Re: [Declude.Virus] Unknown virus warnings
I have not "activated" returncode 8 for F-prot in Declude yet because I wasn't sure if we would get to many false positives. Has anyone, or maybe f-prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many? I have had virus code 8 enabled for quite a while, I dont recall any false positives and I didnt have a problem with the latest bagle garbage. Better safe than sorry if you ask me. Rick Davidson National Systems Manager North American Title Group --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
I have been using Viruscode 8 for more than 6 months and have not received even 1 false positive, But my users are not a very large group and they most likely do not send a lot of attachments via email. I have taught them how to transfer files actually via ftp. DC -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Friday, October 29, 2004 11:27 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Unknown virus warnings > I have not "activated" returncode 8 for F-prot in Declude yet because > I wasn't sure if we would get to many false positives. Has anyone, or > maybe f-prot themselves, any info on that? Does returncode 8 generate > false positives and if so, how many? Bonno, I don't know how much false positives it would produce but I haven't never heard some customer complaining about it. Until this morning there was not more then 2 or 3 "Unknown Virus" warnings per day with 13000 processed messages/day. But in this case - if I have understand it right - it was very usefull to have viruscode 8 enabled. I've seen the first "Unknown virus" message this morning at 09:30 AM. F-prot has had updates ready 3 hours later. In the meantime there was an average of 10 Bagle.AP infected messages per minute - catched only with viruscode 8. Until I've discovered what's going on here (the "unknown virus" story) and adapted the virus.cfg file with appropriate BANNAME's there was a large number of messages that would be delivered without this setting. Imagine that the breakout happened at 09:30 GMT+1 So I was already at work. People in american timezones was at work when AV-companies has had updates but Mailservers are delivering messages also overnight... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
> I have not "activated" returncode 8 for F-prot in Declude yet > because I wasn't sure if we would get to many false > positives. Has anyone, or maybe f-prot themselves, any info > on that? Does returncode 8 generate false positives and if > so, how many? Bonno, I don't know how much false positives it would produce but I haven't never heard some customer complaining about it. Until this morning there was not more then 2 or 3 "Unknown Virus" warnings per day with 13000 processed messages/day. But in this case - if I have understand it right - it was very usefull to have viruscode 8 enabled. I've seen the first "Unknown virus" message this morning at 09:30 AM. F-prot has had updates ready 3 hours later. In the meantime there was an average of 10 Bagle.AP infected messages per minute - catched only with viruscode 8. Until I've discovered what's going on here (the "unknown virus" story) and adapted the virus.cfg file with appropriate BANNAME's there was a large number of messages that would be delivered without this setting. Imagine that the breakout happened at 09:30 GMT+1 So I was already at work. People in american timezones was at work when AV-companies has had updates but Mailservers are delivering messages also overnight... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Hi, > > I expect that we will change the code to treat these as > > forging, so SKIPIFFORGING would catch 'em. We could also add > > a separate SKIPIF... > > option just to detect these, just to be safe. > > I believe it would be usefull for all users of F-Prot with returncode 8 > enabled to avoid future uneccessary warnings send out if f-prot is fast > catching but not exact naming new virus variants. I have not "activated" returncode 8 for F-prot in Declude yet because I wasn't sure if we would get to many false positives. Has anyone, or maybe f-prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many? Groetjes, Bonno Bloksma Back up my hard drive? How do I put it in reverse? --- [E-mail scanned at tio.nl for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Markus, a third update now seems to detect ALL bagle variants. --- Franco Celli [EMAIL PROTECTED] - Original Message - From: "Markus Gufler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 29, 2004 2:34 PM Subject: RE: [Declude.Virus] Unknown virus warnings > > Now after renaming all .offline files back to .eml there are again some > NDR's. As Franco allready reported it seems that F-Prot up to now is not > catching 100% of Bagle.AP. So I've not removed the BANNAME's from my config > file and keept .offline the bannotify.eml file. > --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
> I expect that we will change the code to treat these as > forging, so SKIPIFFORGING would catch 'em. We could also add > a separate SKIPIF... > option just to detect these, just to be safe. I believe it would be usefull for all users of F-Prot with returncode 8 enabled to avoid future uneccessary warnings send out if f-prot is fast catching but not exact naming new virus variants. Now after renaming all .offline files back to .eml there are again some NDR's. As Franco allready reported it seems that F-Prot up to now is not catching 100% of Bagle.AP. So I've not removed the BANNAME's from my config file and keept .offline the bannotify.eml file. Comparing scan results in the vir logfile I can see that F-Prot up to now is catching only around 50% of what is catching Mcafee regarding Bagle.AP (or in Mcafee terms Bagle.bb) I'm not sure if Mcafee is catching all Bagle.bb's Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
