Re: [Declude.Virus] gokar
>Anyone seen this gokar worm yet?
>
>We haven't but have seen quite a bit of traffic on incidents list.
>
>I see it is included in the McAfee (NEA) 4176 Dat. It was not in my
>NAV list until just a few minutes ago at about 4:30 cst. In f-prot I
>see gokar.a only so I'm not sure about the other variants.

We received a report from Sophos this morning (before they had received any copies from customers), but haven't heard anything anywhere else.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .

[Declude.Virus] gokar
Anyone seen this gokar worm yet?

We haven't but have seen quite a bit of traffic on incidents list.

I see it is included in the McAfee (NEA) 4176 Dat. It was not in my NAV list until just a few minutes ago at about 4:30 cst. In f-prot I see gokar.a only so I'm not sure about the other variants.

Terry Fritts

Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
>With PRESCAN it runs without a hitch (have only had to restart and
>clean up once). With PRESCAN off, then we have a problem coping
>with the load. I'm ranging about 0.7% of messages infected
>compared to some higher figures I have seen by others - Perhaps
>the prescanning feature cuts down on the number of detections
>(which would make sense if it does).

The prescanning shouldn't cut down on the number of detections. Although viruses spread through HTML in E-mail are rare, there are a few that work that way (such as the Kak/Worm virus).

The prescanning is designed to check the HTML to see if there is any potentially dangerous code in it (such as scripts), and if so, it will pass it on to the scanner. But since most HTML E-mails don't contain scripts or other potentially dangerous code, most of the E-mails don't need to be scanned.

We're not aware of any viruses that can get past the prescanning, although it could be possible. If anyone does know of a virus that bypasses the prescanning, we would want to know about it, so we can update it.

-Scott

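
Added example, not part of the thread and not Declude's code: a sketch of the prescan idea described in the message above, where a cheap check of the HTML decides whether a message has to go to the full scanner. The rule set (`ACTIVE_TAGS`, `URL_ATTRS`, `ACTIVE_SCHEMES`), the function names, the sample messages and the choice to send every attachment and every unparseable part to the scanner are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed rule set for illustration only; not Declude's actual list.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}
URL_ATTRS = {"href", "src", "background", "action"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Collects reasons why an HTML body is not inert."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace and case so the scheme test sees a normal form.
            value = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.reasons.append(f"{name} event handler")
            elif name in URL_ATTRS and value.startswith(ACTIVE_SCHEMES):
                self.reasons.append(f"{name} uses {value.split(':')[0]}: URL")


def prescan(raw):
    """Return (needs_full_scan, reasons) for a raw RFC 822 message.

    Fails closed: anything that cannot be positively classified as
    inert text is handed to the virus scanner.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.defects:
            reasons.append("malformed MIME structure")
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_filename() or ctype not in ("text/plain", "text/html"):
            reasons.append(f"attachment or non-text part ({ctype})")
        elif ctype == "text/html":
            try:
                finder = ActiveContentFinder()
                finder.feed(part.get_content())
                finder.close()
                reasons.extend(finder.reasons)
            except Exception:
                reasons.append("HTML part could not be decoded")
    return bool(reasons), reasons


def sample_message(html, attachment=None):
    """Build a constructed test message (not taken from the thread)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "sample"
    m.set_content(html, subtype="html")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()


if __name__ == "__main__":
    for body in ("<html><body><p>Hello <b>world</b></p></body></html>",
                 '<html><body onload="init()"><script>init()</script></body></html>'):
        print(prescan(sample_message(body)))
```

A prescan of this kind is a load-reduction measure, so the safe default when a part cannot be classified is to scan it.
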
Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
- # of messages per day: 150,000-200,000
- non-local mail delivered to sendmail servers for further delivery
- scanning both incoming and outgoing mail
- using Declude 1.28
- using F-PROT
- PRESCAN set in config

With PRESCAN it runs without a hitch (have only had to restart and clean up once). With PRESCAN off, then we have a problem coping with the load. I'm ranging about 0.7% of messages infected compared to some higher figures I have seen by others - Perhaps the prescanning feature cuts down on the number of detections (which would make sense if it does).

I'm as happy as I can be with it - I wouldn't expect _anything_ else to work any better running on NT and running on the same system.

Mike Tindor
1st.net

-- Original Message --
From: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Thu, 13 Dec 2001 17:09:10 +0100

>Hi all,
>
>Is there someone who has tried to run IMAIL & DECLUDE with a load of
>over 50.000 msg./day?
>The server should act only as SMTP-Gateway, no POP3 or IMAP-load.
>
>There is an ISP having a lot of trouble since the last "virus-wave" in
>the last two weeks.
>
>Markus

RE: MISSING_REVERSE_DNS:RE: [Declude.Virus] Troubleshooting Imail/declude log parser v1.1 (usage.cmd)
This script looks at Imail *and* Declude logs, hence the name "Imail/Declude log parser."

DOMLIST.EXE shows a summary of incoming and outgoing mail by domain. I have configured my Imail server to record POP3 and SMTP logs to the SYSLOG service which uses log.txt rather than to a file (sys.txt). Change all of the places in your USAGE.CMD to reflect the setting you chose when you configured these services. Only the "Log Server" or "SYSMMDD.TXT" settings work with this script.

To view these settings in the Imail Administrator program look under
[localhost]
  [services]
    [POP3] POP3 tab > Log to:
    [SMTP] SMTP tab > Log to:

This line of code you mention runs DOMLIST.EXE to create a mail usage summary and filters the output so that the listings of incoming/outgoing mail by domain are listed minus the DOMLIST.EXE advertising blurb below:

Domain Lister - (C) Copyright 2001 Computerized Horizons - www.declude.com
Please consider using our anti-virus and anti-spam software for IMail servers.

Here's an example of the email message that shows up in my inbox every morning at 2:30am.

From: Mail Admin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 13, 2001 2:30 AM
To: [EMAIL PROTECTED]
Subject: Thu 12-12-2001 Mail usage/Virus report

Report created 2:30a 2001-12-13 by Usage(v1.1) on Imail server (for 2001-12-12)

Domain               # In  # Out  Bytes In  Bytes Out
-----------------------------------------------------
pcesystems.com        372    136  67803259    2262220
needaparts.com         89     19   2327162     732767
ford.com                0    139         0     282015
[postmaster]            0      5         0      11228
fordmss.com             1      1      1740       1993
adminfslc.org          34     24  12046444      51939
visteon.com             0      1         0       1170
wcspcesystems.com       8      7     43296      32907
pcesystems.net          1      0   4201409          0
bounce.em5000.net       0      1         0       5006
-----------------------------------------------------
Total:                505    333  86423310    3381245

Virus Detections:
0 Viruses detected for 12-12-2001

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paul W. Lucido
Sent: Thursday, December 13, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: MISSING_REVERSE_DNS:RE: [Declude.Virus] Troubleshooting Imail/declude log parser v1.1 (usage.cmd)

I guess my question is, what log file are you scanning for viruses? Looking at the following command:

%spl%DOMLIST %spl%log%mm%%yd%.txt | find /V "Domain Lister - (C) Copyright 2001" | find /V "Please consider using our" >>%log%%mm%%yd%usage.log

this performs a domlist.exe on log1212.txt. What viruses are found in the log.txt file? I only have log.txt files for the days I stopped and started services. Is it supposed to point to a different file?

Happy Holidays,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Pitoniak
Sent: Thursday, December 13, 2001 9:22 AM
To: Declude. Virus@declude. com
Cc: Keith Yount
Subject: [Declude.Virus] Troubleshooting Imail/declude log parser v1.1 (usage.cmd)

If you are having problems with this command script, the following instructions allow you to see the output and errors of all of the commands involved.

Open usage.cmd in a text editor (making sure that word wrap is not turned on) and add a colon to the 1st line of the script to disable hiding the output of the commands involved. For example:

:@echo off

When you run usage.cmd, direct the output into a file so you can review the results. For example:

usage.cmd 1> use.log 2>&1

The 1> directs the normal output (called STDOUT or standard output) and the 2>&1 directs the error output (called STDERR or standard error output) to a file.

Send me this logfile if you don't understand what's wrong and I can help you figure out what's not working.

Best regards,
Jeff

RE: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
I use McAfee with a load of over 50,000 being received and usually around 12,000 being sent per day. Recently I have had to gdeliver to a sendmail box.

Craig.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Thursday, December 13, 2001 12:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience

>Is there someone who has tried to run IMAIL & DECLUDE with a load of
>over 50.000 msg./day?

That is a heavy load, but we do have a number of customers using such a configuration. Which virus scanner are you using? Note that McAfee may have troubles dealing with such a volume.

>There is an ISP having a lot of trouble since the last "virus-wave" in
>the last two weeks.

What kind of trouble?

-Scott

RE: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
Sure did. I ran Version 1.2 on the MID level log file.

>George how did you pull those stats together? Did you use the same log
>analyser as mentioned in this list?

RE: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
George how did you pull those stats together? Did you use the same log analyser as mentioned in this list?

Mark Chadwick
IT Support Engineer
Science International
Bateman House
82-88 Hills Road
Cambridge
Cambs CB2 1LQ
+44(0)1223 326500

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of George Peace
Sent: 13 December 2001 17:07
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience

We're running 125,000 to 140,000 messages/day with around 30,000 mailboxen.

Yes, there's trouble but there's no blame implied... Two things have happened. One is that we had to shut off incoming virus scanning to keep the imail box stable for more than a few hours at a time. The other, unexpectedly, is that we've been contacted by two spam/IP listing services and told we're their heaviest name server user. One politely asked us to make changes. The other is doing a hit/miss study on us.

Over the last 10 days we've scanned (f-prot) 6,500 - 14,000 outbound messages a day with infection numbers ranging between 15% and 28%.

Here's a sample stat for those of us who stare at numbers...

Total Emails Scanned  = 14,116
Total Emails Clean    = 11,365
Total Emails Infected = 2,751
Percent of Emails Infected to Total Emails Scanned: 19.4885%

Count= 1,092  Virus Name= W32/Badtrans.B@mm
Count= 798    Virus Name= W32/Hybris.worm.B
Count= 695    Virus Name= W32/Sircam.worm@mm
Count= 51     Virus Name= W32/Hybris.worm.D
Count= 49     Virus Name= W32/Magistr.28672@mm
Count= 47     Virus Name= W32/Magistr.32768@mm
Count= 17     Virus Name= W32/Aliz.A
Count= 1      Virus Name= JS/Kak.A@m
Count= 1      Virus Name= W32/MTX.9244.worm.A

>Is there someone who has tried to run IMAIL & DECLUDE with a load of
>over 50.000 msg./day?
>The server should act only as SMTP-Gateway, no POP3 or IMAP-load.
>
>There is an ISP having a lot of trouble since the last "virus-wave" in
>the last two weeks.

Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
We're running 125,000 to 140,000 messages/day with around 30,000 mailboxen.

Yes, there's trouble but there's no blame implied... Two things have happened. One is that we had to shut off incoming virus scanning to keep the imail box stable for more than a few hours at a time. The other, unexpectedly, is that we've been contacted by two spam/IP listing services and told we're their heaviest name server user. One politely asked us to make changes. The other is doing a hit/miss study on us.

Over the last 10 days we've scanned (f-prot) 6,500 - 14,000 outbound messages a day with infection numbers ranging between 15% and 28%.

Here's a sample stat for those of us who stare at numbers...

Total Emails Scanned  = 14,116
Total Emails Clean    = 11,365
Total Emails Infected = 2,751
Percent of Emails Infected to Total Emails Scanned: 19.4885%

Count= 1,092  Virus Name= W32/Badtrans.B@mm
Count= 798    Virus Name= W32/Hybris.worm.B
Count= 695    Virus Name= W32/Sircam.worm@mm
Count= 51     Virus Name= W32/Hybris.worm.D
Count= 49     Virus Name= W32/Magistr.28672@mm
Count= 47     Virus Name= W32/Magistr.32768@mm
Count= 17     Virus Name= W32/Aliz.A
Count= 1      Virus Name= JS/Kak.A@m
Count= 1      Virus Name= W32/MTX.9244.worm.A

>Is there someone who has tried to run IMAIL & DECLUDE with a load of
>over 50.000 msg./day?
>The server should act only as SMTP-Gateway, no POP3 or IMAP-load.
>
>There is an ISP having a lot of trouble since the last "virus-wave" in
>the last two weeks.

Re: MISSING_REVERSE_DNS:RE: [Declude.Virus] Load experience
> > Which virus scanner are you using?
> > Note that McAfee may
> > have troubles dealing with such a volume.
>
>At the moment there is no scan engine.

OK, I thought that you were saying that the ISP was running Declude, and was having troubles. Now I understand -- the troubles they are having are with viruses, and they aren't using Declude.

>Which one is the fastest on your experience?

Most are about the same speed, except for McAfee which can be faster -- but, it can also have problems when two scanner processes are started too closely to one another (it reports an error, and the E-mail has to be re-scanned, taking extra resources).

-Scott

MISSING_REVERSE_DNS:RE: [Declude.Virus] Load experience
> Which virus scanner are you using?
> Note that McAfee may
> have troubles dealing with such a volume.

At the moment there is no scan engine.
Which one is the fastest on your experience?

> >There is an ISP having a lot of trouble since the last "virus-wave" in
> >the last two weeks.
> What kind of trouble?

Many more messages per day and a lot of customers with bad humor...
The customers ask why this ISP doesn't filter this content.
The ISP asked us what he can do... ;-)

Markus

RE: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
We've been using it for quite some time and have not noticed it impact the server unnecessarily. On heavy days we average 45K to 50K+, and we are using NIA's (McAfee) Netshield.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Thursday, December 13, 2001 10:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience

>Is there someone who has tried to run IMAIL & DECLUDE with a load of
>over 50.000 msg./day?

That is a heavy load, but we do have a number of customers using such a configuration. Which virus scanner are you using? Note that McAfee may have troubles dealing with such a volume.

>There is an ISP having a lot of trouble since the last "virus-wave" in
>the last two weeks.

What kind of trouble?

-Scott

Re: [Declude.Virus] MISSING_REVERSE_DNS:Load experience
>Is there someone who has tried to run IMAIL & DECLUDE with a load of
>over 50.000 msg./day?

That is a heavy load, but we do have a number of customers using such a configuration. Which virus scanner are you using? Note that McAfee may have troubles dealing with such a volume.

>There is an ISP having a lot of trouble since the last "virus-wave" in
>the last two weeks.

What kind of trouble?

-Scott

MISSING_REVERSE_DNS:RE: [Declude.Virus] Troubleshooting Imail/declude log parser v1.1 (usage.cmd)
I guess my question is, what log file are you scanning for viruses? Looking at the following command:

%spl%DOMLIST %spl%log%mm%%yd%.txt | find /V "Domain Lister - (C) Copyright 2001" | find /V "Please consider using our" >>%log%%mm%%yd%usage.log

this performs a domlist.exe on log1212.txt. What viruses are found in the log.txt file? I only have log.txt files for the days I stopped and started services. Is it supposed to point to a different file?

Happy Holidays,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Pitoniak
Sent: Thursday, December 13, 2001 9:22 AM
To: Declude. Virus@declude. com
Cc: Keith Yount
Subject: [Declude.Virus] Troubleshooting Imail/declude log parser v1.1 (usage.cmd)

If you are having problems with this command script, the following instructions allow you to see the output and errors of all of the commands involved.

Open usage.cmd in a text editor (making sure that word wrap is not turned on) and add a colon to the 1st line of the script to disable hiding the output of the commands involved. For example:

:@echo off

When you run usage.cmd, direct the output into a file so you can review the results. For example:

usage.cmd 1> use.log 2>&1

The 1> directs the normal output (called STDOUT or standard output) and the 2>&1 directs the error output (called STDERR or standard error output) to a file.

Send me this logfile if you don't understand what's wrong and I can help you figure out what's not working.

Best regards,
Jeff

[Declude.Virus] MISSING_REVERSE_DNS:Load experience
Hi all,

Is there someone who has tried to run IMAIL & DECLUDE with a load of over 50.000 msg./day?
The server should act only as SMTP-Gateway, no POP3 or IMAP-load.

There is an ISP having a lot of trouble since the last "virus-wave" in the last two weeks.

Markus

[Declude.Virus] Troubleshooting Imail/declude log parser v1.1 (usage.cmd)
If you are having problems with this command script, the following instructions allow you to see the output and errors of all of the commands involved.

Open usage.cmd in a text editor (making sure that word wrap is not turned on) and add a colon to the 1st line of the script to disable hiding the output of the commands involved. For example:

:@echo off

When you run usage.cmd, direct the output into a file so you can review the results. For example:

usage.cmd 1> use.log 2>&1

The 1> directs the normal output (called STDOUT or standard output) and the 2>&1 directs the error output (called STDERR or standard error output) to a file.

Send me this logfile if you don't understand what's wrong and I can help you figure out what's not working.

Best regards,
Jeff

[Declude.Virus] Test
Sorry, just checking to see if MISSING_REVERSE_DNS stopped showing in the subject of my posts as I finally got around to reverse dns after a major network infrastructure re-engineering project we just finished.

Regards,
Jeff

--
"If your only tool is a hammer, pretty soon everything starts to look like a nail." -Dr. William Learner, Chiropractor

Jeff Pitoniak - Network Administration & Security Consultant - PCE Systems, Inc.
email: [EMAIL PROTECTED]
Ph:(248)223-4888 ext.138
Fax:(248)223-4889