RE: [Declude.Virus] I do not think this should of failed.

2004-07-16 Thread Douglas Cohn 
It may be worth your time to contact Yahoo and alert them of this if it is
really an issue.  If they give a hoot (and they very well may) they will put
some text on the page to use the Url and not the filename when sending links
of maps in email.

Doesn't Yahoo have a link for sending a map to somone directly on their
site. 

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Thursday, July 15, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] I do not think this should of failed.

The real issue is not one with our client base rather the other quarter of a
million people who are not our clients but send email to our servers.  When
that email does not make it through it creates a problem for me.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Doug Anderson
 Sent: Wednesday, July 14, 2004 4:33 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] I do not think this should of failed.


 We have the same problem.

 DO NOT USE the email map link on the page

 Copy and paste the link/url into an email or email link directly from 
 the browser to the user. The url contains all the info for creating the
map.

 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, July 14, 2004 4:13 PM
 Subject: Re: [Declude.Virus] I do not think this should of failed.


 
  A soccer club sent an email regarding the location of soccer practice.
  Declude appeared to catch it because of a yahoo map link to the 
  soccer fields.  It would seem to be a common practice for someone 
  to use a map
 link
  for directions.  Copy of logfile below.
  
  How do we prevent this from happening in the future?   I do
 not have any
  clout with Yahoo so I doubt I could get them to change their
 nomenclature.
 
  Unfortunately, filenames longer than 256 characters are very unsafe.  
  If Yahoo chooses to use filenames greater than 256 characters, they 
  need to understand that their E-mails are going to be blocked.  It 
  sounds like Yahoo just changed their file naming system.
 
  Note that it is fine for them to have a *link* that is longer than 
  256 characters, it is only the filename that has the problem.  In 
  this case, the filename was
 
 overviewmap_OVMAPDATA=Ypg91eR32XWTWSco9NwX6snk0KVRpsRh.tpax9mLk 
 followed
  by at least
  158 more characters.
 
  In general, if the average person isn't going to be able to type a
 filename
  without making a typo after a few tries, it shouldn't be used as a
 filename.
 
  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail 
  mailservers since 2000.
  Declude Virus: Ultra reliable virus detection and the leader in
 mailserver
  vulnerability detection.
  Find out what you've been missing: Ask for a free 30-day evaluation.
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To 
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 
  *Scanned for viruses by Declude Virus*
 
 


 *Scanned for viruses by Declude Virus*

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] SKIPIFRECIP SKIPIFVIRUSNAMEHAS

2004-07-16 Thread Dan Geiser 



Hello, All,
I know that I can use SKIPIFRECIP to skip Virus 
Warnings for specific Domain Names and I can use SKIPIFVIRUSNAMEHAS to skip 
Virus Warnings for specific Virus Names. But is there any way I can 
supress Virus for a specific Virus Name for just one domain name? 
Specifically I have one customer who doesn't want to receive the "Vulnerability" 
warnings any longer.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

RE: [Declude.Virus] SKIPIFRECIP SKIPIFVIRUSNAMEHAS

2004-07-16 Thread John Tolmachoff \(Lists\) 









Yes and no.



For virus notices, yes.



For Vulnerabilities, it is either all or
none.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, July
 16, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus]
SKIPIFRECIP  SKIPIFVIRUSNAMEHAS





Hello, All,





I know that I can use SKIPIFRECIP to skip Virus Warnings for
specific Domain Names and I can use SKIPIFVIRUSNAMEHAS to skip Virus Warnings
for specific Virus Names. But is there any way I can supress Virus for a
specific Virus Name for just one domain name? Specifically I have one
customer who doesn't want to receive the Vulnerability warnings any
longer.











Thanks In Advance,





Dan Geiser





[EMAIL PROTECTED]

[Declude.Virus] Binhex reminants from virus scanning

2004-07-16 Thread Matt 




Scott,

I finally captured a binhex message that caused the vir directory to be
left behind. This one contained six JPG attachments, although I have
definitely seen it with only one. I can forward you the entire message
source (about 3 MB), or maybe you can get something from the attachment
definition pasted below:
--MS_Mac_OE_3171616584_11162912_MIME_Part
Content-type: application/mac-binhex40; name="01.jpg"
  
(This file must be converted with BinHex 4.0)
:"M!a,QT`C`"+8%9([EMAIL PROTECTED]0rrBrq!!%%T'58B!!3)"!%J!5!!
!rqdS$"SEh4[FfK[F#!c,M!!1%**633%!*!%$k!F!J!!!J!#(!*i!-e1EhBJ-$3

In Webmail, the above attachment name appears as "ISLAM !.jpg" which I
assume comes from the encoded portion of the message. The file that
corresponds to this within the leftover vir directory is called
"1_1.exe". I seem to recall you indicating that binhex attachments
don't have extensions and that this is why declude creates them by
taking the file and giving it an EXE extension. I'm going to guess
that what is happening here is some confusion in the code about what
the proper name is because it is actually defined. Note that my system
is configured to not scan JPG files, and while the "01.jpg" name in the
attachment header could probably be forged and therefore is not good to
trust, the one that comes from the actual encoded message, "ISLAM
!.jpg", should have caused Declude to not scan it.

I can provide log snippets as well as the contents of this vir
directory if you need that also. This is only a minor nuisance that I
see about 5-10 times a month and nothing actually gets blocked that
shouldn't, although I would imagine there is a possibility that it
could be a potential hole.

Thanks,

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=