Re: DUL: Re: [Declude.Virus] v1.15 Released
So, in the case of Imail with a real mail server (MX10 name) and a virtual server: 1) the new variables of senderhost and reciphost will reflect the real mail server; and, 2) the existing variables of localhost and remotehost will reflect the virtual server. Correct?

At 10:59 AM 3/15/01 -0500, you wrote:
>> What is the difference between %REMOTEHOST% vs %SENDERHOST% and between %RECIPHOST% vs %LOCALHOST%
>
> %LOCALHOST% and %REMOTEHOST% are a local domain on your IMail server, and a remote domain. These come from the To/From addresses, and could be either from the sender or recipient. They determine which domain of yours was used, and what the remote domain was (regardless of whether the E-mail is going to the remote domain or coming from it).
>
> The %SENDERHOST% and %RECIPHOST% variables are the domain that the sender of the E-mail is from, and the domain the recipient is from.
>
> As an example, if I send an E-mail from "[EMAIL PROTECTED]" to "[EMAIL PROTECTED]" ("declude.com" being a local domain here), you would have:
>
> %LOCALHOST% = declude.com
> %REMOTEHOST% = list.ipswitch.com
> %SENDERHOST% = declude.com
> %RECIPHOST% = list.ipswitch.com
>
> On the other hand, if "[EMAIL PROTECTED]" sends an E-mail to "[EMAIL PROTECTED]", you would see:
>
> %LOCALHOST% = declude.com
> %REMOTEHOST% = list.ipswitch.com
> %SENDERHOST% = list.ipswitch.com
> %RECIPHOST% = declude.com
>
> -Scott

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate

[ This E-mail came from the Declude.Virus mailing list. To ]
[ unsubscribe, just send an E-mail to [EMAIL PROTECTED], and ]
[ type "unsubscribe Declude.Virus yourname". You can E-mail ]
[ [EMAIL PROTECTED] for assistance. You can visit our web ]
[ site at http://www.declude.com . ]
[Declude.Virus] BANnotify.EML
Does BANnotify.EML get sent to the intended recipients or to the sender? The example of BANnotify.EML doesn't show a from or to address. Are these addresses configurable, like with the other templates?

Thanks,
Don Brown
[Declude.Virus] TempDir
Scott,

What is the advantage, if any, of specifying a Temporary directory for AV to scan files? They are scanned in the spool directory by default, aren't they?

Thanks,
Don Brown
Re: [Declude.Virus] Declude v1.30 released (beta) Delete Virus
Yes. DELETEVIRUSES ON is in the config file. Well, I was wrong. It is e-mail with banned attachments which is being quarantined. Can you add a similar config option to delete them, as well?

At 09:33 PM 12/20/01 -0500, you wrote:
>> It looks like 1.30 broke the Delete Virus option. The virus files are going to the virus directory, instead of being deleted.
>
> It's working here. Do you have a line:
>
> DELETEVIRUSES ON
>
> in the \IMail\Declude\virus.cfg file?
>
> If you don't have that line, you can use the Declude debug mode to help track down the problem. To do this, change the LOGLEVEL LOW line in the virus.cfg file to LOGLEVEL DEBUG. Then, send the test eicar.com file through, and then switch back to LOGLEVEL LOW. You can then send me the \IMail\Declude\vir.log file, and I can take a look at it to see what the problem is.
>
> -Scott

Don Brown
Re: MISSING_REVERSE_DNS:Re: [Declude.Virus] Kudos from Customers!!
No. That is not what it means. We notify the intended recipient (and include the headers) whenever we catch a virus or quarantine an e-mail and attachment. Both the email and the attachment are quarantined.

Wednesday, January 30, 2002, 1:38:26 PM, gf [EMAIL PROTECTED] wrote:
g> Do you mean that is it possible to quarantine just the attachments and let the message to be delivered?
g> If yes how can I apply this function?
g> Thank you
g> Giuseppe

g> ----- Original Message -----
g> From: Don Brown [EMAIL PROTECTED]
g> To: [EMAIL PROTECTED]
g> Sent: Wednesday, January 30, 2002 8:14 PM
g> Subject: [Declude.Virus] Kudos from Customers!!

>> I just thought I would share this with the group. It is little things like this that can really make my day.
>>
>> Below is one, of many, unsolicited kudos from customers, which is a direct result of running Declude. This one is particular to quarantining attachments, which helped us block the new party virus until the virus companies had identified it and incorporated its signature into the definition file.
>>
>> Not 2 or 3 hours ago Mark and I talked about how we appreciated the service you provide in helping guard against viruses. You do what you think is best. Thanks again

Don Brown
[Declude.Virus] Problem with FreeMail
Why did these get a Freemail weight of 4?

01/30/2002 15:24:40 Q6475032 BADHEADERS:4 SPAMHEADERS:4 nFREEMAIL:4 . Total weight = 12
01/30/2002 15:24:40 Q6475032 Msg failed WEIGHT10 (Weight of 12 exceeds the limit of 10.).
01/30/2002 15:24:40 Q6475032 Subject: omain Transfer Request for xxx
01/30/2002 15:24:40 Q6475032 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
01/30/2002 15:24:40 Q6475032 Message FAILED: Deleting message!
01/30/2002 15:24:41 Q6475148 BADHEADERS:4 SPAMHEADERS:4 nFREEMAIL:4 . Total weight = 12
01/30/2002 15:24:41 Q6475148 Msg failed WEIGHT10 (Weight of 12 exceeds the limit of 10.).
01/30/2002 15:24:41 Q6475148 Subject: omain Transfer Request for xxx
01/30/2002 15:24:41 Q6475148 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
01/30/2002 15:24:41 Q6475148 Message FAILED: Deleting message!

Global Config:
FREEMAIL fromfile x:\imail\declude\freemail.lst x x 4 0

FreeMail.lst:
@yahoo.com
@hotmail.com
@excite.com

Running Version 1.35

Thanks,
Don Brown
[Declude.Virus] DELIVERERRORS
Scott,

Does DELIVERERRORS apply to incoming mail, outgoing mail or both incoming and outgoing?

Does this variable have any impact upon a scanner time-out?

Thanks,
Don Brown
Re: [Declude.Virus] korea.services.net blacklist
What a great idea! Spam routing works great, too.

Tuesday, August 13, 2002, 8:31:26 PM, R. Scott Perry [EMAIL PROTECTED] wrote:
>> I think I'm OT here .. but I don't think I'm subscribed to the Junkmail list. Is there a separate one?

RSP> Yes -- you can send an E-mail to [EMAIL PROTECTED] with subscribe declude.junkmail your name in the body to subscribe.

>> Either way, is anyone using korea.services.net for an RBL? By the sounds of it, it's pretty much every ARIN block registered in korea. It might be alright for a weighted rule .. any success or deny stories to tell?

RSP> FWIW, we're working on an automatic IP-country lookup in Declude JunkMail that would allow for weighting based on countries the E-mail passed through.
RSP> -Scott

Don Brown

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Manifest
Hi Scott,

I like the idea of an e-mail notification when a dangerous attachment is quarantined and when a virus is killed. They remind the customers of the services we are providing them. However, these notifications became a significant impact during the recent outbreak and now, I'm wondering about the possibility of incorporating a daily manifest, as an option.

Do you think that a manifest option is a possibility for the future?

Thanks,
Don Brown
[Declude.Virus] Mime Segments
Over the last few days, the majority (about 98%) of entries in our Virus log look like this:

11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse

Could it be true that 98%+ of our inbound traffic has too many mime levels?

We're running Declude PRO 1.76i9, F-Prot 3.14b under W2k3 Server, web edition.

Any ideas?

Thanks,
Don Brown
Re: [Declude.Virus] Log error with latest interim release
You might want to use the 32b version of the scanner, as well.

# F-PROT - 1st scanner
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1 Infection:

Thursday, March 18, 2004, 9:57:41 AM, R. Scott Perry [EMAIL PROTECTED] wrote:
>> We have been running the latest interims for a couple of weeks (since the EZIP stuff came out). We are seeing the following error in the virus logs:
>>
>> 03/18/2004 07:25:33 Qa32252df006a099c Could not find parse string Infection: in report.txt
>> 03/18/2004 07:25:33 Qa32252df006a099c Error 8 in virus scanner 1.
>> 03/18/2004 07:25:33 Qa32252df006a099c Scanned: Error in virus scanner. [MIME: 3 23481]

RSP> That is normal. The Error 8 indicates that F-Prot detected a suspicious file, in which case it will not know the name of the virus (since it didn't detect one).

>> We have f-prot 3.14e and Declude v1.78i27. Running on Imail 7.15. Here is the Scan line from the virus.cfg:
>>
>> SCANFILE C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /SERVER /REPORT=report.txt

RSP> The /SERVER is not recommended, and will cause the Error 8's.
RSP> -Scott

Don Brown
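The check discussed in this message, as an added example (not Declude's code and not posted by anyone in the thread): it reads the virus.cfg scanner directives, flags the /SERVER switch the reply advises against, and counts which messages hit which scanner error code in vir.log. It assumes the directive and log layouts are exactly as quoted above and that an unnumbered SCANFILE refers to scanner 1; all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples. The directives and the first three log lines are the
# ones quoted in the message above (SCANFILE whitespace restored); the last
# two log lines are made up so that more than one message and code appear.
CFG_SUGGESTED = r"""
# F-PROT - 1st scanner
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1 Infection:
"""
CFG_REPORTED = r"""
SCANFILE C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /SERVER /REPORT=report.txt
"""
VIR_LOG = """\
03/18/2004 07:25:33 Qa32252df006a099c Could not find parse string Infection: in report.txt
03/18/2004 07:25:33 Qa32252df006a099c Error 8 in virus scanner 1.
03/18/2004 07:25:33 Qa32252df006a099c Scanned: Error in virus scanner. [MIME: 3 23481]
03/18/2004 07:26:02 Qb00000000000000a Error 8 in virus scanner 1.
03/18/2004 07:27:10 Qb00000000000000b Error 2 in virus scanner 1.
"""

DIRECTIVE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d*)\s+(.*\S)\s*$")
LOG_LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (Q[0-9A-Fa-f]+) (.*)$")
SCAN_ERROR = re.compile(r"^Error (\d+) in virus scanner (\d+)\.?$")
# Switches the thread advises against; /SERVER is the only one it names.
DISCOURAGED = {"/SERVER"}


def parse_cfg(text):
    """Return {scanner number: {"cmd", "codes", "report"}} from virus.cfg text."""
    scanners = defaultdict(lambda: {"cmd": None, "codes": set(), "report": None})
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.strip())
        if not m:  # blank lines, comments, unrelated directives
            continue
        name, num, value = m.groups()
        entry = scanners[int(num or 1)]  # assumption: no number means scanner 1
        if name == "SCANFILE":
            entry["cmd"] = value
        elif name == "VIRUSCODE" and value.isdigit():
            entry["codes"].add(int(value))
        elif name == "REPORT":
            entry["report"] = value
    return dict(scanners)


def flagged_switches(scanners):
    """List (scanner number, switch) for each discouraged command-line switch."""
    found = []
    for num in sorted(scanners):
        words = (scanners[num]["cmd"] or "").upper().split()
        found += [(num, w) for w in words[1:] if w in DISCOURAGED]
    return found


def scanner_errors(log_text):
    """Map (scanner number, error code) to the sorted queue IDs that logged it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        err = SCAN_ERROR.match(m.group(2)) if m else None
        if err:
            hits[(int(err.group(2)), int(err.group(1)))].add(m.group(1))
    return {key: sorted(ids) for key, ids in hits.items()}


def triage(cfg_text, log_text):
    """Rows of (scanner, error code, message count, discouraged switch set?)."""
    flagged = {num for num, _ in flagged_switches(parse_cfg(cfg_text))}
    return [(num, code, len(ids), num in flagged)
            for (num, code), ids in sorted(scanner_errors(log_text).items())]


if __name__ == "__main__":
    for row in triage(CFG_REPORTED, VIR_LOG):
        print("scanner %d: error %d on %d message(s), /SERVER set: %s" % row)
```
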
Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address
Get a command prompt and type "ipconfig" (without the quotes) and a carriage return.

To get a command prompt, Select Start/Run and type "CMD" (without the quotes) in the box and click the ok button.

If you need to change the IP address, then Select Start/Settings/Network Connections. Select something other than make a new network connection. Next, click properties, choose Internet Protocol (TCP/IP) and click Properties. You should be able to find your way around from there.

HTH

Thanks,

Sunday, May 23, 2004, 12:05:12 PM, Jeff Pereira [EMAIL PROTECTED] wrote:
JP> Windows..sorry I left that out.
JP>
JP> jeff

JP> ----- Original Message -----
JP> From: Rich
JP> To: [EMAIL PROTECTED]
JP> Sent: Sunday, May 23, 2004 11:57 AM
JP> Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

JP> What OS?

JP> ----- Original Message -----
JP> From: Jeff Pereira
JP> To: [EMAIL PROTECTED]
JP> Sent: Sunday, May 23, 2004 8:22 AM
JP> Subject: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

JP> Sorry for the OT post, but I am in need of help.
JP>
JP> I have a piece of equipment that I inherited that was assigned a fixed IP address, but I do not know what it is.
JP>
JP> I am pretty sure that there is a way to determine the IP by way of the MAC address, but I am unable to figure out how.
JP>
JP> Any help will be appreciated.
JP>
JP> jeff

Don Brown
[Declude.Virus] F-Prot 3.15b break Declude Virus?
I read the thread about this, but I didn't determine the final conclusion.

Does F-Prot 3.15b break Declude virus?

Don Brown
Re: [Declude.Virus] Declude and Linux?
Both have merit and there is a place for both, AFAIC. They don't have to agree or even like each other, as long as each product just works :-)

Wednesday, March 30, 2005, 4:05:48 PM, Dan Horne [EMAIL PROTECTED] wrote:
DH> I'd definitely like to see Declude plug into postfix. But then wouldn't that be kind of like Len and Scott holding hands? ~Shudder~

DH> -----Original Message-----
DH> From: [EMAIL PROTECTED]
DH> [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
DH> Sent: Wednesday, March 30, 2005 4:52 PM
DH> To: Declude.Virus@declude.com
DH> Subject: Re: [Declude.Virus] Declude and Linux?

DH> That is definitely in the stack of cards, Jeff. But we cannot yet project a release date. We will, however, keep you informed as we get closer to formulating that project. We would be interested in hearing any input you would care to provide, such as: your Linux platform, the mail server(s) you would like to see targeted, etc.

DH> David Franco-Rocha

DH> ----- Original Message -----
DH> From: Jeff Kratka [EMAIL PROTECTED]
DH> To: Declude.Virus@declude.com
DH> Sent: Wednesday, March 30, 2005 4:29 PM
DH> Subject: [Declude.Virus] Declude and Linux?

>> Will there be a version of Declude for Linux?
>>
>> Jeff Kratka
>> TymeWyse Internet
>> P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
>> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

Don Brown
Re: [Declude.Virus] Update
Wednesday, May 25, 2005, 3:42:59 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

[SNIP]

BD> Customer Information

BD> We have migrated a large portion of our customer accounts from the older system. The majority of customers can now view their Host information at the foot of the 'My Account' page on www.declude.com. Please review it and let us know of any discrepancies, missing hosts, wrong names, etc.

BD> Barry

Merchant Card Service is listed on our account, but they should have their own account. We sold the initial product to them, but we will not be involved in maintenance.

Don Brown
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thursday, August 11, 2005, 10:50:32 PM, Matt [EMAIL PROTECTED] wrote:
M> David,

M> With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.

Which ones have you turned off and what is the syntax to use?

Don Brown
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thanks.

Friday, August 12, 2005, 9:47:16 AM, Matt [EMAIL PROTECTED] wrote:
M> Here's what I turned off:

M> ALLOWVULNERABILITYOLCR
M> ALLOWVULNERABILITYOLSPACEGAP
M> ALLOWVULNERABILITYOLMIMESEGMIMEPRE
M> ALLOWVULNERABILITYOLMIMESEGMIMEPOST
M> ALLOWVULNERABILITYOLLONGFILENAME
M> ALLOWVULNERABILITYOLBLANKFOLDING
M> ALLOWVULNERABILITYOBJECTDATA
M> ALLOWVULNERABILITYOLBOUNDARYSPACEGAP

M> This only works with 2.0.6.14+. There are more that are listed when you log into your account on declude.com and go to the page for 2.0.6.16. All of the above were producing repeated false positives from multiple sources, and ones like OLCR were especially problematic.

M> Matt

M> Don Brown wrote:
>> Which ones have you turned off and what is the syntax to use?

Don Brown
Re: [Declude.Virus] Virus Config Update
Wednesday, November 23, 2005, 2:55:34 PM, David Barker [EMAIL PROTECTED] wrote:

Snip

DB> The complete SCANFILE config would be something like this:

DB> SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC

Is it avgscan.exe or avg.exe in the above for the 32 bit scanner?

Snip

DB> David B
DB> www.declude.com

Don Brown
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Instead of doing something like that, which will require on-going, hands-on maint, why not just tag to hold those which are identified by the scanner as suspicious or generic and delete the rest?

Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler [EMAIL PROTECTED] wrote:
MG> Maybe someone has already requested it:

MG> Why not allow commands like

MG> DELETEVIRUSNAME Netsky
MG> DELETEVIRUSNAME Bagle
MG> ...

MG> in the virus.cfg file?

MG> I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as suspicious or generic

MG> But commands to delete certain virusnames should be very easy to implement and allow us to eliminate 95% of all hold viruses on our servers.

MG> Markus

Don Brown
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew [EMAIL PROTECTED] wrote:

CA> [SNIP]

CA> Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM to cut down on the work, and this definitely leaves a gap in my statistics. Similarly, it follows that I wouldn't want to scan my whole SPAM folder. Even reading the directory of the filenames is a disk workout.

[SNIP]

How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

Don Brown
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
As a practical matter, about what percent fall into the category of the Virus Scanner making a false positive? IOW, aren't you out hunting mosquitos with hand grenades?

Friday, January 27, 2006, 8:58:25 AM, Markus Gufler [EMAIL PROTECTED] wrote:
>> Instead of doing something like that, which will require on-going, hands-on maint, why not just tag to hold those which are identified by the scanner as suspicious or generic and delete the rest?

MG> This is another possible solution but my intention is to clean my server from messages containing certain viruses. Thus are the well known top viri like Sober, Netsky and Co.

MG> Deleting them immediately there will remain only a little crowd of viruses and suspicious files. Whatever will happen in the future I have them on my server and can keep it there also for one or two weeks in the case it turns out that some user is missing a legit message. In this case I can find the message in my virus-folder on the server and requeue it even if it was false positive-identified by some scanner as a fifteen year old tequila-Virus.

MG> Andrew's idea to parse the virus logfile instead of the content from each virus-message is definitively an excellent idea. However there is a more simplier and efficient possibility if we could delete infected messages by the virus name.

MG> Markus

Don Brown
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Your first and second message seem to be contradictory or I'm dense.

#1 The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources.
#2 It still gets virus scanned.

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me). If that is so, then how does it cut down on machine resources?

Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:

Dsic Keith,
Dsic It still gets virus scanned. I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts.
Dsic Darrell

Dsic Keith Johnson writes:

Darrell, What happens in this scenario? Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, let's say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior to ROUTETO? My fear is that the virus file will land in their spam box untouched and the user will fire the virus off by looking at file.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.

Darrell

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Seems there is some confusion about whether or not AVAFTERJM prevents AV from running. Some say it does and some say it doesn't matter - AV still runs on all messages.

So, I guess we first need to have someone from Declude tell us, FOR SURE, which it is. There isn't much in either section 9.1 or elsewhere in the JM manual and I didn't find anything in the AV manual about AVAFTERJM.

So, DECLUDE, does, under any circumstances, AVAFTERJM cause AV not to be run on a message?

In the event that Declude responds that AV is prevented from running under some or all circumstances by using AVAFTERJM, then:

1. It seems to me that if you are holding messages which were not AV scanned and which could later be dropped into the queue for processing, that eventually Murphy will make sure that a virus infected message is released to an end-user.
2. You are putting a bandaid on a gunshot wound or treating the symptom rather than the disease. If you are starved for cycles, plan to scale up or use gateways to separate the processes and reduce the bottleneck.

FWIW

Friday, January 27, 2006, 11:02:32 AM, Markus Gufler [EMAIL PROTECTED] wrote:

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

MG Wrong... if you block the messages on the servers:
MG As we know usually 50% of all incoming messages are spam.
MG We know too that resource usage of one or two scan-engines is way above the
MG entire spam filtering even if you use 5-6 external applications like
MG sniffer, inv-uribl, spamchk, ...
MG So if your spam filters are set up properly they will filter out at least
MG 50% of all incoming messages before they will reach the av-engines.
MG Markus

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
There is no perfect Spam or Virus system. There will either be false positives, missed Spam or Viruses or a combination of both. Therefore, if the customer is expecting absolute perfection, then I think the problem is one of a customer with unrealistic expectations.

You said, "what happens if tomorrow turns out that scan engines has caught many legit messages as viruses due to a new buggy signature." Well, then you need to HOLD ALL messages tagged as containing a virus, if you are that anal about it and that makes your original point moot. For instance, you've solved nothing if you had Bagle hard coded to be deleted and that was the buggy one in the signature file. How often does this really happen - does it happen more than 1% of the time? It hasn't shown to be an issue in our case, but I think we'd all be interested in your statistics which show it as a significant exposure to false positives.

You said, "or because a legit message unexpectedly contains something suspicious." My previous comment was to hold all of those tagged as suspicious. Do you have good statistics on these, which show a significant false positive rate? I think we'd all be interested in your finding . . .

Thanks,

Friday, January 27, 2006, 10:56:56 AM, Markus Gufler [EMAIL PROTECTED] wrote:

aren't you out hunting mosquitos with hand grenades?

MG If the mosquito is a very nasty but important customer it's better using
MG tanks, MGs and whatever you can organize in order to prevent painful
MG stings...
MG On a day like today I could turn on DELETEVIRUSES with nearly zero risk in
MG order to keep the server disk clean. But what happens if tomorrow turns out
MG that one of the scan engines has caught many legit messages as viruses due
MG to a new buggy signature or because a legit message unexpectedly contains
MG something suspicious. How do you explain to customers that the messages
MG are already deleted?
MG F-Prot's exit code 8 (suspicious files) has caught a lot of new unknown
MG viruses before signatures were available. So I use this exit code in my
MG config to hold messages. But suspicious could also be something legit we
MG don't know at the moment.
MG As I can understand a feature like DELETEVIRUSNAME wouldn't require more
MG than 30 lines of code and 3 hours of work and it would eliminate any need
MG for own scripts on each server. This is not what I consider a hand
MG grenade...
MG Markus

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
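An added example (not from the thread and not Declude code) of the policy being argued over here: delete only exact matches on named families, and hold anything heuristic so it can still be requeued. The marker list, queue ids and sample names are constructed assumptions; exit code 8 as F-Prot's "suspicious files" result is taken from Markus's message.

```python
import re

# Families the operator is willing to delete on sight. Netsky and Bagle are the
# names used in the feature request; Sober is named in the follow-up message.
DELETE_NAMES = ("netsky", "bagle", "sober")

# Assumption: name fragments that mark a heuristic or catch-all detection.
HEURISTIC_MARKERS = ("suspicious", "generic", "heur", "unknown", "possibl")

# Stated in the thread: F-Prot exit code 8 means "suspicious files".
SUSPICIOUS_EXIT_CODES = frozenset({8})

_TOKEN = re.compile(r"[a-z0-9]+")


def name_tokens(reported_name):
    """Split a scanner-reported name such as 'I-Worm/Bagle' into lowercase tokens."""
    return _TOKEN.findall(reported_name.lower())


def disposition(reported_name, exit_code=None):
    """Return 'DELETE' only for an exact family token on a non-heuristic hit.

    Everything else is 'HOLD', so a buggy signature or a heuristic match on a
    legitimate message can still be found in the virus folder and requeued.
    """
    tokens = name_tokens(reported_name)
    # A "suspicious" exit code overrides whatever name the scanner printed.
    if exit_code in SUSPICIOUS_EXIT_CODES:
        return "HOLD"
    # Heuristic wording wins over a family name: 'Generic.Bagle' is held.
    if any(tok.startswith(m) for tok in tokens for m in HEURISTIC_MARKERS):
        return "HOLD"
    # Whole-token match, so an unrelated name that merely contains 'bagle'
    # as a substring is not deleted.
    if any(tok in DELETE_NAMES for tok in tokens):
        return "DELETE"
    return "HOLD"


def plan(results):
    """Map each queue id to an action; results are (queue_id, name, exit_code)."""
    return {qid: disposition(name, code) for qid, name, code in results}


# Constructed scan results: (queue id, reported name, scanner exit code or None).
SAMPLE_RESULTS = [
    ("Q0001.smd", "I-Worm/Bagle", None),           # named family
    ("Q0002.smd", "W32/Netsky.P@mm", None),        # same policy, other naming style
    ("Q0003.smd", "Generic.Bagle.dropper", None),  # generic detection
    ("Q0004.smd", "W32/Sober.Z", 8),               # suspicious exit code
    ("Q0005.smd", "Tequila", None),                # not on the delete list
    ("Q0006.smd", "W32/Bagleish.A", None),         # substring only
]

if __name__ == "__main__":
    for qid, action in plan(SAMPLE_RESULTS).items():
        print(qid, action)
```

Because scanners name the same family differently, the match is on tokens rather than on the full reported string; the delete list stays short while the heuristic check decides the doubtful cases.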
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Thanks. We use both hold and delete, but not routeto. I don't mind saving cycles. I guess that instead of using HOLD we could ROUTETO the Spam Hold folder and mitigate the risk of dropping a virus infected message back into the queue. Comments about this??

Thanks,

Friday, January 27, 2006, 12:51:41 PM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:

Dsic Don,
Dsic Messages that are HOLD or DELETE are not virus scanned. ROUTETO gets
Dsic virus scanned. In summary you have to look at your situation and if it
Dsic makes sense for you. We don't do much ROUTETO so it makes sense for us and
Dsic saves a significant amount of CPU.
Dsic Darrell

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Friday, January 27, 2006, 1:12:04 PM, Dan Horne [EMAIL PROTECTED] wrote:

DH [SNIP]
DH IMO, AVAFTERJM should be changed so that only deleted emails, not held
DH ones, bypass the AV scan. In other words, all messages should be
DH first scanned for spam, then the ones that are not DELETED should all be
DH scanned for viruses. This would close the security risk from re-queued
DH messages.
DH [SNIP]

I agree. However, as a work-around for now, could we use ROUTETO and a mailbox, but on the 'directory' tab for that user/mailbox, change to specify the Spam hold folder?

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
A single piece of software can't possibly be all things to all people. I think the best that can be expected is that it reasonably addresses all, or most, of those objectives which the user community shares.

It is easy to say that it only costs $xx when it's not your money, the same as it is to say that it will only take 30 lines of code when you don't have to write it, test it, maintain it and fix it when it breaks.

I was the culprit who introduced the HOP feature in Declude a long time ago. It was effective back then in combating dynamic servers in the delivery chain. As intimate as Scott was with his code and with the challenges we all faced, we debated it on and off the list for a long time, before he was convinced it would be a good thing for the entire user community. IOW, he had to see the beef - the evidence, that there was an issue and that it was one which Declude could address effectively.

Scott is gone and Imail has changed requiring a major overhaul in Declude. Many of the old timers on this list are still NOT running the most current release, due to certain challenges and anomalies.

I'm not trying to be a horse's tail or beat you up and there is nothing personal involved. I just think that unless a feature request can be justified with facts, which you admit that yours cannot, that we refrain from distracting the community and particularly the people at Declude. I'd rather see Declude keep pumping the water out of the bilge to the point they can fix the hull, rather than taking the time to hang a new pennant from the mast. Wouldn't you?

Thanks,

Friday, January 27, 2006, 6:05:46 PM, Markus Gufler [EMAIL PROTECTED] wrote:

MG I have no stats or numbers.
MG Only the fact that AV-Engines have introduced a suspicious category that is
MG catching more and more new outbreaks. Additionally it seems that the scanning
MG process is becoming more and more complex. Each variant (we have up to
MG two-letter versions!) seems to need completely new definitions. Another, more
MG alarming: certain virus-signatures seem to be catching only a part of one single
MG but polymorphic and encrypted virus variant.
MG Try to send a vb-script containing one single call of the filesystem-object
MG even if zipped or with renamed file extension through some av-engines.
MG DELETEVIRUS ON will delete the entire message and you will have to tell some
MG fairy story to the customer who calls you because he misses some messages.
MG Not deleting messages immediately, as many of us do, is one way.
MG Adding 5 DELETEVIRUSNAME-lines in the global.cfg would be a very simple
MG possibility to keep the virus folder clean and small. And I repeat: It
MG should be something very very simple to implement. Anyone who doesn't want
MG or need it could simply not turn it on.
MG Regarding the already existing FORGINGVIRUS DNS lookup feature and a
MG possible enhancement like AUTODELETEKNOWNWORMS.
MG I wouldn't say that I don't trust declude's FORGINGVIRUS list. But first of
MG all I really want to know what I categorize FORGING and what not on my
MG server. Beside the fact that since we don't send out notifications to
MG customers anymore my personal FORGINGVIRUS list is simply a good way to
MG filter out 99% of all postmaster notifications, and so a wave of these
MG notifications is an excellent indicator that something new is around that I
MG should give a look.
MG An additional DNS lookup for each held virus in my eyes is not really
MG useful if the number of forging viruses is so small as it is today. Ok it's
MG a nice thing for someone who doesn't want to care for his server daily.
MG Another unclear aspect is how this DNS-based list handles different virus
MG names. We have seen in the last months that there is no more consistent
MG naming between AV-Companies. Does Declude maintain and serve forging virus
MG names for all AV-Engines?
MG I still consider Declude my swiss army knife for handling SMTP-traffic and
MG keep our customer mailboxes usable for the daily work. And even if I know
MG that some tools in my knife can be dangerous I want to have them when it
MG will become necessary.
MG Markus
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
We are also running the latest release of v 3. We only have one open question to Declude Tech support as to why Base64 does not trigger sometimes. No crashes or other problems with either AV or JM. It is a lot faster.

Thanks,

Sunday, January 29, 2006, 4:06:28 AM, Markus Gufler [EMAIL PROTECTED] wrote:

I'm still on Declude v2.x and am comfortable there, as Don points out, many of us are waiting for the v3.x to be utterly stable and to have desired new features before going to it. As the software is maturing, so is much of the userbase; there used to be a lot of early adopters when the releases were coming out fast and furious.

MG I'm running it on 3 different servers and except the strangeness with the
MG declude.cfg file on one of these servers that was solved by recreating it I'm
MG very impressed by the stability and performance of v3. The amount of
MG incoming messages is growing rapidly and so the number of held viruses and
MG spam too. (v3 can process many more messages than the previous versions!)
MG So I search for something simple to clean out all this stuff as fast as it's
MG coming in.
MG Markus

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] Encoded viruses...worried
severe
MG damage to one's enterprise. I cross my fingers hoping that
MG none of this would be necessary, but that's not enough to be safe.
MG Matt

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] Changes @ Declude
Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee [EMAIL PROTECTED] wrote:

KB [Snip]
KB On the buying issue what do you get, the two products will be kept in parity feature wise.
KB Kevin Bilbee
KB [Snip]

If that is truly the case, then it makes sense to have only one version, 4.0. Then, the only difference will be that some customers are on an annual maint agreement and others pay an annual subscription.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0
Saturday, February 11, 2006, 9:47:07 AM, David Barker [EMAIL PROTECTED] wrote:

DB [Snip]
DB 5. With regards to Version 3.0 and 4.0 there is NO major difference in
DB functionality except that 4.0 runs as a single product with Declude EVA PRO,
DB Junkmail PRO and Hijack. Whereas Version 3.0 still supports 3 individual
DB products.
DB [Snip]
DB 7. I am pulling together some additional release notes on a comparison
DB between version 3.0 and 4.0 which I hope to have available next
DB week.
DB David B
DB www.declude.com
DB [Snip]

Items 5 & 7 are contradictory, to the extent that no comparison, as promised in 7, would be needed, if the only difference was, as quoted in 5.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0
think most of us expect that you will eventually try to force us out of SAs
DB into annual licensing, which we don't want. Moreover, most of us worry that
DB your new pricing scheme will not be accepted by your customer base, and that
DB could lead to the death of Declude. So while I may not be directly impacted
DB by version 4.0, I have good reason to worry about the future success of
DB Declude and whether I can expect you to continue to provide a growing and
DB satisfactory product. I may have to look at alternatives just to protect my
DB future.
DB The third problem that you haven't addressed at all is your poor timing.
DB You know that the vast majority of your users are current/former IMail users
DB who are still stinging from their fiasco, and yet you walk into the same
DB stupid trap, with the same lack of forethought and customer communications.
DB You also do this at a time when a lot of your clients are upset about a lack
DB of true improvements (how about just a stable, current product??). So you
DB have all of these customers who are losing patience over your upgrades, who
DB are still upset at Ipswitch, and then you ambush them with this new scheme.
DB Any wonder people are upset?
DB I really suggest you take a good, long look at the troubles experienced by
DB Ipswitch over the last year, and decide if you really want to go through all
DB that. And if you do, then change the names to something besides 3.0 and
DB 4.0.
DB Ben Bednarz
DB BC Web
DB ----- Original Message -----
DB From: David Barker [EMAIL PROTECTED]
DB To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
DB Sent: Sunday, February 12, 2006 8:37 AM
DB Subject: RE: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0

Let me quote myself on point 5. EXCEPT that 4.0 runs as a single product with Declude EVA PRO, Junkmail PRO and Hijack. Whereas Version 3.0 still supports 3 individual products.

As to NO major differences, there are NO major differences in functionality but rather minor differences which have to do with integration into SmarterMail 3.0 which makes it a little easier for New Customers which I will explain in greater detail with the notes I promised in point 7, but again these differences do NOT affect existing customers.

David B
www.declude.com

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
[Declude.Virus] Vulnerability Flag Codes = 862
I think there used to be a way to look up the meaning of a vulnerability code on the Declude web site, but I can't find it. I need to figure out what 862 means. Can anyone point me to the lookup or tell me the translation?

Thanks.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
Re: SPAM-WARN: Re: [Declude.Virus] On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
If the root of the problem is that they are unbalanced, then why should I care if there are more Lf than Cr or more Cr than Lf? What am I missing?

Sunday, October 22, 2006, 11:28:14 AM, Michael Thomas - Mathbox [EMAIL PROTECTED] wrote:

MTM Don,
MTM CrLf indicates only that they are not balanced. LfCr and CrLf indicates
MTM which is missing, so one can choose their own poison and apply different
MTM weights. If you were to test a sample batch of messages, you would find that
MTM one is more prevalent than the other, by a large factor.
MTM Michael Thomas
MTM Mathbox

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Sunday, October 22, 2006 6:03 AM
To: declude.virus@declude.com
Subject: SPAM-WARN: Re: [Declude.Virus] On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned

Michael, Why is it necessary to run two tests (failing on CrLf and on LfCR)? Why not just one test (failing on CrLf)?

Thursday, October 19, 2006, 9:49:07 PM, Michael Thomas - Mathbox [EMAIL PROTECTED] wrote:

MTM Hi All,
MTM [SNIP]
MTM Finally, if you want to test for these RFC violations, see
MTM http://www.mathbox.com/NoCrTest/NoCrTest.zip
MTM Michael Thomas
MTM Mathbox

Don Brown - Dallas, Texas USA
Internet Concepts, Inc. http://www.inetconcepts.net
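An added example, not part of the thread and not the NoCrTest tool linked in it: it counts bare CR and bare LF separately, which is the "which is missing" distinction Michael describes, and shows why an unbalanced message deserves weight, since a line splitter that accepts only CRLF and one that also accepts a lone CR or LF can count different MIME delimiter lines. Both splitters and the sample message are constructed for illustration; neither is Declude's parser.

```python
import re

CRLF = re.compile(rb"\r\n")
BARE_CR = re.compile(rb"\r(?!\n)")    # CR with no LF after it: the LF is missing
BARE_LF = re.compile(rb"(?<!\r)\n")   # LF with no CR before it: the CR is missing


def line_ending_report(raw):
    """Count CRLF pairs and report which half is missing when unbalanced."""
    bare_cr = len(BARE_CR.findall(raw))
    bare_lf = len(BARE_LF.findall(raw))
    return {
        "crlf": len(CRLF.findall(raw)),
        "bare_cr": bare_cr,
        "bare_lf": bare_lf,
        "balanced": bare_cr == 0 and bare_lf == 0,
    }


def boundary_lines(raw, boundary, strict):
    """Count MIME delimiter lines as seen by a strict or a lenient splitter.

    strict=True splits on CRLF only; strict=False also accepts a lone CR or LF.
    """
    splitter = rb"\r\n" if strict else rb"\r\n|\r|\n"
    delim = b"--" + boundary
    closing = delim + b"--"
    return sum(1 for line in re.split(splitter, raw) if line in (delim, closing))


def parsers_disagree(raw, boundary):
    """True when the two splitters see a different number of delimiter lines."""
    return boundary_lines(raw, boundary, True) != boundary_lines(raw, boundary, False)


# Constructed message: the second part is introduced with bare LF line endings.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"To: rcpt@example.test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=XYZ\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\n"
    b"--XYZ\n"
    b"Content-Type: application/octet-stream\n"
    b"\n"
    b"placeholder\r\n"
    b"--XYZ--\r\n"
)

# The same message with every bare LF repaired to CRLF.
CLEAN_SAMPLE = BARE_LF.sub(b"\r\n", SAMPLE)

if __name__ == "__main__":
    print(line_ending_report(SAMPLE))
    print("strict delimiters: ", boundary_lines(SAMPLE, b"XYZ", True))
    print("lenient delimiters:", boundary_lines(SAMPLE, b"XYZ", False))
```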
Re: [Declude.Virus] Sender.eml was sent even though forging virus?
Perhaps there is some marketing value to notifying the client. It reminds them of the valuable service which is being delivered behind the scenes. We stopped sending to the sending parties, some time ago. It was useless noise. At some point, long ago, we also killed the client notification because it had become spam, to a certain extent. At that time, I thought a daily or weekly manifest or report to the client would have been better.

Friday, December 22, 2006, 7:04:55 PM, Douglas Cohn [EMAIL PROTECTED] wrote:

DC Isn't it better to just remove all the eml files so as to be more of the
DC solution and less of the problem.
DC It just seems that if all of us stopped sending eml's that millions of
DC useless messages would be stopped.
DC What am I missing? What value do these messages possibly have?
DC Doug
DC -Original Message-
DC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
DC Schmidt
DC Sent: Wednesday, December 13, 2006 1:45 PM
DC To: declude.virus@declude.com
DC Subject: RE: [Declude.Virus] Sender.eml was sent even though forging virus?
DC Oh?
DC I've never had the problem with my external McAfee scanner.
DC Could this be a problem with Declude's internal AVG scanner?
DC Best Regards
DC Andy Schmidt
DC Phone: +1 201 934-3414 x20 (Business)
DC Fax:+1 201 934-9206
DC -Original Message-
DC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
DC Steiner
DC Sent: Wednesday, December 13, 2006 01:11 PM
DC To: declude.virus@declude.com
DC Subject: re: [Declude.Virus] Sender.eml was sent even though forging virus?
DC I've seen similar behavior with viruses found by AVG.
DC Original Message
From: Andy Schmidt [EMAIL PROTECTED]
Sent: Wednesday, December 13, 2006 12:42 PM
To: 'Declude Virus List' declude.virus@declude.com
Subject: [Declude.Virus] Sender.eml was sent even though forging virus?

Hi,

My sender.eml has the line:

SKIPIFFORGING

And my virus.CFG has:

AUTOFORGE ON
FORGINGVIRUS Anonymous Driver
FORGINGVIRUS Antiman
FORGINGVIRUS Avril
FORGINGVIRUS Bagle

Yet, declude virus just sent the sender.eml for the following details:

File:Unknown File
Result: FoundI-Worm/Bagle
Message ID:[EMAIL PROTECTED]
Our Domain:Schmidt.AS for Schmidt.AS
Queue ID: D324e0153b795.smd

Based on these headers:

-Original Message Headers-
Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
Date: Wed, 13 Dec 2006 18:03:11 +0100
To: Andy [EMAIL PROTECTED]
From: Webmaster [EMAIL PROTECTED]
Subject: price 13-Dec-2006
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=oibzhbgyvnajpcxfwpdt

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
[Declude.Virus] bloodhound exploit 163 - Slipping Through
A customer running Norton reports receiving several infected e-mails today. We are only running the built-in AVG scanner at this time, which isn't catching this new virus. The Symantec site is not too helpful about the characteristics, which would better enable writing a filter.

http://www.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99

Our customer reports they show:

From: Lorena Bernal,
Subject: Statement of retained earnings

However, no doubt there are other variants. They are caught upon receipt by his Norton anti-virus and quarantined, so he really can't (and I don't want him to) supply more info.

Anyone else noticing this virus slipping through? Any suggestions appreciated.

Thanks,

Don Brown - Dallas, Texas USA
Internet Concepts®
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049