http://danjacoby.de/modules/Search/life.html
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
me on this)
1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument
Matt
On 4/29/2010 4:14 PM, Michael Cummins wrote:
The official download from Clam wouldn't install on my Windows 2003
box. It said it only supports Windows 7, Vista, told me to go pound
sand, yada
into Windows. Unlike CDONTS, CDOSYS
can be pointed at your mail server with or without authentication and
doesn't require MS SMTP to be installed or running on your box. Here's
a link to some example code:
http://www.w3schools.com/asp/asp_send_email.asp
Matt
Hirthe, Alexander wrote
Alligate doesn't filter POP3.
Is that what you wanted to know?
Matt
Uwe Degenhardt wrote:
Hi list, we are a small provider doing some shop-hosting services.
As a side-service we are running one eMail-server for 65 domains and
approximately 270 user.
We tried Alligate (trial) as a gateway
Kevin,
Just to be more specific, if you use the HOLD action, those messages
that are held will not be virus scanned.
On our system, we use a combination of COPYFILE and ROUTETO, and they
are in fact virus scanned when using AVAFTERJM.
Matt
Kevin Bilbee wrote:
Be careful
Some of us believe that it is the IMail1.exe executable that Declude
uses and not the IMail.exe executable that is being discontinued.
Regardless, if Declude stopped using IMail1.exe, it could generate
bounces with a null sender, and that's long overdue.
Matt
Andy Schmidt wrote:
Darrell
It's as easy as creating the spool files from scratch. Declude already
does everything else that is necessary. There's no need for even
something like BLAT.
Matt
Andy Schmidt wrote:
it could generate bounces with a null sender, and that's long
overdue.
Agreed
OLMIMESEGMIMEPRE
ALLOWVULNERABILITYMIMESEGMIMEPOST
ALLOWVULNERABILITYOLLONGFILENAME
ALLOWVULNERABILITYOLBLANKFOLDING
ALLOWVULNERABILITYOBJECTDATA
ALLOWVULNERABILITYOLBOUNDARYSPACEGAP
ALLOWVULNERABILITYOLMIMEHEADER
ALLOWVULNERABILITYOLLONGBOUNDARY
Matt
Mon
encoding, but that flaw was likely patched, or at least it has
not been exploited in mass.
Matt
Mon Mariola - Rubén wrote:
Matt,
So far, the only case where I find this vulnerability is in the mail
sent from the program Incredimail.
If these lines are actually prohibited in RFC, it is safer
scanners can detect a virus in a partial message
and of course there is spam blocking so it wouldn't mean a complete
lack of detection on the server side.
Matt
Andy Schmidt wrote:
Hi,
Actually, the
Partial/Fragmented
Vulnerability is one that ideally should be left in place
Dave,
His logs show however that the AV scanners were called, so this message
didn't hit HOLD or DELETE.
Matt
David Barker wrote:
AVAFTERJM ON means if the email reaches the JM either HOLD or DELETE
to not call the AV in the Declude code. Try switching this OFF to see
if it resolves
BANEXT RAR will block all RAR files, encrypted or not. That wasn't the
issue at hand here. It was related to BANEZIPEXTSON (in my case)
and possibly BANEZIPON.
Matt
Dan Shadix wrote:
BANEXT rar has been working great for me.
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
if not all were blocked as spam. Another saving grace
is the fact that it came out as an encrypted RAR which very few people
have support for.
Be absolutely certain that he will be back.
Matt
Gary Steiner wrote:
Basically that is what ClamAV is doing. It detects it as a phishing spam
there is an executable inside to maintain
proper levels of protection.
Let me know if you would like some more feedback or information.
Thanks,
Matt
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus
on occasion. If it is only
loaded once when the service starts, then that's not such a big deal,
but it is definitely better to lose regex than it is to lose Declude as
these systems have to have high availability and should be designed that
way.
Thanks,
Matt
David Barker wrote:
The file
The format is the same as before, but with a different code, i.e.:
CODE YOUR-CODE-GOES-HERE
Matt
Bill Green dfn Systems wrote:
I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid
Key message. According to the Archives, I need to put the Key in the
declude.cfg file
Once you have the CODE in the Declude.cfg, make sure that you restart
the decludeproc service in order to enable it.
