[Declude.Virus] Fw: Sweep VIRUS ALERT from dommie.hengelo.tio.nl

2004-04-06 Thread Bonno Bloksma
Hi Scott,

If I understand the IMail directory structure correctly, the spool\web
directory is only used for mail attachments sent via the web interface. If
that is indeed the case, then here is a logfile from Sophos to show you why it
is important to scan webmail for viruses.

Groetjes,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 4:20 AM
Subject: Sweep VIRUS ALERT from dommie.hengelo.tio.nl


 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\Info(1).zip
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~2.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~1.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~3.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~4.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INE785~1.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INE385~1.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INEB85~1.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\Info.zip
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL

 Virus: Sophos Anti-Virus report:
 Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INEF75~1.ZIP
 User: NT AUTHORITY\SYSTEM
 At 04:20 on Tuesday, April 06, 2004
 User: Administrators
 Node: MAIL


 ---
 [This E-mail scanned for viruses by Declude Virus using f-prot and Sophos]


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

2004-04-06 Thread R. Scott Perry

 Sorry about that.  I included the wrong message.  I had 2 issues confused
 with each other.  Here is the one I was referring to where Declude blocks
 the message...

Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
  (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
From: [EMAIL PROTECTED]
To:   [EMAIL PROTECTED]
Date: Fri, 02 Apr 2004 01:29:56 -0400
Subject: Backup Exec Alert: Job Failed (Server: BHFSERVER) (Job: Backup
0001)
X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: [EMAIL PROTECTED]
The problem here is the blank line after the Subject: header.  That line 
presumably originally contained a single space or tab character, which 
introduces the Blank Folding vulnerability (which violates RFC2822).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
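A small checker for the header defect Scott describes, added here as an illustration (it is not Declude's code): it walks a raw header block and flags any folded continuation line that contains only whitespace, which RFC 2822 does not allow. The sample header is a constructed copy of the Backup Exec alert above with the whitespace-only line restored.

```python
import re

# Constructed sample, modelled on the Backup Exec alert quoted above:
# the Subject: header is folded, and the second folded line is a lone
# tab, i.e. the whitespace-only continuation line Declude objects to.
SAMPLE_HEADERS = (
    "From: postmaster@example.invalid\r\n"
    "To: ops@example.invalid\r\n"
    "Subject: Backup Exec Alert: Job Failed (Server: BHFSERVER) (Job: Backup\r\n"
    " 0001)\r\n"
    "\t\r\n"
    "X-Mailer: VERITAS SMTP Mail Component\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "body text\r\n"
)

# A header field starts with a field-name (printable ASCII, no colon) and ':'.
HEADER_START = re.compile(r"^[!-9;-~]+:")


def find_blank_folds(raw: str) -> list:
    """Return (line_number, field_name) for each whitespace-only folded line.

    RFC 2822 section 3.2.3: a folded line is CRLF followed by WSP, and the
    continuation must carry at least one non-WSP character.  Parsers
    disagree on whether a WSP-only line ends the header block, so a
    scanner and a mail client can see different message structures; that
    is the condition reported here as the 'Blank Folding' vulnerability.
    """
    findings = []
    current_field = None
    for lineno, line in enumerate(raw.split("\r\n"), start=1):
        if line == "":
            break                          # genuine end of the header block
        if HEADER_START.match(line):
            current_field = line.split(":", 1)[0]
        elif line[0] in " \t" and line.strip(" \t") == "":
            findings.append((lineno, current_field))
    return findings


def has_blank_folding(raw: str) -> bool:
    return bool(find_blank_folds(raw))


if __name__ == "__main__":
    for lineno, field in find_blank_folds(SAMPLE_HEADERS):
        print(f"line {lineno}: whitespace-only folded line inside '{field}:'")
```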



Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

2004-04-06 Thread Dan Geiser
Hi, Scott,
Sorry about that.  I included the wrong message.  I had 2 issues confused
with each other.  Here is the one I was referring to where Declude blocks
the message...

---
-Original Message- 
From: Postmaster
Sent: Fri 4/2/2004 1:29 AM
To: [EMAIL PROTECTED]
Cc:
Subject: WARNING: YOU WERE SENT A VIRUS


The virus scanner software at Nexus Technology Group on NexusTechGroup.com
has reported someone sent you an E-mail from [EMAIL PROTECTED],
containing the [Outlook 'Blank Folding' Vulnerability] virus in the [No
attachment] attachment.  The subject of the E-mail was Backup Exec Alert:
Job Failed (Server: BHFSERVER) (Job: Backup 0001) .

The E-mail containing the virus has been deleted to prevent any damage.

Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
  (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
From: [EMAIL PROTECTED]
To:   [EMAIL PROTECTED]
Date: Fri, 02 Apr 2004 01:29:56 -0400
Subject: Backup Exec Alert: Job Failed (Server: BHFSERVER) (Job: Backup
0001)

X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: [EMAIL PROTECTED]

---

Any ideas?

Thanks, Again,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 05, 2004 6:54 PM
Subject: Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in
Backup Exec 9.1 Notifications



 We have a customer who is running Veritas Backup Exec.  When their backup
 runs a notification is triggered by Backup Exec and we bounce that
 notification through our IMail server and then on to the appropriate
 parties.  This notification system has been running fine for months now
 using our IMail server as a relay.
 
 In the past week or so IMail has had trouble routing these messages. Here
 is an example message...
 
 -
 From: Postmaster
 mailto:[EMAIL PROTECTED][EMAIL PROTECTED]
 
 undeliverable to mailto:[EMAIL PROTECTED][EMAIL PROTECTED]

 This one indicates that IMail can't deliver the E-mail to
 mailto:[EMAIL PROTECTED][EMAIL PROTECTED]  However:

 Original message follows.
 
 Subject: Backup Exec Alert: Job Success
 ...

 There is no indication that Declude blocked this E-mail.

 For those of you with a trained eye...
 
 1)  Why does Declude flag the original notification message as having the
 blank folding vulnerability?  I'm OK with that; I'm just curious to know why.

 I don't see any indication that it did.

 2)  Secondly, and actually more importantly: why is my IMail system unable
 to deliver the notification to
 mailto:[EMAIL PROTECTED][EMAIL PROTECTED]?  There appears to be a space
 right before mailto:[EMAIL PROTECTED][EMAIL PROTECTED] in the To: line of
 the original notification.  I believe that space is being added by Backup
 Exec.  Would that cause the message to be undeliverable?

 That would likely cause the message to be undeliverable.

 -Scott



---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



[Declude.Virus] BANEZIPEXTS and BANZIPEXTS question and suggestion

2004-04-06 Thread Panda Consulting S.A. Luis Alberto Arango
Scott:
My first suggestion, thinking of those new Declude users that are not yet on
the list and will become new Declude customers, as well as old ones: I
suggest adding an explanation in the demo config file and the Manual about
how BANEZIPEXTS and BANZIPEXTS work, explaining that the setting should be
ON and the effect it causes. The release notes are clear about the banning
feature but not that clear about using the ON switch. I believe that now the
only way to find that out is through the file archives. It would be very
useful then to add it to the config file and the Manual.

Now my question:
I tested BANEZIPEXTS ON, encrypting 1 file: a .COM extension file that I
ban via BANEXT. Declude stopped it right away.

Then I tested the same option encrypting 2 files: a .com extension and a .log
one. I don't ban .log. My objective was to see if the zip was going to be
banned by Declude since it had a .COM extension.

Declude didn't stop it. 

I tried it with 3 files: a .COM and 2 .txt files (.txt is not banned in my
configuration), and Declude didn't stop it.

As far as I understand then, BANEZIPEXTS considers that only one file is
in the encrypted zip and that is the one it checks, or perhaps if there is
more than one file and one of them is not in BANEXT then it doesn't stop
it.

Let me know your thoughts. I am afraid that new viruses come in a way that 2
files come within an encrypted zip, one being a .COM, .PIF, or any dangerous
extension and the other one a simple .txt file, so in the end Declude lets it
pass.

How does BANEZIPEXTS work if 2 or more files are included in the encrypted
ZIP and at least one of them is not in the BANEXT list?

-Luis Arango



__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]
[Email escaneado contra virus por Panda Consulting -www.pandacons.com-]

[AUTOMATED NOTE: Your mail server [129.250.225.148] is missing a reverse DNS entry. 
All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS 
entry will cause your mail to be treated as spam on some servers, such as AOL.]



Re: [Declude.Virus] BANEZIPEXTS and BANZIPEXTS question and suggestion

2004-04-06 Thread R. Scott Perry

 How does BANEZIPEXTS work if 2 or more files are included in the encrypted
 ZIP and at least one of them is not in the BANEXT list?

With the original interim release that added the BANEZIPEXTS option, it 
would only look at the first file.  That was due to the speed needed to add 
the feature (Declude Virus already had access to the information needed to 
check the first file, but not subsequent files).

With the latest beta, though, this was expanded so that if you use 
BANEZIPEXTS ON and any file in the encrypted .ZIP file has a banned file 
extension, the E-mail should be blocked.

   -Scott
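The two behaviours Scott contrasts (interim release: first entry only; later beta: any entry), as an added Python illustration that is not Declude's code. The ban list and the entry names are constructed for the example; the archive is built unencrypted because the check only reads entry names, which ZIP encryption leaves in the clear in the central directory.

```python
import io
import posixpath
import zipfile

# Assumed BANEXT-style ban list for this illustration, not a real config.
BANNED_EXTS = {".com", ".pif", ".exe", ".scr"}


def build_sample_zip(names: list) -> bytes:
    """Constructed sample archive with the given entry names.

    Python's zipfile cannot write encrypted entries, but the check below
    does not need it: ZIP encryption (traditional PKZIP as well as WinZip
    AES) protects entry data only, and the names remain readable in the
    central directory, which is what lets a scanner apply BANEXT rules to
    an encrypted archive without knowing the password.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder content")
    return buf.getvalue()


def banned_entries(archive: bytes, first_only: bool) -> list:
    """Names in the archive whose extension is on the ban list.

    first_only=True mirrors the interim release Scott describes (only the
    first entry was examined); first_only=False mirrors the later beta,
    where any entry with a banned extension blocks the message.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()                 # central-directory order
    if first_only:
        infos = infos[:1]
    return [i.filename for i in infos
            if posixpath.splitext(i.filename)[1].lower() in BANNED_EXTS]


def should_block(archive: bytes, first_only: bool = False) -> bool:
    return bool(banned_entries(archive, first_only))


if __name__ == "__main__":
    # Luis's second test: a .COM plus a harmless file, harmless one first.
    sample = build_sample_zip(["readme.log", "INFO.COM"])
    print("interim (first entry only):", should_block(sample, first_only=True))
    print("beta (any entry):          ", should_block(sample))
```

With the harmless entry first, the first-entry-only logic lets the archive through while the any-entry logic blocks it; swap the order and both versions block.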
