[Declude.Virus] ATTENTION: My E-mail address has changed
Please Change Your Address Book

Thank you for emailing me. Your email has been received, and I will respond as soon as possible. We are pleased to announce that Rand Realty has recently affiliated with Better Homes and Gardens Real Estate. Accordingly, our email addresses have changed from prudentialrand.com to randrealty.com. Please update your address book and direct all future messages to marc.catuo...@randrealty.com. PLEASE START USING THIS NEW ADDRESS IMMEDIATELY TO ENSURE DELIVERY. There is no need to resend this message as it has been forwarded to the new address, but this will change shortly. Thereafter, all E-mail received by this address will be returned without being forwarded to me. So please update your Address Book.

[This message is auto-generated]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus]
Marc Catuogno
MIS Director
Prudential Rand Realty
845-825-8025
[EMAIL PROTECTED]
RE: [Declude.Virus]
I didn't send it, or at least did not do so intentionally - sorry -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, July 12, 2007 2:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus]

Brief, and to the point.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marc Catuogno
Sent: Thursday, July 12, 2007 11:54 AM
To: Declude Virus
Subject: [Declude.Virus]

Marc Catuogno
MIS Director
Prudential Rand Realty
845-825-8025
[EMAIL PROTECTED]
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Um, no making fun here - I opened it. I thought it was just spam; someone forwarded it to my spam account. I didn't find the Trojan downloader on my PC. I'm ASSUMING that you have to hit the "check prices" macro button, as no macro seemed to auto-execute... I just downloaded the intelligent updater for NAV 9 (as the live update button only gave me definitions of the 21st) and am running a scan now.

Remind me not to make so much fun of other people for opening attachments.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 2:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters.
It's a zip-file containing a MS Word document named my_notebook.doc.
Most virus scanners can't catch it. Virustotal has returned only two scanners with positive results:
Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus
No other AV engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment:

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
RE: [Declude.Virus] F-Prot Switches
Really rare information about the /AI switch... just found this about the neural network: http://www.f-prot.com/support/windows/fpwin_faq/17.html
We will not use it, because it increases the risk of false alarms.

marc

At 03:55 29.03.2006, you wrote:
What is the value of the AI switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is.

/HEUR - Uses heuristic scanning of files.
/NOHEUR - Doesn't use heuristic scanning of files.
/AI - Uses Neural network heuristic scanning of files.
/NOAI - Doesn't use Neural network heuristic scanning of files.

-----Original Message-----
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Tuesday, March 28, 2006 11:53 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Switches

#Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options
# are not listed when you ask fpcmd.exe for help, but they are definitely in the logs.
SCANFILE D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Tuesday, March 28, 2006 8:46 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Switches

After seeing Matt's response I'm curious what other users are using for their F-Prot switches. Some of the switches Matt uses seem like they should be used, but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
[Scanned for viruses by Declude]
Re: [Declude.Virus] F-Prot Switches
SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /PACKED /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt

marc

At 18:46 28.03.2006, you wrote:
After seeing Matt's response I'm curious what other users are using for their F-Prot switches. Some of the switches Matt uses seem like they should be used, but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] Changes @ Declude
I didn't get an e-mail. Don't you like me? :)~

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 10, 2006 1:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Changes @ Declude

In the last 10 days we have received a number of inquiries about the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that, we are continuing to enhance and support both 3.0 and 4.0, and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements. I have responded to each and every customer who has contacted me since the email was sent out, and if anyone has any further questions they can contact me either by email or telephone (978) 499-2933.

Barry
[Declude.Virus] Blank folding vulnerability help
Somebody is sending e-mail that must get through (of course) and it is failing the blank folding vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don't want to allow vulnerabilities through, but.

01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=1034 Checksum=131676]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=856 Checksum=109734]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=7726 Checksum=981323]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=82 Checksum=8156]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=112 Checksum=14660]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=811 Checksum=104494]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/png][base64; Length=635 Checksum=80089]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4089 Checksum=441269]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=101 Checksum=14757]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/gif][base64; Length=310 Checksum=41235]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00421 [base64; Length=664 Checksum=83706]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00424 [base64; Length=1118 Checksum=136918]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00427 [base64; Length=12674 Checksum=1212421]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00430 [base64; Length=82 Checksum=7785]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00433 [base64; Length=112 Checksum=14219]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00436 [base64; Length=685 Checksum=83744]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00439 [base64; Length=1361 Checksum=169802]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00442 [base64; Length=101 Checksum=14316]
01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
RE: [Declude.Virus] Blank folding vulnerability help
Matt, thank you. What version of Declude is needed for these allows?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, January 30, 2006 5:09 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blank folding vulnerability help

Marc,

It was certainly a vulnerability at one point, but it was discovered years ago and should be long patched, plus I have never ever seen an exploit; I have however seen a steady stream of false positives with it. You can turn this off by using the following line in your Virus.cfg so long as you are on at least 2.0.6 (I'm not sure when exactly it was introduced).

ALLOWVULNERABILITY OLBLANKFOLDING

I would actually suggest turning off all of the following:

ALLOWVULNERABILITY OLCR
ALLOWVULNERABILITY OLSPACEGAP
ALLOWVULNERABILITY OLMIMESEGMIMEPRE
ALLOWVULNERABILITY OLMIMESEGMIMEPOST
ALLOWVULNERABILITY OLLONGFILENAME
ALLOWVULNERABILITY OLBLANKFOLDING
ALLOWVULNERABILITY OBJECTDATA
ALLOWVULNERABILITY OLBOUNDARYSPACEGAP

If you want to leave all of this stuff in and suffer from other false positives that they create, you can instead just exclude a single address using the following line in your Virus.cfg:

ALLOWVULNERABILITIESFROM [EMAIL PROTECTED]

Matt

Marc Catuogno wrote:
Somebody is sending e-mail that must get through (of course) and it is failing the blank folding vulnerability test. What can I tell this person they should do to not have this e-mail get caught? I don't want to allow vulnerabilities through, but.
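An added example (not code from the list, from Declude, or from any poster) that ties together three things quoted above: the BANNAME lines from Markus's zipped-Word-doc post, the ALLOWVULNERABILITY and ALLOWVULNERABILITIESFROM directives Matt suggests, and the Declude log lines Marc posted for the blank-folding false positive. It parses a constructed virus.cfg fragment, folds the per-message log lines into one record, and reports which findings would still hold the message once the allowances apply. The matching rules (case-insensitive whole-filename match for BANNAME, exact address match for ALLOWVULNERABILITIESFROM) and the mapping from the log's 'Blank Folding' name to the OLBLANKFOLDING token are assumptions; Declude's actual semantics are not on the page.

```python
"""Triage Declude Virus log lines against virus.cfg directives (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed virus.cfg fragment. The directive names come from the list
# posts; how Declude itself matches them is an ASSUMPTION made here.
SAMPLE_CFG = """\
# banned attachment names from the June 2006 thread
BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME My_Notebook.doc
# suppress the test that produced the false positive in the January thread
ALLOWVULNERABILITY OLBLANKFOLDING
ALLOWVULNERABILITIESFROM newsletter@example.com
"""

# Log lines copied (abridged) from the blank-folding thread.
SAMPLE_LOG = """\
01/20/2006 07:25:44 Qd6c809e500d45890 Outlook 'Blank Folding' vulnerability in line 18
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [text/html][quoted-printable; Length=18542 Checksum=1227819]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: [image/jpeg][base64; Length=4306 Checksum=452062]
01/20/2006 07:25:44 Qd6c809e500d45890 MIME file: ATT00418 [base64; Length=1744 Checksum=207233]
01/20/2006 07:25:45 Qd6c809e500d45890 File(s) are INFECTED [[Outlook 'Blank Folding' Vulnerability]: 0]
"""

# Log name -> ALLOWVULNERABILITY token. Only the pair visible on the page is
# known; the rest of Declude's table is not reproduced here (assumption).
VULN_TOKENS = {"Blank Folding": "OLBLANKFOLDING"}

LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<qid>Q[0-9a-f]+) (?P<msg>.*)$")
# Body parts are logged as [type][encoding; ...], named attachments as name [encoding; ...]
MIME_RE = re.compile(
    r"^MIME file: (?:\[(?P<ctype>[^\]]+)\]|(?P<name>\S+)) ?"
    r"\[(?P<enc>[^;]+); Length=(?P<length>\d+) Checksum=(?P<checksum>\d+)\]$"
)
VULN_RE = re.compile(r"^Outlook '(?P<name>[^']+)' vulnerability in line (?P<line>\d+)$")
VERDICT_RE = re.compile(r"^File\(s\) are INFECTED \[(?P<detail>.*)\]$")


@dataclass
class Config:
    banned_names: Set[str] = field(default_factory=set)   # lower-cased
    allowed_vulns: Set[str] = field(default_factory=set)
    allowed_from: Set[str] = field(default_factory=set)   # lower-cased


@dataclass
class Attachment:
    name: Optional[str]          # filename, or None for inline body parts
    content_type: Optional[str]  # MIME type, or None for named attachments
    encoding: str
    length: int
    checksum: int


@dataclass
class ScanRecord:
    qid: Optional[str] = None
    attachments: List[Attachment] = field(default_factory=list)
    vulnerabilities: List[Tuple[str, int]] = field(default_factory=list)  # (name, line)
    verdict: Optional[str] = None


def parse_cfg(text: str) -> Config:
    """Collect the three directive types; comments and blank lines are skipped."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip()
        if key == "BANNAME":
            cfg.banned_names.add(value.lower())
        elif key == "ALLOWVULNERABILITY":
            cfg.allowed_vulns.add(value.upper())
        elif key == "ALLOWVULNERABILITIESFROM":
            cfg.allowed_from.add(value.lower())
    return cfg


def parse_log(text: str) -> ScanRecord:
    """Fold the per-message log lines into one record; unknown lines are ignored."""
    rec = ScanRecord()
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        rec.qid = m["qid"]
        msg = m["msg"]
        mm, vm, dm = MIME_RE.match(msg), VULN_RE.match(msg), VERDICT_RE.match(msg)
        if mm:
            rec.attachments.append(Attachment(mm["name"], mm["ctype"], mm["enc"],
                                              int(mm["length"]), int(mm["checksum"])))
        elif vm:
            rec.vulnerabilities.append((vm["name"], int(vm["line"])))
        elif dm:
            rec.verdict = dm["detail"]
    return rec


def triage(cfg: Config, rec: ScanRecord, sender: str) -> List[str]:
    """Reasons the message would still be held once cfg's allowances apply."""
    reasons = []
    for att in rec.attachments:
        if att.name and att.name.lower() in cfg.banned_names:
            reasons.append(f"banned filename {att.name}")
    sender_exempt = sender.lower() in cfg.allowed_from
    for name, line in rec.vulnerabilities:
        token = VULN_TOKENS.get(name)  # None for names this table does not know
        if sender_exempt or (token and token in cfg.allowed_vulns):
            continue
        reasons.append(f"vulnerability {token or name} at line {line}")
    return reasons


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    rec = parse_log(SAMPLE_LOG)
    print(rec.qid, rec.verdict)
    print("held for:", triage(cfg, rec, "someone@example.org") or "nothing")
    print("held without the allowance:",
          triage(parse_cfg("BANNAME prices.zip"), rec, "someone@example.org"))
```

Run as a script it shows the message passing under the sample config and being held for OLBLANKFOLDING under a config without the allowance; the same functions can be pointed at a real log excerpt to check what a proposed ALLOWVULNERABILITY or BANNAME change would have done to past traffic before it is deployed.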
RE: [Declude.Virus] Blank folding vulnerability help
So since I am running 1.82 I can either allow all vulnerabilities or not. I have been putting off upgrading till IMAIL and Declude are all at nice stable releases. Any input on what the latest/best working combo is?

Crap.

Thank you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, January 30, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blank folding vulnerability help

ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but I know it works in 2.0.6.14 and higher. I think it came along somewhere after 2.0.6.0

Matt

Marc Catuogno wrote:
Matt, thank you. What version of Declude is needed for these allows?
RE: [Declude.Virus] Blank folding vulnerability help
Matt, thanks again. I can't get a download off of the Declude page other than the latest version and hot fixes for 1.76-1.82, no 2.x versions at all. I may venture into the 3s but I am still running IMAIL 8.15. I've been too scared to upgrade either product lately, sad really. I used to wait about a week before jumping on an upgrade. Keep hoping SmarterMail will pan out; most of my users are on webmail and I hear that it is abysmal on IMAIL 2006. Sorry for the rant, but I hate how far behind I feel.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, January 30, 2006 9:10 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blank folding vulnerability help

Marc,

2.0.6.16 is as solid as any release that I have seen, and I can't see how you would have any issues with upgrading to it, nor are there any changes that must be made. The only caveat here is that you will have issues on any version of IMail later than 8.15HF2. 2.0.6.16 fixes issues present in 1.82, adds new functionality such as this vulnerability stuff, and does not introduce any new bugs that I am aware of. I don't want to dismiss the latest 3.x release since others are happy with it, but since I run IMail 8.15HF2, there is little in that release that enhances my immediate use, and I am willing to wait a bit longer so that a period of stability can be established before I make the jump.

Matt

Marc Catuogno wrote:
So since I am running 1.82 I can either allow all vulnerabilities or not. I have been putting off upgrading till IMAIL and Declude are all at nice stable releases. Any input on what the latest/best working combo is?

Crap.

Thank you!
RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
Mike, thanks for fixing this problem with your suggestion of adding the SKIPIFVIRUSNAMEHAS Sober line to the recip.eml file; this really helps! We had the same problem exactly 1 year before, posted this problem here and discussed it on the IMail forum with no solution. Now, after the new Sober flood two weeks ago, again all symptoms like your description; also new users were created like po, post, postma, postmaster, ... so I am sure this is a Declude issue.

Windows 2000 Server
Imail 8.15 HF2
Declude Virus Standard 1.82
F-Prot

Marc

At 18:49 09.12.2005, you wrote:
What I think it might be is a combination of several things, and here are some of the common things that I have with information gathered on the different lists:

Seems to have first started with IMail 8.x
Running Declude Pro, Virus (f-prot), Hijack 1.82
Sober virus seems to trigger this event along with the recip.eml file
IMail Client (Imail1.exe) will pop up on the server with random addresses in the To and CC field of the client.
It seems that the message that is trying to be sent out is the contents of the recip.eml that Declude uses.
Will see the registry changes with the SMTPWIN entry under the Users. It seems that this entry is made if you use the IMail Client on the server. In our case the entries added are part of the email address used in the From field of the recip.eml.

The way we stopped this from happening was adding the SKIPIFVIRUSNAMEHAS Sober in the recip.eml file. I'm not sure why it happens on only certain servers, but that's what we have found. I haven't been convinced that the server was hacked. Rebuilding the servers may have corrected the problem, but still not sure the servers are being hacked.

Does anyone have the same common items having this problem?

Thanks,
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crejob.com
Sent: Friday, December 09, 2005 9:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe being hijacked.

Maybe, but if you check the mailing list history, quite a few servers have had the same problem in the past 1.5 years, and the problem persists. If there is any virus or trojan, some antivirus program should be able to detect it by now. I suspect this is an issue of IMail webmail; that's why it bypasses Declude.

----- Original Message -----
From: John T (Lists) mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...

I do not think this is either an IMail or Declude issue, rather a server security issue, or rather a compromise of server security. Sounds like you have some type of virus or Trojan on that server.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

Does anybody have the answer to this problem? After 1.5 years, this problem still remains, and IPSWITCH never gave me a clear answer about it.

----- Original Message -----
From: serge mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...

I know imail1 is a command line mailer, but how do I find what is causing the imail1 window to be open and filled with all these addresses? See attached gif.

----- Original Message -----
From: Darin Cox mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light? http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

----- Original Message -----
From: Serge mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 3:55 PM
Subject: [Declude.Virus] Stranger...

Hi all, urgent help needed. I have an imail1 client window (create mail message) pop up on my server with all kinds of real and strange addresses in the TO: and CC: fields. The window remains open on the server desktop
[Declude.Virus] OT: Virus Backscatter
The latest outbreak has caused me a great deal of backscatter: "You sent a banned file", "virus in an attachment sent by you", undeliverables and so on. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] OT: Virus Backscatter
Actually I was talking about the notices from other postmasters - I have almost no bounce messages; I don't notify on banned files and so on for just that very reason.

-- Original Message --
From: Darin Cox [EMAIL PROTECTED]
Reply-To: Declude.Virus@declude.com
Date: Wed, 23 Nov 2005 10:02:38 -0500

We went with AVAFTERJM ON to minimize this. That way most get held as spam instead of being detected by Virus as banned files, and don't generate banned file notifications. Others may have better ways to handle filtering these out, but that worked well for us.

Darin.

----- Original Message -----
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 9:12 AM
Subject: [Declude.Virus] OT: Virus Backscatter

The latest outbreak has caused me a great deal of backscatter: "You sent a banned file", "virus in an attachment sent by you", undeliverables and so on. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?
RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
You have a user base that is educated and that you trust enough to click a link that would send them a potential virus? I so envy you... I'm scared to let them open and send and receive regular e-mail. I had one user ready to open an account for someone in Nigeria.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, October 11, 2005 8:14 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips. In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it. Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.

Darin.

----- Original Message -----
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net.

Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?

Thanks.
Kevin
RE: [Declude.Virus] New virus out?
I've gotten a few: 26KB files named 1.zip, 7.zip and work.zip so far.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, May 31, 2005 11:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?

John,

What do the filenames appear to be - any pattern either in filename, subject, body content etc?

Darrell

John Tolmachoff (Lists) writes:
One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs.

John T
eServices For You

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.Virus] EXITSCANONVIRUS
John,

Sorry to hear about that, it sucks. There was something I heard once about having identical drives mirrored: that if they were from the same vendor and the same model and lot number they can fail at the same time. The IBM Deskstar was apparently notorious for this. If I'm building a server I try to use two different HDs on the mirror, one IBM and one Maxtor or something. It is tough to get my host to do this for me.

Good luck man~

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 30, 2005 3:31 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

Off the topic, but it interrupted my work on my mail server. Anyone ever lose both mirrored OS drives at the same time? FUN FUN FUN NOT! At least Ghost is able to read the master.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, May 29, 2005 4:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Thanks! The grass is cut and the friends are already on the way over with beer and stuff to burn :)

Matt

Darin Cox wrote:
Sounds good to me. I tend to think of both virus and spam detection in the same breath, since I think they're stronger together than separate... but you certainly have a valid point about moving code to Junkmail... and it would seem more useful there as well. I haven't seen the false positives you've seen with the Outlook Boundary Space Gap vulnerability, but it may be due to a variation in customer base. I'll check the logs and let you know what we've seen over a similar timeframe.

Happy Memorial Day weekend! Don't forget to spend some time with the fam.

Darin.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Sunday, May 29, 2005 5:35 PM
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Darin,

My list was really only in respect to my feelings on Declude Virus and not JunkMail. In this perspective of both, however, maybe a modification where #2 includes the potential of adding it as a test to JunkMail if it would be beneficial, and a clarification on #3, like so:

1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients.

2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). Add code to Declude JunkMail if useful for blocking spam. I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the conditions related to the vulnerability, i.e. commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years.

Note that some of these vulnerabilities have never been actively exploited by viruses. Being conservative about leaving the code in for long periods I think is fine because it would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reaches. I think this reflects what you have said, and in essence this is what I was indicating in the paragraph that followed. I would definitely like to see the Outlook CR Vulnerability added to Declude JunkMail as a scoreable test since it does hit on a good deal of spam, but I won't use it in Declude Virus since I can only choose to block or pass, and it has daily issues with false positives for my customer base. Other present vulnerabilities might not justify keeping the code, however.

The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that weren't otherwise detected as viruses on my system in a two week period of time, covering over 1 million scanned messages. Of these 8 messages, all 8 were legitimate personal E-mails generated by Microsoft's own E-mail clients. I think we could agree that if this is the long-term trend, this code would be best removed or fixed instead of being added to JunkMail. Alternatively, if this is still a threat with this one vulnerability (I don't know), then the detection should be fixed. The false positives were all the result of an error in Declude where the following header was properly 'folded', but Declude seemingly experienced an error in de-folding the headers which led it to believe that there were spaces within the boundary. The 4 spaces at the beginning of the second line in this case are part of proper header folding:

Content-Type: multipart/alternative;
    boundary=
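As an added illustration of the header-folding point Matt makes (this is not code from the thread, from Declude, or from any of the posters), the following Python checks a constructed Outlook-style message whose Content-Type header is folded exactly as described: the boundary parameter sits on a continuation line indented with four spaces. Unfolding per RFC 2822 deletes the CRLF but keeps the whitespace, so the indentation lands between the ';' and 'boundary=' and never inside the boundary value; a scanner that de-folds correctly therefore sees no space in the boundary, and the boundary it recovers matches the delimiter lines in the body. A second constructed message carries a boundary with a genuine embedded space to show what the whitespace check does flag. The sample messages, the boundary string and all function names are constructed for this example.

```python
import re
from email import message_from_bytes
from email.policy import default
from typing import Dict, Optional

# Constructed sample (not a real message): Content-Type is folded after the
# ';' and the boundary parameter sits on a continuation line indented by
# four spaces, the shape described in the post above.
FOLDED_MSG = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: folded Content-Type sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative;\r\n"
    b"    boundary=\"----=_NextPart_000_0005_01C5644B.5A1F2D10\"\r\n"
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"\r\n"
    b"------=_NextPart_000_0005_01C5644B.5A1F2D10\r\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"hello\r\n"
    b"\r\n"
    b"------=_NextPart_000_0005_01C5644B.5A1F2D10\r\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"<p>hello</p>\r\n"
    b"\r\n"
    b"------=_NextPart_000_0005_01C5644B.5A1F2D10--\r\n"
)

# Constructed sample with a boundary that really does contain a space.
# RFC 2046 allows spaces inside a boundary (not at its end), so this is a
# legal but unusual value: the kind of thing a whitespace check flags.
SPACED_MSG = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: boundary with embedded space\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"abc def\"\r\n"
    b"\r\n"
    b"--abc def\r\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"one\r\n"
    b"--abc def\r\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"two\r\n"
    b"--abc def--\r\n"
)


def unfold_header(raw: bytes) -> bytes:
    """RFC 2822 section 2.2.3 unfolding: delete each CRLF that is immediately
    followed by a space or tab. The whitespace itself stays, so the four-space
    indentation ends up between ';' and 'boundary=', not inside the value."""
    return re.sub(rb"\r\n(?=[ \t])", b"", raw)


def extract_boundary(raw_msg: bytes) -> Optional[str]:
    """Let the standard-library parser unfold the headers and return the
    boundary parameter with its quotes removed (None if there is none)."""
    msg = message_from_bytes(raw_msg, policy=default)
    return msg.get_boundary()


def boundary_has_whitespace(boundary: str) -> bool:
    """The condition a 'space in boundary' check is looking for."""
    return any(ch in " \t" for ch in boundary)


def count_delimiters(raw_msg: bytes, boundary: str) -> int:
    """Count body lines that are exactly the dash-boundary, with or without
    the closing '--'. A boundary mangled by faulty de-folding (stray
    whitespace inside it) would match none of them."""
    _, _, body = raw_msg.partition(b"\r\n\r\n")
    delim = b"--" + boundary.encode("ascii")
    return sum(1 for line in body.split(b"\r\n") if line in (delim, delim + b"--"))


def scan(raw_msg: bytes) -> Dict[str, object]:
    """Summarise what a correctly de-folding scanner sees for one message."""
    msg = message_from_bytes(raw_msg, policy=default)
    boundary = msg.get_boundary()
    parts = len(msg.get_payload()) if msg.is_multipart() else 1
    return {
        "boundary": boundary,
        "parts": parts,
        "delimiters": count_delimiters(raw_msg, boundary) if boundary else 0,
        "flagged": boundary is not None and boundary_has_whitespace(boundary),
    }


if __name__ == "__main__":
    for name, sample in (("folded", FOLDED_MSG), ("spaced", SPACED_MSG)):
        print(name, scan(sample))
```

The delimiter count is the useful cross-check: if a scanner's own de-folding had left whitespace in the boundary it extracted, that boundary would match none of the body's delimiter lines, which is a cheap way to tell a parsing error from a message that genuinely carries an odd boundary.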
[Declude.Virus] Bypassing whitelist (German Spam)
I have this set in my global file:

BYPASSWHITELIST bypasswhitelist 30 8 0 0

As I understand it, it will bypass the whitelist (whether it is due to whitelistauth or autowhitelist being on) if the weight is at least 30 and there are 8 recipients. The German spam is getting through because many of the forged senders are in the address books of the recipients - it also appears that they are sending to fewer than 8 people at once. Is there any other way I can get tests (or actually one specific test - the German filters) to run regardless? Anyone have any suggestions on this one? I'm stumped.

Thanks - Marc
[Declude.Virus] WinZip Companion for Outlook (OT)
This is going to be a problem for me if it catches on: people will think it is cool to password their zip files, and since I block them... Just thought I'd give the group a heads up in case any of you automatically block encrypted files as well.

"A choice of Zip 2.0 or 128- or 256-bit AES encryption. AES encryption provides much greater cryptographic security than the traditional Zip 2.0 encryption method used in earlier versions of WinZip. Encryption applied to an attachment is done when the file is zipped. The recipient of the attachment must then use a password to extract the contents from the Zip file. The Companion's advanced encryption (FIPS-197 certified) uses the Rijndael cryptographic algorithm which, in 2001, was specified by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 197 as the Advanced Encryption Standard (AES). Note: Recipients to whom you send AES-encrypted Zip files must have a compatible Zip file utility, such as WinZip 9.0, in order to decrypt the files."

Marc
Re: [Declude.Virus] HiJack Question
John,

Been there.. doing that. My concern is that Customer #2's email will be incorrectly blocked due to DECCON's "memory". I felt it would be safer to stop the SMTP service before killing the deccon instance.

-M---
"Problems are only opportunities in work clothes." -- Henry J. Kaiser

----- Original Message -----
From: John Tolmachoff (Lists)
To: Declude.Virus@declude.com
Sent: Monday, February 07, 2005 2:53 AM
Subject: RE: [Declude.Virus] HiJack Question

First, you should be actively monitoring the HOLD2 directory. There are some scripts on the Declude Tools site that can be used for this. Second, you do not need to cycle the SMTP service. However, you will have to rename the HOLD2 files if you want to release them and then manually move them.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc
Sent: Sunday, February 06, 2005 11:12 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] HiJack Question

Scenario: Dialup ISP using dynamic IP allocation. Customer #1 using IP address 1.2.3.4 trips threshold #2. Logs off. Customer #2 logs on and obtains the same IP that customer #1 had (1.2.3.4). My understanding is that HiJack will block Customer #2's outbound email as well, at least until the Declude Console (DECCON.EXE) is closed.

Question: If this is true, is it acceptable practice to clean up HOLD2, stop the SMTP service, kill the DECCON PID and restart the SMTP service?

Thx.
-M---
"The toughest part of getting to the top of the ladder, is getting through the crowd at the bottom." -- unknown
[Declude.Virus] HiJack Question
Scenario: Dialup ISP using dynamic IP allocation. Customer #1 using IP address 1.2.3.4 trips threshold #2. Logs off. Customer #2 logs on and obtains the same IP that customer #1 had (1.2.3.4). My understanding is that HiJack will block Customer #2's outbound email as well, at least until the Declude Console (DECCON.EXE) is closed.

Question: If this is true, is it acceptable practice to clean up HOLD2, stop the SMTP service, kill the DECCON PID and restart the SMTP service?

Thx.
-M---
"The toughest part of getting to the top of the ladder, is getting through the crowd at the bottom." -- unknown
RE: [Declude.Virus] wuaurlt.exe
I also run Crap Cleaner - it can be set to clean the prefetch, temp Internet files, C:\Documents and Settings\User\Local Settings\Temp and more. It has helped me get virus/Trojan files that won't otherwise delete. The online scan from Trend Micro is also a great help. It has been a great help in conjunction with Spybot and SpywareBlaster in addition to some custom registry keys. I hope people will forgive me for posting the link. PS I have nothing to do with the company and it is a free utility. It is just a great little tool that can run at startup and prevent some of those Trojans from getting started. http://www.ccleaner.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Tuesday, December 14, 2004 3:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] wuaurlt.exe

On 14 Dec 2004 at 11:19, Colbeck, Andrew wrote:

Thanks Andrew! You are sharp. I spent quite a bit of time on Google and on the AV sites without any results.

-Nick

Subject: RE: [Declude.Virus] wuaurlt.exe
Date sent: Tue, 14 Dec 2004 11:19:50 -0800
Priority: normal
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Send reply to: [EMAIL PROTECTED]

I've seen a variant of RBOT that was similar; the naming format is trying to confuse you that it is part of Windows Update, which is wuauserv.exe. There is a gray area between the antivirus scanners and the spyware scanners in picking this stuff up. You'll want to get that machine patched, the registry cleaned for the HKLM, HKDU and the HKCU for whomever was logged in when it ran. If the affected OS has one, you'll also need to empty the %windir%\prefetch folder, as some antivirus scanners won't find it because the extension is renamed (or they have a blind spot for that folder). Since this worm has a dropper and an active component, you'll need to clean out both.

If your antivirus scanner isn't picking it up, you can use: http://housecall.trendmicro.com which downloads an ActiveX control version of their scanner, which will do a full sweep of the local hard drive.

And yes, this TrendMicro name does have aliases. Depending on which vendor you talk to, you'll also see it as GAOBOT or SDBOT. This specific name has no alias, according to this site, which is the only one I know of that tracks the virus lingo across vendors: http://www.virusbtn.com/resources/vgrep/index.xml

There is also this site, to which you can upload a virus to have it checked by multiple vendors' scan engines and email you a report. Some engines have been removed due to legal pressures: http://www.virustotal.com/flash/index_en.html

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Tuesday, December 14, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] wuaurlt.exe

On 14 Dec 2004 at 12:31, Nick wrote:

Has anyone seen or heard of a virus/worm that uses this file? It seems to be attacking several PCs at my day job..

As a follow up - I just found this - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.ADGVSect=T

Nothing on McAfee or F-Prot though. Is there an alias that exists?

Thanks again -
-Nick
Re: [Declude.Virus] about Imail1.exe security issue
Same here after the update to 8.14 and HF1.

marc

At 15:57 24.11.2004, you wrote:

We had the same issue, then it mysteriously got fixed. Imail was aware of it as we had opened a ticket. Every time this would happen, the affected domain registry entry would have some weird users and entries (don't recall exactly, but if you search the archives you will find the post).

PV

----- Original Message -----
From: Mike Wiegers [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 9:09 AM
Subject: RE: [Declude.Virus] about Imail1.exe security issue

This is odd, odd because my server has this problem also and I called Ipswitch about it and they said that my server was the only one having the problems. It had it several months ago (and I called) and then it started again (and I called). Those are the only calls to tech support in the past several years for my SA. I will read the posts to find out more about this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Wednesday, November 24, 2004 7:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] about Imail1.exe security issue

We had the same issue a few months ago. I suspected a problem from Declude because the addresses that appear in the open imail1 window looked like ones that would be generated by Declude notifications (or maybe imail gses?). Anyway, rebooting the server resolved the issue back then. Unfortunately, since upgrading to 8.13 (or 8.14, can't tell exactly, because I did both in less than 48 hours) the problem is coming again, and rebooting did not help this time. If you find a solution, let me know.

----- Original Message -----
From: Crejob.com [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 10:05 AM
Subject: [Declude.Virus] about Imail1.exe security issue

My Imail server keeps popping up a Create Mail Message; it seems that Imail1.exe is being exploited by someone to try to send out spam. I try to limit the imail1.exe user permissions, but this results in the webmail not being able to send out email. Any advice on how to solve this problem?

Regards
Brian
Re: [Declude.Virus] about Imail1.exe security issue
I think that's not by a client's PC virus. I just got the IP using imail1.exe to existing and non-existing users (217.255.255.100); searching the log*.txt, it's using different PC names.

Sorry about this post, because this is not a Declude issue.

marc

At 16:45 24.11.2004, you wrote:

I'm now quite sure that it is caused by a client's PC virus. I used the specific email string to search the sys*.txt log and found it came from one IP. I blocked this IP in my firewall, then this problem disappeared, but the problem is that from the IP I cannot identify the client's PC name, because the virus is using a forged PC name, and the IP is an ISP dynamic PC, so I also cannot find out who is infected by which virus. But this virus should be a big headache to IMAIL users.
Re: [Declude.Virus] about Imail1.exe security issue
You are right about the virus always changing the PC name, but it's very strange that it's sending to different domains on our imail!? Like dictionary attacks through webmail...

At 17:25 24.11.2004, you wrote:

Sorry, I don't get your meaning; why do you think it's not by a client PC virus? A virus always changes the PC name if using its own SMTP engine. Also, the IP may be a shared broadband connection in a network, and several PCs in the network may all be infected. In my case, I just found that IP is infected by:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
http://vil.mcafeesecurity.com/vil/content/v_130130.htm
Fwd: Re: [Declude.Virus] [Declude.JunkMail] Solution to death of IMail
Scott, it is never too late and I think you are right with the 90% of your customers.

marc

At 13:09 26.10.2004, you wrote:

[Replying to several posts here]

Here's a thought - what about a Declude mail server?

It sounds like a great idea, but it would also be a huge undertaking. By the time we had something ready, it could be too late.

What makes everyone think that Declude won't work with Ipswitch ICS? It almost certainly will. I think the concern is that about 90% of our customers will likely not be upgrading to ICS.

It's Declude holding me on this line. But even Declude showed certain things I can see now with IPSwitch/ICS. It's not completely the same story but customers in both cases are left in the dark and feel patronized by new features (collaboration, MTLD) they don't really need.

We will likely have more answers very soon.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Recommended Scanner
I couldn't get ClamAV to run on mine. May I ask what version of ClamAV you are using? When I installed it I couldn't figure out if it was in and Declude kept throwing me an error. What is your Declude config line?

Thanks - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Thursday, October 07, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Recommended Scanner

My personal scores from best to worst:

ClamAV (been only a week, but it hasn't missed one), and free. (Also catches some phish with prescan off.)
McAfee VirusScan (beats F-Prot on encrypted zips). Pretty reasonably priced if you can secure a DOS command-line-only license. (Also catches some phish with prescan off.)
F-Prot (catches more corrupted variants than VirusScan). Most expensive at $50 a year.
AVG (lags behind the others, especially with encrypted zips). $75 for two years.

I'll note that scanning speed isn't a consideration of mine. Others can comment on that.

----- Original Message -----
From: Brian Guenther [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 12:24 PM
Subject: [Declude.Virus] Recommended Scanner

From the list of virus scanners given in the Declude Virus Manual, is there one more preferred than the others, and why?
[Declude.Virus] GDI false Positive
I had a JPG held by Declude as:

X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability].

However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC.

User-Agent: Microsoft-Entourage/10.1.0.2006

Does he need to update his version? Or is it something else?

Marc
RE: [Declude.Virus] GDI false Positive
Thanks. Both JPGs held were sent by the same person - a graphic designer using a MAC. If that helps you change the code.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, September 29, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] GDI false Positive

> I had a JPG held by Declude as:
>
> X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability].
>
> However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC.
>
> User-Agent: Microsoft-Entourage/10.1.0.2006
>
> Does he need to update his version? Or is it something else?

The problem is that Microsoft decided not to give out any information on how to detect the exploit. The person that discovered the exploit, however, provided details on how the exploit could be detected. There was, unfortunately, a flaw in the detection method, causing occasional false positives (in our tests, about 1 in 1,000 legitimate JPEG files was getting caught as a result). We are planning to change the detection code to use our own (more complex) method.

-Scott
RE: [Declude.Virus] Fprot GDI Scanner lines.
Installed Declude Virus 1.80 (restarted IMail SMTP) and, sending the infected JPEG jpegcompoc.zip (http://www.gulftech.org/?node=downloads), it was not automatically detected and goes through, using F-Prot 3.15B updated.

virus.cfg:

SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
# SKIPEXT GIF
# SKIPEXT JPG
SKIPEXT TXT
SKIPEXT MPG
SKIPEXT PNG

A desktop AV F-Prot 3.15B (same version and updates) detects the JPEG exploit.

Any ideas?

marc

At 23:31 27.09.2004, you wrote:
> > Same here. Is there a way to make F-Prot w\Declude catch these?
>
> The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit.
>
> -Scott
RE: [Declude.Virus] Fprot GDI Scanner lines.
Uwe is right: http://www.f-prot.com/news/gen_news/040924_release_all.html

"New versions of F-Prot Antivirus for Exchange and of F-Prot Antivirus for DOS will be released in the next few days."

3.15B is just Windows upgraded. But I understand that the new release of Declude Virus will automatically detect the JPEG exploit!?

marc

At 14:18 28.09.2004, you wrote:
> Hi Uwe:
>
> I am not sure where you are seeing 3.15A - I downloaded the B version last week by logging into our account on the F-Prot site.
>
> Kami
RE: [Declude.Virus] Attack?
I am with Kris, that's a great solution; we are just in planning here. And of course, deleting all nobody aliases...

marc.

At 19:17 21.09.2004, you wrote:
> I had two gateways running Declude, both boxes were Dual Xeon 2.8GHz, 2GB RAM, 3x36GB 15K SCSI, 128MB RAID controller, and both boxes could not handle the load when this happened to me. In the last week and a half I put up a Postfix (Imgate) gateway. This one box is doing what 2 of the others could not do. I take in about 3.1 million messages a day at a 98% reject rate! So in my opinion Postfix at the gateway level is the only way to go. I still run Declude Virus Pro on my mailbox server and am very satisfied.
>
> Thanks,
> Kris McElroy
> [EMAIL PROTECTED]
> Chief Technology Officer
> Duracom, INC.
> www.duracom.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze
> Sent: Tuesday, September 21, 2004 11:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Attack?
>
> I've seen this happening with us for a while now. I started tracking the IP addresses to try and have IMail block them, but I would have to enter them manually and wasn't going to do that. Way too many. Hahaha.
>
> I think the only way to really fix this (what I've been looking at and trying to implement) is to set up a Postfix mail gateway for messages as they come in and have them checked against a database of good e-mail accounts (can be edited locally or looked up via LDAP). If they're legit, they're forwarded to the IMail server. If not, they're dropped at the gateway. Just been busy with other things to try and track this how-to down.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stan Buck
> Sent: Tuesday, September 21, 2004 11:50 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Attack?
>
> For three days now we've been getting these emails addressed to random strings every few minutes. IPs keep changing. Sometimes one mail per IP, sometimes several. What is this? Zombie computers? Forged IPs? And how many hits are you going to get with random strings?
>
> 09:21 00:00 SMTPD(54FA0120) [10.0.0.109] connect 216.167.161.91 port 34112
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] EHLO pop3.nts-online.net
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] MAIL FROM:
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] RCPT TO:[EMAIL PROTECTED]
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] ERR mdchildcare.org invalid user [EMAIL PROTECTED]
> 09:21 00:01 SMTPD(56180120) [10.0.0.109] connect 131.103.218.79 port 20368
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] HELO mail15a.boca15-verio.com
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] MAIL FROM:
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] RCPT TO:[EMAIL PROTECTED]
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] ERR mdchildcare.org invalid user [EMAIL PROTECTED]
> 09:21 00:14 SMTPD(6B9E0124) [10.0.0.109] connect 64.29.144.72 port 49234
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] EHLO mx305.megamailservers.com
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] MAIL From:
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] RCPT To:[EMAIL PROTECTED]
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] ERR mdchildcare.org invalid user [EMAIL PROTECTED]
> 09:21 00:14 SMTPD(6BB80124) [10.0.0.109] connect 206.190.36.133 port 20018
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] HELO mta137.mail.re2.yahoo.com
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] MAIL FROM:
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] RCPT TO:[EMAIL PROTECTED]
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] ERR mdchildcare.org invalid user [EMAIL PROTECTED]
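The log Stan posted has the shape of a distributed dictionary (directory-harvest) run: many source IPs, one or two RCPT TO attempts each, almost all rejected as invalid users. Jeff and Kris both arrive at the same mitigation, a gateway that knows the valid recipient list and drops the rest before IMail and the virus scanner ever see the message. As an added example, not part of the thread and not Declude or IMail code, here is a small Python parser for the IMail SMTPD log layout shown above that aggregates attempts per remote IP and flags that pattern so an operator can measure how much of the inbound load is harvest traffic. The log lines in the block are constructed (documentation IP ranges, example.org), and the thresholds in harvest_summary are assumptions to tune against real volume.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One IMail SMTPD log line: "HH:MM MM:SS SMTPD(connid) [ip] rest".
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d) (?P<elapsed>\d\d:\d\d) SMTPD\((?P<conn>[0-9A-Fa-f]+)\) "
    r"\[(?P<ip>[\d.]+)\] (?P<rest>.*)$"
)

# Constructed sample in the layout of the posted log: four remote hosts each probe
# one random-looking local part and are rejected; one host delivers to a real user.
SAMPLE_LOG = """\
09:21 00:00 SMTPD(54FA0120) [10.0.0.9] connect 192.0.2.10 port 34112
09:21 00:00 SMTPD(54FA0120) [192.0.2.10] EHLO mx.example.net
09:21 00:00 SMTPD(54FA0120) [192.0.2.10] MAIL FROM:<a@example.net>
09:21 00:00 SMTPD(54FA0120) [192.0.2.10] RCPT TO:<qzx81@example.org>
09:21 00:00 SMTPD(54FA0120) [192.0.2.10] ERR example.org invalid user qzx81@example.org
09:21 00:01 SMTPD(56180120) [10.0.0.9] connect 198.51.100.7 port 20368
09:21 00:01 SMTPD(56180120) [198.51.100.7] HELO relay.example.com
09:21 00:01 SMTPD(56180120) [198.51.100.7] MAIL FROM:<b@example.com>
09:21 00:01 SMTPD(56180120) [198.51.100.7] RCPT TO:<ttv3k@example.org>
09:21 00:01 SMTPD(56180120) [198.51.100.7] ERR example.org invalid user ttv3k@example.org
09:21 00:14 SMTPD(6B9E0124) [10.0.0.9] connect 203.0.113.42 port 49234
09:21 00:14 SMTPD(6B9E0124) [203.0.113.42] EHLO mail.example.edu
09:21 00:14 SMTPD(6B9E0124) [203.0.113.42] MAIL From:<c@example.edu>
09:21 00:14 SMTPD(6B9E0124) [203.0.113.42] RCPT To:<alice@example.org>
09:21 00:15 SMTPD(6BB80124) [10.0.0.9] connect 192.0.2.77 port 20018
09:21 00:15 SMTPD(6BB80124) [192.0.2.77] HELO smtp.example.net
09:21 00:15 SMTPD(6BB80124) [192.0.2.77] MAIL FROM:<d@example.net>
09:21 00:15 SMTPD(6BB80124) [192.0.2.77] RCPT TO:<h7rrp@example.org>
09:21 00:15 SMTPD(6BB80124) [192.0.2.77] ERR example.org invalid user h7rrp@example.org
09:21 00:16 SMTPD(6BC10124) [10.0.0.9] connect 198.51.100.200 port 41000
09:21 00:16 SMTPD(6BC10124) [198.51.100.200] EHLO out.example.com
09:21 00:16 SMTPD(6BC10124) [198.51.100.200] MAIL FROM:<e@example.com>
09:21 00:16 SMTPD(6BC10124) [198.51.100.200] RCPT TO:<m2ww0@example.org>
09:21 00:16 SMTPD(6BC10124) [198.51.100.200] ERR example.org invalid user m2ww0@example.org
"""

# Constructed control: one legitimate host, two accepted recipients, no rejections.
BENIGN_LOG = """\
09:30 00:00 SMTPD(70000001) [10.0.0.9] connect 203.0.113.42 port 51000
09:30 00:00 SMTPD(70000001) [203.0.113.42] EHLO mail.example.edu
09:30 00:00 SMTPD(70000001) [203.0.113.42] MAIL FROM:<c@example.edu>
09:30 00:00 SMTPD(70000001) [203.0.113.42] RCPT TO:<alice@example.org>
09:30 00:00 SMTPD(70000001) [203.0.113.42] RCPT TO:<bob@example.org>
"""


@dataclass
class HostStats:
    helo: str = ""
    rcpt: int = 0                 # RCPT TO commands seen from this remote IP
    invalid: int = 0              # "invalid user" rejections for this remote IP
    rejected: list = field(default_factory=list)  # rejected recipient addresses


def parse_smtpd_log(text):
    """Aggregate recipient attempts and invalid-user rejections per remote IP."""
    stats = defaultdict(HostStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, rest = m["ip"], m["rest"]
        upper = rest.upper()
        if upper.startswith("CONNECT "):
            continue  # bracketed IP here is the local interface; later lines carry the remote IP
        host = stats[ip]
        if upper.startswith(("EHLO ", "HELO ")):
            host.helo = rest.split(None, 1)[1]
        elif upper.startswith("RCPT TO:"):
            host.rcpt += 1
        elif "INVALID USER" in upper:
            host.invalid += 1
            host.rejected.append(rest.rsplit(None, 1)[-1])
    return dict(stats)


def harvest_summary(stats, min_hosts=3, min_reject_ratio=0.75):
    """Flag a distributed harvest: many rejecting IPs and a high invalid-user ratio."""
    total_rcpt = sum(h.rcpt for h in stats.values())
    total_invalid = sum(h.invalid for h in stats.values())
    rejecting = sorted(ip for ip, h in stats.items() if h.invalid)
    ratio = total_invalid / total_rcpt if total_rcpt else 0.0
    return {
        "total_rcpt": total_rcpt,
        "invalid_user": total_invalid,
        "distinct_rejecting_ips": len(rejecting),
        "reject_ratio": round(ratio, 2),
        "distributed_harvest": len(rejecting) >= min_hosts and ratio >= min_reject_ratio,
    }


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(label, harvest_summary(parse_smtpd_log(log)))
```

The per-IP view is what makes the pattern visible: each host alone looks like a single typo, and only the aggregate (distinct rejecting IPs against the invalid-user ratio) separates a harvest from normal bounce noise. The same recipient-validity data the gateway in Kris's setup uses to reject is what produces the rejection lines this parser counts.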
Re: [Declude.Virus] strange zip file
Apparently it's another variant of the ubiquitous Bagle worm.

http://www.eweek.com/article2/0,1759,1633739,00.asp

-M

----- Original Message -----
From: Bob McGregor
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:18 PM
Subject: Re: [Declude.Virus] strange zip file

It appears as though Frisk is calling it Virus Name: HTML/[EMAIL PROTECTED]

On Monday, August 9, 2004 1:16 PM, Andy Schmidt [EMAIL PROTECTED] wrote:
> Hi:
>
> As far as I can tell, it's been discovered by McAfee for a few hours (as usually is the case, when I see these exchanges on this list)!
>
> 08/09/2004 13:30:51 Qb4c66687008ebd6f Scanner 1: Virus= the W32/Bagle.aq!zip Attachment=price2.zip [17] O
> 08/09/2004 13:30:51 Qb4c66687008ebd6f Test3.3f3b3684.1.zip.5932.4.predef.declude.com the W32/Bagle.aq!zip price2.zip
> 08/09/2004 13:30:51 Qb4c66687008ebd6f File(s) are INFECTED [ the W32/Bagle.aq!zip: 13]
> 08/09/2004 13:30:51 Qb4c66687008ebd6f Scanned: CONTAINS A VIRUS [MIME: 2 6058]
> 08/09/2004 13:30:51 Qb4c66687008ebd6f From: [Forged] To: [EMAIL PROTECTED] [outgoing from 65.118.130.2]
>
> Best Regards
> Andy Schmidt
> HM Systems Software, Inc.
> 600 East Crescent Avenue, Suite 203
> Upper Saddle River, NJ 07458-1846
> Phone: +1 201 934-3414 x20 (Business)
> Fax: +1 201 934-9206
> http://www.HM-Software.com/
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze
> Sent: Monday, August 09, 2004 02:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] strange zip file
>
> Have also received price.zip and price_08.zip. I've ended up blocking all zip files until defs are updated (not running Declude Pro).
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Monday, August 09, 2004 1:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] strange zip file
>
> > We just received a strange zip file with the files as follows
> >
> > price/price.exe
> > price.html
>
> This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).
>
> -Scott
[Declude.Virus] OT: F prot as a desktop scanner
I've been happy with F-Prot on the mail server and, since I know many people are using it on their servers as well, I was wondering if anyone has it deployed on their users' machines. If so, I'd like to know how well it does on regular Windows XP machines. You can't beat the price.

Thanks - Marc
RE: [Declude.Virus] OT: Hello?
Hi Sharyn. I haven't seen anything today either; maybe everyone in the north-east is out looking at that strange yellow object in the sky (the sun) and trying to dry out.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
Sent: Thursday, July 29, 2004 12:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.Virus] OT: Hello?

I haven't rec'd anything from either of these lists today?

Sharyn
RE: [Declude.Virus] Another Variant??!
They are still getting through to my users. Even though... Any way to banexten on this one? Something like

BANNAME *prudentialrand.com.zip

or

BANEXT com.zip

It is creating some confusion and I'm not sure if it's a viable virus that is getting through or not. I'd like to stop it regardless.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, July 26, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Another Variant??!

----- Original Message -----
From: Jeff Maze [EMAIL PROTECTED]

> Anyone else see this one yet?

Yep, seen lots of them, and all are being detected by McAfee, TrendMicro, F-Prot, BitDefender, and ClamAV.

Bill
[Declude.Virus] Blocking the files in mydoom
I am running Declude 1.79 and this is in my CFG file:

BANEZIPEXTS ON
BANEXT com

In desperation I have added:

BANNAME prudentialrand.com
BANNAME prudentialrand.com.zip
BANNAME prudentialrand.zip
BANNAME [EMAIL PROTECTED]
BANNAME *prudentialrand.com.zip

The files are still getting through to my users. Any suggestions? An IMail rule maybe?
RE: [Declude.Virus] Another Variant??!
Sorry - yes, virus defs are up to date. I have blocked .zip files for now. I think that they are non-viable files that are slipping through, but I need to stop them as all my users want to know what is going on... I will remove the erroneous entries from my config file.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, July 26, 2004 3:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Another Variant??!

> They are still getting through to my users. Even though... Any way to banexten on this one?

That all depends on what you are trying to ban:

> Something like BANNAME *prudentialrand.com.zip

That won't work, because BANNAME doesn't use wildcards.

> BANEXT com.zip

That won't work either, because com.zip isn't an extension.

> It is creating some confusion and I'm not sure if it's a viable virus that is getting through or not. I'd like to stop it regardless.

Are your virus definitions up-to-date? I would suggest manually downloading the latest virus definitions (for example, if you only check once a day, you probably won't detect Mydoom.O).

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
Something must be broken or something must be unusual about this file. I just added

BANEXT ZIP

It is catching other files that I have banned. And I was able to forward this file ([EMAIL PROTECTED]) to myself from a user that sent it to me. Does Declude treat a forwarded file differently somehow? CRAP. Maybe I should go back to the last beta...

I am using F-Prot and I updated it about noon, and I'm using an interim downloaded about three days ago.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of marc catuogno
Sent: Monday, July 26, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Blocking the files in mydoom

> I am running Declude 1.79 and this is in my CFG file:
>
> BANEZIPEXTS ON
> BANEXT com
>
> In desperation I have added:
>
> BANNAME prudentialrand.com
> BANNAME prudentialrand.com.zip
> BANNAME prudentialrand.zip
> BANNAME [EMAIL PROTECTED]
> BANNAME *prudentialrand.com.zip
>
> The files are still getting through to my users. Any suggestions? An IMail rule maybe?
RE: [Declude.Virus] Blocking the files in MyDoom
I was just putting the relevant lines in (or what I thought was relevant). I am blocking many extensions. I am trying to make sure this file isn't getting through. It is my belief (hope) that the files getting through are non-viable because:

07/26/2004 15:49:04 Q602e069800d0e086 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
07/26/2004 15:49:04 Q602e069800d0e086 Deleting file with virus
07/26/2004 15:49:04 Q602e069800d0e086 Deleting E-mail with virus!

Mydoom.O has been getting caught. I just want to stop the damn files from getting through to my users so a virus can't slip through and so they don't panic and e-mail/call me to death. I am also concerned that I can't seem to ban this file from getting through by any means. Anything to stop double file extensions? I'd like to get this stopped ASAP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, July 26, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocking the files in MyDoom

You are way behind the times if all you block are com files. What about exe, bat, cmd and a list of others?

Also, I have temporarily blocked all zip files, as I am seeing quite a few that are not being caught by banned extension or F-Prot or AVG. I am investigating these.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of marc catuogno
Sent: Monday, July 26, 2004 12:39 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Blocking the files in mydoom

> I am running Declude 1.79 and this is in my CFG file:
>
> BANEZIPEXTS ON
> BANEXT com
>
> In desperation I have added:
>
> BANNAME prudentialrand.com
> BANNAME prudentialrand.com.zip
> BANNAME prudentialrand.zip
> BANNAME [EMAIL PROTECTED]
> BANNAME *prudentialrand.com.zip
>
> The files are still getting through to my users. Any suggestions? An IMail rule maybe?
RE: [Declude.Virus] Blocking the files in mydoom
Thanks Scott. I'm not totally brain dead (only partially); it was definitely a zip file. I did mistype in my haste to ban the .zip files. I ran a manual F-Prot update moments ago and it is all up to date. I am now blocking all zip files for now.

Any chance wild cards or double extensions can be added to the wish list for Declude Virus? Maybe even a BANZIPEXT ON (not just e-zip) so that people can get zipped .JPGs but not zipped .exe's.

Thanks - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, July 26, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocking the files in mydoom

> Something must be broken or something must be unusual about this file. I just added BANEXT ZIP. It is catching other files that I have banned. And I was able to forward this file ([EMAIL PROTECTED]) to myself from a user that sent it to me. Does Declude treat a forwarded file differently somehow? CRAP.

No, the forwarded files are not treated differently. Does the E-mail you received (the one you forwarded) have a .ZIP file attachment? Are you sure it is .ZIP?

> I am using F-Prot and I updated it about noon, and I'm using an interim downloaded about three days ago.

Noon EST? If so, I would recommend downloading the virus definitions again. The date of them should be July 26 or later.

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
http://www.informationweek.com/story/showArticle.jhtml?articleID=25600493

According to this it is double zipping, so the only way I can think of stopping it is by banning .zip files completely.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, July 26, 2004 5:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Blocking the files in mydoom

Please excuse me, but I'm having trouble figuring out exactly what is going on here. It sounds like this virus is double-zipping files, and that this technique is tricking the virus scanners. Is that correct? If so, BANZIPEXTS, which will by default ban double-zips in addition to other banned extensions, is presumably the best work-around? If not that, then custom filters in Declude?

I'm seeing a fair number of MyDoom.M (F-Prot)/MyDoom.N (McAfee), but no MyDoom.O that the scanners have picked up on. Am I missing something?

Thanks,

Matt

R. Scott Perry wrote:
> > Maybe even a BANZIPEXT ON (not just e-zip) so that people can get zipped .JPGs but not zipped .exe's
>
> BANZIPEXTS ON is in v1.79. For any file extension that you ban with the BANEXT option, it will then be blocked if it is in a .ZIP file as well.
>
> -Scott

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
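Matt's question (is double-zipping what gets these past the banned-extension check?) and Marc's wish for a ban on double extensions both come down to the same defensive step: look at what is actually inside a zip attachment, recursively, instead of trusting its outer name. As an added example, not Declude's code and not from anyone on the list, here is a Python routine that opens a zip in memory, recurses into nested zips up to a depth limit, and reports banned final extensions, double extensions such as prudentialrand.com.zip, and encrypted entries that no content scanner can inspect. The extension lists, the depth limit and the sample archive (whose ".com" member is an inert text placeholder, not a program) are constructed for this example.

```python
import io
import zipfile

# Extensions treated as executable content; the list mirrors the BANEXT idea
# and is an assumption for the example, not Declude's default list.
BANNED_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}
# Extensions that make an inner ".xxx" look like a second extension.
KNOWN_EXTS = BANNED_EXTS | {"zip", "jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "htm", "html"}


def name_findings(name, banned=BANNED_EXTS):
    """Reasons a member name is suspicious: a banned final extension, or a
    double extension such as 'prudentialrand.com.zip' or 'photo.jpg.exe'."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in banned:
        reasons.append(f"banned extension .{parts[-1]}")
    if len(parts) >= 3 and parts[-2] in KNOWN_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return reasons


def inspect_zip(data, path="", depth=0, max_depth=2):
    """Walk a zip (as bytes) and return (member_path, reason) findings.
    Nested zips are opened in memory down to max_depth levels; encrypted
    members are reported because their content cannot be examined."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path or "<attachment>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = f"{path}/{info.filename}" if path else info.filename
            for reason in name_findings(info.filename):
                findings.append((entry, reason))
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((entry, "encrypted entry, content cannot be scanned"))
                continue
            if info.filename.lower().endswith(".zip"):
                if depth + 1 > max_depth:
                    findings.append((entry, f"nested zip deeper than {max_depth} levels"))
                else:
                    findings.extend(inspect_zip(zf.read(info), entry, depth + 1, max_depth))
    return findings


def should_hold(findings):
    """Policy hook: hold the message if any finding was produced."""
    return bool(findings)


def _make_zip(entries):
    """Build a zip in memory from {name: bytes} (helper for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_double_zipped():
    """Constructed sample: an outer zip holding 'prudentialrand.com.zip', which
    in turn holds 'prudentialrand.com' (inert text standing in for a program)."""
    inner = _make_zip({"prudentialrand.com": b"placeholder text, not an executable"})
    return _make_zip({"prudentialrand.com.zip": inner})


def sample_clean():
    """Constructed sample: a zip holding a single image-named member."""
    return _make_zip({"photo.jpg": b"\xff\xd8placeholder jpeg bytes\xff\xd9"})


if __name__ == "__main__":
    for label, data in (("double-zipped", sample_double_zipped()), ("clean", sample_clean())):
        found = inspect_zip(data)
        print(label, "HOLD" if should_hold(found) else "PASS")
        for member, reason in found:
            print("  ", member, "-", reason)
```

Two details matter in practice. First, the outer name alone already gives a reason (the .com.zip double extension), so a name-only check would have caught this sample, but the inner .com member is only visible after unpacking, which is what a flat BANEXT on the outer attachment misses. Second, an encrypted member is reported as a finding in its own right rather than silently skipped, since an archive the scanner cannot read is exactly the case Scott Fisher ranked the scanners on.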
RE: [Declude.Virus] Bitdefender claims terror ties to virus
I agree, to a point. Right now there IS a vast network of zombies being used to send spam. If the virus writers sell or give access to spammers, they could be giving access to anyone, and these compromised computers could be used just as easily to launch a DDOS attack on infrastructure as they can to send spam.

If this story can encourage my users, and others, to put the equivalent of plastic and duct tape on their PCs by making sure they have updated virus software, patched Windows, put at least a simple router between their computer and high speed connection, run spyware scans, disabled file sharing and so on, then I will forward it along. It may be a bit alarmist, but it may get them to take the reasonable precautions that they should be taking anyway to keep their computers operational and reduce the risk that they will be compromised for any purpose.

I'll leave the real plastic, duct tape and so on to those who think it will help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, July 22, 2004 12:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Bitdefender claims terror ties to virus

I think it's just another individual with antisocial personality disorder (http://www.mentalhealth.com/dis1/p21-pe04.html) who will say or do anything in order to elicit a critical response from us. These guys love it when you draw the connection between them and terrorism and warn your users about the dangers of their code. If real terrorists wanted to be doing us harm, they wouldn't be futzing around with dime-a-dozen viruses, they would be building networks of zombies for powerful and extended DDOS attacks on infrastructure. Such tactics have already been done by a 16 year old circa 2001, so this may be beneath them. Real terrorists don't strive to become just simply a nuisance, but mentally ill social misfits will take whatever they can get. I however won't put it past some of these guys doing it just for fun.

I think it's best to put the plastic sheets and duct tape away for the time being :)

Matt

marc catuogno wrote:

> What do you guys think of this?
>
> http://antivirus.about.com/od/virusdescriptions/a/atakb.htm
>
> I've forwarded it to all my users, maybe they will take their computer security more seriously.
>
> Marc
RE: Re[2]: [Declude.Virus] Bitdefender claims terror ties to virus
Bonk bonk on the head... (yes it was Miri)

I'd just like to get more people thinking about securing their systems (as I have spent the last hour on a new agent's machine removing Ncase and all the other spyware), at least minimally, because it really is scary thinking about what a determined hacker could do with all these zombies. If I have to scare people into doing it, I can live with it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, July 22, 2004 1:34 PM
To: Markus Gufler
Subject: Re[2]: [Declude.Virus] Bitdefender claims terror ties to virus

On Thursday, July 22, 2004, 12:04:19 PM, Markus wrote:

>> Right now there IS a vast network of zombies being used to send spam. If the virus writers sell or give access to spammers, they could be giving access to anyone, and these compromised computers could be used just as easily to launch a DDOS attack on infrastructure as they can to send spam.

MG> This is why I really really hope that someone writes a Sasser-like worm with
MG> the only intention to activate something very nerve-racking on the infected
MG> machine. (5-minute popups or automatically deactivated hardware devices like
MG> mouse, printer, floppy, cdrom...)

<insanity>

Hey - what about a DNSBL that is fed by a worm? The worm goes out and infects as many machines as it can with as many methods as possible - then it reports back the IP to a central server and the server puts the IP in a DNSBL - then the worm goes to sleep to see if it can infect again another day...

What about worms that exploit holes in worms to kill the worms and then... no wait, that's been done...

</insanity>

Stuff like this comes up in brainstorming sessions here all the time - that doesn't make it a good idea. Putting on the black hat once in a while and looking for holes is a cornerstone of bulletproofing R&D... I know I'm glad I'm not working for the dark side...

I can't even say some of the things I've thought of - it just wouldn't be worth the risk of getting it out there - no telling who's listening.

Suffice to say, unsecured equipment is a bad thing and it needs to go away. Any way we can do that, without turning to the dark side, is a good thing.

Since no amount of cleanup will ever be perfect or complete, the other thing we will always need to do is strengthen the network against exploits... There are lots of ways to do this that just haven't been done... and politically may never be done... but I hope those things happen before we start writing white worms.

_M

I'm reminded of a Star Trek episode... Miri I think it was. They came across a handful of children - all that was left of an industrialized society that had attempted to cure mortality by releasing a series of viruses to alter their DNA and boost their immune systems. In the end, the viruses mutated so that anyone reaching puberty became very scary and died.

Sure, it's sci-fi - but if you can dream it, it can happen - so be careful what you wish for.
RE: [Declude.Virus] OT: Animal Messages with Viruses?
I am running 1.79 (I don't remember which interim but I will D/L the latest). I have in my global config:

BANEXT EZIP
BANEZIPEXTS ON

I am still getting some e-mails through. They are zip files of 67 bytes or so and don't seem to have anything in them, nor are they password protected. Any way to stop them other than using BANNAME on the following:

Cat.zip
Cool_MP3.zip
Dog.zip
Doll.zip
Fish.zip
Garry.zip
MP3.zip
Music_MP3.zip
New_MP3_Player.zip

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, July 20, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: Animal Messages with Viruses?

The newer Decludes should reject the .zip as an invalid .zip file with a size of 0.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 07/20/04 11:54AM >>>

Check the file size.. I've seen *animals*.zip with a zero file size that got through.. Looks like in instances like this, an outgoing mail server stripped the virus out of the zip and continued to deliver the message..

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Nitterauer
Sent: Tuesday, July 20, 2004 12:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: Animal Messages with Viruses?

Why won't Declude Virus catch these all the time? We have a lot getting through. Virus defs are updated hourly. Any ideas?

Jim Nitterauer
President
Creative Data Concepts Limited, Inc.
3 W. Garden Street
Suite 326
Pensacola, FL 32502
http://www.creativedata.net/
850-434-7645
800-607-6168

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Powner
Sent: Tuesday, July 20, 2004 11:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: Animal Messages with Viruses?

I think those are the new Bagle-AI virus. We have a Fortinet box that strips most of these before they ever get to Declude. The animal appears random. We've been seeing a lot of CAT.

Scott Powner

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Moose
Sent: Tuesday, July 20, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: Animal Messages with Viruses?

Dan,

We have received a few messages like this here the past couple of days. I haven't found anything on them either.

Justin Moose
Information Technology Manager
Sioux Valley Energy

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, July 20, 2004 8:29 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] OT: Animal Messages with Viruses?

Hello, All,

Has anyone seen an influx of messages with subjects, bodies and attachments related to animals that might contain a virus? I've seen such things as the snake and horse with attachments like fish.com, but I can't find anything about this on Symantec or the usual virus discussion arenas.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]
RE: [Declude.Virus] OT: Animal Messages with Viruses?
I checked a few out and figured they weren't dangerous and told everyone that they were corrupted or stripped attachments... but the support calls and e-mails about the passworded zip files that everyone got, what a waste of time, sigh.

I did a BANNAME on what was listed as possible file names for the latest virus. I'm just dreading the next one where I can't ban all of the possible names.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, July 21, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT: Animal Messages with Viruses?

> I am running 1.79 (I don't remember which interim but I will D/L the latest). I have in my global config:
>
> BANEXT EZIP
> BANEZIPEXTS ON

OK, that will ban encrypted .ZIP files, and .ZIP files that have files within them with banned file extensions.

> I am still getting some e-mails through. They are zip files of 67 bytes or so and don't seem to have anything in them, nor are they password protected. Any way to stop them other than using BANNAME on the following:

The problem is that these aren't viruses. At 67 bytes, they don't contain any actual data. Most likely, some bogus mailserver AV program detected the viruses that were in them, removed the viruses, but left the shell .ZIP file with nothing in it. Unfortunately, it isn't easy to block such E-mails (but fortunately, they are not at all dangerous).

-Scott
[Declude.Virus] Bitdefender claims terror ties to virus
What do you guys think of this?

http://antivirus.about.com/od/virusdescriptions/a/atakb.htm

I've forwarded it to all my users, maybe they will take their computer security more seriously.

Marc
RE: [Declude.Virus] Mcafee NetShield Problems
Start; Programs; Imail; Imail release notes - I'm really shocked that they don't put this in Imail admin or help or something...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Hahn
Sent: Wednesday, April 28, 2004 8:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mcafee NetShield Problems

How can I tell what hotfixes were applied to my system? I am on 8.1, I think I have HF2 (the latest). In the meantime I have disabled LDAP to see if that helps.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, April 28, 2004 3:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mcafee NetShield Problems

> I also opened drwatsn32. It is enabled and noticed an error in ldap:
> Application exception occurred: App: f:\imail\OpenLDAP\bin\slapd.exe (pid=1940)
>
> Imail 8.1 latest

Given this, I think this is one of the problems people are having with LDAP on IMail v8.10. I would recommend getting the latest hotfix from Ipswitch, if you have not yet done so.

-Scott
RE: [Declude.Virus] Deactivation
I believe you are in the same exact situation you were in before the trial. Imail would've passed on the spam and viruses too without Declude. I would buy it, really, it is the only thing saving my butt...

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mitch Hegstad
Sent: Wednesday, April 07, 2004 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Deactivation

I can't argue with that. I just wish I wasn't left in a worse situation than I was in prior to setting up Declude when it deactivated.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Wednesday, April 07, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Deactivation

One would think that prior to the 30 day trial one would purchase Declude and it would run forever!

At 12:20 PM 4/7/2004 -0400, you wrote:

> > What happens when the 30 days is up and Declude deactivates?
>
> At that point, mail will be handled almost exactly the same as it was before Declude was installed (the core Declude code will still run, but E-mail will be delivered exactly as it had been before).
>
> > Are the viruses passed on to the users?
>
> Correct. The Declude Virus code will not run, so viruses will not be detected, and will be delivered to users exactly as they would have been before the Declude Virus evaluation was installed.
>
> -Scott
RE: [Declude.Virus] A different view of banned files
I think this has been brought up a few times; I think it would be a good option as well once it is tweaked. You forgot PDF, txt, bmp, wks, wpd, ppt and maybe .zip : )

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Shadix
Sent: Tuesday, March 16, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] A different view of banned files

I would like to be able to reverse the logic of BANEXT and block all attachments except a small list of allowed ones.

ALLOWEXT doc
ALLOWEXT mdb
ALLOWEXT xls
ALLOWEXT pub
ALLOWEXT gif
ALLOWEXT jpg

That's all I can think of that I would allow, but if I noticed some being blocked I could easily add them. This follows the normal security logic.

I also would like to be able to save the banned e-mails in a separate folder from the known viruses.

Dan
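An added example, not Declude's code and not something any poster supplied, of the two policies compared in this thread: the BANEXT deny-list (everything passes unless its extension is listed) beside the ALLOWEXT allow-list Dan proposes (nothing passes unless its extension is listed). ALLOWEXT is the keyword from Dan's proposal, not a documented Declude option; the config text, file names and the policy evaluator are constructed for the example. The normalisation step drops trailing dots and spaces because the Win32 file APIs strip them when the attachment is saved, so "report.doc.exe." lands on disk as report.doc.exe.

```python
"""Attachment extension policy: deny-list (BANEXT) versus allow-list (ALLOWEXT).
Added example; the ALLOWEXT keyword follows the proposal in the thread above."""


def parse_policy(cfg_text):
    """Read Declude-style 'KEYWORD value' lines; '#' starts a comment.
    Returns (banned_exts, allowed_exts) as lowercase sets without the dot."""
    banned, allowed = set(), set()
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 2:
            continue                      # blank, comment, or not KEYWORD value
        key, val = parts[0].upper(), parts[1].lower().lstrip(".")
        if key == "BANEXT":
            banned.add(val)
        elif key == "ALLOWEXT":           # proposed keyword, not a Declude option
            allowed.add(val)
    return banned, allowed


def normalize_ext(filename):
    """Extension as Windows will treat the saved file: trailing dots and spaces
    are stripped by the Win32 API, and comparison is case-insensitive.
    'report.doc.exe.' -> 'exe'; 'README' -> ''."""
    name = filename.rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def verdict(filename, banned=frozenset(), allowed=frozenset()):
    """Allow-list present: default deny. Deny-list only: default allow."""
    ext = normalize_ext(filename)
    if allowed:
        return "ALLOW" if ext in allowed else "BAN"
    return "BAN" if ext in banned else "ALLOW"


def evaluate(cfg_text, filenames):
    """Apply one config to a batch of attachment names; returns {name: verdict}."""
    banned, allowed = parse_policy(cfg_text)
    return {f: verdict(f, banned, allowed) for f in filenames}


# Constructed samples: a deny-list like the ones posted, and Dan's allow-list.
DENY_CFG = "BANEXT exe\nBANEXT scr\nBANEXT pif\nBANEXT CEO\n# BANEXT zip\n"
ALLOW_CFG = "ALLOWEXT doc\nALLOWEXT mdb\nALLOWEXT xls\nALLOWEXT pub\nALLOWEXT gif\nALLOWEXT jpg\n"
SAMPLES = ["budget.xls", "Doc.EXE", "report.doc.exe.", "fish.com", "readme.txt", "README"]

if __name__ == "__main__":
    for label, cfg in (("deny-list", DENY_CFG), ("allow-list", ALLOW_CFG)):
        print(label, evaluate(cfg, SAMPLES))
```

The point the comparison makes is the one Dan calls "the normal security logic": under the deny-list, a new extension such as fish.com or a plain .txt passes until someone adds a BANEXT line for it, while under the allow-list anything not explicitly listed, including a file with no extension at all, is banned.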
[Declude.Virus] NAV 2003 catches passworded virus??
Sorry, I know I've brought this up before but I'm befuddled as to how plain old Norton Antivirus 2003 on my XP desktop using Outlook 2002 can pick up this virus within a passworded file without the password. This was held in the virus directory by Declude and I released it to see if it would be caught, and it was - before it was opened.

Again, this isn't really important, but I'd like to know how it is happening. Any theories???

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Document

Your file is attached.
Password -

This was the replacement attachment:

Norton AntiVirus removed the attachment: Info.zip. The attachment was infected with the [EMAIL PROTECTED] virus.

image001.jpg
RE: [Declude.Virus] NAV 2003 catches passworded virus??
I just did and NAV didn't catch it, but a quote from the e-mail is:

"This E-mail contains the test eicar.com file in a dynamic encoded .ZIP file. It is expected that no AV program will block this E-mail due to the eicar.com file in it."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Tuesday, March 16, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] NAV 2003 catches passworded virus??

On 16 Mar 2004 at 17:20, marc catuogno wrote:

Marc,

I do not have Norton so I cannot test it - have you sent to your desktop the EicarDynamicEncodedZip from Scott's site? Results?

http://www.declude.com/tools/mailsend.html

From what I understand static zips are easy; it's the dynamic zip/rars that are the challenge.

-Nick Hayer
RE: [Declude.Virus] NAV 2003 catches beagleJ in encrypted zip?
Plain old NAV 2003 on my Win XP workstation that scans e-mail - sorry for not being specific. BUT the weird thing is there was no e-mail with a PW. I had saved the file from one that had gotten through and attached it to an e-mail with only the word "test" in the body of the e-mail. I don't even have the PW to unzip it if I wanted to. I did rename the zip VIRUS.ZIP...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Sunday, March 07, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] NAV 2003 catches beagleJ in encrypted zip?

> I was trying to test the latest interim and when I tried to send myself a copy of the virus, NAV outbound scanning caught it even though it was passworded. I tried to unzip it to make sure and it does require a password. I didn't think they could detect it like that...

Is this a NAV E-mail gateway, NAV on a client that scans E-mail, or plain 'ole NAV that doesn't scan E-mail? The first two can detect Bagle.J in an encrypted .ZIP file by grabbing the password from the E-mail. But without the password (as is the case with a standard installation of NAV), it won't be able to detect it.

-Scott
RE: [Declude.Virus] NAV 2003 catches beagleJ in encrypted zip?
If you want I can send it to you; it isn't important but I found it curious. All I know is it is a virus, it is reported as beagle.j by NAV, it is in a passworded .zip file, there is nothing but the word "test" in the body of the e-mail, and it is caught by the e-mail scanning as it goes out.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Sunday, March 07, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] NAV 2003 catches beagleJ in encrypted zip?

> Plain old NAV 2003 on my Win XP workstation that scans e-mail - sorry for not being specific. BUT the weird thing is there was no e-mail with a PW. I had saved the file from one that had gotten through and attached it to an e-mail with only the word "test" in the body of the e-mail. I don't even have the PW to unzip it if I wanted to. I did rename the zip VIRUS.ZIP...

My guess then is that it isn't really Bagle.J, but is really Bagle.F or a similar one. The only way it would be able to accurately detect it would be to use a password cracker on the .ZIP file.

-Scott
[Declude.Virus] NAV 2003 catches beagleJ in encrypted zip?
I was trying to test the latest interim and when I tried to send myself a copy of the virus, NAV outbound scanning caught it even though it was passworded. I tried to unzip it to make sure and it does require a password. I didn't think they could detect it like that...
[Declude.Virus] Use Net Send to alert user of virus?
Does anyone have a way of doing this? I mean if scumware people and pornographers can use the Windows Messenger service, why can't I? I know it wouldn't always work, but most of the IPs I get in my virus notifications are from Road Runner or Cablevision. I'll bet more than half of those people could be reached by this method. I know that I don't have the time to contact many of them, but even if I could send a message "you have the netsky.d virus on your PC! go to www.sarc.com for removal instructions!" maybe I can cure a few potential zombies.
RE: [Declude.Virus] Update- New virus
I didn't see your last e-mail? What virus?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Wednesday, March 03, 2004 8:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Update- New virus

Hi;

Just to update my last email. The new virus is still not being caught by scanners:

Norton AV
McAfee
F-Prot
AVG

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning..

As of 8:31 EST we are now blocking it with the new features.

Regards,
Kami

In case it is of interest, this is what we have in our .cfg file so far.

virus.cfg entries:

BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEZIPEXTS ON

attachment: winmail.dat
[Declude.Virus] Passworded zip files still getting through!
F.Y.I. I am running the latest interim release: 1.78i.8 and have

BANEZIPEXTS ON

in my config file, but several people have complained to me that they are still getting the zipped files. I have added

BANEXT EZIP

in the hopes of stopping them all now.

Marc
RE: [Declude.Virus] Passworded zip files still getting through!
Sorry for my incomplete message; what I meant to say is that they are still getting PASSWORDED zip files. Even with the addition of BANEXT EZIP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Passworded zip files still getting through!

> F.Y.I. I am running the latest interim release: 1.78i.8 and have
>
> BANEZIPEXTS ON
>
> in my config file, but several people have complained to me that they are still getting the zipped files.

Please read the information on the list very, very carefully. That is the expected behavior. BANEZIPEXTS ON will *not* block .ZIP files, it will not block encrypted .ZIP files. Previous posts cover both this and the information you must include before we can assist with any issues related to these new features.

I apologize for my tone, but there is an incredible amount of work that needs to be done here, and a high volume of unnecessary posts that are going to cause people to leave the list that need the good information from this list.

-Scott
RE: [Declude.Virus] Passworded zip files still getting through!
Confirmed. I commented out

# BANEZIPEXTS ON

and left in:

BANEXT EZIP

I resent myself the virus and it was blocked.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Ryan
Sent: Wednesday, March 03, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Passworded zip files still getting through!

Scott, I think there may still be a problem with this. Hear me out. I've been running 1.75 waiting until the next full release. This morning, I downloaded 1.78i8 (and declude.exe -diag verifies this) to try to catch these ezip viruses. My virus.cfg previously had this (along with other BANEXT entries):

BANEXT scr
BANEXT pif
BANEXT vbs
BANEXT bat
BANEXT CEO
BANEXT EXE
BANEXT COM
BANEXT CMD

I updated it to this:

BANEZIPEXTS ON
BANEXT scr
BANEXT pif
BANEXT vbs
BANEXT bat
BANEXT CEO
BANEXT EXE
BANEXT COM
BANEXT CMD

I sent myself a zip with a password-protected .exe in it from a Yahoo account. It came through. I then tried your eicarencodedzip file from the web site and it too came through. The virus log shows this entry for the one I sent from Yahoo:

03/03/2004 11:06:49 Q029800550082312d Scanned: Virus Free [MIME: 2 147788]

And this for the one from your site:

03/03/2004 11:07:51 Q02d7003600222735 Scanned: Virus Free [MIME: 2 983]

I then removed the BANEZIPEXTS ON line and replaced it with BANEXT EZIP just so I could stop these things (I know this also now blocks EZIPs with non-BANned extensions inside). It now blocks both attachments I tested earlier and my Yahoo account gets my virus.eml message correctly. So I think there IS a problem with BANEZIPEXTS ON *and* extensions that have BANEXT type entries.

Anything I can do to help diagnose this? Just ask!

--Todd.

R. Scott Perry wrote:

>> F.Y.I. I am running the latest interim release: 1.78i.8 and have BANEZIPEXTS ON in my config file but several people have complained to me that they are still getting the zipped files.
>
> Please read the information on the list very, very carefully. That is the expected behavior. BANEZIPEXTS ON will *not* block .ZIP files, it will not block encrypted .ZIP files. Previous posts cover both this and the information you must include before we can assist with any issues related to these new features.
>
> I apologize for my tone, but there is an incredible amount of work that needs to be done here, and a high volume of unnecessary posts that are going to cause people to leave the list that need the good information from this list.
>
> -Scott
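The thread above tests what happens to a password-protected zip with an executable inside. The Python below is an added illustration, not Declude's code and not anything posted to the list. It shows the metadata-level check such a rule depends on: the ZIP central directory, including every entry's file name, is never encrypted, so a scanner can see a banned extension inside an encrypted archive without knowing the password. The in-memory archive builder, the policy model in verdict() and the banned-extension set (modelled on the BANEXT lines quoted above) are assumptions of this example; the "encrypted" archives it builds only carry the encryption flag, which is all a metadata check looks at.

```python
import io
import struct
import zipfile
import zlib
from pathlib import PurePosixPath

# Extensions treated as executable content; the set mirrors BANEXT lines quoted on the
# list (an assumption of this example, not a Declude default).
BANNED_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}


def build_zip(entries, encrypted=False):
    """Build a minimal stored (method 0) ZIP in memory. Constructed test data.

    With encrypted=True only general-purpose flag bit 0 is set; the payload is not
    actually ciphered. That is enough to exercise metadata-only checks, which is the
    point: a scanner never needs the password to read the central directory.
    """
    flag = 0x0001 if encrypted else 0x0000
    out = io.BytesIO()
    central = []
    for name, payload in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = out.tell()
        # Local file header (30 bytes) + name + data. DOS date 0x21 = 1980-01-01.
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0x21,
                              crc, len(payload), len(payload), len(name_b), 0))
        out.write(name_b)
        out.write(payload)
        # Central directory record (46 bytes) + name, written after all entries.
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag,
                                   0, 0, 0x21, crc, len(payload), len(payload),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    for record in central:
        out.write(record)
    cd_size = out.tell() - cd_offset
    # End of central directory record (22 bytes).
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), cd_size, cd_offset, 0))
    return out.getvalue()


def read_entry(data, name):
    """Extract one unencrypted entry; confirms the builder emits archives zipfile accepts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def inspect_zip(data):
    """List (name, extension, encrypted) for every entry from central-directory
    metadata alone. ZIP encryption covers file contents, never the file names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename,
                 PurePosixPath(info.filename).suffix.lower(),
                 bool(info.flag_bits & 0x0001))
                for info in zf.infolist()]


def verdict(data, banned_exts=BANNED_EXTS, block_all_encrypted=False):
    """Decide whether a ZIP attachment should be held. Returns (action, reason).

    Assumed policy model, not Declude's code: by default an archive is held when a
    banned extension is visible inside it, encrypted or not; block_all_encrypted=True
    additionally holds every encrypted archive regardless of contents, the blunter
    rule Todd fell back to with BANEXT EZIP.
    """
    entries = inspect_zip(data)
    banned_inside = [name for name, ext, _ in entries if ext in banned_exts]
    any_encrypted = any(enc for _, _, enc in entries)
    if banned_inside:
        return "HOLD", "banned extension inside archive: " + ", ".join(banned_inside)
    if any_encrypted and block_all_encrypted:
        return "HOLD", "encrypted archive rejected by policy"
    if any_encrypted:
        return "ALLOW", "encrypted, no banned extensions"
    return "ALLOW", "no banned extensions"


if __name__ == "__main__":
    sample = build_zip([("my_details.pif", b"MZ..."), ("readme.txt", b"hi")], encrypted=True)
    print(inspect_zip(sample))
    print(verdict(sample))
```

The check reads only the central directory, so it costs no decompression and works on archives whose contents a signature scanner cannot open; what it cannot see is a banned file hidden inside a nested archive, which is why the blunter "hold every encrypted zip" setting is the fallback when the extension rule is in doubt.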
[Declude.Virus] OT: Netsky pronunciation?
I saw a woefully inadequate report on this virus on Fox 5 NY last night - don't even get me started, do these reporters even talk to people who deal with viruses? Love how they report it as new yesterday - but anyway, the reporter called it "net-ski". I have been inclined to call it that as well. However, it occurred to me that it could be "net sky" (like Skynet from the Terminator reversed). I know the anti-virus companies can't even agree on names sometimes - but when I talk to people about it I'd like to give them the correct pronunciation.
[Declude.Virus] .PIF files being held instead of deleted?
I am running the latest beta 1.78. I have the following in my virus.cfg file:

BANEXT scr
BANEXT pif
BANEXT bat
BANEXT exe
DELETEVIRUSES ON

Yet I am still seeing e-mails with .PIF extensions being held in the virus subfolder. I'm concerned that these are making it this far. Shouldn't these just be deleted? This is a header from one such held e-mail:

Received: from prudentialrand.com [64.115.120.37] by mail.prudentialrand.com with ESMTP (SMTPD32-7.15) id A3981BD00DE; Mon, 01 Mar 2004 10:15:36 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: My details
Date: Mon, 1 Mar 2004 09:50:37 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_NextPart_000_0003_14FE.0C4E"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.115.120.37]
X-Declude-Spoolname: D539801bd00de78ce.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: None [0]
X-Country-Chain:
X-Note: This E-mail was sent from ([64.115.120.37]).

This is a multi-part message in MIME format.

--=_NextPart_000_0003_14FE.0C4E
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

See the attached file for details.

--=_NextPart_000_0003_14FE.0C4E
Content-Type: application/octet-stream; name=my_details.pif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=my_details.pif
RE: [Declude.Virus] BANEXT
That was a great list. I have the following extensions blocked as well:

BANEXT data
BANEXT link
BANEXT unk
BANEXT uue

I wish I remembered why - but I imagine it won't hurt...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Sunday, February 01, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANEXT

Good list, John. Thanks for sharing.

Darin.

----- Original Message -----
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 3:55 PM
Subject: RE: [Declude.Virus] BANEXT

> What are the recommended extensions to BAN?

http://www.eservicesforyou.com/documents/emailattachments.pdf

> How do you handle it if someone needs to send a file through...sometimes there will be legitimate files that need to be sent through.

I tell them to zip it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.Virus] A horrible idea - maybe it could work?
I know everyone hates the challenge response system BUT what if there was a way to adapt it for attachments? If an e-mail is sent with an attachment, the server sends a challenge to the supposed sender, who can verify or deny having sent it. Denial would delete the e-mail, verification would allow it to pass. Couldn't this type of system, widely adopted, stop the rampant spread of these worms? It would prevent the users who often open any attachments from ever having the chance.

Obviously once or if it does spread there would have to be a way to shut it off for certain attachments so as not to spam the forged senders, or maybe a third response: "I will not be sending an attachment to you for the next week, month, year, whatever", whereby this particular user's e-mails with attachments would be automatically deleted for that time period.

Sounds like this could be a bitch to program though... I dunno, I guess I'm just typing what I'm thinking, maybe I'm just posting this to start an argument or get flamed.

Marc
RE: [Declude.Virus] A horrible idea - maybe it could work?
Let's just say, for argument's sake, that you have the ability to only do this for specific attachments, like a .zip file. You don't want to do it for pictures or PDFs (until someone figures out how to infect these). All the Aunt Millies out there are probably not sending .zip or .exe files routinely, so they wouldn't automatically just confirm this. Even if it slows the spread enough to give the anti-virus companies time to update the defs it might be worth it.

There was maybe a 6 hour window between the time I was aware of the virus and the time I had updated defs; before that there were at least a couple of hours where I didn't know about it and a few infected .zip files got through my server. If they had been delayed waiting for a response to a challenge, or deleted by someone saying that they didn't send it, they would never have been delivered, sparing my users the possibility of infection. Even average users who received multiple "confirm you sent this attachment" messages would suspect that something was up and say no.

I'm not for increasing traffic, but I think something like this COULD save a lot of grief. The person who gets the first infection, accidentally or deliberately, could send out 100's of e-mails because of all the potential e-mail-like addresses from his cache and address book. Now consider the fact that with this type of system all of the viruses sent from invalid e-mail addresses would never get delivered because no one could verify them. Next consider all the people who don't check their e-mail every hour; those e-mails could be at least delayed until virus definitions could be updated. Then think about the people who would say no and have the virus deleted. I think this could reduce the spread exponentially, OR I could be sitting at home on a Saturday avoiding housework. You decide.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich
Sent: Saturday, January 31, 2004 2:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] A horrible idea - maybe it could work?

The biggest problem would be the Aunt Millie effect. Aunt Millie routinely sends e-mail to cousin Fred. Aunt Millie gets a response from cousin Fred's mail server, asking if she sent this e-mail with an attachment. Aunt Millie doesn't bother to actually read the statement and follows the information to deliver the mail whether she remembers it or not, and cousin Fred is infected.

Challenge/Response is ok for end users, but I don't see a real benefit for it with servers.

Rich

----- Original Message -----
From: marc catuogno [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 31, 2004 10:37 AM
Subject: Possible Spam: [Declude.Virus] A horrible idea - maybe it could work?

> I know everyone hates the challenge response system BUT what if there was a way to adapt it for attachments? If an e-mail is sent with an attachment the server sends a challenge to the supposed sender who can verify or deny having sent it. Denial would delete the e-mail, verification would allow it to pass. Couldn't this type of system, widely adopted, stop the rampant spread of these worms? It would prevent the users who often open any attachments from ever having the chance.
>
> Obviously once or if it does spread there would have to be a way to shut it off for certain attachments so as not to spam the forged senders or maybe a third response "I will not be sending an attachment to you for the next week, month, year whatever" thereby this particular user's e-mails with attachments would be automatically deleted for that time period.
>
> Sounds like this could be a bitch to program though... I dunno I guess I'm just typing what I'm thinking, maybe I'm just posting this to start an argument or get flamed.
>
> Marc
[Declude.Virus] FW: Your mail server sent us a virus
Scott - did you ever find these guys? They still don't get it...

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the the W32/[EMAIL PROTECTED] virus !!! virus that appears to have come from your mail server. It was sent in an attachment document.bat, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject . The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus. If this virus did originate from one of your users, you may want to consider adding virus protection to your mailserver. You can check the headers below to verify that the virus originated from your mailserver.

The headers from the E-mail are:

Received: from prudentialrand.com [65.160.6.2] by mail.toplineus.com with ESMTP (SMTPD32-7.07) id A36A225A007C; Fri, 30 Jan 2004 10:08:26 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
Date: Fri, 30 Jan 2004 10:16:03 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_NextPart_000_0008_E3290E97.E7FC4C52"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
[Declude.Virus] Partial (Fragmented) Vulnerability
Is there any way to disable the Partial (Fragmented) Vulnerability check?

Thx.

-Marc
RE: [Declude.Virus] new forging worm: Bagle
Wouldn't you want to also update your otherpostmaster.eml and sender.eml with:

SKIPIFVIRUSNAMEHAS Bagle
SKIPIFVIRUSNAMEHAS Beagle

To stop the bogus warnings?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Markus Gufler
Sent: Monday, January 19, 2004 08:27 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] new forging worm: Bagle

Today we've held some mails containing Bagle, a new mailworm:
http://vil.nai.com/vil/content/v_100965.htm

Please update your virus.cfg file with

FORGINGVIRUS Bagle

Looks like Symantec's name is Beagle, not Bagle. AVG, Symantec, NAI, F-Secure, Trend and Sophos have updates.

Markus
RE: [Declude.Virus] new forging worm: Bagle
AH! That is a nice feature that I must have missed! Gratzie!

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Markus Gufler
Sent: Monday, January 19, 2004 09:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] new forging worm: Bagle

> Wouldn't you want to also update your otherpostmaster.eml and sender.eml with:
>
> SKIPIFVIRUSNAMEHAS Bagle
> SKIPIFVIRUSNAMEHAS Beagle

No, because I've set in these files:

SKIPIFSENDER [Forged]

So I have to maintain only the forgingvirus list in the virus.cfg file.

Markus
RE: Re[2]: [Declude.Virus] SoBig more prolific now?
I have been doing that, but I have heard that IMAIL's CAL can only handle 100 IPs and I am running at about 90 now. Most of the offenders are from Optimum Online; I could block their whole IP range, but then I think my home Optimum users trying to POP or SMTP (maybe even Webmail) won't be able to connect to my machine. I can use the Declude IP blacklist, but that is not removing the processing time required.

When I get hit like I did on Friday, I call and e-mail Optimum, but they really haven't done anything. Usually within 2 or 3 days I get more SOBIGS from the same machine name (HIPHOPSOUNDS) with a slightly different IP. So when the cable modem keeps getting a different IP from cable, the machine can then blast me again. You would think Optimum would know who has leased an IP and then contact them, just in the interest of protecting their own network.

Stupid virus.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eje Gustafsson
Sent: Monday, September 08, 2003 10:43 AM
To: Jeff Pereira
Subject: Re[2]: [Declude.Virus] SoBig more prolific now?

If I were you and the infected machine connected directly to your mailserver, I would create a BAN in Imail for this IP to prevent it from even connecting and sending anything to your server.

/ Eje

Monday, September 8, 2003, 5:28:14 AM, you wrote:

JP> I have sort of resigned myself to just continue deleting them as they come in.
JP> Hopefully they will actually stop on the 20th.
JP> jp
JP>
JP> ----- Original Message -----
JP> From: Hermann Strassner [EMAIL PROTECTED]
JP> To: [EMAIL PROTECTED]
JP> Sent: Monday, September 08, 2003 3:59 AM
JP> Subject: RE: [Declude.Virus] SoBig more prolific now?
JP>
JP> > ...were sent to a single address on my domain at the rate of about 1 per minute. Does anyone know how fast it sends? Does it have anything to do with the speed of the infected computer? I'm just curious.
JP>
JP> I think it depends on the speed of the internet connection, and if it is fast enough, from the speed of the PC.
JP>
JP> Hermann

Best regards,
Eje Gustafsson
mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network
eFax : 240-376-7272
Phone : 620-231-
Fax : 620-231-4066
Online Store http://www.fament.com/catalog/
- Your Full Time Professionals -
[Declude.Virus] SoBig more prolific now?
Last night I got hammered with about 3,000 sobigs in the course of about 2 hours from one infected computer - it seems this particular computer had almost every address from my domain on it. This morning I got about 100 from another computer - the strange thing was that all 100 were sent to a single address on my domain at the rate of about 1 per minute. Does anyone know how fast it sends? Does it have anything to do with the speed of the infected computer? I'm just curious. When will people stop opening this attachment?
[Declude.Virus] Blocking SObig IPs
This may be a stupid observation, so bear with me please. As I was adding more and more IPs to the control access list something occurred to me. It seems that most of the offending IPs are from cablevision companies. If I could get the range of their dynamic IPs I could block them all, permanently. I doubt anyone would be using dynamic IPs to host a mail server at home, and if they are using a cable company's SMTP I doubt it would be listed as one of the dynamics. This would stop my server from ever getting mail from any virus that has its own SMTP engine. Also if this SoBig ever does update itself to send anonymous spam, those too won't hit my server. Would this prevent my users from performing an SMTP auth to send mail? Any thoughts on this?
[Declude.Virus] FW: Your mail server sent us a virus
Scott, can you bitch slap this moron? I've sent him three separate e-mails with detailed instructions (I think I even copied one to the list) on how to turn this off in Declude and he hasn't replied once. Maybe you have a better contact e-mail.

Marc

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 04, 2003 5:43 PM
To: [EMAIL PROTECTED]
Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the the W32/[EMAIL PROTECTED] virus !!! virus that appears to have come from your mail server. It was sent in an attachment thank_you.pif, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject Re: Approved. The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

The headers from the E-mail are:

Received: from DJHX0Y21 [68.193.182.54] by eastwestresorts.com with ESMTP (SMTPD32-7.13) id A1F34F800078; Thu, 04 Sep 2003 15:43:15 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Approved
Date: Thu, 4 Sep 2003 17:42:30 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_53E041C4
Message-Id: [EMAIL PROTECTED]
RE: [Declude.Virus] SoBig
I've been sticking the IPs into IMAIL's control access list as fast as they have been coming in. Declude reports them and I'm popping them in there, and I'm not sure I'm ever going to remove them.

Under local host > SMTP > second tab (SMTP security) > Control access button. You must stop and restart SMTP for the changes to take effect.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Spangenberg
Sent: Saturday, August 30, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] SoBig

Where are you denying those IP addresses...at your router I assume? I don't have control over that...is there anyplace else to enter an IP address to be denied? Imail? Declude?

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of serge
Sent: Friday, August 29, 2003 8:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] SoBig

thanks scott, i was able to select a dozen addresses and this is making a big difference !

SoBig senders
deny tcp host 200.93.136.5 any eq smtp
deny tcp host 81.192.2.130 any eq smtp
deny tcp host 80.11.225.195 any eq smtp
deny tcp host 80.11.225.123 any eq smtp
deny tcp host 80.14.187.188 any eq smtp
deny tcp host 193.253.189.90 any eq smtp
deny tcp host 217.128.120.96 any eq smtp
deny tcp host 194.167.144.29 any eq smtp
deny tcp host 196.1.100.215 any eq smtp
deny tcp host 212.62.54.13 any eq smtp
deny tcp host 213.154.90.82 any eq smtp
deny tcp host 213.154.70.180 any eq smtp
deny tcp host 141.155.142.158 any eq smtp
deny tcp host 217.136.255.62 any eq smtp
deny tcp host 200.93.136.5 any eq smtp
deny tcp host 217.136.255.62 any eq smtp
deny tcp host 63.126.131.20 any eq smtp

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 30, 2003 1:51 AM
Subject: Re: [Declude.Virus] SoBig

> is there a utility that will go thru the log and count the numbers of viruses per remote (or local) ip address? so i can block the most guilty addresses on my gateway ?

You might want to go to the spool directory at a command prompt, and type:

find "Received:" D*.SMD > file1.txt
sort file1.txt > file2.txt

Then, you can open file2.txt with Notepad and scroll through it to find the worst offenders. If you have several weeks or more of viruses in there, you may want to clear out the directory and only use new incoming viruses.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
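Scott's find/sort recipe above is the manual way to rank the quarantine spool by sender. The Python below is an added example, not Declude's code and not anything posted to the list: it does the same count programmatically and renders block entries in the router syntax serge posted. The spool contents, host names and addresses are constructed (RFC 5737 documentation ranges). It also enforces the caveat a practitioner wants here: only the topmost Received: header, the one your own server wrote, identifies the connecting IP; every Received: line below it arrived inside the message and is as forgeable as the From: address Sobig fakes.

```python
import re
from collections import Counter

# Constructed sample: text of a few quarantined spool files keyed by an IMail-style
# D*.SMD name. The Received: shape follows the lines quoted on the list; hosts and
# addresses are made up (RFC 5737 documentation ranges), not real senders.
SAMPLE_SPOOL = {
    "D0001.SMD": (
        "Received: from DJHX0Y21 [192.0.2.10] by mail.example.net with ESMTP\r\n"
        "  (SMTPD32-7.13) id A1; Thu, 04 Sep 2003 15:43:15 -0600\r\n"
        "From: alice@example.com\r\nSubject: Re: Approved\r\n\r\nbody\r\n"),
    "D0002.SMD": (
        "Received: from HIPHOPSOUNDS [192.0.2.10] by mail.example.net with ESMTP\r\n"
        "  (SMTPD32-7.13) id A2; Thu, 04 Sep 2003 15:44:02 -0600\r\n"
        "From: bob@example.com\r\nSubject: Your details\r\n\r\nbody\r\n"),
    "D0003.SMD": (
        "Received: from HIPHOPSOUNDS [192.0.2.10] by mail.example.net with ESMTP\r\n"
        "  (SMTPD32-7.13) id A3; Thu, 04 Sep 2003 15:45:10 -0600\r\n"
        "From: carol@example.com\r\nSubject: Thank you!\r\n\r\nbody\r\n"),
    # Genuine first hop from 198.51.100.7; the second Received: line was written by the
    # sending machine itself and must not be attributed to 203.0.113.5.
    "D0004.SMD": (
        "Received: from HOMEPC [198.51.100.7] by mail.example.net with ESMTP\r\n"
        "  (SMTPD32-7.13) id A4; Thu, 04 Sep 2003 15:46:00 -0600\r\n"
        "Received: from innocent.example.org [203.0.113.5] by HOMEPC with SMTP\r\n"
        "From: dave@example.com\r\nSubject: Re: Wicked screensaver\r\n\r\nbody\r\n"),
    # Topmost header written by a relay we do not operate: the connecting IP is unknown.
    "D0005.SMD": (
        "Received: from somewhere [203.0.113.9] by relay.example.org with ESMTP\r\n"
        "From: erin@example.com\r\nSubject: Re: Details\r\n\r\nbody\r\n"),
}

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)


def unfold_headers(raw):
    """Header block as logical lines: continuation lines (leading whitespace) are joined."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def connecting_ip(raw, our_hosts):
    """IP that opened the SMTP session to one of our hosts (lower-case names), or None.

    Only the topmost Received: header is trusted, because our own server wrote it.
    Every Received: line below it arrived inside the message and is as forgeable as
    the From: address that Sobig fakes.
    """
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.match(line)
            if m and m.group("by").lower() in our_hosts:
                return m.group("ip")
            return None
    return None


def top_offenders(spool, our_hosts, n=5):
    """Count quarantined messages per connecting IP, most frequent first."""
    counts = Counter()
    for raw in spool.values():
        ip = connecting_ip(raw, our_hosts)
        if ip:
            counts[ip] += 1
    return counts.most_common(n)


def acl_lines(offenders, min_count=2):
    """Router lines in the syntax serge posted, for IPs at or above a threshold.
    Review before applying and expire them later: cable and DSL addresses rotate."""
    return [f"deny tcp host {ip} any eq smtp" for ip, count in offenders if count >= min_count]


if __name__ == "__main__":
    worst = top_offenders(SAMPLE_SPOOL, {"mail.example.net"})
    print(worst)
    print("\n".join(acl_lines(worst)))
```

To run it against a real spool, replace SAMPLE_SPOOL with a dict built by reading each D*.SMD file, and put your own server's name in our_hosts. The threshold and an expiry date on the resulting entries matter because, as the thread notes, the infected cable-modem machines come back a few days later on a different address; a permanent list of single IPs fills up (IMail's CAL limit is mentioned above) without keeping the worm out.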
RE: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
I had to argue with an IMAIL admin with Declude for two days and had to e-mail him the damn otherpostmaster and sender .eml files before he would change them. I hope my change took effect... : )

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, August 30, 2003 2:19 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
Importance: High

After all this has been talked about, that Sobig forges the sender, this pisses me off. Do you not know how to add FORGINGVIRUS and SKIPIFVIRUSNAMEHAS to the config and e-mail files? Get your bleeping act together or forfeit your Declude software to someone who knows how to use it.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 29, 2003 7:58 PM
To: [EMAIL PROTECTED]
Subject: WARNING: YOU MAY HAVE A VIRUS

The Declude Virus software on lcs.net has reported that you sent an E-mail to [EMAIL PROTECTED], containing the Unknown Virus virus in the Unknown File attachment. The subject of the E-mail was Your details. The E-mail containing the virus has been quarantined to prevent further damage.

Headers Follow:

Received: from ARNOLDS_ROOM [160.36.73.149] by lcs.net with ESMTP (SMTPD32-7.07) id A2A72C08013C; Fri, 29 Aug 2003 22:57:43 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your details
Date: Fri, 29 Aug 2003 22:59:36 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_7E49D478
Message-Id: [EMAIL PROTECTED]
RE: [Declude.Virus] Your mail server sent us a virus: SOBIG FORGES
The Sobig virus forges the sender, as you should know. The Declude software allows you to indicate this in the bounce message to yourself by putting the line

    FORGINGVIRUS Sobig

in the virus.cfg file. It also allows you not to send this notification by putting the line

    SKIPIFVIRUSNAMEHAS Sobig

in both your otherpostmaster.eml file and your sender.eml file; open them in Notepad and paste the line at the very top. By sending these erroneous notifications out, you are adding to the problems that this virus creates.

I'd also like to make two suggestions:

1. Join the Declude mailing lists so you know how to better utilize your software. They are very helpful.

2. Also add the following to your sender and postmaster .eml files:

    SKIPIFVIRUSNAMEHAS Yaha
    SKIPIFVIRUSNAMEHAS Lentin
    SKIPIFVIRUSNAMEHAS Magistr
    SKIPIFVIRUSNAMEHAS Klez
    SKIPIFVIRUSNAMEHAS Vulnerability
    SKIPIFVIRUSNAMEHAS Bugbear
    SKIPIFVIRUSNAMEHAS Bridex
    SKIPIFVIRUSNAMEHAS Braid
    SKIPIFVIRUSNAMEHAS Palyh
    SKIPIFVIRUSNAMEHAS Fizzer
    SKIPIFVIRUSNAMEHAS Ganda
    SKIPIFVIRUSNAMEHAS Dumar

Good luck - Marc

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 30, 2003 9:01 AM
To: [EMAIL PROTECTED]
Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the "W32/[EMAIL PROTECTED] virus !!!" virus that appears to have come from your mail server. It was sent in an attachment details.pif, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject "Re: Wicked screensaver". The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

The headers from the E-mail are:

Received: from DJHX0Y21 [68.193.182.54] by eastwestresorts.com with ESMTP (SMTPD32-7.13) id A01CF6B00EC; Sat, 30 Aug 2003 07:01:16 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Wicked screensaver
Date: Sat, 30 Aug 2003 9:00:36 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_3842A4B8
Message-Id: [EMAIL PROTECTED]
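The two controls Marc describes, modelled in code: this added example (not Declude's own code) reads FORGINGVIRUS lines from a virus.cfg fragment and SKIPIFVIRUSNAMEHAS lines from the top of a sender.eml, then decides for one catch whether a sender notification goes out at all and whether the report shows the From: address or "[Forged]". It assumes names match case-insensitively as substrings of the reported virus name; the config and template fragments and the catches are constructed.

```python
# Constructed virus.cfg fragment: FORGINGVIRUS names families whose
# From: address is known to be forged, so the report labels it [Forged].
VIRUS_CFG = """\
# other settings omitted
FORGINGVIRUS Sobig
FORGINGVIRUS Klez
"""

# Constructed sender.eml: the SKIPIFVIRUSNAMEHAS lines sit at the very top,
# ahead of the template's own headers and body, and suppress the notice.
SENDER_EML = """\
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Bugbear
Subject: WARNING: YOU MAY HAVE A VIRUS

The Declude Virus software has reported that you sent an E-mail containing a virus.
"""


def parse_virus_cfg(text):
    """Return the lower-cased FORGINGVIRUS names found in a virus.cfg fragment."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "FORGINGVIRUS":
            names.add(parts[1].lower())
    return names


def parse_eml_template(text):
    """Split a notification .eml into (skip_names, template_lines).

    SKIPIFVIRUSNAMEHAS lines are directives, not message text, so they are
    removed from the lines that would actually be sent.
    """
    skip, template = set(), []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "SKIPIFVIRUSNAMEHAS":
            skip.add(parts[1].strip().lower())
        else:
            template.append(line)
    return skip, template


def name_has(virus_name, names):
    """True if any configured name occurs inside the reported virus name."""
    lowered = virus_name.lower()
    return any(name in lowered for name in names)


def decide(virus_name, from_addr, virus_cfg=VIRUS_CFG, eml=SENDER_EML):
    """Return (send_notification, sender_shown_in_report) for one catch.

    SKIPIFVIRUSNAMEHAS decides whether the notice is sent at all;
    FORGINGVIRUS only changes how the sender is labelled in the report,
    matching the "From: [Forged]" line in the catch quoted in this thread.
    """
    forging = parse_virus_cfg(virus_cfg)
    skip, _template = parse_eml_template(eml)
    send = not name_has(virus_name, skip)
    shown = "[Forged]" if name_has(virus_name, forging) else from_addr
    return send, shown


if __name__ == "__main__":
    # Constructed catches: a Sobig.F variant and a harmless scanner test file.
    for name, sender in (("W32/Sobig.F@mm", "user@example.org"),
                         ("EICAR-Test-File", "user@example.org")):
        print(name, decide(name, sender))
```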
RE: [Declude.Virus] No wonder viruses spread
So if a forged user from my domain sends a message to another IMail machine, to a user that doesn't exist, then their IMail machine rejects the message. I'm assuming that postmaster gets the entire message (virus included) based upon the forged domain. So I would get the message, even though no one on my domain sent it, and Declude would stop the virus (that seems to be what is happening). And then the user won't get the message returned, right?

But my users are getting occasional undeliverables and I'm assuming that these are generated by other mail servers. I just want to make sure that my server isn't returning messages to the forged users that contain the virus.

Forgive me if this seems a bit circuitous as my brain feels like tapioca this Monday morning.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, August 24, 2003 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] No wonder viruses spread

> But since the subject that you are receiving is "undeliverable : RE: Details", isn't that his server is just returning the message? Unless the virus has more subjects than the list of subjects that I am aware of.

Comparing it to the headers generated by the copies of Sobig.F we've looked at, it appears that it was indeed a bounce message. However, the fact remains that there was a virus in the bounce message, so they were spreading the virus.

Fortunately, IMail won't do this. If an E-mail is sent to an address that doesn't exist, IMail will reject the E-mail. It would then be up to the remote mailserver to generate the bounce message.

-Scott
RE: [Declude.Virus] No wonder viruses spread
Um - I'm not sure, but I think he may be right. The Declude virus catch looks like a bounce from his server, not sent through his server. As you said the e-mail address is forged - so if an infected computer has a user from your domain and a bad address from his, once his server can't deliver the mail to the bad address it returns the e-mail to the postmaster at what the server assumes is the domain from the forged address. I guess it is returning the whole message, virus included, and then Declude is catching it and notifying you.

I hope my server isn't doing that, bouncing infected messages from bad or expired addresses. If it is, is there a way to shut it down?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
Sent: Saturday, August 23, 2003 6:01 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] No wonder viruses spread

Here is a snippet of some ongoing email I'm having with a LAN administrator at a university hospital. I forwarded a copy of the Declude virus catch, to show them the IP #'s of the machine that sent the Sobig virus. I can't get it through his head that the headers are forged, and irrelevant. My last message to him pleaded to have him establish a telephone dialog with me so I could explain the message to him ... I politely told him if he wants to take the chance that a workstation is infected within their LAN based on the assumption that he might really be wrong, he was welcome to the havoc it will cause.

sigh

David Dodell

===Original message text===
David,

In looking at the header you sent Marcy, the subject of the message is "Undeliverable: Re: Details" which means our e-mail system was sending you a message back that it couldn't deliver a message from you. My best guess is that Sobig may be on your pc, and you have a contact somewhere to someone at uch that is no longer here or valid. Not too uncommon for we changed our domain last year.

Furthermore, our e-mail system doesn't allow .pif or .scr attachments and will strip them if attempted whether infected or not. We appreciate the heads up, but based upon the header it looks like it was a bounced message from you that was infected and thus the hit by your antivirus.

If you have any additional questions, comments, or concerns don't hesitate to let me know.

-----Original Message-----
This came from David who said this came from one of our computers. He said he was this stat technology.

Marcy

-----Original Message-----
From: David Dodell [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 23, 2003 2:22 PM
To: left out to protect identity
Subject: Fwd: Virus Notification

===Original message text===
Declude Virus v1.75i2 caught the following:

Virus Name: W32/[EMAIL PROTECTED]
Virus File: movie0045.pif
From: [Forged]
To : [EMAIL PROTECTED]
Date: 08/23/2003 13:06:35
Subject: Undeliverable: Re: Details
Spool File: Dc94a00d300be355a.SMD
RemoteIP: 168.200.2.37
SenderHost: Unknown

Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC; Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id RLYYQK7T; Sat, 23 Aug 2003 14:06:23 -0600
Message-ID: [EMAIL PROTECTED]
from: System Administrator [EMAIL PROTECTED]
to: [EMAIL PROTECTED] [EMAIL PROTECTED]
subject: Undeliverable: Re: Details
Date: Sat, 23 Aug 2003 14:06:22 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary=_=_NextPart_000_01C369B2.066CB0EC
Return-Path:
X-OriginalArrivalTime: 23 Aug 2003 20:06:23.0921 (UTC) FILETIME=[07029210:01C369B2]
===End of original message text===
===End of original message text===
RE: [Declude.Virus] No wonder viruses spread
But since the subject that you are receiving is "undeliverable : RE: Details", isn't that his server is just returning the message? Unless the virus has more subjects than the list of subjects that I am aware of. Looks like the original message had the virus attached and that was what Declude detected when his server bounced it back to you. Maybe? I'm hoping someone else jumps in.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
Sent: Sunday, August 24, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] No wonder viruses spread

> Um - I'm not sure, but I think he may be right. The Declude virus catch looks like a bounce from his server, not sent through his server. As you said the e-mail address is forged - so if an infected computer has a user from your domain and a bad address from his, once his server can't

I don't think so. The only reason is there is another IP address showing received past his server, another IP from their block that shows that the message originated there.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
Sent: Saturday, August 23, 2003 6:01 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] No wonder viruses spread

Here is a snippet of some ongoing email I'm having with a LAN administrator at a university hospital. I forwarded a copy of the Declude virus catch, to show them the IP #'s of the machine that sent the Sobig virus. I can't get it through his head that the headers are forged, and irrelevant. My last message to him pleaded to have him establish a telephone dialog with me so I could explain the message to him ... I politely told him if he wants to take the chance that a workstation is infected within their LAN based on the assumption that he might really be wrong, he was welcome to the havoc it will cause.
[Declude.Virus] BANEXT to delete all .pif?
Please excuse this if it has already been answered.

Just like everyone else, we are getting hammered by Sobig.F. Declude seems to be catching and holding the virus e-mails with the attachments because of the BANEXT option. The potential exists to overload our hard drive. There were over 3,000 held messages today (that is about 2x what we would normally do in a day) and I'm worried that with some minor modification some idiot could make this send out a larger file.

Is anyone else setting Deletevirus to on to address this, and will that cause the held messages to be deleted for BANEXT?

Thanks - Marc
RE: [Declude.Virus] BANEXT to delete all .pif?
I thought BANEXT worked before the scanner? DAMN... maybe my f-protect.exe is old and not catching viruses?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 04:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANEXT to delete all .pif?

> Just like everyone else, we are getting hammered by Sobig.F. Declude seems to be catching and holding the virus e-mails with the attachments because of the BANEXT option. The potential exists to overload our hard drive. There were over 3,000 held messages today (that is about 2x what we would normally do in a day) and I'm worried that with some minor modification some idiot could make this send out a larger file.
>
> Is anyone else setting Deletevirus to on to address this, and will that cause the held messages to be deleted for BANEXT?

No, there isn't. However, if the E-mail is caught due to a banned file extension, that means that the virus scanner is not catching it, which is normally a serious problem.

-Scott
RE: [Declude.Virus] BANEXT to delete all .pif?
I just ran a manual scan on the spool virus directory with F-protect and it identified all the held viruses as [EMAIL PROTECTED] - BUT I did run an update immediately before that even though I ran it this morning.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 04:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANEXT to delete all .pif?

> Is anyone else setting Deletevirus to on to address this, and will that cause the held messages to be deleted for BANEXT?

No, there isn't. However, if the E-mail is caught due to a banned file extension, that means that the virus scanner is not catching it, which is normally a serious problem.

-Scott
[Declude.Virus] Notifying Postmasters/ISPs etc of viruses
Does anyone else bother to look at the header, do a whois on the IP and notify the responsible party of the possible problem on their IP? I see the IPs in the e-mail headers, so if someone was notified do you think they can find the actual infected user? Would they bother?

I checked some of my border appliances and saw repeated scans on port 135 - when I tried to tell some of the ISPs who owned the IP block that I thought they might have the Blaster worm, I met with hostile abuse bots telling me that I didn't send them enough info, or I got no reply at all. I know I'd appreciate it if someone found that one of the systems in my network was compromised.

Is anyone doing this at all? I mean, could we find some of these computers with Sobig and alert the cable company and they can call the user to get it stopped? I know this would be very time consuming, but even if we got a few

Marc
RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses
The Pentagon? REALLY??? That's friggin scary as hell.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 06:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

> Does anyone else bother to look at the header, do a whois on the IP and notify the responsible party of the possible problem on their IP?

We occasionally do so (that's how we found out that Disney and the Pentagon were infected by Sobig).

> I see the IPs in the e-mail headers, so if someone was notified do you think they can find the actual infected user? Would they bother?

They should be able to find the user, and many (but not all) would bother.

-Scott
[Declude.Virus] Turning off .pif notifications? (sobig.F)
I have BANEXT active, and as a courtesy I have a notification through Declude going out in case someone is legitimately trying to send an .exe file. Is there any way to turn this off for the .pif extension? The SOBIG.F virus is sending this to all my users with fake e-mail addresses, and then the notice is going out to either the innocent or to bad addresses - this is generating more useless e-mail traffic. I'd like to keep the notify on the .exe (for now), but is there a way to turn it off for just the .pif?

Thanks - Marc
[Declude.Virus] Declude letting viruses through?
I do a weekly scan of my IMail server with F-protect and disturbingly enough it found two viruses in the main.mbx files of two of my users. F-protect 3.12a reported them as klez.E@mm and the attachment was called logon [2].pif. I copied the MBX file to a test user to see if I could find the attachment via web mail. There were no suspicious attachments but there was an e-mail titled "colspan". Once that was deleted, I re-ran the F-protect scan and it was clear.

My questions are, if I'm running Declude and F-protect how did this file get through to my end user? I also have .pif attachments blocked by rule. The one comforting thing was that when I clicked on the e-mail, it would not open and I got a page expired message. But disturbingly enough I have another user with a similarly infected file named http.exe (and I have .exe blocked as well). Why are these being delivered? I am running IMail 7.12 and a fairly recent version of Declude. Any ideas?

Marc
RE: [Declude.Virus] Declude letting viruses through?
Declude has been installed for months, BUT you are right, these e-mails were delivered two days and a month before it seems that Declude was installed (respectively). The weird thing is that the full system scan only reported them recently... one last week and another this week. Strange.

Thanks - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, November 06, 2002 05:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Declude letting viruses through?

> I do a weekly scan of my IMail server with F-protect and disturbingly enough it found two viruses in the main.mbx files of two of my users. F-protect 3.12a reported them as klez.E@mm and the attachment was called logon [2].pif. I copied the MBX file to a test user to see if I could find the attachment via web mail. There were no suspicious attachments but there was an e-mail titled "colspan". Once that was deleted, I re-ran the F-protect scan and it was clear.
>
> My questions are, if I'm running Declude and F-protect how did this file get through to my end user?

The key here is to check the date/time of the E-mail, and then check the IMail and Declude log files to see what happened. There are a few possibilities that come to mind:

o Scanning was turned off for that user/domain
o The E-mail arrived before Declude Virus was installed
o The E-mail arrived after Declude Virus was installed, but before the F-Prot virus definitions included the Klez virus
o Declude Virus was temporarily disabled

The log files should help narrow down what happened.

-Scott
Re: [Declude.Virus] Declude letting viruses through?
Strictly paranoia. In case something does get through. In case one of my users sends out a virus through their webmail. I usually just do a full system scan once a week or so; I don't have the scanner running all the time.

Marc

----- Original Message -----
From: John Tolmachoff [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 06, 2002 6:43 PM
Subject: RE: [Declude.Virus] Declude letting viruses through?

Curious, why are you scanning user mail boxes? That can cause problems.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
La Habra, CA 90631
www.reliancesoft.com