Matt
Bill Green dfn Systems wrote:
Is there an actual set of instructions for a Declude Upgrade for
IMail? The Declude site lists Installation Instructions
I hate autoresponders...but people sometimes tell me that I am too
critical, so I guess I actually love them.
Matt
Colbeck, Andrew wrote:
I think I received 36 of them.
Andrew.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Craig Edmonds
lude
users that block EXE's and use bannotify.eml to bounce.
Matt
Colbeck, Andrew wrote:
.. I hope that Declude will
agree with Matt's point that backscatter must be avoided. There is
ample precedent,for examplein that the BOUNCE action was renamed to
BOUNCEONLYIFYOUMUST to prevent b
quot;unknown" files in a different way.
We could choose for instance to block them, but not bounce them.
Thanks,
Matt
---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.
ched.exe"
in my bannotify.eml to see if that helps, but this should not bounce
such messages by default as if they were EXE's. It makes sense to give
it a unique extension for these conditions and let us determine what to
do with them instead of lumping it together with actions for EXE's.
Mat
to function, typically by having
many GB of data that decompresses from a zip/rar/etc. that is tiny in
comparison.
Matt
Scott Fisher wrote:
I think it is in their to defend against an archive bomb.
Archive bomb:
This is a seemingly small archive file that is actually highly
compressed
MAIL PROTECTED] [outgoing from ##.##.48.210]
07/17/2006 06:32:41.269 q674000a2e465.smd Subject: FW: M341092022 /
M341092023
Thanks,
Matt
---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus&qu
I am running 4.0.9.4
I will also not upgrade to a newer version due to unacceptable
licensing enforcement issues.
Thanks,
Matt
Darrell ([EMAIL PROTECTED]) wrote:
What version are you running Matt in
version 3.0.5.20they fixed a ms-tnef issue with winmail.dat
Thanks. That does help.
Matt
David Barker wrote:
ALLOWVULNERABILITY NONSTANDARDHDR
David B
www.declude.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, July 07, 2006 11:08 AM
To: declude.virus@declude.com
Subject: Re
decoding, WHITELIST IP being
applied before IPBYPASS, and the issue where Declude's headers are
inserted at the bottom of the message when the headers don't use proper
CRLF line breaks?
Thanks,
Matt
David Barker wrote:
I have added the request to the wish list. We are focusing on replicating
, but as they occur in the future.
Thanks,
Matt
David Barker wrote:
Matt,
Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.
As for these items they are on the list for engineers to confirm and test
and fix if they are bugs.
1
at
what you are doing. Please.
Matt
David Barker wrote:
Matt,
The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Eitherway
it is
clear that they are capable of handling the bugs.
Sorry to make an example of you here; that's not the intention of
course. I just thought that it would be constructive to point this
stuff out for the benefit of Declude and it's customers alike.
Matt
John T (Lists) wrote:
I know
environment.
Lots of luck,
Matt
Bob McGregor wrote:
this is a bit off-topic but
we had one of our servers last night have the ebay spoof page loaded on it.
Anyone have info as to how this gets loaded and, more imporantly how to keep it
from happening?
The only things I found was the htm
, there are far more executables that could be legitimate and the
extra heuristics might be unwanted.
Matt
marc wrote:
really rare information about the /AI Switch...
just found this about "Neural network":
http://www.f-prot.com/support/windows/fpwin_faq/17.html
We will not use it, because
by Declude users on the lists, though I am not sure what the manual
might be listing at this time.
Matt
Mark Reimer wrote:
Matt,
My config is similar to yours except you have AI/Packed/SERVER.
What are
the additional benefits to using these switches?
Mark Reimer
IT Project
)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls
Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/917077.mspx
Matt
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type
Kami,
You might want to post your full Declude Virus log snippet for one such
message and identify both your Declude version and your virus scanners.
Matt
Kami Razvan wrote:
Hi;
We
are having a major problem. A large number of emails are getting
caught with the following
ues if
you change to it:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM
/ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt
I have no virus hits that match what you are showing for F-Prot using
this config.
Matt
Kami Razvan wrote:
Hi Matt..
thanks for your quick r
orwarded.