Thanks for the clarrification. Is there anything we can do against this or would it be possible to have some fix for future releases? Something like SKIPIF... ISBLANK I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Just a note, the second update of F-PROT still does not detect all joke.* and price.* sign.def and sign2.def both with 10/29/2004 9.59 timestamp waiting for another update next few hours!? --- Franco Celli [EMAIL PROTECTED] --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Just a couple of thoughts...Maybe there is a limitation with strings that involve a space? Alternatively, maybe there was no name reported by the scanner, and this was just simply the value that Declude logged. Matt Markus Gufler wrote: Now the F-prot update is arrived also here. Catching it as Bagle.AP from 12:30 GMT+1 on. Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on. But I still can't understand what's happened with the "Unknown virus" string...? Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Franco Celli Sent: Friday, October 29, 2004 12:40 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Unknown virus warnings F-PROT updated (29/10) definitions detects them as Bagle.AP. --- Franco Celli [EMAIL PROTECTED] --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.Virus] Unknown virus warnings
> The problem is that F-Prot was detecting it as a "suspicious file" > (VIRUSCODE 8), but not reporting the virus name in the > report.txt file (since it did not detect a virus, it can't > know the name of it). As a result, the name of the virus was > left blank, but Declude Virus would show "Unknown Virus" > where ever you wanted to display the virus name (such as in > virus notifications). But for the SKIPIFVIRUSNAMEHAS option, > it was just seeing a blank string, so it was not seeing > "Unknown Virus". Thanks for the clarrification. Is there anything we can do against this or would it be possible to have some fix for future releases? Something like SKIPIF... ISBLANK Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
Now the F-prot update is arrived also here. Catching it as Bagle.AP from 12:30 GMT+1 on. Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on. But I still can't understand what's happened with the "Unknown virus" string...? The problem is that F-Prot was detecting it as a "suspicious file" (VIRUSCODE 8), but not reporting the virus name in the report.txt file (since it did not detect a virus, it can't know the name of it). As a result, the name of the virus was left blank, but Declude Virus would show "Unknown Virus" where ever you wanted to display the virus name (such as in virus notifications). But for the SKIPIFVIRUSNAMEHAS option, it was just seeing a blank string, so it was not seeing "Unknown Virus". -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
Now the F-prot update is arrived also here. Catching it as Bagle.AP from 12:30 GMT+1 on. Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on. But I still can't understand what's happened with the "Unknown virus" string...? Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Franco Celli > Sent: Friday, October 29, 2004 12:40 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.Virus] Unknown virus warnings > > F-PROT updated (29/10) definitions detects them as Bagle.AP. > > --- > Franco Celli > [EMAIL PROTECTED] > > --- > [Quipo ISP - Questa E-mail e' stata controllata dal programma > Declude Virus] [Quipo ISP - This E-mail was scanned for > viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
A new update (the second as 29/10) is available for F-PROT. With the first one, some samples remain undetected blocked only by BANEXT. --- Franco Celli [EMAIL PROTECTED] --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
F-PROT updated (29/10) definitions detects them as Bagle.AP. --- Franco Celli [EMAIL PROTECTED] --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
It seems that Declude is handling this "Unknown Virus" not with this string even if showed in the %VIRUSNAME% variable. In the Mailheader for other known viruses I can see X-Declude-Virus: Detected W32/[EMAIL PROTECTED] For this new virus comming in with price/joke.com/exe/cpl/scr attachments the same line is showed up as X-Declude-Virus: Detected . In the message header. So should we use "SKIPIFVIRUSNAMEHAS " And "FORGINGVIRUS " ? In the meantime I've renamed recip , sender_local and sender_remot.eml to .offline extensions to prevent wrong warnings. I've also added BANNAME price.com BANNAME price.scr BANNAME price.cpl BANNAME price.exe BANNAME joke.com BANNAME joke.scr BANNAME joke.cpl BANNAME joke.exe To the virus.cfg file but I'm not sure if this will prevent scanning and warnings of all this messages. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of E. Ballerini > Sent: Friday, October 29, 2004 11:52 AM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.Virus] Unknown virus warnings > > Franco Celli wrote: > > >Hi Markus, > >I have no idea, but our server is registering a peak of incoming > >messages, with above-normal banned cpl extension attachments > in virus folder. > > > > > According to F-secure it's the new Bagle virus: > > New Bagle variant, Bagle.AT, has been spotted in several > locations. It sends emails with a smiley ":)" as the message > body. Attachment filename starts with "Price" or "Joke" and > extension is COM, EXE, SCR or CPL. > > Erminio > > -- > Erminio Ballerini [EMAIL PROTECTED] http://www.scp.nl > Social and Cultural Planning Office (SCP) Department of Data > Services and Information Technology (I&A) > P.O. Box 16164 2500 BD Den Haag > Parnassusplein 5Den Haag > > > --- > [This E-mail has been scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Unknown virus warnings
