[Declude.Virus] Questions on SKIPIFFORGING
Scott:

Using SKIPIFFORGING means we don't have to keep adding SKIPIFVIRUSNAMEHAS to the eml's for each new forging virus, right??? Can we then remove the SKIPIFVIRUSNAMEHAS lines?

What specifically do we put in virus.cfg and/or the individual eml's? (Manual doesn't address it yet and archive messages on it didn't help.)

Thanks,
John

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Questions on SKIPIFFORGING
> Using SKIPIFFORGING means we don't have to keep adding SKIPIFVIRUSNAMEHAS to the eml's for each new forging virus, right??? Can we then remove the SKIPIFVIRUSNAMEHAS lines?

Correct -- *if* you are running the latest beta.

> What specifically do we put in virus.cfg and/or the individual eml's?

Just a line "SKIPIFFORGING" at the top of the \IMail\Declude\sender.eml and \IMail\Declude\otherpostmaster.eml files is all that is necessary. You can put them in the other .eml files if you like, as well, but the sender.eml and otherpostmaster.eml are the important ones.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications
> Is there a quick way that I can suppress the notifications being sent to the sender... and the sender's postmaster

The options are:

[1] Upgrade to v1.77, which automatically suppresses them, or
[2] Delete the \IMail\Declude\sender.eml and \IMail\Declude\otherpostmaster.eml files, or
[3] Manually update those two files by adding a line "SKIPIFVIRUSNAMEHAS Mydoom" (exactly like that, with no extra spaces/tabs) to the top of those files.

> ... the recipient ... from our postmaster that the MyDoom virus has been blocked by our mail system?

This is handled in exactly the same way (but a bit less important, as they are accurate notifications).

-Scott
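Added example, not part of the thread and not Declude code: one way to apply option [3] above, or the SKIPIFFORGING line from the earlier reply, so that the directive ends up as an exact line at the top of a notification template with no stray spaces or tabs. It assumes directives are one per line at the start of the file; the sample template text is constructed.

```python
from pathlib import Path

# The two directive keywords named in the thread; other lines are template text.
DIRECTIVES = ("SKIPIFFORGING", "SKIPIFVIRUSNAMEHAS")


def normalize(line):
    """Collapse tabs and repeated spaces, strip leading/trailing whitespace."""
    return " ".join(line.split())


def is_directive(line):
    words = line.split()
    return bool(words) and words[0] in DIRECTIVES


def add_directive(template, directive):
    """Return the template with `directive` as an exact line in the leading
    directive block. Existing leading directives are whitespace-normalized
    and de-duplicated; the rest of the template is left untouched."""
    wanted = normalize(directive)
    if not is_directive(wanted):
        raise ValueError("not a directive from the thread: %r" % directive)
    eol = "\r\n" if "\r\n" in template else "\n"
    lines = template.replace("\r\n", "\n").split("\n")
    ends_with_eol = template.endswith("\n")
    if ends_with_eol:
        lines.pop()                      # drop the empty piece after the last EOL
    head = []
    while lines and is_directive(lines[0]):
        line = normalize(lines.pop(0))
        if line not in head:
            head.append(line)
    if wanted not in head:
        head.insert(0, wanted)
    return eol.join(head + lines) + (eol if ends_with_eol else "")


def patch_file(path, directive):
    """Patch one template in place, keeping a .bak copy. True if it changed."""
    p = Path(path)
    # latin-1 maps every byte to one character, so unknown encodings survive.
    with open(p, encoding="latin-1", newline="") as f:
        old = f.read()
    new = add_directive(old, directive)
    if new == old:
        return False
    p.with_name(p.name + ".bak").write_bytes(old.encode("latin-1"))
    with open(p, "w", encoding="latin-1", newline="") as f:
        f.write(new)
    return True


# Constructed sample: a template whose existing directive has stray whitespace.
SAMPLE = (
    "SKIPIFVIRUSNAMEHAS \tMydoom  \r\n"
    "From: postmaster@example.test\r\n"
    "Subject: Virus notification\r\n"
    "\r\n"
    "A virus was found in a message that appeared to come from you.\r\n"
)

if __name__ == "__main__":
    print(add_directive(SAMPLE, "SKIPIFFORGING"))
```

Running `patch_file` a second time with the same directive leaves the file unchanged, so it is safe to apply to sender.eml and otherpostmaster.eml repeatedly.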
[Declude.Virus] FW: Your mail server sent us a virus
Scott - did you ever find these guys? They still don't get it...

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the the W32/[EMAIL PROTECTED] virus !!! virus that appears to have come from your mail server. It was sent in an attachment document.bat, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject . The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus.

This message was sent by Declude Virus. If this virus did originate from one of your users, you may want to consider adding virus protection to your mailserver.

You can check the headers below to verify that the virus originated from your mailserver.

The headers from the E-mail are:

Received: from prudentialrand.com [65.160.6.2] by mail.toplineus.com with ESMTP (SMTPD32-7.07) id A36A225A007C; Fri, 30 Jan 2004 10:08:26 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
Date: Fri, 30 Jan 2004 10:16:03 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0008_E3290E97.E7FC4C52
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]

---
[This E-mail scanned for viruses by Declude Virus]
[Declude.Virus] Multi-scanner Question
Scott,

Are multiple scanners run in series or concurrently?

Thanks,
Chuck Frolick
ArgoLink.net
Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications
Scott,

Am I correct that if we don't have a current service agreement then we can't upgrade to any version above 1.75?

Thanks,
Dan

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 10:39 AM
Subject: Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications

> Is there a quick way that I can suppress the notifications being sent to the sender... and the sender's postmaster

The options are:

[1] Upgrade to v1.77, which automatically suppresses them, or
[2] Delete the \IMail\Declude\sender.eml and \IMail\Declude\otherpostmaster.eml files, or
[3] Manually update those two files by adding a line "SKIPIFVIRUSNAMEHAS Mydoom" (exactly like that, with no extra spaces/tabs) to the top of those files.

> ... the recipient ... from our postmaster that the MyDoom virus has been blocked by our mail system?

This is handled in exactly the same way (but a bit less important, as they are accurate notifications).

-Scott

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
[Declude.Virus] some benefit of my doom??
ok, not really, but I think it is comical. I get the following as an unsubscribe message from a list I never subscribed to... funny. Look at the body, it definitely was from the doom... it did have the z i p attached with the message sent to me informing me of the unsubscribe

bob

On Thursday, January 29, 2004 5:39 PM, Subscription Services [EMAIL PROTECTED] wrote:

> We have removed the email address [EMAIL PROTECTED] from mailing list gamestreet.
> Thank you for using our service.
>
> The original message sent was:
>
> From [EMAIL PROTECTED] Thu Jan 29 16:39:35 2004
> Received: from gfps.k12.mt.us ([216.201.206.97]) by i.pm0.net (8.12.10/8.11.6) with ESMTP id i0U0dXmk044894 for [EMAIL PROTECTED]; Thu, 29 Jan 2004 16:39:34 -0800 (PST) (envelope-from [EMAIL PROTECTED])
> Message-Id: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: mnvskvcccmo
> Date: Thu, 29 Jan 2004 18:39:15 -0600
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary==_NextPart_000_0012_5400182A.DB9DC5C5
> X-Priority: 3
> X-MSMail-Priority: Normal
>
> This is a multi-part message in MIME format.
>
> --=_NextPart_000_0012_5400182A.DB9DC5C5
> Content-Type: text/plain; charset=Windows-1252
> Content-Transfer-Encoding: 7bit
>
> The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
>
> --=_NextPart_000_0012_5400182A.DB9DC5C5
> Content-Type: application/octet-stream; name=document.z i p
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications
> Am I correct that if we don't have a current service agreement then we can't upgrade to any version above 1.75?

It depends on when the Service Agreement expired. You are entitled to run any version that is released while your Service Agreement is active. Although we prefer that people run the release versions, it's OK to run a beta or interim release that was released while still under your Service Agreement.

-Scott
Re: [Declude.Virus] Multi-scanner Question
> Are multiple scanners run in series or concurrently?

They are run in series. Since the virus scanners typically use up as close to 100% of the CPU time that they are given, if we switched to running them in parallel, an improvement would only be shown on servers with multiple processors. However, it typically takes a virus scanner less than a second to scan all the attachments, so even on a multi-processor server, the increased delivery speed would probably not be noticed.

-Scott
Re: [Declude.Virus] FW: Your mail server sent us a virus
> Scott - did you ever find these guys? They still don't get it...
>
> Received: from prudentialrand.com [65.160.6.2] by mail.toplineus.com with ESMTP (SMTPD32-7.07) id A36A225A007C; Fri, 30 Jan 2004 10:08:26 -0500

We're still trying to track them, the toplineus.com people.

-Scott
Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications
Scott,

The current version number that we are running is 1.75. Our service agreement expired on 12/31/03. What is the highest version number we can upgrade to?

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 12:12 PM
Subject: Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications

> Am I correct that if we don't have a current service agreement then we can't upgrade to any version above 1.75?

It depends on when the Service Agreement expired. You are entitled to run any version that is released while your Service Agreement is active. Although we prefer that people run the release versions, it's OK to run a beta or interim release that was released while still under your Service Agreement.

-Scott
Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications
> The current version number that we are running is 1.75. Our service agreement expired on 12/31/03. What is the highest version number we can upgrade to?

The latest beta, v1.77, was released in December so you are entitled to run that version if you wish.

-Scott
RE: [Declude.Virus] Multi-scanner Question
If they are run in series, then wouldn't it be best to run the next scanner only if the previous scanner passed? In other words why scan the email again if it already failed one of the scanners?

Thanks,
Chuck Frolick
ArgoLink.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, January 30, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Multi-scanner Question

> Are multiple scanners run in series or concurrently?

They are run in series. Since the virus scanners typically use up as close to 100% of the CPU time that they are given, if we switched to running them in parallel, an improvement would only be shown on servers with multiple processors. However, it typically takes a virus scanner less than a second to scan all the attachments, so even on a multi-processor server, the increased delivery speed would probably not be noticed.

-Scott
RE: [Declude.Virus] Multi-scanner Question
> If they are run in series, then wouldn't it be best to run the next scanner only if the previous scanner passed? In other words why scan the email again if it already failed one of the scanners?

The logic behind that is that only a small fraction of E-mail contains a virus. Since the majority of E-mail has to go through both scanners, having the viruses go through both doesn't take much extra resources. The benefit is that you can tell from the log files if both scanners are detecting viruses, and if one is not able to report the virus/file name, the information from the other can be used.

-Scott
RE: [Declude.Virus] Multi-scanner Question
Scott,

I have had at times, with both scanners (up to date sig files, both catching mydoom) taking a pounding (we are getting mydoom.a in 1 every second), when Scanner1 (f-prot) would pick up the virus and Scanner2 (InoculateIT) would not show anything, and at other times Scanner1 would not pick it up, but Scanner2 would, as well as both Scanners picking it up. I figured it was due to the volume we are receiving on this and the Scanners could not keep up.

Keith

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Multi-scanner Question

> If they are run in series, then wouldn't it be best to run the next scanner only if the previous scanner passed? In other words why scan the email again if it already failed one of the scanners?

The logic behind that is that only a small fraction of E-mail contains a virus. Since the majority of E-mail has to go through both scanners, having the viruses go through both doesn't take much extra resources. The benefit is that you can tell from the log files if both scanners are detecting viruses, and if one is not able to report the virus/file name, the information from the other can be used.

-Scott
Re: [Declude.Virus] FW: Your mail server sent us a virus
> Scott - did you ever find these guys? They still don't get it...

I finally got a hold of someone there. It looks like they will fix the problem, but I just have to convince them first that it wasn't really someone on your server that sent the virus. :)

-Scott
Re: [Declude.Virus] Multi-scanner Question
Scott,

During virus outbreaks like this one, having the second scanner not run when the first detects a virus would be a big processing saver. My server was probably averaging about 5 times the normal processing load in the last 3 days, catching a virus on average about 1.5 times a minute. With more clients this could have turned a server with plenty of power to spare into one that was backed up or worse. I personally don't care if my second scanner logs a catch if the first one does.

The best of both worlds approach would be to allow for a switch, SKIPIFFOUND ON. Removing the second scanner isn't a good option as variants can come at any time and both F-Prot and AVG lagged badly on picking up both Mimail.s and MyDoom.b.

Matt

R. Scott Perry wrote:

> > If they are run in series, then wouldn't it be best to run the next scanner only if the previous scanner passed? In other words why scan the email again if it already failed one of the scanners?
>
> The logic behind that is that only a small fraction of E-mail contains a virus. Since the majority of E-mail has to go through both scanners, having the viruses go through both doesn't take much extra resources. The benefit is that you can tell from the log files if both scanners are detecting viruses, and if one is not able to report the virus/file name, the information from the other can be used.
>
> -Scott

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] Multi-scanner Question
> The best of both worlds approach would be to allow for a switch, SKIPIFFOUND ON. Removing the second scanner isn't a good option as variants can come at any time and both F-Prot and AVG lagged badly on picking up both Mimail.s and MyDoom.b.

We will look into adding an option like this.

-Scott
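Added example, not part of the thread and not Declude code: a small model of the trade-off argued in the multi-scanner messages above, with scanners run in series either always or stopping at the first detection. The `skip_if_found` parameter is hypothetical and only mirrors the proposed SKIPIFFOUND switch; the two scanners, the marker strings and the mail batches are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A scanner is modelled as: message bytes -> (infected, virus name or None).
Scanner = Callable[[bytes], Tuple[bool, Optional[str]]]


@dataclass
class Result:
    infected: bool
    virus_name: Optional[str]   # first name any scanner reported, if any
    detected_by: List[str]      # what the log would show per scanner
    scanners_run: int


def scan_in_series(msg, scanners, skip_if_found=False):
    """Run the scanners one after another. With skip_if_found (hypothetical),
    stop at the first detection instead of running the remaining scanners."""
    detected_by, names, run = [], [], 0
    for label, scan in scanners:
        run += 1
        infected, name = scan(msg)
        if infected:
            detected_by.append(label)
            if name:
                names.append(name)
            if skip_if_found:
                break
    return Result(bool(detected_by), names[0] if names else None,
                  detected_by, run)


def scanner_runs(batch, scanners, skip_if_found=False):
    """Total scanner invocations for a batch: the processing cost being argued."""
    return sum(scan_in_series(m, scanners, skip_if_found).scanners_run
               for m in batch)


# Constructed scanners: the first flags the marker but cannot name it,
# the second names it and also knows a variant the first one misses.
def scanner_one(msg):
    return (b"TESTVIRUS" in msg, None)


def scanner_two(msg):
    if b"TESTVIRUS" in msg:
        return (True, "Test.Worm.A")
    if b"VARIANT" in msg:
        return (True, "Test.Worm.B")
    return (False, None)


SCANNERS = [("scanner1", scanner_one), ("scanner2", scanner_two)]
CLEAN, INFECTED, VARIANT = b"hello", b"xx TESTVIRUS xx", b"xx VARIANT xx"
NORMAL = [CLEAN] * 9 + [INFECTED]          # small fraction infected
OUTBREAK = [CLEAN] * 4 + [INFECTED] * 6    # outbreak conditions

if __name__ == "__main__":
    for label, batch in (("normal", NORMAL), ("outbreak", OUTBREAK)):
        print(label, scanner_runs(batch, SCANNERS),
              scanner_runs(batch, SCANNERS, skip_if_found=True))
    print(scan_in_series(INFECTED, SCANNERS))
    print(scan_in_series(INFECTED, SCANNERS, skip_if_found=True))
```

In this model, stopping early saves 1 of 20 scanner runs on the normal batch and 6 of 20 on the outbreak batch, at the cost of losing the virus name whenever the first scanner detects but cannot name the file; a variant that only the second scanner knows is still caught in both modes.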