[Declude.Virus] dropping virus report e-mails

2004-03-25 Thread Bonno Bloksma
Hi,

I also asked this question in the IMail forum but.

could I maybe do something with the BANNAME keyword without sending the
standard reply which I do want to send for regular files I ban on extension?
As far as I know I have little flexibility (yet) in the name of the
*.eml file which needs to be BANnotify.eml

While we are on the subject, can I easily delete e-mails with a 0 byte zip
file, as they are just broken viruses anyway?

Like I wrote below, I have IMail (8.05), Declude (1.78i28) Junkmail standard
and virus pro

Kind regards,

Bonno Bloksma

- Original Message -
From: Bonno Bloksma [EMAIL PROTECTED]
To: IMail_Forum [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 9:34 AM
Subject: [IMail Forum] dropping virus report e-mails


 Hi,

 Some viruses send to the secondary MX, that's the MX from my uplink. He
 also does virus scanning but reports those viruses to the end recipient. My
 users are going crazy with those hundreds of emails and I simply want to
 drop them. As my uplink has some/several customers who want to receive those
 e-mails and he cannot differentiate between customers I have to drop them
 myself.

 Is there a way to have a domain wide rule in IMail to simply delete all
 mails that have an attachment called: Virtu-Attachment-Warning.txt ?
 That is the only constant in all those virus report e-mails.
 I'm also using Declude Junkmail standard and virus pro, if any of those
 products can do what I want then that's ok too.


 Kind regards,

 Bonno Bloksma

 ---
 [This E-mail scanned for viruses by Declude Virus using f-prot and Sophos]


 To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
 List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
 Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Trend and McAfee installed on same machine

2004-03-25 Thread R. Scott Perry

 One option (with Declude Virus Pro) is to ban file extensions within .ZIP
 files (blocking all .EXE, .PIF, .SCR, .BAT, .COM, etc. files).  The other
 option would be to rename the .ZIP file to use another extension.

So if I understand correctly, I should be able to send a zip file to
somebody on my server and they will receive it?  But, if it was zip file
that contained a scr or pif or whatever, Declude would stop it?

Again, it all depends on how you have it set up.

With BANEXT EZIP, all encrypted .ZIP files are blocked (which is 
recommended).  In that case, you can send a .ZIP file to someone on your 
server and they will receive it (assuming it is not an encrypted .ZIP file).

If you do not want to ban all encrypted .ZIP files, you'll need to use 
Declude Virus Pro with BANEZIPEXTS ON (to ban file extensions within 
encrypted .ZIP files; you can also use BANZIPEXTS ON to ban file 
extensions within non-encrypted .ZIP files) and a bunch of BANEXT lines 
(one per extension you wish to block).  Then, those extensions will be 
blocked in standard files, as well as encrypted .ZIP and/or standard .ZIP 
files.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
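
The two policies described in the message above (block every encrypted .ZIP, or let them through and ban by extension inside the archive) can be expressed as a standalone check. This is an added Python example, not Declude's code; `inspect_zip`, `make_sample`, the verdict strings and the extension list are assumptions, and the sample archives are constructed in memory.

```python
import io
import os
import zipfile

# Assumed policy for this example: the extensions named in the post above.
BANNED_EXTS = {".exe", ".pif", ".scr", ".bat", ".com"}
ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0 of a ZIP entry


def inspect_zip(raw, ban_all_encrypted=True, banned=BANNED_EXTS):
    """Return (verdict, reason) for one ZIP attachment passed as bytes."""
    if not raw:
        return "invalid", "zero-byte archive"
    try:
        entries = zipfile.ZipFile(io.BytesIO(raw)).infolist()
    except zipfile.BadZipFile:
        return "invalid", "not a readable ZIP"
    if ban_all_encrypted and any(e.flag_bits & ENCRYPTED_FLAG for e in entries):
        return "block", "encrypted ZIP"
    # With traditional ZIP encryption the entry names stay in clear text,
    # so the extension check needs no password.
    for e in entries:
        ext = os.path.splitext(e.filename)[1].lower()
        if ext in banned:
            kind = "encrypted" if e.flag_bits & ENCRYPTED_FLAG else "plain"
            return "block", f"{ext} inside {kind} ZIP"
    return "pass", "no banned content"


def make_sample(names, encrypted=False):
    """Build a constructed in-memory archive; encrypted=True only sets the flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        raw[pos + 8] |= ENCRYPTED_FLAG  # flag field of a central directory record
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for label, raw, strict in [
        ("plain text file", make_sample(["report.txt"]), True),
        ("encrypted, strict", make_sample(["report.txt"], True), True),
        ("encrypted .scr, by extension", make_sample(["photo.SCR"], True), False),
        ("zero-byte", b"", True),
    ]:
        print(label, "->", inspect_zip(raw, ban_all_encrypted=strict))
```
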



Re: [Declude.Virus] dropping virus report e-mails

2004-03-25 Thread R. Scott Perry

I also asked this question in the IMail forum but.

could I maybe do something with the BANNAME keyword without sending the
standard reply which I do want to send for regular files I ban on extension?
As far as I know I have little flexibility (yet) in the name of the
*.eml file which needs to be BANnotify.eml

Right now, there isn't a way that you could use BANNAME and not send out
the banned file notification (unless you turned off the banned file
notifications completely).

While we are on the subject, can I easily delete e-mails with a 0 byte zip
file, as they are just broken viruses anyway?

No, I am not aware of any way to do that.

   -Scott


Re: [Declude.Virus] Request for per-domain configuration

2004-03-25 Thread Darin Cox
Hmmm...I hate having to turn off the footer for everyone just because of one
customer.  Haven't run into it yet myself, but some people on this list
will probably run into the problem with having to pass encrypted zips for
one customer while banning them for everyone else...or similar requests for
other files... so how about this...

Add support for domain-specific configuration files.  This would allow not
only removing the footer on a domain basis, but also skipping/banning of
files, deletion of viruses,  and potentially even virus codes (such as the
F-Prot virus code 8 for suspicious files) to be configurable by domain.

Would mostly solve our problem as well as provide much greater flexibility
for everyone...and hopefully be easier to implement than the fix for the
footer problem.

Thoughts?

Darin.


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 7:31 AM
Subject: Re: [Declude.Virus] Corrupting of Outlook Meeting Requests



Early in 2002 you mentioned in this list...

We are planning to change the footer option so that it will only appear in
plain text segments, which will prevent interfering with the [Outlook] meeting
requests, and will ensure that the footer is visible even when HTML and/or
attachments are present.

Was there a resolution to this?

No, that has remained a fairly low priority, because of two factors: [1] it
is not commonly requested, and [2] would be a lot of work.

If not, is there any way to turn the footer off for a single domain?

No.  The FOOTER option is a global option.

-Scott


RE: [Declude.Virus] Trend and McAfee installed on same machine

2004-03-25 Thread Kami Razvan
Scott:

Just an idea... 

What if you extend the idea of Whitelist password to Declude Virus- for
password protected zip files.

If the subject has a code then the attachment with password protected will
be skipped.  If you can take the subject and delete the password before
passing it on it can work great.. Sort of like the password protected list
in IMail.

This can solve a lot of problems.. But I am sure it can introduce more.

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 25, 2004 7:29 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Trend and McAfee installed on same machine


  One option (with Declude Virus Pro) is to ban file extensions within
  .ZIP files (blocking all .EXE, .PIF, .SCR, .BAT, .COM, etc. files).
  The other option would be to rename the .ZIP file to use another extension.

So if I understand correctly, I should be able to send a zip file to 
somebody on my server and they will receive it?  But, if it was zip 
file that contained a scr or pif or whatever, Declude would stop it?

Again, it all depends on how you have it set up.

With BANEXT EZIP, all encrypted .ZIP files are blocked (which is
recommended).  In that case, you can send a .ZIP file to someone on your
server and they will receive it (assuming it is not an encrypted .ZIP file).

If you do not want to ban all encrypted .ZIP files, you'll need to use
Declude Virus Pro with BANEZIPEXTS ON (to ban file extensions within
encrypted .ZIP files; you can also use BANZIPEXTS ON to ban file
extensions within non-encrypted .ZIP files) and a bunch of BANEXT lines (one
per extension you wish to block).  Then, those extensions will be blocked in
standard files, as well as encrypted .ZIP and/or standard .ZIP files.

-Scott


[Declude.Virus] F-prot passing Netsky.P or variant?

2004-03-25 Thread Darin Cox



Anyone else having trouble with a lot of new viruses slipping through?

I submitted two to F-Prot earlier this morning, but they are claiming that the
attachments were Netsky.P. However, I have the latest virus defs from them and
the virus logs clearly show them being scanned and virus free.

I'm betting it's a new, fast-spreading variant or Netsky, but am curious as to
what others are seeing..

Darin.




RE: [Declude.Virus] F-prot passing Netsky.P or variant?

2004-03-25 Thread Rodney Bertsch



Darin,

Sounds exactly like what we had happen yesterday but the mail logs made it look
like there was no attachment in the e-mail. Yet Norton caught an attachment as
Netsky.P. Something strange

- Rodney

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Darin Cox
  Sent: Thursday, March 25, 2004 10:17 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.Virus] F-prot passing Netsky.P or variant?

  Anyone else having trouble with a lot of new viruses slipping through?

  I submitted two to F-Prot earlier this morning, but they are claiming that
  the attachments were Netsky.P. However, I have the latest virus defs from
  them and the virus logs clearly show them being scanned and virus free.

  I'm betting it's a new, fast-spreading variant or Netsky, but am curious as
  to what others are seeing..

  Darin.
  
  


RE: [Declude.Virus] Netsky returns with auto-response

2004-03-25 Thread Rodney Bertsch
Now that Darin has posted something similar I have to ask...  If Norton
caught something that wasn't actually there, then what is the 28.8 kb file
it put in quarantine?   Could the virus have come through as text which
didn't show as an attachment?

Thanks,

Rodney

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, March 24, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Netsky returns with auto-response



03/24/2004 11:02:31 Qb110d53600d64d81 Scanned: Virus Free

If there is nothing after the Virus Free, that would indicate that there
weren't any actual attachments.

Most likely, the bounce message included something like Original message
follows:, followed by the original message.  In this case, it's actually a
text file, but Norton is improperly treating it as a MIME file (so it sees
a virus that really isn't there).

-Scott


RE: [Declude.Virus] F-prot passing Netsky.P or variant?

2004-03-25 Thread Grant Griffith - Declude Virus



I had one slip thru to me this morning also... McAfee detected it on my system
as the W32/Netsky.b.eml!zip virus. Not sure as to where it quarantined the
file to, but I was surprised my banext's did not catch it also.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Darin Cox
Sent: Thursday, March 25, 2004 10:17 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot passing Netsky.P or variant?

Anyone else having trouble with a lot of new viruses slipping through?

I submitted two to F-Prot earlier this morning, but they are claiming that the
attachments were Netsky.P. However, I have the latest virus defs from them and
the virus logs clearly show them being scanned and virus free.

I'm betting it's a new, fast-spreading variant or Netsky, but am curious as to
what others are seeing..

Darin.




RE: [Declude.Virus] F-prot passing Netsky.P or variant?

2004-03-25 Thread R. Scott Perry

I had one slip thru to me this morning also...  McAfee detected it on my
system as the W32/Netsky.b.eml!zip virus.  Not sure as to where it
quarantined the file to, but I was surprised my banext's did not catch it
also.

The .eml is now being used for E-mails where no virus is detected, but
the E-mail appears to have been generated by a virus.  Since no virus was
present, Declude Virus allowed the E-mail through.

   -Scott


[Declude.Virus] Suggestion, Whitelist password in subject

2004-03-25 Thread Greg Little
This might be a way to block virus traffic, but allow employees and 
selected customers to send and receive EZip files.
For example, when a virus sample is sent to McAfee's AVERT, they want a
zip encrypted with infected. Currently I expect that since I'm
blocking EZips, I could not send a sample to AVERT through my e-mail server.

The danger would be that viruses, etc. might use this system against us.
As long as each site chose its own (different) White list Code Word,
and changed it as needed, that risk should be low.
A few viruses (none of the current batch?) have responded to currently
unanswered e-mails, so that would increase the risk of a virus getting
through.

The White list Code Word would NOT be related to the Zip file password.
So the subject might be My important and encrypted info [CodeWord$12]
Would we only want to override the ban ezip?
Leave other checking like extension blocking (no EXEs or PIFs) in place?
Still pass the file to the virus scanners?
Although this concept could be extended to white list past all kinds of 
checking, a poorly configured/administered mail server could have some 
huge holes.

I like the idea, but sometimes the details get messy.
For the sites that need to handle EZips, it might be a way to open the 
door and still keep most of the protections in place.

--

Greg Little

Kami Razvan wrote:

Scott:

Just an idea... 

What if you extend the idea of White list password to Declude Virus- for
password protected zip files.
If the subject has a code then the attachment with password protected will
be skipped.  If you can take the subject and delete the password before
passing it on it can work great.. Sort of like the password protected list
in IMail.
This can solve a lot of problems.. But I am sure it can introduce more.

Kami 

---
[This E-mail scanned for viruses by Findlay Internet]