[Declude.Virus] Banned Extensions Still Getting Through?
Need some help for a part time sys admin! Declude Virus/Junkmail Standard 2.0.6.16/F-prot. We have very limited bandwidth so have expanded the banned extensions list in virus.cfg to include .mpg, .mpeg, .wmv, etc. This works well but there seems to be some that are still slipping through? The only thing I have noticed is that in every instance the banned extension is not the only attachment and it has some extra characters in the file extension as reported by Declude. The attachment appears as normal in the email client. Example shown below- When it does work (in every test that I do) Declude inserts MM/DD/2005 HH:MM:SS Q1BA800E400B8C964 Banning file with mpg extension [video/mpg] before the virus scanner line. Any ideas as to why Declude is trapping some and not others? vir0606.log 06/06/2005 10:00:54 Q109E001900B2AC5A Vulnerability flags = 0 06/06/2005 10:00:54 Q109E001900B2AC5A MIME file: pic09894.jpg [base64; Length=1577 Checksum=178405] 06/06/2005 10:00:55 Q109E001900B2AC5A MIME file: =?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?= [base64; Length=1435545 Checksum=172528633] 06/06/2005 10:00:55 Q109E001900B2AC5A Virus scanner 1 reports exit code of 0 06/06/2005 10:00:55 Q109E001900B2AC5A Scanned: Virus Free [MIME: 3 1438701] dec0606.log 06/06/2005 10:01:13 Q109E001900B2AC5A CMDSPACE:8 . Total weight = 8. 06/06/2005 10:01:13 Q109E001900B2AC5A Tests failed [weight=8]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=IGNORE[8] 06/06/2005 10:01:13 Q109E001900B2AC5A Msg failed CMDSPACE (Space found in RCPT TO: command.). Action=""> 06/06/2005 10:01:13 Q109E001900B2AC5A R1 Message OK 06/06/2005 10:01:13 Q109E001900B2AC5A Subject: FW: FW: hamster[Scanned By NHC] 06/06/2005 10:01:13 Q109E001900B2AC5A From: [EMAIL PROTECTED] To: IP: 195.11.194.53 ID: 2005060609594485-37998 06/06/2005 10:01:13 Q109E001900B2AC5A Action(s) taken for [copyall_account] = IGNORE [LAST ACTION=""> 06/06/2005 10:01:13 Q109E001900B2AC5A Using [incoming] CFG file C:\IMail\Declude\$default$.junkmail. 06/06/2005 10:01:13 Q109E001900B2AC5A Tests failed [weight=8]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=WARN[8] 06/06/2005 10:01:13 Q109E001900B2AC5A Msg failed CMDSPACE (Space found in RCPT TO: command.). Action=""> 06/06/2005 10:01:13 Q109E001900B2AC5A L2 Message OK 06/06/2005 10:01:13 Q109E001900B2AC5A Subject: FW: FW: hamster[Scanned By NHC] 06/06/2005 10:01:13 Q109E001900B2AC5A From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 195.11.194.53 ID: 2005060609594485-37998 06/06/2005 10:01:13 Q109E001900B2AC5A Action(s) taken for [EMAIL PROTECTED] = IGNORE WARN [LAST ACTION=""> 06/06/2005 10:01:13 Q109E001900B2AC5A Cumulative action(s) taken on this email = IGNORE WARN [LAST ACTION=""> Paul Crouch Technical Manager Marble Building Products Ltd Tel: 01759 373352 Fax: 01759 373394 Email: [EMAIL PROTECTED]
[Declude.Virus] Invalid ZIP Vulnerability
What exactly triggers the Invalid ZIP Vulnerability? I am a small ISP, and one of my client keeps getting expected zips from a graphics company caught by this. Thanks, Paul --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Extension Modify
Is this a new possible feature for Declude Virus? The option of changing the attachment file extension to a non-executable extension? [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, July 19, 2004 6:45 PM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Extension Modify We modify extensions at our Firewall that changes an executable listing and removes the last character and adds an underscore (no harm to file). For example, an exe would be modified to ex_ Works great, however, it seems that Declude will not see it in our Banned Extension listing even though we have it listed as BANEXT ex_Does Declude Pro Virus (1.79+) allow for this? \ I have tested it with varying sizes of files and none get banned. Thanks for the aid. Keith --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Serious Problem with attachments and AVG 7
I had a client call and tell me that attachments were not going through. Basically the message and the attachment disapeared into thin air. I was able to confirm that this was the case over all of my domains. Even messages with an attachment sent to myself would disapear. After much head scratching, I turned off AVG (our 2nd virus scanner), and it appears that the problem has gone away. Here are the facts as I understand them: * At or around the time when the problem occurred, I manually updated AVG. There were 2 new updates. One was new virus defs and the other was described as an update to the updater engine. * Messages with attachments passed through Junkmail with no problems * I found an entry like this in the logs for the messages in question: 06:10 14:47 SMTPD(003400F8) [208.151.247.226] C:\IMail\spool\Dd6e2003400f8f6e9.SMD 22739 * In the virus logs, I got the following: 06/10/2004 14:47:40 Qd6e2003400f8f6e9 Could not find parse string identified in report.txt 06/10/2004 14:47:40 Qd6e2003400f8f6e9 Error 10 in virus scanner 2. 06/10/2004 14:47:40 Qd6e2003400f8f6e9 Test2.2c319.0.xls.15872.3.predef.declude.com After this I could find no trace of the messages. I assume they were deleted. Can anybody explain the virus log to me? Has something changed with AVG that now makes it unusable, or do I have a problem with my configuration? For anyone using AVG, I would definitely send yourself a test attachment to be sure it is working. Paul Navarre --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Serious Problem with attachments and AVG 7
Thanks for the reply. Do you have a line DELIVERERRORS OFF in your \IMail\Declude\virus.cfg file? If so, E-mails where the virus scanner reports an error will not be delivered (and might be deleted, depending on your settings). I do *not* have the DELIVERERRORS OFF in my virus.cfg file. I also don't have any setting that would delete anything as far as I know. Thanks, Paul --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] info on Worm.SomeFool.P
I'm looking for info on Worm.SomeFool.P Anyone know where I can find out about this one? [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Scott, what do you use to generate this report
Thanks Scott, While I have your attention, what do you use to generate this report from your log files? Each month, we go through our spamtraps (E-mail addresses designed to collect spam), to find out which spam tests were most effective at catching spam. snip WEIGHT1099.48% WEIGHT2095.45% NOLEGITCONTENT 95.43% SNIFFER 94.06% SPAMCHK 93.20% IPNOTINMX 90.76% SPAMCOP 79.83% CMDSPACE77.37% snip [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: CBL:RE: [Declude.Virus] SKIPIFFORGING Question
Hello,
Wednesday, March 3, 2004, 11:54:36 PM, you wrote:
Do I need to do something on my end to hit this DB??
Run recent version of declude
and set AUTOFORGE ON in virus.cfg
Ok that was essy. Thanks.
--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
[Declude.Virus] Doh! SpamCop Report
I just got a SpamCop report about one of my mail servers. Upon looking at the report, it appears that they are complaining about a Undeliverable Mail message. It seems that one of my domains is being dictionary attacked. The spammer did a joe-job, so some poor guy is being bombed by my server with Undeliverable Mail messages. It seems the guy being joe-jobbed is the one reporting my mail server. Anybody have any advice about what (if anything) I should do? Paul Navarre --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Sophos
Hello,
Can someone share there SCANFILE line out of the virus.cfg file
with me for Sophos.
I have been using the following in my virus.cfg
SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP
/NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found
SCANFILE2 C:\Progra~1\Sophos~1\SAV32CLI.EXE -ns -p=report.txt -mac -archive
VIRUSCODE2 3
VIRUSCODE2 6
REPORT2 Virus
I seem to be having problems with Sophos. I say Sophos because if I
drop Sophos and just use McAfee alone all works fine. I would really
like to use Sophos behind McAfee if I can.
I am getting this in the logs.
11/27/2003 07:29:56 Qee340fb6011cba7f Could not find parse string Virus in
report.txt
11/27/2003 07:29:56 Qee340fb6011cba7f Error 2 in virus scanner 1.
--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] Something interesting..
I'm debating backing up all my info and running the exe just to see if anything happens. I have my laptop ghosted and will be back up and running in about 30 minutes.. Plus, the software firewall I run would let me know if anything tries to connect to anything.. Probably just a dialer, Of course, we all know not to open EXEs we don't know the origin of. =) The USERS usually don't, but. If you DO run it, let us know what you find out. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot vs Other brands
With the problems I've seen with F-Prot like the one mentioned below. Why did you F-Prot users choose F-Prot over other brands like McAfee? Something is probably not right in his configuration, as this problem has not been reported on machines running the latest f-prot version. We certainly stop everything that is thrown at us, at least as I write this! F-Prot had a 100% record for us in terms of timely releases until they messed up with one of the latest viruses and did not get a satisfactory release out until 3 days later. This has prompted many of us to add a 2nd scanner, but nevertheless their history has been very, very good. The biggest reason I think F-Prot is so popular is that their license is very straight-forward. With the bigger players, they really want you to buy one license for each of your mailboxes. There are often legal or at least plausibly legal way around this in some cases, but I know I feel better about having a license with F-Prot that seems about as clear as you can make it. Additionally it is cheap and I have had good luck with support from them. Paul Navarre --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] W32.Neroma@mm virus in .jpg?
