RE: [Declude.Virus] 1.28 - Sender Notification
>1. >> For the Badtrans.B that just came out, the ones we have seen all have >a "_" before the From: address << > >Yes - I have seen those two - but I've also see the following style header >at least TWICE. As you can see - the FROM header appears to have a valid >email address, but the envelope FROM was identical to the "To" user. OK, I'll see if we can add an option to let you choose which address to send to. >2. >> The %ALLRECIPS% option should show the recipients from the SMTP >envelope (the actual addresses that were used to send the mail to). If >using the new "SWITCHRECIPS" option, this behavior could vary. << > >Yes, I HAD to use this option to avoid incorrect notifications in the >JUNKMAIL feature. Then you're stuck. The SWITCHRECIPS option was added for cases where per-user and per-domain options needed to be done based on the actual recipient, rather than the intended recipient. In that case, Declude only uses the actual recipient rather than the intended recipient. One of the side-effects of having Declude use the actual recipient is that %ALLRECIPS% will show the actual recipient(s). >I definitely have see a sender notification forwarded to me which showed >BOTH the original and the intended email address. That may be a glitch with the SWITCHRECIPS option (it's still in beta). -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] 1.28 - Sender Notification
Hi Scott: 1. >> For the Badtrans.B that just came out, the ones we have seen all have a "_" before the From: address << Yes - I have seen those two - but I've also see the following style header at least TWICE. As you can see - the FROM header appears to have a valid email address, but the envelope FROM was identical to the "To" user. Received: from aol.com [172.183.212.19] by mail.webhost.hm-software.com (SMTPD32-7.04) id A490B5A02D0; Mon, 26 Nov 2001 08:33:04 -0500 From: "Linda" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="_ABC1234567890DEF_" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 Message-Id: <[EMAIL PROTECTED]> --_ABC1234567890DEF_ Content-Type: multipart/alternative; boundary="_ABC0987654321DEF_" --_ABC0987654321DEF_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable cid:EA4DMGBP9p height=3D0 width=3D0> --_ABC0987654321DEF_-- --_ABC1234567890DEF_ Content-Type: audio/x-wav; name="SETUP.DOC.scr" ... virus follows 2. >> The %ALLRECIPS% option should show the recipients from the SMTP envelope (the actual addresses that were used to send the mail to). If using the new "SWITCHRECIPS" option, this behavior could vary. << >> >b) ALLRECIPS should only show the ORIGINAL recipient << >>It should be working like that. << Yes, I HAD to use this option to avoid incorrect notifications in the JUNKMAIL feature. I definitely have see a sender notification forwarded to me which showed BOTH the original and the intended email address. I did check the headers and the SMTP conversation - and I did not see TWO "TO" addresses being submitted. So I don't believe it's working like that, at least if SWITCHRECEIPTS is turned on for the JUNKMAIL option. 3. >> Declude doesn't ever look at the "From:" header in the E-mail. << Well - at least Declude Junkmail does, otherwise it could't have all those BADHEADER and SPAMHEADER and SPAMROUTING tests. Best Regards Andy Schmidt H&M Systems Software, Inc. 600 East Crescent Avenue Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.hm-software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Tuesday, November 27, 2001 01:32 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] 1.28 - Sender Notification >The BADTRANS virus uses different "FROM:" data in the message envelope (from >the SMTP conversation) vs. what's in the SMTP "From:" headers. I've had >several people who seemingly got mail from themselves (e.g., the FROM in the >envelope was my customer, so was the TO.) However, in EACH case, the SMTP >"From:" header contained a different person's email address. For the Badtrans.B that just came out, the ones we have seen all have a "_" before the From: address (IE "From: <_username..." rather than "From: Furthermore, it was confusing, because the %ALLRECIPS% seems to show BOTH >the original recipient AND the ultimate recipient - something that my >clients do NOT wish to publish. The %ALLRECIPS% option should show the recipients from the SMTP envelope (the actual addresses that were used to send the mail to). If using the new "SWITCHRECIPS" option, this behavior could vary. >Thus - I have the following suggestions: > >a) if SENDER and RECIPIENT are one and the same - don't send TWO >notifications. Suppress the SENDER notification. That's something we will look into. >b) ALLRECIPS should only show the ORIGINAL recipient It should be working like that. >c) There should be a way to show the ENVELOPE "from" and the HEADER "from" - >and there should be a way to notify EITHER - IF they are different! Declude doesn't ever look at the "From:" header in the E-mail. The envelope MAIL FROM is that address that "bounce" messages should be going to. The "From:" in the E-mail headers is less likely to be correct. But, this is something we will also look into. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] 1.28 - Sender Notification
>The BADTRANS virus uses different "FROM:" data in the message envelope (from >the SMTP conversation) vs. what's in the SMTP "From:" headers. I've had >several people who seemingly got mail from themselves (e.g., the FROM in the >envelope was my customer, so was the TO.) However, in EACH case, the SMTP >"From:" header contained a different person's email address. For the Badtrans.B that just came out, the ones we have seen all have a "_" before the From: address (IE "From: <_username..." rather than "From: Furthermore, it was confusing, because the %ALLRECIPS% seems to show BOTH >the original recipient AND the ultimate recipient - something that my >clients do NOT wish to publish. The %ALLRECIPS% option should show the recipients from the SMTP envelope (the actual addresses that were used to send the mail to). If using the new "SWITCHRECIPS" option, this behavior could vary. >Thus - I have the following suggestions: > >a) if SENDER and RECIPIENT are one and the same - don't send TWO >notifications. Suppress the SENDER notification. That's something we will look into. >b) ALLRECIPS should only show the ORIGINAL recipient It should be working like that. >c) There should be a way to show the ENVELOPE "from" and the HEADER "from" - >and there should be a way to notify EITHER - IF they are different! Declude doesn't ever look at the "From:" header in the E-mail. The envelope MAIL FROM is that address that "bounce" messages should be going to. The "From:" in the E-mail headers is less likely to be correct. But, this is something we will also look into. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] 1.28 - Sender Notification
