RE: [Declude.Virus] MY Doom declude notification from @toplineus.com @toplineus.com

2004-01-29 Thread John Tolmachoff (Lists)
Could be an IP based domain on a Declude client using the %LOCALHOST% in the
body.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:Declude.Virus-
 [EMAIL PROTECTED] On Behalf Of R. Scott Perry
 Sent: Thursday, January 29, 2004 11:19 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] MY Doom declude notification from
 @toplineus.com @toplineus.com
 
 
 > Scott you said you wanted to know about this and I thought MAYBE if this
 > guy checks the list he will see his domain name and do something about it.
 
 That's strange - I can't seem to find any record of that customer.  I'll
 try to track them down, though.
 
 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.



Re: [Declude.Virus] Mydoom.B

2004-01-29 Thread R. Scott Perry

> Has anyone been catching any of these? I updated F-Prot this morning and
> verified that .B was in the virus list but still none have shown up. We are
> getting blasted with .A though.

We're seeing about 5,000 Mydoom.A's for every 1 Mydoom.B, so you probably
just have been lucky enough not to have a copy sent your way yet.

   -Scott


Re: [Declude.Virus] FW: Your mail server sent us a virus

2004-01-29 Thread Greg Foulks
I think public humiliation is a good thing ;-)

Greg

R. Scott Perry wrote:


>> Here's another, do you want these off list?
>
> Yes, off-list would be best (unless others on the list would like to
> see them -- if so, speak up).
>
>    -Scott


RE: [Declude.Virus] MyDoom Virus got through!

2004-01-29 Thread Harry Vanderzand
Since this is the only one I have seen as all else has been caught, I do not
know the real virus size

The size of what came in here is 14K.

One more question, everyone is talking about version 1.77ixx  whereas when I
do the diag I get the results below

How do I find the exact version I have?  I downloaded last a few days ago

D:\IMail>declude -diag
Declude 1.77 (C) Copyright 2000-2003 Computerized Horizons.


Diagnostics ON (Declude v1.77).

Declude JunkMail:  Config file found (D:\IMail\Declude\global.CFG).
Declude Virus: Config file found (D:\IMail\Declude\Virus.CFG).
Declude Hijack:Not installed (no D:\IMail\Declude\Hijack.CFG file).
Declude Confirm:   Not installed (no D:\IMail\Declude\Confirm.CFG file).

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2



 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
 Sent: Thursday, January 29, 2004 2:57 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom Virus got through!
 
 
 
 > So although Norton caught this on my desktop you figure it really was
 > not the virus?
 
 Exactly.
 
 If you check the size of the file, you'll see that it is smaller than a
 real copy.  One person who reported this happening found the one that
 Norton caught was about 1K (smaller than any known PC virus).
 
 -Scott


RE: [Declude.Virus] MyDoom Virus got through!

2004-01-29 Thread R. Scott Perry

> Since this is the only one I have seen as all else has been caught, I do not
> know the real virus size
> The size of what came in here is 14K.

The real Mydoom.A is around 22K, so the one you got was definitely a
corrupt (truncated) copy.

> One more question, everyone is talking about version 1.77ixx  whereas when I
> do the diag I get the results below
> How do I find the exact version I have?  I downloaded last a few days ago
>
> D:\IMail>declude -diag
> Declude 1.77 (C) Copyright 2000-2003 Computerized Horizons.

You have version 1.77.  :)

The manual page has a link to the latest released version (1.75) and the 
latest beta (1.77).  For people who want to run the latest interim release, 
and understand the drawbacks, there is a special URL ( 
http://www.declude.com/interim ).

   -Scott


Re: [Declude.Virus] FW: Your mail server sent us a virus

2004-01-29 Thread niceman
Include this link to the (ir)responsible postmasters:

 http://www.attrition.org/security/rant/av-spammers.html
 Here's another, do you want these off list?
 I have tried to e-mail this guy twice already:
 
 Subject: Your mail server sent us a virus
 
 
 The Declude Virus software on our mail server detected the  the
 W32/[EMAIL PROTECTED] virus !!!
 virus that appears to have come from your mail server.  It was sent in
 an attachment data.zip, from [EMAIL PROTECTED] to
 [EMAIL PROTECTED],
 with the subject test.  The Message-ID was:
 [EMAIL PROTECTED].


[Declude.Virus] OtherPostmaster notice

2004-01-29 Thread John Tolmachoff (Lists)
Is the name of the file otherpostmaster1.eml or otherpostmaster.eml?

For some reason, I have it as otherpostmaster1.eml but I am now seeing it in
the manual as otherpostmaster.eml.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





Re: [Declude.Virus] OtherPostmaster notice

2004-01-29 Thread R. Scott Perry

> Is the name of the file otherpostmaster1.eml or otherpostmaster.eml?

It can be whatever you want, but the default one is otherpostmaster.eml

> For some reason, I have it as otherpostmaster1.eml but I am now seeing it in
> the manual as otherpostmaster.eml.

Either way will work fine -- Declude Virus sends out any
\IMail\Declude\*.eml files that don't belong to Declude JunkMail.

   -Scott


Re: [Declude.Virus] Virus report and log entry question

2004-01-29 Thread Bill Landry
----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]

>> Scott, I am running Declude v1.77i24 and I am wondering why Declude Virus is
>> using the file name from the second virus scanner instead of the first...
>
> This should only happen if the first virus scanner did not report the virus
> name, or if the virus name contains vulnerability in it (in which case a
> real virus name takes priority).

F-Prot is the first virus and the log samples I provided show the F-Prot did
report the virus name.  In fact, the log and postmaster report both use the
first scanner's reported virus name (in this case F-Prot reported the virus
as Mydoom) instead of the second scanner (TrendMicro, which reports the
virus as WORM_MIMAIL.R).  However, the report and log file show the second
scanner's file name, which is showing up missing the first letter in the file
name in both, which is not missing in either as reported by the first
scanner.

> The problem here is that the report file format is different for a .SMD
> file that is scanned versus an actual attachment (Declude Virus decodes the
> attachments).  Could you send a sample file for scanning a directory with
> just a single eicar.com file in it?

Here you go:

C:\Program Files\Trend\SPROTECT>vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

1 files have been checked.
 Found 1 files containing viruses.
-
C:\Program Files\Trend\SPROTECT>cat report.txt
Copyright (c) 1990 - 2002 Trend Micro Inc.
Report Date : 1/29/2004 17:10:52
VSAPI Engine Version : 6.810-1005
VSCANTM Version : 1.0-1728
Virus Pattern Version : 749 (58124 Patterns) (2004/01/28) (174900)
Command Line: vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

Found [ Eicar_test_file](1) in L:\VirusTest\eicar.com
1 files have been read.
1 files have been checked.
1 files have been scanned.
1 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/29/2004 17:10:53
0.00 seconds has elapsed.

-*-*-*-*-*-*-*--
---*

Bill

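
Added example, not part of any list message and not Declude's own code: a parser for the vscantm report format posted above, plus the scanner-name priority rule quoted in the same message. The function names, and the fallback used when only a vulnerability name is available, are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample, following the report format shown in the message above.
SAMPLE_REPORT = r"""Command Line: vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

Found [ Eicar_test_file](1) in L:\VirusTest\eicar.com
1 files have been read.
1 files containing viruses.
"""

# "Found [ <name>](<count>) in <path>"; note the space after "[".
FOUND_RE = re.compile(
    r"^Found \[\s*(?P<name>[^\]]+?)\s*\]\((?P<count>\d+)\) in (?P<path>.+?)\s*$"
)


def parse_vscantm_report(text):
    """Return one dict per 'Found [...]' line in a vscantm report."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            path = m.group("path")
            hits.append({
                "virus": m.group("name"),
                "count": int(m.group("count")),
                "path": path,
                # ntpath splits on backslashes on any OS and returns the
                # whole file name, first character included.
                "file": ntpath.basename(path),
            })
    return hits


def pick_virus_name(names_in_scanner_order):
    """Hypothetical helper for the priority rule described in the thread.

    The first scanner's name wins unless it is missing or contains
    "vulnerability"; then a real virus name from a later scanner wins.
    Assumption: if no real name exists, the vulnerability name is kept.
    """
    fallback = None
    for name in names_in_scanner_order:
        if not name:
            continue
        if "vulnerability" in name.lower():
            fallback = fallback or name
            continue
        return name
    return fallback
```
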


Re: [Declude.Virus] Virus report and log entry question

2004-01-29 Thread R. Scott Perry

> F-Prot is the first virus and the log samples I provided show the F-Prot did
> report the virus name.  In fact, the log and postmaster report both use the
> first scanner's reported virus name (in this case F-Prot reported the virus
> as Mydoom) instead of the second scanner (TrendMicro, which reports the
> virus as WORM_MIMAIL.R).  However, the report and log file show the second
> scanner's file name, which is showing up missing the first letter in the file
> name in both, which is not missing in either as reported by the first
> scanner.

This is indeed due to an issue with Declude Virus -- it will be fixed in
the next interim release.

   -Scott