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] Sheesh! That's nice. What really gets me on these bugs, is that you're supposed to disable System Restore in ME/XP You would think that compressed backup data would be immune to this sort of thing. What's the point of having sys restore if everytime you MAY have a virus you need to wipe ALL the restore data? That's a pain... if only you could kill the last X number of restore points, but save the earlier ones from before the virus hit. stupid M$. just a rant... no real meaning. It's Monday after all =) Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Virus protection between users on same iMail server?
Real life example: There are two users, we'll call them [EMAIL PROTECTED] and [EMAIL PROTECTED] Both users are hosted on the same iMail server, but at different domains which are separate virtual servers. Declude virus scans all mail for all users both in and out of GoodDomain.com. BadDomain.com has no virus scanning. [EMAIL PROTECTED] has the sobig virus and is sending it to [EMAIL PROTECTED] Will Declude Virus protect [EMAIL PROTECTED] in this situation, where both users are on the same iMail machine? [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Anyone else getting hit hard today with Sobig.F again?
here are my server stats since the day before SoBig-f hit up till last nights log rollover http://www.cfhosting.net/virus.scan.txt Ouch. You have outgoing Sobig? I've not seen 1 outbound sobig yet As of today, we've gotten this for the month... it's only the 5th! Virus Summary by Count --- Count Inbound/Outbound Name 16,862 16,862 / 0W32/[EMAIL PROTECTED] - 54,316 was the total in August. 182 182 / 0W32/[EMAIL PROTECTED] 152 138 / 14 W32/[EMAIL PROTECTED] 18 18 / 0W32/[EMAIL PROTECTED] 14 2 / 12 W32/Hybris.worm.B 9 9 / 0W32/[EMAIL PROTECTED] (corrupted) 8 8 / 0W32/[EMAIL PROTECTED] 6 3 / 3W32/Hybris.worm.D 2 2 / 0W32/[EMAIL PROTECTED] 1 0 / 1JS/[EMAIL PROTECTED] 1 1 / 0W32/[EMAIL PROTECTED] 1 1 / 0VBS/Lovelorn.dropper If only I could get the users with that dang Klez to clean their systems, as well as the Hybris. It's the same 3 or 4 people. over and over. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
John, Scott, everyone. Question to this. I have the SKIPIF lines in my eml files, but I was curious, what happens to the corrupt versions of Sobig, etc that the attachments get through due to no virus? Since these return addresses are no doubt bogus, is there a guard against this? Do we have a SKIPIFATTACHMENTIS .scr option? Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Sobig, the next wave?
A virus that will infect all these unpatched computers, and the only thing it does is create a big bold red popup every 15 minutes that says Patch your computer, you dummy. I can hear the tech calls now. I have this big window calling me a dummy. what am I supposed to do? Read.the.message.. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Adding Sophos
Hello,
I am haveing a little problem getting Sophos added as a scanner. The
problem is it does not work. Can anyone see what I am missing
===Virus.cfg===
SCANFILE C:\Progra~1\Sophos~1\sav32cli.exe -ns -p=report.txt -mac -archive
VIRUSCODE 3
VIRUSCODE 6
REPORT1 Virus (is this my error)
SCANFILE2 C:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe
/ALL/NOMEM/NOBEEP/NOBREAK/UNZIP/SILENT/NODDA/REPORT report.txt
VIRUSCODE2 13
REPORT2 Found
SCANFILE3 C:\Progra~1\FSI\F-Prot\F-PROT.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY
/NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE3 3
VIRUSCODE3 6
VIRUSCODE3 8
REPORT3 Infection
=END==
***Location of Sophos savcli32.exe**
C:\Program Files\Sophos Sweep for NT
**End*
#Virus log##
08/25/2003 07:21:24 Qf13403e3020a6b9c Your virus scanner DOES NOT EXIST (at
C:\Progra~1\Sophos~1\sav32cli.exe -ns -p=report.txt -mac -archive
g:\spool\DF1340~1.VIR\); NOT SCANNING ATTACHMENTS! [2]
08/25/2003 07:21:25 Qf13403e3020a6b9c Scanner 2: Virus=: EICAR test file NOT a virus.
Attachment= [2] I
08/25/2003 07:21:27 Qf13403e3020a6b9c Scanner 3: Virus=: EICAR_Test_File
Attachment=eicar.zip [2] I
08/25/2003 07:21:28 Qf13403e3020a6b9c File(s) are INFECTED [: EICAR test file NOT a
virus.: 3]
08/25/2003 07:21:28 Qf13403e3020a6b9c Scanned: CONTAINS A VIRUS [MIME: 2 800]
08/25/2003 07:21:28 Qf13403e3020a6b9c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
[incoming from 216.58.174.203]
08/25/2003 07:21:28 Qf13403e3020a6b9c Subject: Test eicar.com file [eicarzip]
End
--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] Adding Sophos
SWEEP.LOG
08/21/2003 11:15a 212,992 SWEEPNT.DLL
08/21/2003 11:15a 290,816 SWEEPSRV.SYS
08/21/2003 11:15a 159,744 SWNETSUP.EXE
08/21/2003 11:15a 176,128 SWOUTPUT.DLL
08/21/2003 11:15a 32,768 SWOUTRES.DLL
08/21/2003 11:15a 159,744 SWSPAWN.EXE
08/21/2003 11:16a 266,240 SWUPDATE.EXE
08/23/2003 11:44a DIR TEMP
08/21/2003 11:15a 64,957 vdl.dat
08/21/2003 11:16a 443,637 vdl01.vdb
08/21/2003 11:16a 401,446 vdl02.vdb
08/21/2003 11:16a 389,383 vdl03.vdb
08/21/2003 11:16a 439,542 vdl04.vdb
08/21/2003 11:16a 459,468 vdl05.vdb
08/21/2003 11:16a 376,402 vdl06.vdb
08/21/2003 11:15a 374,881 vdl07.vdb
08/21/2003 11:15a 344,925 vdl08.vdb
08/21/2003 11:15a 258,931 vdl09.vdb
08/21/2003 11:16a 370,090 vdl10.vdb
08/21/2003 11:15a 474,813 vdl11.vdb
08/21/2003 11:16a 479,646 vdl12.vdb
08/21/2003 11:16a 462,176 vdl13.vdb
08/21/2003 11:16a 786,432 VEEX.DLL
08/22/2003 10:48a DIR W95Inst
08/23/2003 11:44a 57,219 WSWEEPNT.CFG
08/21/2003 11:15a 385,024 WSWEEPNT.EXE
08/21/2003 11:16a 16,700 WSWEEPNT.INF
91 File(s) 12,709,402 bytes
10 Dir(s) 8,329,158,656 bytes free
C:\Program Files\Sophos Sweep for NT
--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] Adding Sophos
Hello,
Monday, August 25, 2003, 9:57:08 AM, you wrote:
C:\cd C:\Program Files\Sophos Sweep for NT
This is what I got.
Seems to be right. Also i can start sav32cli.exe just fine.
RSP I'm guessing that Sophos installed more than one directory. If you try this:
RSP cd C:\Program Files
RSP dir Sophos* /x
Thats was it. Enterprise Manger is in c:\progra~1\sophos~1 and sav32cli.exe is in
c:\progra~1\sopos~2
Thanks!!