I suppose that it is possible that one or both of these things could be
exploited, but they aren't currently, they are unlikely to be, and
there is a very real issue with blocking files that shouldn't be
blocked. I am afraid to say that extension blocking is not reliable.
It could e made reliable, and this issue has been know for a long time,
but it's still here.
Please, please, please fix this.
Thanks,
Matt
Canada...home of the ridiculously long disclaimers :)
Matt
Colbeck, Andrew wrote:
Tu peut l'escrite en Francais et Espanol dans la meme recip.eml; je vu
beaucoup de cette technique en Canada, mais c'est en Anglais et
Francais.
Andrew 8)
-Original Message-
From
to be from different causes.
Matt
Kaj Sndergaard Laursen wrote:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: 19. februar 2006 08:33
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Running declude 4.x
I am
. In the meantime I
would suggest downgrading to 3.0.5.23 or below since this appears to
have popped up after that.
Matt
Kevin Bilbee wrote:
I guess Declude needs to standup and answer this
thread. It is there software. I can repeate the issue by sending a
message from our Copier. With the 3.x
has a free app that allows for inserting footers into messages,
but I don't believe it supports dynamic content. Look at the footer of
one of Sandy's posts for a link.
Matt
Andrew Peskin wrote:
Hello all ... I am trying to do the following: On each message
scanned by Declude and ClamAV
Thanks for the clarificaiton.
Matt
David Franco-Rocha [ Declude ] wrote:
When scanning for viruses after JunkMail through use of the above
directive, the following rule applies:
All email will continue to be scanned for viruses EXCEPT those emails
having a final JunkMail action
practical to search through all of them.
Matt
Colbeck, Andrew wrote:
On the plus side, there are
mitigating circumstances...
First, let me point out that
although the antivirus companies will lag behind the virus authors, the
antivirus guys aren't sleeping.
For many years, th
DNS to another provider. When I ran
into this a year ago it was an older version of BIND that was causing
issues, but I have heard that old Cisco and SonicWall software can also
block these packets.
Matt
Matt wrote:
Marc,
One other off-topic thing. For some reason, none of my Windows 2003
be wise so long as you had two
virus scanners running.
Note that I'm not dismissing your primary intention of pointing out the
FP issue with virus scanning and a way to deal with it.
Matt
Markus Gufler wrote:
Today I've had a message hold as false positive (unknown virus exit code
8)
F
could cause severe damage to one's enterprise. I cross my
fingers hoping that none of this would be necessary, but that's not
enough to be safe.
Matt
line in your Virus.cfg:
ALLOWVULNERABILITIESFROM [EMAIL PROTECTED]
Matt
Marc Catuogno wrote:
Somebody is
sending e-mail that must get
through (of course) and it is failing the blank folding Vulnerability
test.
What can I tell this person they should do to not have this e-mail get
ALLOWVULNERABILITIESFROM came in 2.0. They never documented ALLOWVULNERABILITY in the release notes, but
I know it works in 2.0.6.14 and higher. I think it came along
somewhere after 2.0.6.0
Matt
Marc Catuogno wrote:
Matt thank
you What version of
Declude is needed
, and I am willing to wait a bit longer
so that a period of stability can be established before I make the jump.
Matt
Marc Catuogno wrote:
So since I
am running 1.82 I can either
allow all vulnerabilities or not
I have been
putting off upgrading till
IMAIL and Declude
message). Maybe they will change to a framed format in 3.0,
but until they do, I have no choice but to keep IMail.
I'm sure that clears a lot of things up :)
Matt
Marc Catuogno wrote:
Matt
thanks again. I cant
get a download off of the declude page other than the latest version
selectively not responding to
queries made from Windows 2003 DNS (including nslookup running on those
boxes). You might want to check into this because this is probably
widespread.
Matt
Marc Catuogno wrote:
Matt
thanks again. I cant
get a download off of the declude page other
e your
opinions. I can't understand how the modified Q file is useful at all,
so I believe the behavior should be changed entirely instead of adding
a switch and further complicating the code. This essentially would
make it just like HOLD, but not a final action, and with the ability to
have JunkMail
messages, ROUTETO about 10%, and
deliver about 20%. I would like to save on scanning what I would
otherwise be deleting with JunkMail.