Hi: The BADTRANS virus has uncovered a few shortcomings that we could improve with Declude Virus. I am enclosing my current SENDER.EML file. The BADTRANS virus uses different "FROM:" data in the message envelope (from the SMTP conversation) vs. what's in the SMTP "From:" headers. I've had several people who seemingly got mail from themselves (e.g., the FROM in the envelope was my customer, so was the TO.) However, in EACH case, the SMTP "From:" header contained a different person's email address. Furthermore, it was confusing, because the %ALLRECIPS% seems to show BOTH the original recipient AND the ultimate recipient - something that my clients do NOT wish to publish. Thus - I have the following suggestions: a) if SENDER and RECIPIENT are one and the same - don't send TWO notifications. Suppress the SENDER notification. b) ALLRECIPS should only show the ORIGINAL recipient c) There should be a way to show the ENVELOPE "from" and the HEADER "from" - and there should be a way to notify EITHER - IF they are different! Best Regards Andy Schmidt H&M Systems Software, Inc. 600 East Crescent Avenue Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.hm-software.com/ -Original Message- From: [EMAIL PROTECTED] To: %MAILFROM% Subject: Our Virus Firewall has Rejected Your Email! Argos Networks' Virus Firewall has rejected an %INOROUT% message sent by %MAILFROM% to: %ALLRECIPS%. The message with the subject of "%SUBJECT%" carried a virus: File: "%VIRUSFILE%" Result: Found%VIRUSNAME% For more information see http://vil.mcafee.com/. Please note that many viri will send automated messages to every person in your address book, even without your knowledge. This is how they propagate themselves and it explains why you may not recall to ever having sent such a message. Other viri attach themselves to any email formatted in "HTML" format. In that case you have to resend your message in "PLAIN TEXT" format. Consult your email software on how to send messages in "PLAIN TEXT". If the virus was embedded in a document attachment, then try saving or exporting your orgininal document to a generic format that does not include macro code. E.g., instead of saving your documents in MS-WORDS format, save your documents in "RTF" format before attaching it to your email. This will exclude any hidden macro virus. Ultimately, you are advised to urgently install (or upgrade) a virus scanning software to identify the specific virus on your system and to avoid further complications. It may also be appropriate for you to notifiy other persons in your address book and warn them about possible infections by any past email originating from your PC. TRACKING INFORMATION Your Server: %REMOTEHOST% for %SENDERHOST% Message ID:%MSGID% Our Server:%LOCALHOST% for %RECIPHOST% Queue ID: %QUEUENAME% For security reasons, you cannot respond to this email directly. If you need to contact us, please compose a new message addressed to [EMAIL PROTECTED] Sincerely, Argos Networks http://www.ArgosWeb.net/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] 1.28
>Does 1.28 include the option to only send to local rcpt ? Where do I get the >info / instructions ? Yes, actually, it does. You can add "ONLYSENDIFLOCALRECIPIENT" as the first line on any of the .eml files, and Declude will only send the notification if the recipient is a local user of yours. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] 1.28
Does 1.28 include the option to only send to local rcpt ? Where do I get the info / instructions ? Thanks - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, November 02, 2001 8:02 PM Subject: Re: [Declude.Virus] 1.28 > > >Any word on when the full release of 1.28 will happen? > > v1.28 has been released, and is a beta version. > > The way our releases work is that we come out with new releases typically > every few weeks on average, and either label them as betas or public releases. > > Sometimes, after a beta version has proven to be stable, we'll just > re-label it as a public release (IE if 1.28 proves to be stable, and we > don't have any new features to add to it, it could become the next public > release). Other times, we come out with a new version number for the > public release. > > Another thing that is different about our beta cycle is that we don't add a > ton of new features in one release, and then spend a bunch of new releases > fixing the bugs. We'll typically add a few new features to each of the > beta releases, while fixing bugs at the same time. >-Scott > > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". You can E-mail > [EMAIL PROTECTED] for assistance. You can visit our web > site at http://www.declude.com . > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] 1.28
>Any word on when the full release of 1.28 will happen? v1.28 has been released, and is a beta version. The way our releases work is that we come out with new releases typically every few weeks on average, and either label them as betas or public releases. Sometimes, after a beta version has proven to be stable, we'll just re-label it as a public release (IE if 1.28 proves to be stable, and we don't have any new features to add to it, it could become the next public release). Other times, we come out with a new version number for the public release. Another thing that is different about our beta cycle is that we don't add a ton of new features in one release, and then spend a bunch of new releases fixing the bugs. We'll typically add a few new features to each of the beta releases, while fixing bugs at the same time. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] 1.28
Scott, Any word on when the full release of 1.28 will happen? Thanks, Craig. This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .