RE: [Declude.JunkMail] EXE files, again!

2003-01-08 Thread Bill Beach
Anyone have good links?

From http://www.sophos.com/virusinfo/whitepapers/prevention.html

Block receiving/sending of executable code
There is very little need for executable code to be received or sent. In
most instances it is also illegal, usually breaching the software copyright.
Some people are fond of using self-extracting ZIP files to send compressed
data files: for security reasons using statically compressed ZIPs (which
need PKUNZIP to be decompressed) is a much better solution.

The blocking of executable code transfer is often best achieved on the
internet gateway. Unfortunately, it is impossible to detect executable code
with 100% certainty by analysing either the file content or the file
extension. However, blocking files with executable extensions such as EXE,
VBS, SHS etc. contributes to overall anti-virus measures.

User education also plays a significant part in preventing infections by
executable code received by email: the temptation to install a cute
screensaver can be very, very high for a PC user who is not security aware.

From http://www.sophos.com/virusinfo/articles/safehex.html

Block any unwanted file types at the email gateway. Viruses often use file
types such as VBS, SHS, EXE, SCR, CHM and BAT to spread. It is unlikely that
your organisation will ever need to receive files of these types from the
outside. If this is the case Sophos recommends blocking all of them at the
email gateway - whether they are virus infected or not.

HTH

-B

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
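
Added example (not from the thread, Declude or Sophos): a Python check of the kind the Sophos excerpts in the message above describe. It flags attachments by the extensions they list and, because they note that neither extension nor content is conclusive alone, also by the DOS/PE "MZ" header. The function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the Sophos excerpts quoted in the post above.
BLOCKED_EXTENSIONS = {"exe", "vbs", "shs", "scr", "chm", "bat"}


def blocked_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Return (filename, reason) for each MIME part the gateway should stop."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition filename=, then
        # Content-Type name=, and decodes RFC 2231 parameter values.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "a.exe." still runs.
        clean = name.strip().rstrip(". ").lower()
        ext = clean.rpartition(".")[2] if "." in clean else ""
        if ext in blocked:
            note = " (double extension)" if clean.count(".") > 1 else ""
            hits.append((name, f"blocked extension .{ext}{note}"))
            continue
        # Extension checks miss renamed files: also look for the DOS/PE
        # "MZ" magic. Neither check is complete, as the excerpt says.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):
            hits.append((name, "MZ executable header under another name"))
    return hits


def build_sample():
    """Constructed message: one clean attachment, three that should be stopped."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg.set_content("See attachments.")
    for fname, data in [
        ("love.scr", b"MZ\x90\x00stub"),
        ("report.zip", b"PK\x03\x04stub"),
        ("invoice.doc.VBS", b"' placeholder"),
        ("holiday.jpg", b"MZ\x90\x00stub"),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample()):
        print(f"REJECT {name}: {reason}")
```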



RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-08 Thread R. Scott Perry


I'll include the whole spam message in an attachment here.


This actually does turn out to be an issue with Declude JunkMail, where it 
wasn't scanning as far into the E-mail as it should.  This will be fixed in 
the next release (an interim release is available if anyone needs the fix 
right away).
   -Scott



Re: [Declude.JunkMail] EXE files, again!

2003-01-08 Thread Sheldon Koehler
 Anyone have good links?

 From http://www.sophos.com/virusinfo/whitepapers/prevention.html
 From http://www.sophos.com/virusinfo/articles/safehex.html


Thanks Bill. I plan on making another web page to go along with this one:
http://www.tenforward.com/support/viruspage.php


Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain





[Declude.JunkMail] Contact at Spamcop

2003-01-08 Thread Sheldon Koehler
One of our users sent a mass email to customers of his (hiding nothing and
legit headers, subject and so on) and was reported to Spamcop. Does anyone
have an email address for them that goes to a real human so I can clear this
up?

And what do people charge for mail list hosting?

Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain






Re: [Declude.JunkMail] Contact at Spamcop

2003-01-08 Thread R. Scott Perry


One of our users sent a mass email to customers of his (hiding nothing and
legit headers, subject and so on) and was reported to Spamcop. Does anyone
have an email address for them that goes to a real human so I can clear this
up?


If only a single person reported him, the IP should be removed very quickly 
(I believe within 30-60 minutes).

Although there is an address that will reach someone at Spamcop, I don't 
believe they manually remove entries.  Hopefully, they will start including 
the ratio of spam-to-legitimate-mail in their TXT records, which would 
prevent problems such as this.
  -Scott



[Declude.JunkMail] Admin Web for Declude

2003-01-08 Thread John Tolmachoff
We are pleased to announce our Admin Web for Declude.

This is an add-on for Declude products, including JunkMail, Virus and
Hijack.

This allows an administrator or someone he/she designates to be able to
view and edit the Declude configurations through a web interface.

Currently, this can be viewed on our lab server located at
http://64.171.65.24/WebAdmin. The user name is declude and the password is
declude. If you need to use a domain, use 64.171.65.24.

This is a temporary site and will be moved within the next few days to a
test server. Also, the log views have not yet been completed.

We intend to have a beta ready by Monday.

Please e-mail me off list with any specific comments, questions or
suggestions.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
211 E. Imperial Hwy, Suite 106
Fullerton, CA 92835
562-694-4800, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com


RE: [Declude.JunkMail] Copyall_account

2003-01-08 Thread R. Scott Perry


Scott, the copyall_account is still showing up in the logs


OK.


although else where it is showing up as [EMAIL PROTECTED]


Where is it showing up as [EMAIL PROTECTED]?


How can I get it to not scan twice if it is still showing copyall_account?


The E-mail will only be scanned once, and no actions should be taken based 
on the copyall account (see below, though).  However, you will see the log 
file entries for the copyall account, as it is one of the recipients of the 
E-mail.  Kind of like user aliases and host aliases, it can get a bit 
confusing keeping track of all the possibilities.

(I do have a ruleprocess.junkmail file in a reliance.net folder under
Declude. But the log shows it is still using the global one.)


With the next interim release, no actions will be taken for the copyall 
account.
-Scott



RE: [Declude.JunkMail] Copyall_account

2003-01-08 Thread John Tolmachoff
 although else where it is showing up as [EMAIL PROTECTED]
 
 Where is it showing up as [EMAIL PROTECTED]?

In the virus notifications:

Declude Virus v1.65i15 caught the : W32/Lentin.H@mm virus in love.scr from
[Forged] to:  [EMAIL PROTECTED], [EMAIL PROTECTED]

 The E-mail will only be scanned once, and no actions should be taken based
 on the copyall account (see below, though).  However, you will see the log
 file entries for the copyall account, as it is one of the recipients of
 the E-mail.  Kind of like user aliases and host aliases, it can get a bit
 confusing keeping track of all the possibilities.

OK.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com





RE: [Declude.JunkMail] EXE files, again!

2003-01-08 Thread Karen Oland
Unfortunately, failure to run AV programs at the client side (as well as at
the mail server) has crippled the legitimate sending of .EXE files through
email (which we commonly used to do -- our users are unsophisticated and
have trouble extracting updates out of their email if zipped first).  We
violate absolutely zero licenses in our distributions (licensed zip program
for creating self-extracting emails).  Instead, we have to resort to posting
the exe, sending out an email, then walking the user through the download
and execution on the phone (sure, we had to talk to them before, but AFTER
they downloaded the EXE across their crappy dial-up connection). Trying to
explain ZIP files -- forget it, you have to walk them through finding a
freeware ZIP program, installing it, possibly rebooting, then unzipping the
download and extracting it -- this is why we started using EXE files long
ago.  I guess the next step in the progress of email is we'll go back to
mailing out diskettes (which had the benefit of not having to explain that
the EXE and the unzipped files did not BOTH fit on a diskette).

Set up an area that your old lady customer can upload her cute EXE files
(or document how to use one of the free sites) and set up clear
documentation that any 50 year old can follow (not that a kid can follow) on
how to link the file in an email.  Explain the benefit of not worrying if
the receiver's mailbox is full or having to wait when sending the cute file
to all her friends for it to be uploaded once per receiver.

K Oland

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Sheldon Koehler
 Sent: Wednesday, January 08, 2003 11:44 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] EXE files, again!


  Anyone have good links?
 
  From http://www.sophos.com/virusinfo/whitepapers/prevention.html
  From http://www.sophos.com/virusinfo/articles/safehex.html


 Thanks Bill. I plan on making another web page to go along with this one:
 http://www.tenforward.com/support/viruspage.php


 Sheldon


 Sheldon Koehler, Owner/Partner   http://www.tenforward.com
 Ten Forward Communications   360-457-9023
 Nationwide access, neighborhood support!

 Whenever you find yourself on the side of the majority, it's time
 to pause and reflect. Mark Twain





RE: [Declude.JunkMail] Copyall_account

2003-01-08 Thread R. Scott Perry


 Where is it showing up as [EMAIL PROTECTED]?

In the virus notifications:

Declude Virus v1.65i15 caught the : W32/Lentin.H@mm virus in love.scr from
[Forged] to:  [EMAIL PROTECTED], [EMAIL PROTECTED]


That's the %ALLRECIPS% variable -- it will be fixed in the next release 
(neither [EMAIL PROTECTED] nor copyall_account will be shown, since 
the sender shouldn't know about the [EMAIL PROTECTED] address).
-Scott



[Declude.JunkMail] SMTP2

2003-01-08 Thread John Tolmachoff
What does this line mean please?

01/08/2003 15:15:52  Passing to SMTP2: -qr

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






[Declude.JunkMail] HELOBOGUS - WHY?

2003-01-08 Thread Darrell L.
I had this piece of mail fail the helobogus test.  I am wondering why?
Here are the message headers.

Received: from babel.avstarnews.com [12.24.201.132] by
mail1.gannett-tv.com 
with ESMTP
  (SMTPD32-7.12) id A6A397880132; Wed, 08 Jan 2003 17:30:59 -0500
Received: by BABEL with Internet Mail Service (5.5.2653.19)
id CRNNAKGW; Wed, 8 Jan 2003 16:29:30 -0600
Message-ID: 449249DE8813D711907B0090273F213704E08D@BABEL
From:  [EMAIL PROTECTED]
To: x [EMAIL PROTECTED]
Subject: Server Remirroring Procedure
Date: Wed, 8 Jan 2003 16:29:26 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)   

Darrell LaRock






Re: [Declude.JunkMail] SMTP2

2003-01-08 Thread R. Scott Perry


What does this line mean please?

01/08/2003 15:15:52  Passing to SMTP2: -qr


It means that Declude has been called with just one parameter that starts 
with -, and is not a command that Declude recognizes as an internal 
command.  This will be shown in the logs at LOGLEVEL HIGH when -qr is 
sent by IMail for a queue run.
   -Scott



Re: [Declude.JunkMail] Ipswitch Newsletter

2003-01-08 Thread Eje Gustafsson
Hello Michael,

Looks like you're giving mail that fails the spamheaders test a negative
1 in weight. Funny that Ipswitch's newsletter fails this test..
At least it's not a message or newsletter from Scott; now that would be
really REALLY amusing considering the guy's skills and knowledge ;)

-Eje

ML Either I am doing something wrong or this is worth a chuckle.

ML Received: from newman.ipswitch.com [156.21.1.4] by ucopiannetworks.com with
ML ESMTP
ML   (SMTPD32-6.05) id ACC42F4B00CA; Wed, 08 Jan 2003 21:21:56 -0500
ML Received: from CAMPAIGN [156.21.1.4] by newman.ipswitch.com
ML   (SMTPD32-7.12) id A2E2AE027A; Wed, 08 Jan 2003 13:50:10 -0500
ML From: Tamara Hart, Ipswitch [EMAIL PROTECTED]
ML To: [EMAIL PROTECTED]
ML Subject: Your Ipswitch Newsletter - January Edition
ML Date: WED, 08 JAN 2003 13:50:10 -0400
ML MIME-Version: 1.0
ML Reply-To: [EMAIL PROTECTED]
ML Content-Type: multipart/alternative; boundary=Boundary..
ML Message-Id: 200301081350968.SM00206@CAMPAIGN
ML X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.4]
ML X-Note: This E-mail was scanned by Ucopian JunkMail
ML (www.ucopiannetworks.com) for spam.
ML X-Spam-Tests-Failed: SPAMHEADERS [-1]
ML X-RCPT-TO: [EMAIL PROTECTED]
ML X-UIDL: 342055870
ML Status: U




[Declude.JunkMail] OT: Pots Kettles in the Clair de Lune

2003-01-08 Thread Sanford Whiteman
All,

A  noteworthy  encounter  with  the  officious  admin of a combination
draconian/broken  server.  I  think my state of mind will be picked up
pretty  quickly  from  the following snippet. IPs and hosts changed to
protect  the not-so-innocent--including us, since I did screw up, too,
but STILL...

 ...our  firewall  does a reverse lookup. mail.clientco.com resolves
 as  1.1.1.1...Since  these  two  IP  addresses  do  not  match, our
 firewall rejects the connection...
 
 This  strict  constraint is certainly not evident from the 421 message
 returned by your server.
 
 Moreover,  your  own mail servers do not meet this requirement! Your
 mail server at 2.2.2.2 uses EHLO text--
 
 EHLO [3.3.3.3]
 
 --a violation of your own requirement, since the PTR, ptr.draco.com,
 does  not  even  have  an A record at all. If ClientCo employed your
 policy, *they* would reject *your* mail!
 
 This  EHLO  is  also  a  violation of RFC 2821, which states that an
 address  literal is only allowed if a host has no name (3.3.3.3 does
 have  a PTR record, and therefore does have a name), and a violation
 of the common test to see if EHLO and PTR match (since a PTR cannot,
 by definition, resolve to an address literal).

 Though  I  appreciate  the  anti-spam utility of deeply verifying EHLO
 arguments,  returning  a  4xx  code  rather  than a 5xx undermines any
 educational  utility,  wasting  everybody's  bandwidth  and delaying
 issue  resolution.  And  if  you  should  have occasion to review this
 policy  in  the  future,  I do hope you consider that your own systems
 violate it. :)
 
 Sincerely yours,
 
 Sandy

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
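
Added example (not from the thread or from any product mentioned in it): the EHLO-versus-PTR comparison discussed in the message above, written in Python with plain dicts standing in for DNS lookups. The names, addresses and the choice of reply codes are assumptions made for illustration.

```python
import ipaddress


def parse_ehlo(arg):
    """Return ('literal', ip) for a bracketed address, else ('domain', name)."""
    if arg.startswith("[") and arg.endswith("]"):
        body = arg[1:-1]
        if body.lower().startswith("ipv6:"):
            body = body[5:]
        return "literal", str(ipaddress.ip_address(body))
    return "domain", arg.rstrip(".").lower()


def check_ehlo(ehlo_arg, client_ip, ptr_records, a_records):
    """Compare an EHLO argument with DNS data for the connecting address.
    ptr_records maps ip -> [names] and a_records maps name -> [ips]; plain
    dicts stand in for a resolver so the check runs offline.
    Returns (reply_code, findings).
    """
    findings = []
    ptr_names = [n.rstrip(".").lower() for n in ptr_records.get(client_ip, [])]
    try:
        kind, value = parse_ehlo(ehlo_arg)
    except ValueError:
        return 501, ["EHLO argument is a malformed address literal"]
    if kind == "literal":
        if value != client_ip:
            findings.append("address literal differs from connecting address")
        if ptr_names:
            # The host has a name, so the literal was not needed, and a PTR
            # target can never equal a literal: EHLO/PTR matching must fail.
            findings.append("address literal used although PTR exists: " + ptr_names[0])
    else:
        if client_ip not in a_records.get(value, []):
            findings.append("EHLO name does not resolve to connecting address")
        if value not in ptr_names:
            findings.append("PTR does not point back to EHLO name")
    for name in ptr_names:
        if client_ip not in a_records.get(name, []):
            findings.append("PTR name has no matching A record: " + name)
    # A policy failure is permanent, so answer 5xx; a 4xx only makes the
    # sender retry without learning what to fix.
    return (550 if findings else 250), findings


# Constructed DNS data (documentation address ranges, hypothetical names).
PTR = {"192.0.2.10": ["mail.example.com"], "198.51.100.7": ["ptr.example.net"]}
A = {"mail.example.com": ["192.0.2.10"], "mail.example.org": ["203.0.113.99"]}

if __name__ == "__main__":
    for arg, ip in [("mail.example.com", "192.0.2.10"),
                    ("[198.51.100.7]", "198.51.100.7"),
                    ("mail.example.org", "203.0.113.5")]:
        print(arg, ip, check_ehlo(arg, ip, PTR, A))
```

RFC 2821 section 4.1.4 permits this verification but says a server MUST NOT refuse a message solely because it fails, so many sites feed the findings into scoring or logging rather than returning the 550 shown here.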

