RE: [Declude.Virus] Sobig - Easy to Detect?

2003-08-20 Thread Fritz Squib
I have informed the fine folks at MailScanner of this. For those of you supporting MailScanner on a Linux box, MailScanner has a couple of options in the config file for the headers: Append the new data to the existing header Add a new header Replace the existing header I have set mine to

Re: [Declude.Virus] SoBig.f email coming through

2003-08-20 Thread Paul Ingram
Hello, It seems I am getting the Sobig email coming through to my users but without a payload. In other words they are getting the message with all characteristics of SoBig.f but no attachment. Anyone know why this may be. I can not filter on some of the subject such as 'd e t a i l s ...

[Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Steve Flook
I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without success: SKIPIFVIRUSNAMEHAS W32/Sobig.F SKIPIFVIRUSNAMEHAS Sobig.F There is just one space between the SKIPVIRUSNAMEHAS and vulnerability. What is everyone else using? Also, for the next time, will the vulnerability name

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread ISPhuset Nordic AS
just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook Sent: 20. august 2003 14:45 To: Declude Virus Mailing list (E-mail) Subject: [Declude.Virus] Skipping Sobig.F virus notifications I

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Tim Collins
What configuration file do you put 'SKIPIFVIRUSNAMEHAS Sobig' in and what exactly does it do with the message. New ISP owner, Tim Collins -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS Sent: Wednesday, August 20, 2003 7:00 AM To:

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread ISPhuset Nordic AS
you put it in every .eml file in the declude folder as the first line -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Collins Sent: 20. august 2003 15:08 To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications What

RE: [Declude.Virus] SoBig.f email coming through

2003-08-20 Thread Rodney Bertsch
I understand that SoBig comes with a .pif attachment. I have .pif files among my banned extensions but haven't seen a single incident of this virus coming in. It hasn't been caught as a virus or a banned extension. Are we just extremely lucky or should I be worried I'm missing something? No

RE: [Declude.Virus] SoBig.f email coming through

2003-08-20 Thread John Tolmachoff (Lists)
While everyone was reporting catching them starting yesterday morning, I did not see the first one until mid afternoon. Go figure. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus-

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Jeff Kratka
Virus Log Analyzer http://www.csonline.net/imailstuff/viruslog.htm Works very well. Jeff * TymeWyse Internet P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417 tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

[Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread Marc Catuogno
Please excuse this if it has already been answered- Just like everyone else, we are getting hammered by Sobig.F. Declude seems to be catching and holding the virus e-mails with the attachments because of the BANEXT option. The potential exists to overload our hard drive. There were over 3,000

Re: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread R. Scott Perry
Just like everyone else, we are getting hammered by Sobig.F. Declude seems to be catching and holding the virus e-mails with the attachments because of the BANEXT option. The potential exists to overload our hard drive. There were over 3,000 held messages today (that is about 2x what we would

Re: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread i360 Support
Oh please... We don't need no stenkin program, we kick it old school and count them manually :) This is a nice program: http://www.csonline.net/imailstuff/viruslog.htm - Original Message - From: Keith Johnson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 2:27

RE: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread Marc Catuogno
I thought BANEXT worked before the scanner? DAMN... maybe my f-protect.exe is old and not catching viruses? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Wednesday, August 20, 2003 04:03 PM To: [EMAIL PROTECTED] Subject: Re:

RE: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread Marc Catuogno
I just ran a manual scan on the spool virus directory with F-protect and it identified all the held viruses as [EMAIL PROTECTED] - BUT I did run an update immediately before that even though I ran it this morning. Marc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Fritz Squib
Hmmm... I'm only seeing one flavor of Sobig as of 4:30PM Eastern Count Inbound/Outbound Name 2,504 2,504 / 0 W32/Sobig.F 97 14 / 83 W32/[EMAIL PROTECTED] 57 57 / 0 W32/[EMAIL PROTECTED] 33

RE: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread R. Scott Perry
I thought BANEXT worked before the scanner? Both are done on all E-mail, and if a virus is found, it takes priority over the banned file extension. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude

[Declude.Virus] banext notification

2003-08-20 Thread Bonno Bloksma
Hi, I'm thinking of leaving the banext in place but want to alert the sender and/or recipient when a mail is being held. I've downloaded the BANnotify.eml file but don't see how Declude decides when to use it. Do I need to put any extra control lines at the beginning? Groetjes, Bonno

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread R. Scott Perry
Twice today I have been sitting at local users machines for unrelated tasks, and in both cases I noticed notifications in their local email inboxes warning about inbound sobig messages. I didn't give it a lot of notice at the time, I knew we got a zillion of them already. The problem is that I

Re: [Declude.Virus] banext notification

2003-08-20 Thread R. Scott Perry
I'm thinking of leaving the banext in place but want to alert the sender and/or recipient when a mail is being held. I've downloaded the BANnotify.eml file but don't see how Declude decides when to use it. Do I need to put any extra control lines at the beginning? Declude knows by the name of

[Declude.Virus] Delete or Hold for Viruses?

2003-08-20 Thread Jim Matuska
With this latest Sobig variant, I have been starting to wonder whether it is still the best idea to be wasting storage space for the 2,000+ viruses that have been intercepted in the last couple days. What is everyone else doing? Are you holding viruses intercepted or just setting Declude to

Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread R. Scott Perry
I've found this line in some mails but can not determine which program put it there. X-MailScanner: Found to be clean The reason I really want to know is because this line was in several virus-infected e-mails. So, which program decided the e-mail was clean, and in what sense was it clean?

RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Fritz Squib
So you're saying if I send you an email from my Linux servers... which IS running MailScanner, then I am guilty by association and it is assumed to be an infected message to be deleted? I manage 4 Linux mail servers for different companies and they all run SendMail/MailScanner/Spam Assassin. Oh

Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread i360 Support
It is put there by the Sobig.F virus. So if you see it, that means it is an infected mail. - Original Message - From: Bonno Bloksma To: [EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 4:16 PM Subject: [Declude.Virus] X-MailScanner line Hi,

RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread John Tolmachoff (Lists)
True Fritz, his reply was too general and broad. Scott explained it best. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Fritz Squib Sent:

Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread i360 Support
I guess I jumped the gun on this one but: If you have the line, an attachment and one of the following subjects: Subject: a.. Re: Details b.. Re: Approved c.. Re: Re: My details d.. Re: Thank you! e.. Re: That movie f.. Re: Wicked screensaver g.. Re: Your application h.. Thank

RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Andy Schmidt
Uh - thanks. I was afraid that there was some legitimate use for that line. Darn. Of course, you COULD change the header to use a different header name and/or a slightly different message to distinguish your legitimate mails from the virus generated ones. Best Regards Andy Schmidt HM Systems

[Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread Marc Catuogno
Does anyone else bother to look at the header, do a who is on the IP and notify the responsible party of the possible problem on their IP? I see the IPs in the e-mail headers so if someone was notified do you think they can find the actually infected user? Would they bother? I checked some of my

Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread R. Scott Perry
Does anyone else bother to look at the header, do a who is on the IP and notify the responsible party of the possible problem on their IP? We occasionally do so (that's how we found out that Disney and the Pentagon were infected by Sobig). I see the IPs in the e-mail headers so if someone was

Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread i360 Support
Nah, you did fine.. I jumped the gun by far. But my second statement should be right :) - Original Message - From: Fritz Squib [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 5:17 PM Subject: RE: [Declude.Virus] X-MailScanner line Sorry if I came off sounding

[Declude.Virus] McAfee Enterprise 7.0 not picking up Sobig.F

2003-08-20 Thread Bill Newberg
I use two scanners, F-Prot and McAfee Enterprise 7.0. F-Prot is picking up Sobig.F, but McAfee is not. I have the latest definitions, 4288, and the latest engine 4.2.60. When I send the test eicar file as a zip, both scanners detect it, so I know both scanners are functioning. Does anyone have any

RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread Marc Catuogno
The Pentagon? REALLY??? That's friggin scary as hell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Wednesday, August 20, 2003 06:32 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

Re: [Declude.Virus] Delete or Hold for Viruses?

2003-08-20 Thread Rich
At 02:26 PM 8/20/2003, you wrote: With this latest Sobig variant, I have been starting to wonder whether it is still the best idea to be wasting storage space for the 2,000+ viruses that have been intercepted in the last couple days. What is everyone else doing? Are you holding viruses

RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread R. Scott Perry
The Pentagon? REALLY??? That's friggin scary as hell Yup. They got infected about 1PM yesterday, we found out and notified them about 8PM, and they responded quickly saying that they were aware of it. As of a couple hours ago, though, they were still sending them out.

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread jssubs
The first thing to do is make sure that there is only one space (or tab) anywhere on the line. The second thing to do is make sure that there aren't any blank lines before that line (that the first blank line in the file is after the SKIPIF... lines and the To:/From:/Subject: lines).

RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Karen D. Oland
Using the logic that all servers on DSL are spammers, then, sure, all linux servers with mailscanners are guilty by association. -Original Message- From: Fritz Squib So you're saying if I send you an email from my Linux servers... which IS running MailScanner, then I am guilty by

RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread Matthew Lohr
That's funny I know someone who works there and they were not allowed to use their computer at all today because of the virus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, August 20, 2003 7:22 PM To: [EMAIL PROTECTED]

RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Andy Schmidt
FWIW - I have turned off the notifications for Sobig.F and it has been working fine since this afternoon. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of