--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
[Declude.Virus] Using FORGINGVIRUS with more than one virus
In my virus_cfg.txt file, I have: FORGINGVIRUSKlez To add the sobig virus, do I add another line? like this? FORGINGVIRUSKlez FORGINGVIRUSSobig [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Sobig- Phase II bombardment
It make's me really wonder how many stupid people is not able to patch the own system (or at least outlook). Exactly! they can't do more. (except write a worm that install automatically all available patches from MS) What they (M$) really need to do, is make windows update integrated into Windows, the problem is they tell you Stay current with updates in a little box above the taskbar when you install Windows (XP at least), so you can elect to have them downloaded. or you have to download the critical notification tool. Instead, it should already be set to retrieve critical updates, and the notification should be a big window that says YOU HAVE CRITICAL PATCHES FOR YOUR SYSTEM AVAILABLE TO INSTALL! PLEASE CONSULT KB ARTICLE X TO ENSURE VALIDITY AND UPDATE ASAP FAILURE TO UPDATE LEAVES YOUR SYSTEM VULNERABLE TO HACKERS, WORMS, VIRUSES, ETC. To which you click some acknowledge button, but will come back if you don't update. People need to know they need to keep software like this updated. Plus M$ releasing a patch that doesn't cause more problems is nice too. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses
Does anyone else bother to look at the header, do a who is on the IP and notify the responsible party of the possible problem on their IP? I see the IPs in the e-mail headers so if someone was notified do you think they can find the actually infected user? Would they bother? MY experience, I can't get the 4 or 5 people on our service to clean the viruses off their machines, I'm not going to waste my time trying to track who else is infected. A lot of people A: Don't care, or B: Don't know how to operate a computer, much less download a virus update, repair tool, etc. I checked some of my border appliances and saw repeated scans on port 135 - when I tried to tell some of the ISPs who owned the IP block that I thought they might have the blaster worm, I met with hostile abuse bots telling me that I didn't send them enough info or I got no reply at all. I know I'd appreciate it if someone found that one of the systems in my network was compromised. Is anyone doing this at all? I mean could we find some of these computers with sobig and alert the cable company and they can call the user to get it stopped? I know this would be very time consuming, but even if we got a few In the end, all you can do is make sure your stuff is secure, and up to date, and working properly. As long as your virus scanner is catching them entering, your users should be safe. You could email til your hands fall off, I doubt it would make any noticable difference. =) Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] SoBig.f email coming through
Hello,
It seems I am getting the Sobig email coming throught to my users
but with ot a payload. In other words tey are getting the message
with all chaistics of SoBig.f but no attachment.
Anyone know why this maybe. I can not filter on some of the subject
such as 'd e t a i l s ... or... A p p r o v e d So filtering in
junkmail is out.
I do stripp all attahesments that could care a payload so I am good
there. Users are just worried they are enfected which they should
not since all attachments are stripped. And as far as share on the
LAN I am very carefull with those so but I do have to have open
shaers for the last of our Win95 systems.
I have been slammed with an AS/400 down the last three days so if
this is a dumb question please let it pass till I have more sleep.
--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] SoBig F
FYI: Mcafee's Extra Dat is not catching all instances of this virus... However, it is still being dropped by the banned pif extension. Wow! I've noted over 200 hits of this virus today so far. sheesh. Paul - Glad I have Fprot checking for updates every 2 hours to be safe. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New interim release of Declude Virus to block Mimail'smessage.zip Mimail'smessage.zip block Mimail'smessage.zip Mimail'smessage.zip
It will block files based on the file name. So if you use BANNAME message.zip, it will ban any attachments that are named message.zip Can you use wildcards? What I'd really like to do is ban all attachments to my lists (but allow attachments to all of my other clients). Using Pro this should be possible if the syntax allows it. If anyone has any ideas how this might be done I would appreciate it. Thanks, Paul Navarre --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New offical F-Prot version
Just received an offical announcement from F-Prot offically stating the release of ver 3.14a downloaded and installed the newest version of F-prot and it IS detecting the virus. What a relief. 08/05/2003 16:17:46 Q10dc008500c81b09 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=message.zip [2] I 08/05/2003 16:17:46 Q10dc008500c81b09 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3] 08/05/2003 16:17:46 Q10dc008500c81b09 Deleting file with virus 08/05/2003 16:17:46 Q10dc008500c81b09 Deleting E-mail with virus! 08/05/2003 16:17:46 Q10dc008500c81b09 Scanned: CONTAINS A VIRUS [MIME: 2 21926] Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and Mimail
Kami, F-Prot: $50 AVG: $35 [http://www.Grisoft.com] Where on the site is $35? I must be blind and missing it. The prices I see for AVG are $33 for workstation, not supporting Win2000 Server, and mail server edition STARTING at $120 for 6 boxes.. help? Due to F-prot's inability to get it's act together for this silly virus is making us look for a 2nd scanner. Granted, the body filters in place are handling the problem nicely, but it's still a pain. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] M e s s a g e . z i p possible virus
I am using F-Prot and it is completely update to date, and not catching it the virus...is anyone using F-prot actually stopping it? Same here, F-Prot and it's getting through, however, with the additions to our BODY filters, it's being stopped. Hopefully they will update soon. I know Norton AV hasn't updated yet, though they say it's detected in August 1st's dat list which isn't out yet, as my live update just run still says 7/30. That's NAV on my workstation guys, not the server. =) Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Airline confirmations blocked
I had two clients contact me today about similar situations. One had confirmation from United Airlines blocked, while the other had one from Northwest Airlines blocked. I understand why this is happening, and the necessity for Declude to stop malformed messages that could allow a virus to sneak through. Nevertheless I feel like I should be doing something (other than explaining the situation to the clients). Should I try to contact the airlines and try to get them to fix their software? Is there the possiblity of creating a whitelist feature a la Junkmail to handle this, or is that too risky? I'm just a little surprised that this hasn't come up more often. I am guessing this has happened to others too. Are others just using education? Paul Navarre --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Holar on the rise....
Wow, this one just popped up it seems, [EMAIL PROTECTED] nothing on the 28th, to 68 outgoing yesterday, and a smaller amount incoming. Even more today. Anyone else seen this increase? Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] FORGE question.
Hey gang, I was curious about something. We have gotten an e-mail to our abuse account at least 3 times stating we're sending him spam/infected mail. This is the bottom header line of what he sees. Received: from Satumqc ([63.160.179.245]) by out016.verizon.net (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP id [EMAIL PROTECTED] for user; Wed, 2 Apr 2003 19:35:37 -0600 Now that IP shown IS ours, but the brackets tell me it's fake. Besides our mailserver is obviously not verizon. Comments / suggestions? This guys starting to tick me off. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] FORGE question.
Actually, the bracket doesn't mean it is fake. The bracket just indicates an IP address. This header means that the mailserver claims to be called out016.verizon.net, and that it received the E-mail from a mailserver (or mail client) claiming to be Saturmqc, from the IP 63.160.179.245. Ok, I figured fake since it was a KLEZ sent mail message.. Most likely, this E-mail *did* originate from 63.160.179.245. The only way to be sure is to have verizon.net confirm it, but they are very unlikely to do that, given the volume of viruses that are transmitted via their mailservers. Hmmm, that's really odd. When someone logs onto our system and is assigned an an IP, and this particular one was not in us at the time of this least not issued by us... Thanks Scott. Any other ideas? Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] BANEXT question.....
Scott. Is there a way to just refuse attachments of certain types? instead of quarantined OR strip the attachment off? I don't want to bounce messages, I'd be happy with just removing the attachment. maybe add a line to the mail Attachment removed ? Is this possible? Or something we can add? Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] patch mail.
W.32gibe.b and/or its variants http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] Thanks! I've seen this one caught saveral times... whew. I knew I'd get the answer. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Hourly Logs?
Just a note to Scott, Thanks for such a marvelous product like Declude! Dang! I'm impressed each day with how it works, and ease of use! I've just recently started scanning the virus logs and have cut down on a vast # of our users with viruses. Since most with one don't realize they have one. Tracking users down can be a pain, but not seeing the 1000 Yaha infected e-mails makes me happy. Less wasted mail. Cheers! Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Help locating CR. Outlook CR Vulnerability
Hello, One of my servers started sending malformed headers yesterday for some reason. Declude picked it up as a the Outlook CR Vulnerability. I am wondering if anyone can tell me where the vulnerability is in the attached message (attachment is a copy of what Declude Quarantined). I do not see any stand-alone CRs in the middle of the header and am a little confused as to where I should start looking for the culprit. Thanks much, Paul Hassinger Received: from blackbox.ipaul.com [65.204.120.129] by winonaweb.com (SMTPD32-7.13) id AC3C327D024E; Thu, 20 Feb 2003 23:42:20 -0600 Received: (qmail 2012 invoked by uid 507); 21 Feb 2003 05:31:07 - Received: from [EMAIL PROTECTED] by blackbox by uid 504 with qmail-scanner-1.15 (f-prot: 3.12. spamassassin: 2.43. Clear:. Processed in 0.06583 secs); 21 Feb 2003 05:31:07 - Received: from localhost ([EMAIL PROTECTED]@127.0.0.1) by blackbox.ipaul.com? with SMTP; 21 Feb 2003 05:31:07 - Received: from grover.ipaul.com (grover.ipaul.com [65.204.120.15]) by www.ipaul.com (Horde) with HTTP for [EMAIL PROTECTED]; Thu, 20 Feb 2003 23:31:06 -0600 Message-ID: [EMAIL PROTECTED] Date: Thu, 20 Feb 2003 23:31:06 -0600 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: t4 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) 4.0-cvs X-Originating-IP: 65.204.120.15 X-Note: This E-mail was scanned by ipaul.com for spam. X-Spam-Tests-Failed: None t4
[Declude.Virus] good grief, what a relief.
