Re: [Clamav-users] RE: Report infected mail to the user
On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote: Anyway, amavisd-new lists a dozen or so examples: # Treat envelope sender address as unreliable and don't send sender # notification / bounces if name(s) of detected virus(es) match the list. # Note that virus names are supplied by external virus scanner(s) and are # not standardized, so virus names may need to be adjusted. # See README.lookups for syntax. # $viruses_that_fake_sender_re = new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i, ); This list is pretty much incomplete (at least sober, somefool and mydoom are missing, to name a few). And having this makes you follow the latest virus definitions scanning for possible new virus strands that fake their sender. I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses. This is probably a better regex: $viruses_that_dont_fake_sender_re = qr{ ^( Joke | Eicar | OF97 | WM(97)? | W(97)?M | (Word)?Macro )(\b|_) }xi; Anyone got any comment or suggestions about this list? (You can of course include all oldfashioned .com and .exe infectors, and it would be wise to do so for any still in the wild, but I don't know if there are any.) Unfortunately the information available from various virus scanners never includes a field virus has its own SMTP engine and fakes sender addresses, or this would be a lot easier. -- #!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED] $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Jan Pieter Cornet wrote: I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses. I just check for a small list (Mimail, Sober, etc.), plus anything that starts with Worm. or contains @mm. @MM is used by Norton, McAfee and others to indicate a worm that does its own mass mailing. Yeah, the criteria are slightly different -- it's looking for self-mailers and worms rather than specifically self-mailers that forge the sender -- but it does the job here. -- Kelson Vibber SpeedGate Communications, www.speed.net ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
At 06:51 AM 1/10/2006, Jan Pieter Cornet wrote: On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote: Anyway, amavisd-new lists a dozen or so examples: # Treat envelope sender address as unreliable and don't send sender # notification / bounces if name(s) of detected virus(es) match the list. # Note that virus names are supplied by external virus scanner(s) and are # not standardized, so virus names may need to be adjusted. # See README.lookups for syntax. # $viruses_that_fake_sender_re = new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i, ); This list is pretty much incomplete (at least sober, somefool and mydoom are missing, to name a few). And having this makes you follow the latest virus definitions scanning for possible new virus strands that fake their sender. I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses. For the last couple years amavisd-new assumes the sender is fake but for a few exceptions by default. The above list is from a much older version which required manual updating. -- Noel Jones ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Hello Christopher, This way my users' mailboxes aren't cluttered with notices, but if a message they were expecting just doesn't show up, they can search the DB of what was thrown out to see if what they were waiting for was junked. FWIW amavisnewsql does a similar thing (http://freshmeat.net/projects/amavisnewsql/). Best regards -- Luca Gibelli (luca at clamav.net) - ClamAV, a GPL virus scanner PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87 D802 6277 8FF4 5EFC 5582 PGP Key Available on: Key Servers || http://www.clamav.net/gpg/luca.gpg ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
From: Michael [EMAIL PROTECTED] Ok, your massages convinced me only to report the sender. I don't want only blackhole the message and nothing else, because i think one of the both, the sender or the recipient should get informed. If you do that please only inform your local users and *non* of the internet users. And hope that you don't receive any major virus/spam attack because my users wouldn't appriciate it if I send them 45546752 messages because of a virus run and I want to tell them how good I am at stopping the virus. Maurice Lucas ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Le Fri 6/01/2006, Michael disait Ok, your massages convinced me only to report the sender. I don't want only blackhole the message and nothing else, because i think one of the both, the sender or the recipient should get informed. But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... -- Erwan David == Trusted Logic Tel: +33 1 30 97 25 03 5 rue du BailliageStd: +33 1 30 97 25 00 78000 Versailles Fax: +33 1 30 97 25 19 France ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? Michael Neurohr ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Le Fri 6/01/2006, Michael disait But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? Too many for people who receive the kind of notification you want to send. -- Erwan David == Trusted Logic Tel: +33 1 30 97 25 03 5 rue du BailliageStd: +33 1 30 97 25 00 78000 Versailles Fax: +33 1 30 97 25 19 France ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
From: Michael [EMAIL PROTECTED] If you do that please only inform your local users and *non* of the internet users. I only want to send a message back to the sender, that he knows about the rejected mail. Why do you mean that there may come about so many mails? Because a lot of virusses fake a sender address. Don't trust the AV name of a virus, don't trust a virus for correct sender information, don't trust anybody except yourself (and the signature makers from clamav ;) ) I could simple send you a message comming from [EMAIL PROTECTED] with a virus would you send a you have a virus warning back? Everybody runs a virus scanner these days (otherwise shoot them). I receive thousands of messages these days that I or my customers have a virus. None of them are real and all of them are faked mesages. Inject the following in your smtp server and enjoy your own system telnet neurohr.at 25 helo neurohr.at mail From: Michael [EMAIL PROTECTED] rcpt to: Michael [EMAIL PROTECTED] data INSERT EICAR VIRUS HERE . see the bounce message in your own inbox that you have a virus ;) Maurice Lucas ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] RE: Report infected mail to the user
