RE: [Declude.Virus] Problem in Config
> Scott, thanks for the download but it is still getting caught. What am I
> missing? I replaced the exe and ran the exe and see the new version in
> the email output. Ideas?
>
> CA

Could that be the MIME segment in MIME preamble vulnerability (which it turns out would get caught even with the BANCRVIRUSES OFF setting)? We have an interim release at http://www.declude.com/release/165i/declude.exe that will take care of that.

-Scott

---
[This Email scanned for viruses by Declude Virus provided by http://www.enSYNC-Corp.com]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Interesting X-Header
Was just curious what this meant. Have never seen this before.

X-Spam-Tests-Failed: MONKEYFORMMAIL
RE: [Declude.Virus] Problem in Config
> thanks for the download but it is still getting caught. What am I
> missing? I replaced the exe and ran the exe and see the new version in
> the email output. Ideas?

What is the *exact* name of the vulnerability that is getting caught?

If you type \IMail\Declude -diag (*EXACTLY* like that) from a command prompt, does it show that you are running v1.65i5?

-Scott
RE: [Declude.Virus] Interesting X-Header
This is just one of the many IP4R tests that you have activated. Take a look at this for detail:

http://www.declude.com/junkmail/support/ip4r.htm

They are all listed above.

MONKEYFORMMAIL
Lists servers running formmail, which can be used to send spam. Zone transfers required for large organizations (100,000+ queries/day). Has TXT records.

Hope this helps..

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze - Hostmaster
Sent: Friday, December 20, 2002 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Interesting X-Header

Was just curious what this meant. Have never seen this before.

X-Spam-Tests-Failed: MONKEYFORMMAIL
Re: [Declude.Virus] Interesting X-Header
> Was just curious what this meant. Have never seen this before.
>
> X-Spam-Tests-Failed: MONKEYFORMMAIL

The X-Spam-Tests-Failed: line shows a list of the spam tests that the E-mail failed. In this case, the E-mail failed the MONKEYFORMMAIL test. You can go to http://www.declude.com/junkmail/support/ip4r.htm for a list of public spam tests, which also has URLs for more details about the tests. I believe this one lists IPs of webservers that have form mail scripts that can be abused by spammers.

-Scott
[Declude.Virus] Monitoring of Declude Virus
I have downloaded and installed/tested the Virus Log Analyzer to take a look at what is being caught in the way of viruses. However, I wanted to see what others are using to 'real time' monitor the virus logs. Outside of using WinTail to watch the log files, I didn't know if others are using some program to query activity within the logs, i.e. scanner failures and other such events. Since we virtual host email for our customers, I need to ensure that it is always running properly.

Thanks for any suggestions.

-Keith
[Declude.Virus] Issues running the fpcmd.exe scanner
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing, the f-prot.exe works great, reports in the log just fine, and sends out the notification emails. If I use the fpcmd file, the file gets seen, however nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace; any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and sent locally using Outlook Express.

12/20/2002 12:59:44 Q5a90002f0078444b Declude Virus Pro Registered
12/20/2002 12:59:44 Q5a90002f0078444b Starting locality check
12/20/2002 12:59:44 Q5a90002f0078444b CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local domain1
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local main domain
12/20/2002 12:59:44 Q5a90002f0078444b Local host = ntad.com
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] Offset=9 Flags=1
12/20/2002 12:59:44 Q5a90002f0078444b Msgid: 000901c2a851$93ec27e0$[EMAIL PROTECTED]
12/20/2002 12:59:44 Q5a90002f0078444b Subject: testing virus10
12/20/2002 12:59:44 Q5a90002f0078444b C:\IMail\spool\Q5a90002f0078444b.SMD
12/20/2002 12:59:44 Q5a90002f0078444b Starting virus scanning section...
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER=0
12/20/2002 12:59:44 Q5a90002f0078444b Exclude Default=1
12/20/2002 12:59:44 Q5a90002f0078444b Exclude Domain=0
12/20/2002 12:59:44 Q5a90002f0078444b Exclude peruser=-1
12/20/2002 12:59:44 Q5a90002f0078444b DoAv( C:\IMail\spool\D5a90002f0078444b.SMD );
12/20/2002 12:59:44 Q5a90002f0078444b avtempdir=C:\IMail\spool
12/20/2002 12:59:44 Q5a90002f0078444b Temp dir set to: C:\IMail\spool\D5a90002f0078444b.vir\
12/20/2002 12:59:44 Q5a90002f0078444b fp=444d40
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/mixed;boundary==_NextPart_000_0
12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_000_0005_01C2A827.AB057E10.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/mixed NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/alternative;boundary==_NextPart
12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_001_0006_01C2A827.AB057E10.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/alternative NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/plain;charset=iso-8859-1
12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/plain NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10].
12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/]
12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64
12/20/2002 12:59:44 Q5a90002f0078444b Hit new boundary (fseek)
12/20/2002 12:59:44 Q5a90002f0078444b curpos=920
12/20/2002 12:59:44 Q5a90002f0078444b Deleting (1) plaintext segment C:\IMail\spool\D5a90002f0078444b.vir\0..
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER--
12/20/2002 12:59:44 Q5a90002f0078444b Done Recursing...
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 1 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/html;charset=iso-8859-1
12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/html NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10].
12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/htm]
12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64
12/20/2002 12:59:44
RE: [Declude.Virus] Problem in Config
Scott

Gotcha.. sorry, I have been working off-site so I am using many diff ways to send email to you and take care of this problem. The latest one worked great.. appreciate the attention to my problem.

Thanks
CA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Friday, December 20, 2002 10:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Problem in Config

> > What is the *exact* name of the vulnerability that is getting caught?
>
> Outlook 'MIME segment in MIME Preamble' Vulnerability

First, it's time to learn how to quote -- it takes people a lot longer to go through an E-mail and try to figure out or guess which parts are parts they wrote, and which are parts you wrote. Sometimes, it may require looking at the original E-mail, which some people may not keep. :)

There is now a v1.65i6 interim release (at the same URL) that will take care of this.

-Scott
Re: [Declude.Virus] Issues running the fpcmd.exe scanner
> Reading some of the archives suggested that if using F-Prot it was best
> to use the fpcmd.exe over the f-prot.exe due to some errors encountered
> with using f-prot.exe

> 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file. F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there.

-Scott
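The following script is an added example for this thread, not Declude's code and not something any poster supplied. It addresses Keith's earlier question about monitoring the virus logs for scanner failures, and the DEBUG trace and the /NOFLOPPY answer above: it parses Declude's log line format (date, time, queue ID, message) as shown in the trace, tracks MIME nesting from the MIMELAYER++/-- lines, pulls out each "Starting scanner #N:" command line, flags the fpcmd.exe + /NOFLOPPY combination Scott describes, and reports any message for which no scanner was started at all (the silent pass-through Keith saw). The sample log lines are constructed from the trace and from Scott's quoted scanner line; the second queue ID, the INCOMPATIBLE_SWITCHES table and all function names are assumptions.

```python
"""Summarize Declude Virus DEBUG log lines per queue ID.

Example code added for this thread, not Declude's own. The log line format
(MM/DD/YYYY HH:MM:SS <queue-id> <message>) and the MIMELAYER++/-- and
"Starting scanner #N:" messages are taken from the trace posted in the
thread; the fpcmd.exe + /NOFLOPPY rule is from Scott's reply. The rest
(function names, the INCOMPATIBLE_SWITCHES table, the second queue ID in the
sample) is assumed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One Declude log line: date, time, queue ID (Q...), free-text message.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (Q\S+) (.*)$")
SCANNER_RE = re.compile(r"^Starting scanner #(\d+): (.+)$")

# Switches a given scanner executable refuses. Assumption: only the case
# stated in the thread is listed; extend it for other scanners as needed.
INCOMPATIBLE_SWITCHES = {"fpcmd.exe": {"/NOFLOPPY"}}


@dataclass
class ScanSummary:
    queue_id: str
    subject: str = ""
    max_mime_depth: int = 0                        # deepest MIMELAYER++ nesting
    scanners: list = field(default_factory=list)   # scanner command lines seen
    warnings: list = field(default_factory=list)


def parse_line(line):
    """Return (date, time, queue_id, message) or None for a non-log line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groups() if m else None


def check_scanner_cmd(cmd):
    """Warn about switch combinations the thread identifies as broken."""
    parts = cmd.split()
    exe = parts[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    switches = {p.upper() for p in parts[1:] if p.startswith("/")}
    bad = INCOMPATIBLE_SWITCHES.get(exe, set()) & switches
    return [f"{exe} will not run with {s}; remove it from SCANFILE in virus.cfg"
            for s in sorted(bad)]


def summarize(lines):
    """Group log lines by queue ID and build a ScanSummary for each."""
    summaries = {}
    depth = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                # not a Declude log line
        _, _, qid, msg = parsed
        s = summaries.setdefault(qid, ScanSummary(qid))
        if msg == "MIMELAYER++":
            depth[qid] += 1
            s.max_mime_depth = max(s.max_mime_depth, depth[qid])
        elif msg == "MIMELAYER--":
            depth[qid] -= 1
        elif msg.startswith("Subject: "):
            s.subject = msg[len("Subject: "):]
        else:
            m = SCANNER_RE.match(msg)
            if m:
                s.scanners.append(m.group(2))
                s.warnings.extend(check_scanner_cmd(m.group(2)))
    # A message with no "Starting scanner" line at all is the silent
    # pass-through described in the thread: nothing scanned, mail delivered.
    for s in summaries.values():
        if not s.scanners:
            s.warnings.append("no scanner was started for this message")
    return summaries


# Constructed sample, drawn from the trace and Scott's reply in this thread;
# the second queue ID is made up to show a message that was never scanned.
SAMPLE_LOG = [
    "12/20/2002 12:59:44 Q5a90002f0078444b Declude Virus Pro Registered",
    "12/20/2002 12:59:44 Q5a90002f0078444b Subject: testing virus10",
    "12/20/2002 12:59:44 Q5a90002f0078444b Starting virus scanning section...",
    "12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++",
    "12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/mixed;boundary==_NextPart_000_0",
    "12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++",
    "12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++",
    "12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER--",
    "12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++",
    "12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: "
    "C:\\Progra~1\\FSI\\F-Prot\\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE "
    "/NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\\IMail\\spool\\D5A900~1.VIR\\",
    "12/20/2002 12:59:45 Qconstructed0001 Subject: second message (constructed)",
    "12/20/2002 12:59:45 Qconstructed0001 MIMELAYER++",
    "12/20/2002 12:59:45 Qconstructed0001 MIMELAYER--",
    "not a Declude log line; skipped by the parser",
]


def report(lines):
    """Return one human-readable line per queue ID (what a monitor would show)."""
    out = []
    for s in summarize(lines).values():
        state = "OK" if not s.warnings else "WARN: " + "; ".join(s.warnings)
        out.append(f"{s.queue_id} depth={s.max_mime_depth} "
                   f"scanners={len(s.scanners)} subject={s.subject!r} {state}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it against a live log instead of the constructed sample, feed `report()` the lines of the day's virus log (or the tail of it, read in a loop) and alert on any line containing `WARN`; the queue ID it prints is the same one Declude uses in the spool file names, so a flagged message can be traced back directly.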
Re: [Declude.Virus] Issues running the fpcmd.exe scanner
I ran into the same problem. Leave off the /nofloppy. I found it easiest to just copy Scott's setup from the online manual, then change the drive/directory for your setup. Actually, fpcmd appears to be slightly more efficient on our system running WinNT4 workstation.

~Joe

----- Original Message -----
From: Keith Johnson
To: [EMAIL PROTECTED]
Sent: Friday, December 20, 2002 12:14 PM
Subject: [Declude.Virus] Issues running the fpcmd.exe scanner

Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing, the f-prot.exe works great, reports in the log just fine, and sends out the notification emails. If I use the fpcmd file, the file gets seen, however nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace; any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and sent locally using Outlook Express.
RE: [Declude.Virus] Issues running the fpcmd.exe scanner
> Reading some of the archives suggested that if using F-Prot it was best
> to use the fpcmd.exe over the f-prot.exe due to some errors encountered
> with using f-prot.exe

> 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file. F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there.

-Scott
RE: [Declude.Virus] Issues running the fpcmd.exe scanner
Scott,

Thank you for your wisdom, you are awesome.

-Keith

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner

> Reading some of the archives suggested that if using F-Prot it was best
> to use the fpcmd.exe over the f-prot.exe due to some errors encountered
> with using f-prot.exe

> 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file. F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there.

-Scott