Here is one of the messages causing such "Unknown virus" warnings == Received: from CAD22.com [217.199.28.13] by mail.zcom.it (SMTPD32-8.13) id A261113D008C; Fri, 29 Oct 2004 11:50:25 +0200 Date: Fri, 29 Oct 2004 11:53:40 +0100 To: "Watschinger" <[EMAIL PROTECTED]> From: "R.p.rustikal" <[EMAIL PROTECTED]> Subject: Re: Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="gstnxjmuytvkywgecqkl" X-Declude-Sender: [EMAIL PROTECTED] [217.199.28.13] X-Spam-Tests-Failed: None [0] X-Country-Chain: X-Note: Sent from [EMAIL PROTECTED] - ([217.199.28.13]) incoming. X-Note: Sent to [EMAIL PROTECTED] X-Declude-Virus: Detected . --gstnxjmuytvkywgecqkl Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit :)) --gstnxjmuytvkywgecqkl Content-Type: application/octet-stream; name="Price.exe" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Price.exe" == Seems to be a new Bagle variant but this is all very strange. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Franco Celli > Sent: Friday, October 29, 2004 11:39 AM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.Virus] Unknown virus warnings > > Hi Markus, > I have no idea, but our server is registering a peak of > incoming messages, with above-normal banned cpl extension > attachments in virus folder. > > --- > Franco Celli > [EMAIL PROTECTED] > > > - Original Message - > From: "Markus Gufler" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Friday, October 29, 2004 10:32 AM > Subject: [Declude.Virus] Unknown virus warnings > > > > Hi all, > > > > Today I can see a large number of non delivery reports > comming back to our > > server containing the original virus warning (recip.eml) > > > > This is the begin of our recip.eml file: > > === > > SKIPIFSENDER [Forged] > > SKIPIFVIRUSNAMEHAS Vulnerability > > SKIPIFVIRUSNAMEHAS MyDoom > > SKIPIFVIRUSNAMEHAS Netsky > > SKIPIFVIRUSNAMEHAS Bagle > > SKIPIFVIRUSNAMEHAS Unknown Virus > > ONLYSENDIFREMOTESENDER > > To: %ALLRECIPS% > > From: [EMAIL PROTECTED] > > > > ... > > > > === > > > > > > All returning NDR's are warnings about a "Unknown Virus" so I can't > > understand why they are send out because the according > SKIPIFVIRUSNAMEHAS > > line is there as we haven't changed any content of this > file in the last 3 > > weeks. > > > > NDR'S are comming back from all around the world. > > > > Any ideas? > > > > Markus > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus".The archives can be found > > at http://www.mail-archive.com. > > --- > > [Quipo ISP - Questa E-mail e' stata controllata dal > programma Declude > Virus] > > [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] > > > > > > --- > [Quipo ISP - Questa E-mail e' stata controllata dal programma > Declude Virus] > [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Franco Celli wrote: Hi Markus, I have no idea, but our server is registering a peak of incoming messages, with above-normal banned cpl extension attachments in virus folder. According to F-secure it's the new Bagle virus: New Bagle variant, Bagle.AT, has been spotted in several locations. It sends emails with a smiley ":)" as the message body. Attachment filename starts with "Price" or "Joke" and extension is COM, EXE, SCR or CPL. Erminio -- Erminio Ballerini [EMAIL PROTECTED] http://www.scp.nl Social and Cultural Planning Office (SCP) Department of Data Services and Information Technology (I&A) P.O. Box 16164 2500 BD Den Haag Parnassusplein 5Den Haag --- [This E-mail has been scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Hi Markus, I have no idea, but our server is registering a peak of incoming messages, with above-normal banned cpl extension attachments in virus folder. --- Franco Celli [EMAIL PROTECTED] - Original Message - From: "Markus Gufler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 29, 2004 10:32 AM Subject: [Declude.Virus] Unknown virus warnings > Hi all, > > Today I can see a large number of non delivery reports comming back to our > server containing the original virus warning (recip.eml) > > This is the begin of our recip.eml file: > === > SKIPIFSENDER [Forged] > SKIPIFVIRUSNAMEHAS Vulnerability > SKIPIFVIRUSNAMEHAS MyDoom > SKIPIFVIRUSNAMEHAS Netsky > SKIPIFVIRUSNAMEHAS Bagle > SKIPIFVIRUSNAMEHAS Unknown Virus > ONLYSENDIFREMOTESENDER > To: %ALLRECIPS% > From: [EMAIL PROTECTED] > > ... > > === > > > All returning NDR's are warnings about a "Unknown Virus" so I can't > understand why they are send out because the according SKIPIFVIRUSNAMEHAS > line is there as we haven't changed any content of this file in the last 3 > weeks. > > NDR'S are comming back from all around the world. > > Any ideas? > > Markus > > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] > [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] > > --- [Quipo ISP - Questa E-mail e' stata controllata dal programma Declude Virus] [Quipo ISP - This E-mail was scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.