[Declude.Virus] Vulnerabilities explained
Hi Scott,

Is there an information page where you explain the different vulnerabilities and what the typical causes of them are?

We have here a lot of hold messages with:

Outlook 'Blank Folding' Vulnerability
Outlook 'CR' Vulnerability
Outlook 'Boundary Space Gap' Vulnerability
Outlook 'MIME segment in MIME Postamble' Vulnerability

Part of these mails are spam. Most of them are auto-generated email messages.

We keep the vulnerability blocking set to on because we see this function as very important for new fast-spreading viruses. If we want to explain to the programmers what they are doing wrong when generating their mail messages, we need some info...

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Allrecips ... Singlerecip?
Hi Scott,

Is there a certain reason why there is no variable containing the single recipient of the message?

I've created an ASP script to requeue a spool file held by a vulnerability. Now there is the following problem:

A sends a message with a vulnerability to B and C.
B is a user on our server; C is a user on another server and we have nothing to do with it.

If I create an eml file that is sent only for vulnerability warnings and the recipient is set to ALLRECIPS, then the warning with the ASP link to requeue the spool file reaches not only my customer B but also C. If C clicks on this link, the hold file is requeued for B.

Is there no variable containing the SMTP recipient, like Junkmail's XSENDER option? What if we set AVAFTERJM on?

Markus
Re: [Declude.Virus] Allrecips ... Singlerecip?
> Is there a certain reason why there is no variable containing the single recipient of the message?

Yes -- because there is no single recipient (unless there is only a single recipient, in which case %ALLRECIPS% will display that recipient). :)

> Is there no variable containing the SMTP-Recipient like Junkmails XSENDER option?

The problem is that while there is always only a single sender, there are often multiple recipients. So for the E-mail with a vulnerability sent to B and C, and there was a variable to produce a single recipient, would you want it to be B or C? Therein lies the problem.

-Scott
RE: [Declude.Virus] Allrecips ... Singlerecip?
> The problem is that while there is always only a single sender, there are often multiple recipients. So for the E-mail with a vulnerability sent to B and C, and there was a variable to produce a single recipient, would you want it to be B or C? Therein lies the problem.

Where does JM gather the X-RCPT-TO value from?

Markus
RE: [Declude.Virus] Allrecips ... Singlerecip?
> Where does JM gather the X-RCPT-TO value from?

That is added by IMail, when the E-mail is being delivered. At that point, IMail has the single E-mail with multiple recipients, and it goes through each recipient and stores a copy of the E-mail in their mailbox. Since it has access to the individual mailbox at that time, it is able to add the X-RCPT-TO: header.

-Scott
RE: [Declude.Virus] Allrecips ... Singlerecip?
> That is added by IMail, when the E-mail is being delivered. At that point, IMail has the single E-mail with multiple recipients, and it goes through each recipient and stores a copy of the E-mail in their mailbox. Since it has access to the individual mailbox at that time, it is able to add the X-RCPT-TO: header.

I understand.

Is there a way to add a new SKIPIFMULTIPLERECIPS criterion? So we can send vulnerability warnings at least to single recipients.

I mean sending the warning back to the sender so that he can force sending is not a good solution.

A.) a lot of autogenerated mails have no valid sender address
B.) replies to spam senders are not good
C.) only the recipient should decide if he wants to receive the message

Markus
RE: [Declude.Virus] Allrecips ... Singlerecip?
> Is there a way to add a new SKIPIFMULTIPLERECIPS criterion? So we can send vulnerability warnings at least to single recipients.

Perhaps, but:

> I mean sending the warning back to the sender so that he can force sending is not a good solution.

%ALLRECIPS% will only include the sender if the sender sent a copy to himself, through your mailserver. If you are not running an open relay, that means that the %ALLRECIPS% notification would only go to the sender if the sender was a user of yours.

-Scott
RE: [Declude.Virus] Allrecips ... Singlerecip?
> %ALLRECIPS% will only include the sender if the sender sent a copy to himself, through your mailserver. If you are not running an open relay, that means that the %ALLRECIPS% notification would only go to the sender if the sender was a user of yours.

I intended to send the warning to %MAILFROM% ...
RE: [Declude.Virus] Allrecips ... Singlerecip?
>> %ALLRECIPS% will only include the sender if the sender sent a copy to himself, through your mailserver. If you are not running an open relay, that means that the %ALLRECIPS% notification would only go to the sender if the sender was a user of yours.

> I intended to send the warning to %MAILFROM% ...

Then that warning would go to the *sender* of the E-mail. I'm guessing you would want the link to go to the recipient, rather than the sender (since the sender will obviously want the E-mail to go through if he intended for the vulnerability to be there).

-Scott
RE: [Declude.Virus] Allrecips ... Singlerecip?
> I'm guessing you would want the link to go to the recipient, rather than the sender (since the sender will obviously want the E-mail to go through if he intended for the vulnerability to be there).

Yes. Exactly what I've said 2 mails before. (Probably my English is not good enough :-)

I've searched in the postmaster message I receive for every vulnerability and have counted 5 mails with multiple recipients out of 240. So the SKIPIFMULTIPLERECIPS is not too important, but it would be nice to have it to be completely sure that nobody else than the recipient can requeue the message.

Markus
[Declude.Virus] Virus notification to IT department
A client of ours is asking if it is possible to send a notification to [EMAIL PROTECTED] as well as a notification to the user.

Is it possible to do this for just one domain while leaving the others as is?

Thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W.
Kitchener, ON N2M 1L2
Re: [Declude.Virus] Virus notification to IT department
> A client of ours is asking if it is possible to send a notification to [EMAIL PROTECTED] as well as a notification to the user. Is it possible to do this for just one domain while leaving the others as is?

Unfortunately, I can't think of any way to accomplish that for just one domain.

-Scott
RE: [Declude.Virus] Vulnerabilities explained
Hello Markus,

Thank you for your contribution.

I'm releasing the hold messages using a program alias in IMail, so the recipients could just send an email to the alias address to unblock the email. Following is the little cmd script; as you can see, it uses some of the GNU tools for Win32 that you could find at http://unxutils.sourceforge.net/

I found it very useful in cases where the end user has access to email but not the web. I know that it should have been better to write it in VB script, Perl or other language, but I don't have skills in those and besides it's working quite well as a batch file. :-)

As you have discovered, when multiple recipients are in place, if one of them sends the request, the message is released for all of them. In my opinion I consider it as a minor glitch.

From now on all my vulnerabilities hold notifications will have both options: send an email to our program alias, and the link to your asp code.

Where are you from? I'm in Bolivia - South America.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

unblock_email.cmd

@echo off
setlocal

rem Paths
set holdpath=d:\imail\spool\virus
set spoolpath=d:\imail\spool
set imailpath=c:\imail

rem The following lines get the sender's address to send the confirmation
rem if the message has several from: it uses the one that is at the top (headers)
grep -i from: %1|gawk "{for (i=2;i<NF+1;i++)print NR,$i}"|grep @|grep "1 "|cut -d "<" -f 2-|cut -d ">" -f 1 > %1.1
for /f %%i in (%1.1) do set sender=%%i

rem The following lines get the message's subject that is where the sender should send the spool name
grep -i subject: %1|gawk "{print NR,$0}"|grep "1 "|cut -d : -f 2- > %1.1
for /f "delims=" %%i in (%1.1) do set subject=%%i

rem The following lines get just the spool name without the leading D, needed to process the D* and the Q* files
rem it also gets rid of any * or ? that a malicious user could have included (Does your ASP code have provision for that?)
grep -i .smd %1.1|cut -d D -f 2-|grep -v "*"|grep -v "?" > %1
for /f %%i in (%1) do set message=%%i

rem Deletes the file passed by IMail and the work file
del %1
del %1.1

rem If the Subject doesn't have a valid spool name or if any of the files doesn't exist go to the error label
if "%message%"=="" goto error
if not exist %holdpath%\D%message% goto error
if not exist %holdpath%\Q%message% goto error

rem Move the files back to the queue
move /Y %holdpath%\D%message% %spoolpath%
move /Y %holdpath%\Q%message% %spoolpath%

rem Send success confirmation. In unblock_email_success.txt write a small text confirming the unblock.
%imailpath%\imail1 -f %imailpath%\unblock_email_success.txt -s "E-mail unblocked:%subject%" -t %sender% -u [EMAIL PROTECTED]
goto end

:error
rem Send failure message. In unblock_email_error.txt write a text explaining what mistakes the user could have done
%imailpath%\imail1 -f %imailpath%\unblock_email_error.txt -s "Error while unblocking E-mail:%subject%" -t %sender% -u [EMAIL PROTECTED]

:end
endlocal

End

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, March 05, 2003 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Vulnerabilities explained

BTW: I've attached to this mail a short ASP-Script that requeues a spoolfile from the virus folder.

Simply set a link in your vulnerability.eml file to http://www.yourdomain.com/requeue.asp?id=%QUEUENAME%

The recipient of the vuln.warning can simply click on this link to requeue the hold message.

Note: the anonymous user of this web (IIS) must have read/write access to declude virus and Imail spoolfolder.

Markus

---
[This E-mail was scanned for viruses by the Santa Cruz BBS anti-virus system]
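
The batch script in the last message filters only `*` and `?` out of the spool name taken from the Subject line; an allow-list on the name, plus a check that both files really sit in the hold folder, is the stricter form of that check and applies equally to the `id` parameter of the ASP link. The following is an added example, not code from this thread: the function names, the letters-and-digits ID format and the sample file names are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: the Subject carries the D file name, and a spool ID is letters
# and digits followed by ".smd" (the thread confirms only D/Q and .smd).
NAME = re.compile(r"D([A-Za-z0-9]{1,32}\.smd)", re.IGNORECASE)

def spool_id_from_subject(subject):
    """Return the spool ID if the subject names exactly one clean file, else None."""
    candidates = [t for t in subject.split() if t.lower().endswith(".smd")]
    if len(candidates) != 1:
        return None
    match = NAME.fullmatch(candidates[0])
    return match.group(1) if match else None

def release(hold_dir, spool_dir, subject):
    """Move D<id> and Q<id> from the hold folder to the spool; True on success."""
    spool_id = spool_id_from_subject(subject)
    if spool_id is None:
        return False
    hold = Path(hold_dir).resolve()
    pair = [hold / (prefix + spool_id) for prefix in "DQ"]
    # Both files must exist directly inside the hold folder before either moves.
    if not all(p.is_file() and p.resolve().parent == hold for p in pair):
        return False
    for p in pair:
        shutil.move(str(p), str(Path(spool_dir) / p.name))
    return True

def demo():
    """Run constructed subjects against one constructed held message."""
    with tempfile.TemporaryDirectory() as root:
        hold, spool = Path(root, "virus"), Path(root, "spool")
        hold.mkdir()
        spool.mkdir()
        for prefix in "DQ":
            (hold / f"{prefix}1a2b3c4d.smd").write_text("constructed")
        subjects = ["D*.smd", "D..\\..\\x.smd", "D1a2b3c4d&x.smd",
                    "Re: D1a2b3c4d.smd", "Re: D1a2b3c4d.smd"]
        return [release(hold, spool, s) for s in subjects]

if __name__ == "__main__":
    print(demo())
```

This validates the name only; it does not address the point raised in the thread that any recipient of the notification can release the message for all recipients.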