Scott, and all potential Declude Virus users Thanks to the handy Log analyzer tool, I've noticed a HUGE increase inthe Lentin.F virus, and have just contacted the user on our network thatappears to be infected with it. But thanks to Declude for making me be ableto see it. And blocking it!January Total scanned: 600,582 Infected: 12,622 6,019 outbound Lentin.F last 3 daysof Jan. Infected / scanned 2.1016%FEB 1-3 Total scanned: 64,476 Infected: 12,124 11,359 outbound Lentin.F!! Infected / Scanned 18.8039%!!!Sheesh! Thank you Declude for stopping this! If only Yahoo and Hotmail wereas reliable.FWIW Klez is still a second placer, amazing after all the talk about thisvirus, people still get it.Paul
[Declude.Virus] log analyzer error
hey gang, here's a problem: I downloaded the Virus Log Analyzer tool, not the batch tool and it worked GREAT the first 2 times it ran, now I get the following error: Error Returned From Produce_Outputfile() Any help? I tried to reinstall the newest version, but get the same results. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] bogus files.....
Hey guys, While going through my logs, I noticed a lot of lines like this: 12/19/2002 09:14:11 Qd43109d000d4e8d9 Found a bogus .jpg file 12/19/2002 09:14:11 Qd43109d000d4e8d9 Found a bogus .jpg file 12/19/2002 09:14:11 Qd43109d000d4e8d9 Found a bogus .jpg file 12/19/2002 09:14:11 Qd43109d000d4e8d9 Found a bogus .jpg file 12/19/2002 09:14:11 Qd43109d000d4e8d9 Found a bogus .jpg file 12/19/2002 09:14:11 Qd43109d000d4e8d9 Found a bogus .jpg file I see it's pointing to the same message, but was just curious to know how common this is? Is this the .jpg.exe setup it's finding? What got me on this was yesterday my NAV snagged a magistr virus that came through that Declude missed. I've also seen alot of these: 12/19/2002 09:48:25 Qdc38012d013e4431 Outlook 'MIME segment in MIME Preamble' vulnerability in line 17 layer 1 [Content-Type: multipart/altern] 12/19/2002 09:48:25 Qdc38012d013e4431 File(s) are INFECTED [0] So far all of these seem to be spam, but it's amazing the amount of these in there Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] bogus files.....
What version of Declude Virus are you running? 1.65. That log file entry is part of an experimental system in Declude Virus designed to find files that aren't what they claim to be (for example, if someone renamed an .exe file to a .jpg extension). However, I believe there was a recent beta that would falsely detect these bogus files. In any case, the only damage is the extra log file entries. Ok, that's what I figured it had to be, as it appeared no actions are taken. Is that planned for a later release? If the attachment is bogus to hold/warn/delete? Have you checked the Declude Virus log file to see what it says about that E-mail? No, I missed it when it came in and NAV canned it before I could see it. So I don't know the exact time. I would've looked it up tho. Yes, there are a lot of spammers who apparently write their own spamware, and send out incorrectly formatted E-mails that contain some of the recently discovered vulnerabilities. I guess this makes good use of holds for vulnerabilities. Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
H:Re: [Declude.Virus] New virus: W95/CIH-1106 New variant of Chernobyl
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 5 (Req: 18) Tot: 5 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: D0b76652e03caa7c8.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, December 3, 2002, 2:39:49 PM, you wrote: John Any one see how this is passed through e-mail yet? This is about all I have seen. ===Snip from SearchSecruity.com=== VENDOR REPORTS NEW STRAIN OF CHERNOBYL VIRUS | News: CNET Panda Software said it has detected a new strain of the Chernobyl virus, a piece of malicious code that could damage a computer's BIOS chips and motherboards, rendering them unusable. Panda said the new strain has not been seen in the wild, and it has not spread. Chernobyl activates its payload on the second day of every month. The original activates on April 26, the anniversary of the Chernobyl nuclear disaster. Other antivirus companies, however, question Panda's announcement and caution against crying wolf. Now this one looks bad. I am blocking .pif files but not sure what the .ceo is about. The only CEO's don't usally infect anything just slow stuff down. :) I guess i need to find that link on file types. === WINEVAR DISABLES ANTIVIRUS, TRIES TO DELETE FILES | News: CNET Antivirus companies are warning against the Winevar worm that attacks Windows computers with dangerous payloads that could cost users valuable data. Winevar spreads via e-mail, attaching itself as a .pif or .ceo file arriving from fictional organizations. If opened, Winevar tries to shut down antivirus programs and also attempts to delete every file on the computer. === -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
H:Re: [Declude.Virus] New virus: W95/CIH-1106 New variant of Chernobyl
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 5 (Req: 18) Tot: 5 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: D13d62cb1066e5efd.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, December 3, 2002, 3:08:32 PM, you wrote: John http://filext.com/ John .CEO Extension associated with Winevar Worm (The worm sets .CEO as an John executable extension so future files arriving with this extension will be John automatically run.) Thanks for the link. I guess that goes in to banext -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
H:Re: [Declude.Virus] New virus: W95/CIH-1106 New variant of Chernobyl
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 5 (Req: 18) Tot: 5 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: D1cc9d50003ca5674.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, December 3, 2002, 3:56:58 PM, you wrote: Kris What is extensions is everyone blocking in general? I am blocking scr, pif, Kris ceo ? Should I be blocking any thing else? This is what I am using. .pif.nws.dll.cmd.xml.sys.asd.chm .ocx.vbe.wsf.com.exe.vbs.scr.shs .wsh.vbx.bat.cab.lnk.asp.swf.js .ceo -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] H:OT anyone using The Bat email prog??
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 0 (Req: 18) Tot: 0 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: D224c093f0600decb.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 8 (XBL, BADHEADERS, CURRENT, HEUR1, IPNOTINMX) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Ok don't laugh. Well not much anyways. Evrytime I reply to a [EMAIL PROTECTED] or [EMAIL PROTECTED] The Bat puts an H befor my subject. It is not there when I send only once I see it on the list. Also i get an auto reply from cybrhost about someone not being in. There is nothing in the CC or BCC when it goes out. I only get the letter H added to my subjects and the auto reply when i mail to these to list. I have check every setting I can find anything wrong. Anyone here have any ideas?? Oh I fell so like a user. :( Sorry for the OT -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] H:E card
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 0 (Req: 18) Tot: 0 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: Db570efe303768cf1.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, I just had an f r i e n d - g r e a t i n g slip through. These have been blocked in the past. What is the best point to start to fine out how this one made it. 1.63 beta Imail 7.13 -- Best regards, ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] H:H;E card
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 0 (Req: 18) Tot: 0 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: Dbdda852203a66978.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, November 26, 2002, 12:57:28 PM, you wrote: eicar stops fine and catching other viruse no problem. Yeah i know not truly a virus. I was stopping some that faild the vulnebbilty test I figured that would get all Then this week end i really started to added to Junkmail I have a file body.txt with the line. BODY20 CONTAINSa virtual postcard from F r i e n d G r e t i n g s.c o m global.cfg has the right path to the body.txt file. In the header that follows I see a weight of -52. I do have citravel.com in the allow.txt could that be the problem since it came from an inside user Should I not add my domain to the allow.txt --- boundary==_NextPart_000_017B_01C29547.41F53200 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 X-Declude-Sender: [EMAIL PROTECTED] [216.113.128.165] X-Declude-Spoolname: Daf36019a01e84bd5.SMD X-Note: This message was scanned for Spam X-Spam-Tests-Failed: IPNOTINMX, NONE, OPTNAME X-RBL-Warning: Total weight value: -52 X-Note: Recipient Host:citravel.com X-Note: Sender Address:[EMAIL PROTECTED] X-Note: Sender Host Name: hide5.wspan.com X-Note: Sender IP Address: 216.113.128.165 X-Note: Sender Country ID: . Precedence: bulk Sender: [EMAIL PROTECTED] Status: U X-UIDL: 333656655 -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] H:H;E card