But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? Michael Neurohr Many viruses harvest email addresses from the infected PC user's address book and inbox etc and use these as the From: address. And I can verify that this is the case from the number of virus bounces we get from clueless sites which still insist on sending the (spoofed) senders virus warnings. Incidentally, 5 minutes on Google would have told you the answer. Cheers, Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Original Message From: Randal, Phil [EMAIL PROTECTED] To: ClamAV users ML clamav-users@lists.clamav.net Sent: Friday, January 06, 2006 12:23 PM Subject: RE: [Clamav-users] RE: Report infected mail to the user But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? Michael Neurohr Many viruses harvest email addresses from the infected PC user's address book and inbox etc and use these as the From: address. And I can verify that this is the case from the number of virus bounces we get from clueless sites which still insist on sending the (spoofed) senders virus warnings. What you can (in most cases) see is the ip of the infected machine. I trapped a virus which appearently originated at the ip of the firewall of a company I know. As I know they have no mailserver inside of their firewall (it's in the DMZ), I called them and told they were infected. Leif ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Michael said: Ok, your massages convinced me only to report the sender. I don't want only blackhole the message and nothing else, because i think one of the both, the sender or the recipient should get informed. Since there is no way to know who the sender is, and since the recipient is not likely interested in messages telling them they didn't get a message because it had a virus, why not send the rejection message to Cindy Sheehan who seems to crave attention. Or better yet, just don't send anything at all. There is no point. If you cannot reject it before the final .crlfcrlf then you keep it. It's dead. Pinin' for the fjords, bleeding demised, an ex-message, shuffled off it's mortal coil, lovely plumage and all. dp... with thanks to Monty Python ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On Fri, 6 Jan 2006, Dennis Peterson wrote: If you cannot reject it before the final .crlfcrlf then you keep it. It's dead. Pinin' for the fjords, bleeding demised, an ex-message, shuffled off it's mortal coil, lovely plumage and all. I will submit one other possibility: I use --postmaster-only to send the notices to a specific address, then have procmail pipe those to a script that parses it and adds specific information to an SQL database -- (From To Subject Date/Time and what Virus). This way my users' mailboxes aren't cluttered with notices, but if a message they were expecting just doesn't show up, they can search the DB of what was thrown out to see if what they were waiting for was junked. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/ ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] RE: Report infected mail to the user
Leif Neland wrote: Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? Michael Neurohr Many viruses harvest email addresses from the infected PC user's address book and inbox etc and use these as the From: address. And I can verify that this is the case from the number of virus bounces we get from clueless sites which still insist on sending the (spoofed) senders virus warnings. What you can (in most cases) see is the ip of the infected machine. Bingo. I'd have a little more respect for AV programs if, instead of reporting to the envelope-sender, they did a WHOIS lookup on the sending IP and emailed the virus notification to the responsible party for the narrowest containing subnet. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] RE: Report infected mail to the user
I will submit one other possibility: I use --postmaster-only to send the notices to a specific address, then have procmail pipe those to a script that parses it and adds specific information to an SQL database -- (From To Subject Date/Time and what Virus). This way my users' mailboxes aren't cluttered with notices, but if a message they were expecting just doesn't show up, they can search the DB of what was thrown out to see if what they were waiting for was junked. Chris this sounds like an excellent solution can you share how you did this? Brian -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.14/222 - Release Date: 1/5/2006 ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] RE: Report infected mail to the user
