie that will remove this one? Currently, the only way we're able to remove it is safe mode and avg.

thanks, bob