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 5 (Req: 18) Tot: 5 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: Dc3476bc003729a9d.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, November 26, 2002, 1:43:47 PM, you wrote: I do have citravel.com in the allow.txt could that be the problem since it came from an inside user Should I not add my domain to the allow.txt John Does not matter. What has happened if you read my first reply is they are John using different domain names, and since you are only filter for one domain John name, it got through. John You will need to read Tom's post and add the domains listed. John http://www.mail-archive.com/declude.junkmail@declude.com/msg05444.html John John Tolmachoff MCSE, CSSA John IT Manager, Network Engineer John RelianceSoft, Inc. John Fullerton, CA 92835 John www.reliancesoft.com John --- John [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] John --- John This E-mail came from the Declude.Virus mailing list. To John unsubscribe, just send an E-mail to [EMAIL PROTECTED], and John type unsubscribe Declude.Virus.The archives can be found John at http://www.mail-archive.com. John --- John [This E-mail scanned for viruses by Declude Virus/McAfee] I was trying to do that and stop people from sending this thing out any more. Thanks John. I am trying. :) -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] H:H;E card
CI Travel X-CYBERsitter-NoXMail: FAILED - Score Adult: 0 (Req: 18) Spam: 23 (Req: 18) Tot: 23 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: Dc78d1d02039e4f27.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 9 (XBL, BADHEADERS, CURRENT, HEUR1, CYBERSITTER) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, November 26, 2002, 1:43:47 PM, you wrote: I do have citravel.com in the allow.txt could that be the problem since it came from an inside user Should I not add my domain to the allow.txt John Does not matter. What has happened if you read my first reply is they are John using different domain names, and since you are only filter for one domain John name, it got through. John You will need to read Tom's post and add the domains listed. John http://www.mail-archive.com/declude.junkmail@declude.com/msg05444.html Ok i looked at the post. This is what i got allow1.txt citravel.com global.cfg NONEfromfileE:\imail\declude\allow1.txt x -60 0 body.txt BODY 60 CONTAINSa virtual postcard from FriendGreetings.com BODY60 CONTAINSPick up your postcard by clicking below: Global.cfg BODYfilter E:\imail\declude\body.txt x 10 0 The email that was sent matched the body text above 100% Why would i need to block on the domain name also?? Not saying i don't need to just trying to see why. -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] H:H;E card
CI Travel X-CYBERsitter-NoXMail: FAILED - Score Adult: 0 (Req: 18) Spam: 23 (Req: 18) Tot: 23 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: Dca28400503d87a5a.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 9 (XBL, BADHEADERS, CURRENT, HEUR1, CYBERSITTER) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, November 26, 2002, 1:43:47 PM, you wrote: I do have citravel.com in the allow.txt could that be the problem since it came from an inside user Should I not add my domain to the allow.txt John Does not matter. What has happened if you read my first reply is they are John using different domain names, and since you are only filter for one domain John name, it got through. John You will need to read Tom's post and add the domains listed. John http://www.mail-archive.com/declude.junkmail@declude.com/msg05444.html Ok i looked at the post. This is what i got allow1.txt citravel.com global.cfg NONEfromfileE:\imail\declude\allow1.txt x -60 0 body.txt BODY 60 CONTAINSa virtual postcard from F r i e n d G r e e t i n g s.c o m BODY60 CONTAINSP i c k u p y o u r p o s t c a r d b y c l i c k i n g b e l o w: Global.cfg BODYfilter E:\imail\declude\body.txt x 10 0 The email that was sent matched the body text above 100% Why would i need to block on the domain name also?? Not saying i don't need to just trying to see why. PS I know the filter is working because i went this with out the space and it got caught. Still want to know how to add the domains and is it needed if you filter on body of message. -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
H:Re: FW: [Declude.JunkMail] [Declude.Virus] H;H.E Card
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 8 (Req: 18) Tot: 8 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: Dd91876840160d2ac.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, November 26, 2002, 3:18:50 PM, you wrote: John Example: John BODY 10 CONTAINS have a happy fourth of July John Will not catch the phrase have a happy fourth of July. John BODY 10 CONTAINS user at domain John The reason is if that was the case, if it found user and at and domain John anywhere in the message, it would get caught. John It must be a string of characters. Ah there is light at the end of this tunnel. Thanks. I was thinking why keep two files up to date when one with the correct words would work no matter where it came from. I have put all those domain in my fromfile with a weight of 44 for the fromfile in gobla.cfg and 50 is delete so i think it should work. Hmmm is there away to test something like this. I can't just forward the email because it would then come from our domain. correct?? -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
H:Re: FW: [Declude.JunkMail] [Declude.Virus] H;H.E Card
CI Travel X-CYBERsitter-NoXMail: Passed - Adult: 0 (Req: 18) Spam: 8 (Req: 18) Tot: 8 (Req: 20) X-RBL-Warning: XBL: 163.41.34.208.xbl.selwerd.cx. X-Declude-Sender: [EMAIL PROTECTED] [208.34.41.163] X-Declude-Spoolname: De15a241f01601738.SMD X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com) X-NRecips: 1 X-Reverse-IP: 163.41.34.208.in-addr.arpa X-Weight: 2 (XBL, BADHEADERS, CURRENT, HEUR1) X-Country-Chain: UNITED STATES-destination. Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hello, Tuesday, November 26, 2002, 3:37:46 PM, you wrote: I have put all those domain in my fromfile with a weight of 44 for John the fromfile in Global.cfg and 50 is delete so I think it should work. John WHOA! What about all the legit e - c a r d s that people send to one John another? John Better to hold and review. Yeah I will at some point. I just want them stopped for now. I am trying to read the archive to figure out how to use the filters better. I will be moving any other questions to the Junkmail list. Well one more. anyone have a list of good e - c a r d companys??? How can you tell the good bad and ugly apart. I would hate to look at spamviwer all day. Hmmm is there away to test something like this. I can't just forward John the email because it would then come from our domain. correct?? John Ask and ye shall receive. Please send on to [EMAIL PROTECTED] Thanks!! -- Best regards, ~Paul~mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] what does this mean?
No big deal, I don't think, but can someone tell me what this is in my virlog file? We're set up to level MID. 11/22/2002 06:13:59 Q117616cf0124f484 Warning: EOF in middle of MIME segment [] [---f8de0acee6fc52cf1ab9eab27] 11/22/2002 06:13:59 Q117616cf0124f484 Scanned: Virus Free [MIME: 2 3512] I know EOF, End Of File, right? I see several of these in the logs, but don't know if it's important, or just messed up e-mail. Thanks! Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] F-prot question
Scott, Is the ability there for F-prot to give you the NAME of the virus in the log? instead of Infected with a virus.? We have the Windows version running. Does F-Prot keep a log of useage by Declude with infections? I'd like to get some feel for what is coming in. Thanks! Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] world of difference!
good grief! what a difference F-prot made! Declude's working now! hoo-ray! It's nice to see no error messages popping up in the logs. LOL! way to go Scott, and thanks to everyone on this list who put up with me over the last week. I'm sure I'll have questions, but you people are the best! Paul --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] F-PROT
Ok, I've tossed Innoculan in favor of F-prot, about set to start Declude again, For users of F-prot, or Scott, what's the precautions to take going this route? Obviously disabling real time protector on install, but anyone else have any comments? Paul --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: SPAMCOP:Re: [Declude.Virus] Junk mail module.
Is it possible you have your client set to send HTML? This can screw up the confirmation. Paul Navarre -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mitch Irvine Sent: Thursday, October 10, 2002 4:28 PM To: [EMAIL PROTECTED] Subject: SPAMCOP:Re: [Declude.Virus] Junk mail module. here is the the email I got back after I reply to confirm sign up. Subject: Illegal IMail List Server Command! Date: Thu, 10 Oct 2002 13:17:15 -0400 Status: Normal From: [EMAIL PROTECTED] (List Server) IMail List Server for Windows NT, Ipswitch, Inc. Valid Commands are: To subscribe to a list, send a mail message to imailsrv at this address with the following in the body of the message: subscribe listname your_full_name To unsubscribe from a list, send a mail message to imailsrv at this address with the following in the body of the message: unsubscribe listname To receive a list of the lists supported here: list To receive a list of users on a given list (If enabled for that particular list): list listname To receive help send: help [listname] To change to digest mode, send a mail message to imailsrv at this address with the following in the body of the message: set mode digest listname To change back to standard mode, send a mail message to imailsrv at this address with the following in the body of the message: set mode standard listname I'm trying to sign up for that forum, I keep getting rejected emails.. Are you sending the message in the proper format (subscribe declude.junkmail Your Name)? Are you sending the E-mails to [EMAIL PROTECTED]? Are you responding to the confirmation E-mail? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] MacAfee kosher or not?