Brian McDonald wrote: I will submit one other possibility: I use --postmaster-only to send the notices to a specific address, then have procmail pipe those to a script that parses it and adds specific information to an SQL database -- (From To Subject Date/Time and what Virus). This way my users' mailboxes aren't cluttered with notices, but if a message they were expecting just doesn't show up, they can search the DB of what was thrown out to see if what they were waiting for was junked. Chris this sounds like an excellent solution can you share how you did this? Brian Yes, please wikify it for posterity... http://wiki.clamav.net/ -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Michael said: But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? There are few that do not. The spam/virus industry is built around sloppy code running on trashed Windows robotic spam boxen. They have little intelligence or ability to harvest actual sender names. Nor do they need real names. Made up ones work just fine and are easy to create. dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Michael wrote: But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? YES! All major email viruses do that these days. The virus makes a list of email addresses, whether from an address book, cached web pages, local documents, a Google search, etc. Many viruses just pick two of those addresses at random and use one for the sender and the other for the recipient. Others just pick the recipient and choose a likely admin address for their domain, like [EMAIL PROTECTED], [EMAIL PROTECTED], etc. -- and those often exist. -- Kelson Vibber SpeedGate Communications, www.speed.net ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] RE: Report infected mail to the user
On Fri, 6 Jan 2006, Brian McDonald wrote: Chris this sounds like an excellent solution can you share how you did this? Calling it a hack is an insult to hacks. :-) I'll try to take some time and make a version I can put out (remove our IP addresses, SQL passwords, etc) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/ ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On Friday 06 January 2006 02:24, Michael wrote: Ok, your massages convinced me only to report the sender. I don't want only blackhole the message and nothing else, because i think one of the both, the sender or the recipient should get informed. no you should NEVER notify the sender. the sender 99.% of the time is NOT the real 'sender' of the message. you should simply BOUNCE (as in, reject the message at the door with a 5xx response) or bitbucket (accept it with 2xx, but throw it in the trash) the message. If you wish to annoy your users, you can also optionally send them a report, but they will probably get pissed off. At any rate, DO NOT SEND NOTIFICATIONS TO THE SENDER. -Jeremy -- Jeremy Kitchen ++ [EMAIL PROTECTED] In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob. pgpYxN7QcRzSd.pgp Description: PGP signature ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On Friday 06 January 2006 03:13, Michael wrote: But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? yes, almost all modern viruses forge their envelope sender. -Jeremy -- Jeremy Kitchen ++ [EMAIL PROTECTED] In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob. pgpSsuhMx34YC.pgp Description: PGP signature ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Christopher X. Candreva said: On Fri, 6 Jan 2006, Dennis Peterson wrote: If you cannot reject it before the final .crlfcrlf then you keep it. It's dead. Pinin' for the fjords, bleeding demised, an ex-message, shuffled off it's mortal coil, lovely plumage and all. I will submit one other possibility: I use --postmaster-only to send the notices to a specific address, then have procmail pipe those to a script that parses it and adds specific information to an SQL database -- (From To Subject Date/Time and what Virus). This way my users' mailboxes aren't cluttered with notices, but if a message they were expecting just doesn't show up, they can search the DB of what was thrown out to see if what they were waiting for was junked. That's a friendly service and doesn't dirty up the Internet. Very nice. dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On Friday 06 January 2006 08:48, [EMAIL PROTECTED] wrote: Leif Neland wrote: Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? Michael Neurohr Many viruses harvest email addresses from the infected PC user's address book and inbox etc and use these as the From: address. And I can verify that this is the case from the number of virus bounces we get from clueless sites which still insist on sending the (spoofed) senders virus warnings. What you can (in most cases) see is the ip of the infected machine. Bingo. I'd have a little more respect for AV programs if, instead of reporting to the envelope-sender, they did a WHOIS lookup on the sending IP and emailed the virus notification to the responsible party for the narrowest containing subnet. well, the problem with that is.. there's really no unified format for knowing where to send these reports from a machine point of view. I've considered doing stuff like this myself, but I realized after investigating it how stupid difficult it is to even start trying to do it. good idea, but the infrastructure is not in place in the backend to be able to make it possible. -Jeremy -- Jeremy Kitchen ++ [EMAIL PROTECTED] In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob. pgpunMbN17sXz.pgp Description: PGP signature ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Michael wrote: But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus... Ok, i see you must have experience. Are there really so many virussender who specify a fake REAL EXIST mail address? I infer that you've never had one of your users or domains be used as a forged sender address? (You'd know the answer is yes, if you had. :-) Anyway, amavisd-new lists a dozen or so examples: # Treat envelope sender address as unreliable and don't send sender # notification / bounces if name(s) of detected virus(es) match the list. # Note that virus names are supplied by external virus scanner(s) and are # not standardized, so virus names may need to be adjusted. # See README.lookups for syntax. # $viruses_that_fake_sender_re = new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i, ); ...and there will be more to come, no doubt. I still see Nimbda, Klez, and Sobig wandering by in the ~5 viral emails average per day that make it through other filtering like postgrey's greylisting. -- -Chuck ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Jeremy