As a McAfee reseller, and by earlier threads, I had a long conversation with a senior licensing person at McAfee, and the synopsis is that in the usage of scanning incoming and outgoing e-mail messages REQUIRES a per mail box license. I was just looking at that thread. I had though there was a discussion on this in the past. Thanks for looking into the issue. I would like to know how much each box would be but I know I will never get that kind of funds sooo So since I will not go back with McAfee. What is next best thing for a second scanner? Is a second scanner really needed? Thanks, ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Scanner other then McAfee
Subject Change to Scanner other then McAfee was MacAfee kosher or not? I rather end that one. I am currently looking into Kaperseky and Command AV, plus a few others. Thanks let us know how it goes. What about Sophos? I guess I could try that one. I bet it cost I will let the list know. Or someone else been there done that. I am going to keep F-Prot works and it is the right price. Plus I think I have 10 or so copies left out of the 20 to use. LoL!! Still question is a secound scanner really that much better if you keep the first up dated? Only point I see is if one company has the geatest latest defs and the other does not. ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Copying all emails to / from domain
So Declude JunkMail can not be set to scan a specific domain's out-bound email? [EMAIL PROTECTED] Using the latest beta of Declude JunkMail, this might be possible. You could have a per-domain configuration set up for the domain, with a line CATCHALLMAILS COPYTO [EMAIL PROTECTED]. However, I believe this would only work for incoming mail -- I don't believe that it would work for outgoing mail. -Scott Is there a way, using Declude, to copy all emails to and from this one domain name to a single email address? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] W32/Frethem-Fam
Sheldon, Does the windows updater work for you? I should say reliably? I have found it does don't seem to work at all. I do use the scripts for the server and that works. F-Prot 3.12a ~Paul~ If you are using the DOS version, there are scripts available to check and download automatically. I use the Windows version and have it's own scheduler set to check every 6 hours for updates. They just do not have an update yet... Sheldon --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Footer
Is there a way to add the footer to only outgoing messages? I though this might be an easy way to put a company disclaimer in every out going email. Unless someone else has a better way. ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Another virus to skip notify
Would the notification emails be something like this: SKIPIFVIRUSNAMEHAS Magistr SKIPIFVIRUSNAMEHAS Kelz ONLYSENDIFREMOTESENDER From: postmaster@%LOCALHOST% To: postmaster@%SENDERHOST% Subject: Your mail server sent us a virus Or SKIPIFVIRUSNAMEHAS W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B ONLYSENDIFREMOTESENDER From: postmaster@%LOCALHOST% To: postmaster@%SENDERHOST% Subject: Your mail server sent us a virus Also would you need the whole name of the virus? I ask this because of the different variants either of the viruses itself or the way the AV reports the name. Would this list be good or if some one has a better one please post it. I have about 20 flaming emails from postmasters that say they are not infected. I would like to keep the email from going out to the wrong person. W32/Klez.h@MM W32/Klez.H@mm W32/Klez.gen@MM W32/Magistr.32768@mm W32/Magistr.b@MM W32/Magistr.28672@mm W32/Magistr.a@MM W32/Klez.E@mm W32/Klez.e@MM W32/Hybris.worm.B W32/Hybris.gen@MM -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Thursday, April 25, 2002 9:19 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Another virus to skip notify Now I don't know which address (nmiller or mmiller) Declude sends it's you sent a virus message to. Maybe Scott can answer that, but if it is the wrong address then sending that message to the sender could be skipped. Declude Virus sends to the return address (from the SMTP envelope), which in the case of Magistr is the altered address. So skipping the sender notification (adding SKIPIFVIRUSNAMEHAS Magistr to the sender.eml file) would be a good idea. -Scott --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Declude and F-Prot
Man I hate that. I can't put desktop AV here so Declude is it! They scream they have to have Hotmail then scream they have a virus. I love my job! Here come the men in white coats so I must go now! ~Paul~ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist Sent: Thursday, April 25, 2002 10:10 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Declude and F-Prot Is it possible that the user also has an alternative account where they cought the bug? (We have users who also insist on keeping hotmail or other accounts - that is until they get hit with one of these). _M | -Original Message- | From: [EMAIL PROTECTED] | [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rooth | Sent: Wednesday, April 24, 2002 6:53 PM | To: [EMAIL PROTECTED] | Subject: [Declude.Virus] Declude and F-Prot | | | | | | Jim Rooth | | I have a weird one here. Declude seems to be working fine | but here is the rub. It caught the Klez-H@mm coming into a | user and then it caught 30 instances of the user sending the | bug back out. | | Here are parts of both virus messages: | | The incoming message: | | Declude Virus v1.46 caught the W32/Klez.H@mm virus in | setup.exe from [EMAIL PROTECTED] to: [EMAIL PROTECTED] | | Date: 04/24/2002 16:34:54 | Subject:A funny game | Spool File: D24e701910028c05b.SMD | Remote IP: 65.120.133.104 | | X-Virus-Name: W32/Klez.H@mm | | Headers: | outgoing | 1 | | == | Received: from Ufbcjf [65.120.133.104] by centralfreight.com | (SMTPD32-7.07) id A4E71910028; Wed, 24 Apr 2002 16:34:31 -0500 | From: grahamb [EMAIL PROTECTED] | To: [EMAIL PROTECTED] | Subject: A funny game | MIME-Version: 1.0 | Content-Type: multipart/alternative; | boundary=CX572978I8I5KbuWk3K92VITP8tBiL8W0 | Message-Id: 200204241634640.SM01180@Ufbcjf | == | | One of 30 outgoing messages: | | Declude Virus v1.46 caught the W32/Klez.H@mm virus in | height.scr from [EMAIL PROTECTED] to: | [EMAIL PROTECTED] | | Date: 04/24/2002 16:59:02 | Subject:End banner ad | Spool File: D2a8902470028c447.SMD | Remote IP: 65.120.133.104 | | X-Virus-Name: W32/Klez.H@mm | | Headers: | outgoing | 1 | | == | Received: from Zpkjcp [65.120.133.104] by centralfreight.com | (SMTPD32-7.07) id AA892470028; Wed, 24 Apr 2002 16:58:33 -0500 | From: kwelch [EMAIL PROTECTED] | To: [EMAIL PROTECTED] | Subject: End banner ad | MIME-Version: 1.0 | Content-Type: multipart/alternative; | boundary=Y77k61j00V4C46C4209kEsR853Cf929jY | Message-Id: 200204241658843.SM01180@Zpkjcp | | Only thing I can figure is the virus was introduced by a | different mail account than ours. Perhaps hotmail, yahoo or | something similar. | | --- | Outgoing mail is certified Virus Free. | Checked by AVG anti-virus system (http://www.grisoft.com). | Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002 | | | --- | [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Another virus to skip notify
Thanks For the great product and A++ support!!! ~Paul~ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Thursday, April 25, 2002 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Another virus to skip notify Would the notification emails be something like this: SKIPIFVIRUSNAMEHAS Magistr SKIPIFVIRUSNAMEHAS Kelz Like this -- although I'd use Klez instead. :) SKIPIFVIRUSNAMEHAS W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B This way will not work. This will look for a virus that has W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B in the name, which won't occur. Also would you need the whole name of the virus? No, you do not. If there is a partial match, the notification will not get sent out. So Klez will cover all the Klez variants. That way, you don't have to worry about having to add a line for future variants. -Scott --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] Virus sent to one user alot
I have one user who has been sent a virus about 15 times today she is getting tired of the auto coming to her. What would be the best solution be. Ban the incoming IP with Imail rules? Oh the other postmaster for the address is not responding. It is the KLEZ.H so I know it is spoofing the Address so I can't really blame him. Can I? ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Huge amount of Klez going around?
I just ran VirusLog Analyzer this is what I have gotten today. We have around 300 users that's it. I looked at the last 7 days and each has been pretty heavy. Scott you are DMAN! Thanks for a great product Count= 72 Virus Name= the W32/Klez.h@MM virus !!! Count= 50 Virus Name= W32/Klez.H@mm Count= 21 Virus Name= the W32/Klez.gen@MM virus !!! Count= 2Virus Name= the W32/Magistr.b@MM virus !!! Count= 2Virus Name= W32/Magistr.32768@mm Count= 1Virus Name= W32/Klez.E@mm Count= 1Virus Name= the W32/Klez.e@MM virus !!! Count= 1Virus Name= the W32/Magistr.a@MM virus !!! Count= 1Virus Name= W32/Magistr.28672@mm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith Sent: Tuesday, April 23, 2002 3:38 PM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Huge amount of Klez going around? Anyone been seeing a huge amount of the Klez virus messages going around? We are a fairly small hosting company and we have had over 100 today. Usually just see around half dozen viruses a day. Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] Test
Test of list. Awful quite today? ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Test
Thanks and yes everything is working fine with Declude for me as usual. Yet there is usually some activity on this list. Which started I see with the update to F-Prot ver3.12. I have also updated my server and about 15 desktops and all seems fine. Thanks again, Paul -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff Sent: Thursday, March 21, 2002 2:52 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Test Maybe that means everything is working as intended. :-) John Tolmachoff IT Manager, Network Engineer 211 E. Imperial Hwy., Suite 106 Fullerton, CA 92835 714-578-7999, ext. 104 [EMAIL PROTECTED] www.reliancesoft.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Ingram Sent: Thursday, March 21, 2002 10:33 AM To: Declude. Virus Subject: [Declude.Virus] Test Test of list. Awful quite today? ~Paul~ --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] stray .smd files
I believe it comes with Imail. Information on it is on page 256 of the manual. Regards, Paul Paul W. Lucido www.GeekWithaBox.com 312-583-0084 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Jones, Jr. Sent: Tuesday, February 19, 2002 1:20 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] stray .smd files Where can I get a copy of that program? Thanks, Jim Jones, Jr. Partner OcuSafe, LLC www.ocusafe.com Attractive, Reliable, Affordable Protection. - Original Message - From: Paul W. Lucido [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 19, 2002 1:15 PM Subject: RE: [Declude.Virus] stray .smd files : I recommend using the the isplcln.exe utility. It will keep you \spool : directory clean, deleting files by how many days old they are. I schedule : mine to run nightly, deleting old log files and non-log files. : : Regards, : Paul : : Paul W. Lucido : www.GeekWithaBox.com : 312-583-0084 : [EMAIL PROTECTED] : : -Original Message- : From: [EMAIL PROTECTED] : [mailto:[EMAIL PROTECTED]]On Behalf Of Sharyn Schmidt : Sent: Tuesday, February 19, 2002 6:54 AM : To: [EMAIL PROTECTED] : Subject: [Declude.Virus] stray .smd files : : : Once again, browsing through my IMAIL spool directory, I see a bunch of : stray .smd files, all with the format Dxxx.smd. : : What are these? Are they created by Declude? Can they be deleted? They : date back to October of last year. : : Sheesh, never knew that spool directory had so much junk in it. : : Thanks, : : Sharyn Schmidt : Network Specialist : Florida Distillers Company : (863) 956-1116 x139 : : : : : We are the worldwide producer and marketer of the award winning Cruzan : Single Barrel Rum, judged Best in the World at the annual : San Francisco Wine and Spirits Championships, and the : artisan tequilas of Porfidio 100% Agave Tequilas, judged Best : Tequila four years running by the Wine Enthusiast magazine. For : more information, please click (go to) htmla : href=http://www.cruzanrums.com;http:///aa : href=http://www.cruzanrums;www.cruzanrums.com/a/html : --- : [This E-mail was scanned for viruses by Declude Virus : (http://www.declude.com)] : : This E-mail came from the Declude.Virus mailing list. To : unsubscribe, just send an E-mail to [EMAIL PROTECTED], and : type unsubscribe Declude.Virus. You can E-mail : [EMAIL PROTECTED] for assistance. You can visit our web : site at http://www.declude.com . : : --- : [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] : : This E-mail came from the Declude.Virus mailing list. To : unsubscribe, just send an E-mail to [EMAIL PROTECTED], and : type unsubscribe Declude.Virus. You can E-mail : [EMAIL PROTECTED] for assistance. You can visit our web : site at http://www.declude.com . : --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] v1.40 (beta) released
The PRESCAN line doesn't currently exist in my Global.cfg. I simply add it, anywhere I like, to the file, correct? I just upgraded Declude to this new released v1.40. Do I need to add the following options to my cfg file PRESCAN OFF Can I use this option. Do I have Declude Pro That will determine whether or not you pre-scan HTML files, which will save some CPU time. This only works in the Pro version, but you do have the Pro version. The default is OFF. FOOTER Will this add more CPU usage to my server This will add a small amount of extra CPU usage to the server. It will added a footer to the bottom of E-mail (which may not be visible in HTML E-mail or E-mail with attachments, however). The default is not to have the footer. DELETEVIRUSES OFF Do I need to use this option. I already quarantine viruses by default. This one depends on whether or not you want to delete the viruses. The default is OFF. DELIVERERRORS ON Declude is working fine for me. I never have any problems. Do I need to use this option I would not recommend changing that, then. The default is OFF. BANCRVIRUSES ON I am adding this option to to my cfg file. Do I need to re-run Declude.exe after making changes to my cfg file. No, you do not need to do anything after making the changes to the virus.cfg file. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] stray .smd files
You have two negatives in your question, which confuses me a little. I haven't tried using it with only one switch. I'm guessing it will work, only deleting non-log files. I recommend giving it a run it and finding out. Regards, Paul Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Jones, Jr. Sent: Tuesday, February 19, 2002 1:43 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] stray .smd files If I don't want to delete log files at all and I want to delete all other files that are over 5 days old is this the command I would use? isplcln -n 5 I guess my question is, does not specifying anything about the logs (using the -l switch) make the program not delete the logs? Thanks, Jim Jones, Jr. Partner OcuSafe, LLC www.ocusafe.com Attractive, Reliable, Affordable Protection. - Original Message - From: Paul W. Lucido [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 19, 2002 1:35 PM Subject: RE: [Declude.Virus] stray .smd files : I believe it comes with Imail. Information on it is on page 256 of the : manual. : : Regards, : Paul : : Paul W. Lucido : www.GeekWithaBox.com : 312-583-0084 : [EMAIL PROTECTED] : : -Original Message- : From: [EMAIL PROTECTED] : [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Jones, Jr. : Sent: Tuesday, February 19, 2002 1:20 PM : To: [EMAIL PROTECTED] : Subject: Re: [Declude.Virus] stray .smd files : : : Where can I get a copy of that program? : : Thanks, : : Jim Jones, Jr. : Partner : OcuSafe, LLC : www.ocusafe.com : Attractive, Reliable, Affordable Protection. : : - Original Message - : From: Paul W. Lucido [EMAIL PROTECTED] : To: [EMAIL PROTECTED] : Sent: Tuesday, February 19, 2002 1:15 PM : Subject: RE: [Declude.Virus] stray .smd files : : : : I recommend using the the isplcln.exe utility. It will keep you \spool : : directory clean, deleting files by how many days old they are. I schedule : : mine to run nightly, deleting old log files and non-log files. : : : : Regards, : : Paul : : : : Paul W. Lucido : : www.GeekWithaBox.com : : 312-583-0084 : : [EMAIL PROTECTED] : : : : -Original Message- : : From: [EMAIL PROTECTED] : : [mailto:[EMAIL PROTECTED]]On Behalf Of Sharyn Schmidt : : Sent: Tuesday, February 19, 2002 6:54 AM : : To: [EMAIL PROTECTED] : : Subject: [Declude.Virus] stray .smd files : : : : : : Once again, browsing through my IMAIL spool directory, I see a bunch of : : stray .smd files, all with the format Dxxx.smd. : : : : What are these? Are they created by Declude? Can they be deleted? They : : date back to October of last year. : : : : Sheesh, never knew that spool directory had so much junk in it. : : : : Thanks, : : : : Sharyn Schmidt : : Network Specialist : : Florida Distillers Company : : (863) 956-1116 x139 : : : : : : : : : : We are the worldwide producer and marketer of the award winning Cruzan : : Single Barrel Rum, judged Best in the World at the annual : : San Francisco Wine and Spirits Championships, and the : : artisan tequilas of Porfidio 100% Agave Tequilas, judged Best : : Tequila four years running by the Wine Enthusiast magazine. For : : more information, please click (go to) htmla : : href=http://www.cruzanrums.com;http:///aa : : href=http://www.cruzanrums;www.cruzanrums.com/a/html : : --- : : [This E-mail was scanned for viruses by Declude Virus : : (http://www.declude.com)] : : : : This E-mail came from the Declude.Virus mailing list. To : : unsubscribe, just send an E-mail to [EMAIL PROTECTED], and : : type unsubscribe Declude.Virus. You can E-mail : : [EMAIL PROTECTED] for assistance. You can visit our web : : site at http://www.declude.com . : : : : --- : : [This E-mail was scanned for viruses by Declude Virus : (http://www.declude.com)] : : : : This E-mail came from the Declude.Virus mailing list. To : : unsubscribe, just send an E-mail to [EMAIL PROTECTED], and : : type unsubscribe Declude.Virus. You can E-mail : : [EMAIL PROTECTED] for assistance. You can visit our web : : site at http://www.declude.com . : : : : --- : [This E-mail was scanned for viruses by Declude Virus : (http://www.declude.com)] : : This E-mail came from the Declude.Virus mailing list. To : unsubscribe, just send an E-mail to [EMAIL PROTECTED], and : type unsubscribe Declude.Virus. You can E-mail : [EMAIL PROTECTED] for assistance. You can visit our web : site at http://www.declude.com . : : --- : [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] : : This E-mail came from the Declude.Virus mailing list. To : unsubscribe, just send an E-mail to [EMAIL PROTECTED], and : type unsubscribe Declude.Virus. You can E-mail : [EMAIL PROTECTED] for assistance. You can visit our web : site at http://www.declude.com . : --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
[Declude.Virus] RE:Worked fine before I thought I would make it better.