Kitchen wrote: On Friday 06 January 2006 02:24, Michael wrote: Ok, your massages convinced me only to report the sender. I don't want only blackhole the message and nothing else, because i think one of the both, the sender or the recipient should get informed. no you should NEVER notify the sender. I wouldn't say never. If you had authenticated SMTP set up you could always send the notification back to the sender using the username supplied during the SMTP authentication process. After authentication has succedeed of course. :) ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On Friday 06 January 2006 09:55, Steven Spence wrote: Jeremy Kitchen wrote: On Friday 06 January 2006 02:24, Michael wrote: Ok, your massages convinced me only to report the sender. I don't want only blackhole the message and nothing else, because i think one of the both, the sender or the recipient should get informed. no you should NEVER notify the sender. I wouldn't say never. If you had authenticated SMTP set up you could always send the notification back to the sender using the username supplied during the SMTP authentication process. After authentication has succedeed of course. :) rejecting the message should alert the user that something is wrong. Most MUAs will say hey! they didn't take my mail! and only outlook won't tell you why. 5xx Message rejected because of infection with Worm.YouSuck.Loser -Jeremy -- Jeremy Kitchen ++ [EMAIL PROTECTED] In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob. pgpRMpq2dZ7cu.pgp Description: PGP signature ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Jeremy Kitchen wrote: I wouldn't say never. If you had authenticated SMTP set up you could always send the notification back to the sender using the username supplied during the SMTP authentication process. After authentication has succedeed of course. :) rejecting the message should alert the user that something is wrong. Most MUAs will say hey! they didn't take my mail! and only outlook won't tell you why. 5xx Message rejected because of infection with Worm.YouSuck.Loser Well, rejecting a message does alert the user if the user is sitting behind their mail client that sent it. Most viruses have their own engines to send out copies of itself. While the 5xx response message is still sent back it never makes it to the person using the computer to make them aware of the rejection. ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On Friday 06 January 2006 10:35, Steven Spence wrote: Jeremy Kitchen wrote: I wouldn't say never. If you had authenticated SMTP set up you could always send the notification back to the sender using the username supplied during the SMTP authentication process. After authentication has succedeed of course. :) rejecting the message should alert the user that something is wrong. Most MUAs will say hey! they didn't take my mail! and only outlook won't tell you why. 5xx Message rejected because of infection with Worm.YouSuck.Loser Well, rejecting a message does alert the user if the user is sitting behind their mail client that sent it. Most viruses have their own engines to send out copies of itself. While the 5xx response message is still sent back it never makes it to the person using the computer to make them aware of the rejection. that's why you also have a log watcher on your SMTP logs that checks if one of your own users is attempting to send viruses. You then match up their IP address and the timestamp with the radius logs (assuming a dialup ISP) and pick up the telephone. -Jeremy -- Jeremy Kitchen ++ [EMAIL PROTECTED] In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob. pgpYgPhDRHlAM.pgp Description: PGP signature ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
Steven Spence wrote: Jeremy Kitchen wrote: I wouldn't say never. If you had authenticated SMTP set up you could always send the notification back to the sender using the username supplied during the SMTP authentication process. After authentication has succedeed of course. :) rejecting the message should alert the user that something is wrong. Most MUAs will say hey! they didn't take my mail! and only outlook won't tell you why. 5xx Message rejected because of infection with Worm.YouSuck.Loser Well, rejecting a message does alert the user if the user is sitting behind their mail client that sent it. Most viruses have their own engines to send out copies of itself. While the 5xx response message is still sent back it never makes it to the person using the computer to make them aware of the rejection. Out of curiousity, has anyone (recently) experienced a situation where a real user was attempting to send out an email with an attachment that contained a virus? I can't say that I have. In any case, I'm quite certain that 99.999% of all virus email on the net today is generated by existing viruses and not legit users who accidently attach a virus. Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University -- ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RE: Report infected mail to the user
On 1/6/06 11:40 AM, Chuck Swiger [EMAIL PROTECTED] wrote: I agree with this almost entirely. You should absolutely try to 5xx refuse known-malicious email traffic, or if you have to accept it, silently file it away in a quarantine area for a knowledgeable human to review questionable cases, without generating additional email traffic. But you shouldn't discard a message you've 2xx accepted unless you are positive it is malicious. And the law under which the server is being operated matters too. Given a legal requirement to deliver all mail the server has accepted if it is technologically possible to do so, would delivery into a quarantine area accessible to the recipient count as delivery? I think it should, but I'm not a German prosecutor. --John (also not a non-German prosecutor) ___ http://lurker.clamav.net/list/clamav-users.html