Worked fine before I thought I would make it better. I went to setup two virus scanners McAfee as 1 and F-Prot as 2 and know I am not cathching anything. I sent a test from declude.com file eicar.zip which usally get caught. Also do both scanners report to the same log? And if so are you able to see which caught to virus. Here is a look at my config could some one help me out please LOGFILE D:\IMail\spool\declude_log\vir.log LOGLEVELMID CONSOLE OFF LOG_OK NONE # # SCANFILE is the location of the command-line virus scanner. Note that it # must include the full path. VIRUSCODE is the code that scanner returns if # it finds a virus. # SCANFILE C:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL/NOMEM/NOBEEP/NOBREAK/UNZIP/SILENT/NODDA/REPORT report.txt VIRUSCODE 13 REPORT1 Found SCANFILE C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 REPORT2Infection Paul Ingram CI Travel, IT Systems Analyst 888.461.0022 ext.826 mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] Re well i still can't seem to get it right
I changed the lines as you had in the email and still test virus comes through. So I take out the line and works fine. So here is a copy of the config again and the log with both scanners when it is not catching and a log with the original setup that works Paul Ingram CI Travel, IT Systems Analyst 888.461.0022 ext.826 mailto:[EMAIL PROTECTED] 01/31/2002 16:27:23 Qb6b92c8 Scanned: Error starting scanner 01/31/2002 16:27:38 Qb6c82c8 Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db6c82c8.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:27:38 Qb6c82c8 Scanned: Error starting scanner 01/31/2002 16:28:00 Qb6df2c8 Scanner 1: Virus=: EICAR test file NOT a virus. Attachment= [-858993460] 01/31/2002 16:28:00 Qb6df2c8 File(s) are INFECTED [13] 01/31/2002 16:28:00 Qb6df2c8 Scanned: CONTAINS A VIRUS [MIME: 2 594] 01/31/2002 16:28:00 Qb6df2c8 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] 01/31/2002 16:28:00 Qb6df2c8 Subject: Test eicar.com file [eicarzip] 01/31/2002 16:28:23 Qb6f6112 Scanner 1: Virus=: EICAR test file NOT a virus. Attachment=[BinHex Attachment] [1] 01/31/2002 16:28:23 Qb6f6112 Found a bogus .com file 01/31/2002 16:28:23 Qb6f6112 File(s) are INFECTED [13] 01/31/2002 16:28:24 Qb6f6112 Scanned: CONTAINS A VIRUS [BINHEX: 1 105] 01/31/2002 16:28:24 Qb6f6112 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] 01/31/2002 16:28:24 Qb6f6112 Subject: Test eicar.com file [eicarbinhex] 01/31/2002 16:21:42 Qb56325c Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db56325c.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:21:42 Qb56325c Scanned: Error starting scanner 01/31/2002 16:21:43 Qb56425c Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db56425c.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:21:43 Qb56425c Scanned: Error starting scanner 01/31/2002 16:21:43 Qb56428a Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db56428a.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:21:43 Qb56428a Scanned: Error starting scanner 01/31/2002 16:21:44 Qb56514e Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db56514e.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:21:44 Qb56514e Scanned: Error starting scanner 01/31/2002 16:22:09 Qb57e144 Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db57e144.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:22:09 Qb57e144 Scanned: Error starting scanner 01/31/2002 16:22:14 Qb58424e Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db58424e.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:22:14 Qb58424e Scanned: Error starting scanner 01/31/2002 16:22:22 Qb58c20a Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db58c20a.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:22:22 Qb58c20a Scanned: Error starting scanner 01/31/2002 16:22:33 Qb598346 Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db598346.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:22:33 Qb598346 Scanned: Error starting scanner 01/31/2002 16:22:36 Qb59b1f8 Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db59b1f8.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:22:36 Qb59b1f8 Scanned: Error starting scanner 01/31/2002 16:23:52 Qb5e60c8 Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db5e60c8.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:23:52 Qb5e60c8 Scanned: Error starting scanner 01/31/2002 16:24:04 Qb5f20d0 Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool\Db5f20d0.vir\); NOT SCANNING ATTACHMENTS! [3] 01/31/2002 16:24:04 Qb5f20d0 Scanned: Error starting scanner 01/31/2002 16:24:34 Qb61123a Your virus scanner DOES NOT EXIST (at C:\Progra~1\FSI\F-Prot2\F-Prot.exe /TYPE /SILENT /NOMEM/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt d:\Imail\spool
RE: MISSING_REVERSE_DNS:Re: [Declude.Virus] Re well i still can't seem to get it right
No I fixed all that in the working config Thanks Paul -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Marcel Sangers Sent: Thursday, January 31, 2002 4:45 PM To: [EMAIL PROTECTED] Subject: MISSING_REVERSE_DNS:Re: [Declude.Virus] Re well i still can't seem to get it right I think it's because there is an ENTER (/n,newline) in the virus command line!? --- Marcel --- - Original Message - From: Paul Ingram [EMAIL PROTECTED] To: Declude. Virus [EMAIL PROTECTED] Sent: Thursday, January 31, 2002 10:36 PM Subject: [Declude.Virus] Re well i still can't seem to get it right I changed the lines as you had in the email and still test virus comes through. So I take out the line and works fine. So here is a copy of the config again and the log with both scanners when it is not catching and a log with the original setup that works Paul Ingram CI Travel, IT Systems Analyst 888.461.0022 ext.826 mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] MY Party
Thanks!!! Just got it and stop 5 more within 10 min. Paul Ingram CI Travel, IT Systems Analyst 888.461.0022 ext.826 mailto:[EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Abbott Sent: Monday, January 28, 2002 12:34 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MY Party Paul, McAfee has issued an Extra.dat that contains the update for MYParty. It can be found and downloaded at http://vil.mcafee.com/dispVirus.asp?virus_k=99332#removal_instructions Michael Abbott [EMAIL PROTECTED] Network Administrator -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paul Ingram Sent: Monday, January 28, 2002 11:24 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] MY Party Does anyone no if McAfee is up to date on this? I am running engine 4.1.60 and Defs 4.0.4183 But I just got hit and now have users calling me a five mintues!!! Paul --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] FPROT
Thanks Scott! The windows version would not work but the DOS version works like a champ. Paul Ingram CI Travel, IT Systems Analyst 888.461.0022 ext.826 mailto:[EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Friday, January 18, 2002 9:46 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] FPROT Any ideas or thoughts? I would recommend just running the DOS version on a server. The Windows version isn't very server friendly (although I've never heard of it causing a BSOD). Windows AV programs need delve deep into the heart of the OS to do their dirty work (they need to intercept files while they are being written to the hard drive), whereas the DOS program is only called as needed, and just needs to read the file in a standard way. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude/McAfee] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Question on version
Question 1.) I purchased Declude around 01/2001 before the first split of Standard and Pro. So do I have the Pro now? 2.) I purchased a new services agreement 01/11/2001 so I will automatically get the new Pro? I would like to take a moment and thank Scott and Declude for the hard work and outstanding product. Thanks!! Paul Ingram CI Travel, IT Systems Analyst 888.461.0022 ext.826 mailto:[EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] BANnotify
Ummwhat happens to the email does it get deleted or is it sitting in file somewhere? I am assumeing it is in the \Imail\spool\virus(just looked it is) If this is the case then could still some how if need get the email delivered? Paul -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Monday, December 10, 2001 2:07 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] BANnotify Hey it doe work. All get same message but that's ok. This is what I did To: %ALLRECIPS%,%MAILFROM%,[EMAIL PROTECTED] Good work -- I didn't realize that could be done. -Scott --- [This E-mail was scanned for viruses by Declude Antiviral Software] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Declude v1.29 beta released
I wish that all of the software we use (as a web site hosting company) was support like Declude. I would have a lot more hair - and a lot more days off :) [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
RE: [Declude.Virus] New W32/Goner-A virus
You are right about F-Prot!!:) I just download and tried it again it it is now catching it. But as of 45min ago the defs on frisk.is where not cathching at least it didn't work here but all is rosey now:) Thanks, Paul -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Tuesday, December 04, 2001 2:52 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] New W32/Goner-A virus No F-Prot is not chaching it ..I have caught 68 since 2:15pm when a user called me to ask could the install this screen saver. I am caching by filtering the subject line and body text. I also tried Macfee and I didn't see an update for them yet either. Both McAfee and F-Prot *do* have updates. I've installed the F-Prot update and tested it against a copy we had received here, and it does work. Note that F-Prot's web site has a Last Updated date of 11/30, but the file is actually dated today. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] New W32/Goner-A virus
Cool thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Andy Schmidt Sent: Tuesday, December 04, 2001 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] New W32/Goner-A virus Nope - has nothing to do with boot disks. EXTRA.DATs contain protection against a particular new virus strain before the regular scheduled .DAT file update becomes available. It's been this way for the longest time and works with all current VirusScan family products. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paul Ingram Sent: Tuesday, December 04, 2001 02:54 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] New W32/Goner-A virus Is not the extra.dat only for the bootdisk for emergency recovery or did I look at that wrong? This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] REVDNS:Has anyone used F-Prot...
Does anyone use F-prot for workstations? For $2 a system I thought it might be worth looking into. Also if I go to F-Prot on my servers should I use the on demand scanner or just the command line part? Paul Ingram IT Systems Analyst CI Travel 1.888.461.0022 Ext:826 [EMAIL PROTECTED]