Matt
Keith Johnson wrote:
Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taking agains the SPAM message (i.e. routeto
I thought that AV false positives can occur with definitions for known
virus names. In other words, if a message gets tagged as Bagle, it
might be legit 0.1% of the time. So would this really be a
complete solution?
Matt
Colbeck, Andrew wrote:
Markus would find this handy (as would
, one could use the HEADER action or WARN action to tag the
headers and then use IMail rules to move these messages into a special
folder or delete them from the spam capture accounts if that was
preferred.
Would people agree that this is accurate?
Matt
Darrell ([EMAIL PROTECTED]) wrote:
HOLD
or not the COPYFILE action happens before or
after virus scanning with AVAFTERJM ON, so that would need to be
verified, but it might be a good workaround if this is a problem.
Matt
Dan Horne wrote:
IIRC, the HOLD action was where the risk came in. Messages that are
held by Declude using
Correction. COPYFILE wouldn't work with HOLD, so you would need to
ROUTETO null.
Matt
Matt wrote:
Dan,
You might try COPYFILE which is essentially HOLD, but it adds the
Declude headers to the messages. COPYFILE won't block the E-mail
however, so you might want to either ROUTETO null
by E-mail systems
since macro viruses don't mass mail. I think it's safe therefore to
assume that even if a virus wasn't forged (some use the infected
computer's user instead of a random or predefined one), that it wasn't
user initiated and avoid notifying them for fear of creating
backscatter.
Matt
are sent to local accounts, you can't make a good
argument for changes there.
Matt
Colbeck, Andrew wrote:
I agree completely.
I use the postmaster
notification only, so only internal notifications happen. I use the
FORGINGVIRUS statements to limit what we have to see.
Recently, we
reason for using
two scanners.
Matt
Colbeck, Andrew wrote:
Easy way to check if your Declude Junkamil is catching your viruses.
Check for the subject lines and see if you held those messages (or
whatever you do with your spam).
I just sorted out the subject lines for the sober.z only messages
. Symantec Corporate is a killer desktop solution because of
the manageability, and if you go that direction, I would put a
different vendor on the servers just so you have the protection of two
completely separate solutions.
Matt
Dean Lawrence wrote:
Thanks Scott,
So the Symantec product has
client.
If you are looking for just one server, I would strongly consider
another option with better licensing. AVG is probably up to the task,
and F-Prot might be. The needs for a Web server scanner are not big
when it comes to timely detection, so focus on configuration options
and price.
Matt
is about. I'm thinking that it might be inaccurate. I don't
know though, but the best solution if you are concerned about security
is to install a hardware based firewall which could be a device that
calls itself a firewall or just a router that can block ports as
described above.
Good luck,
Matt
it.
At the same time, you might want to check what the current recommended
command line should be for your virus scanner(s) since there have been
some changes in the last year that could result in missed viruses if you
haven't updated your command line and/or definition downloads.
Matt
McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
McAfee seems to have had this one tagged prior to the outbreak starting
since none have slipped through yet.
Matt
Rick Davidson wrote:
heads
where Clam-AV in daemon mode was tested and
found to be a very close second to F-Prot.
Matt
John Carter wrote:
This raises a question(s): Has anyone done any real testing of which AVs
(in relation to Declude) perform the best, use the least resources, what is
the best scanning order, and how
that these are mostly clean IP's and they come from all over
the place.
Matt
John Carter wrote:
We are currently getting hit with a blast of emails with ZIP attachments.
They are showing clean, at least with F-Prot and ClamAV under Declude, plus
a manual scan by Trend Micro. They fake our
Since this appears to be the beginnings of a me too thread...me too!
Matt
Scott Fisher wrote:
I would consider 3.0.5.10/11 interim releases... Scott would never
have documented them.
I too would like to see the release notes updated with each and every
version...
but it's a long long
Same servers, but this time it has a Regis.info.zip
attachment and the subject is "Registration Confirmation".
Basically I converted to blocking any zips below 200 KB that come from
these providers with some filtering and it seems to be working.
Matt
. This virus was designed to not only get past
virus scanners, but also spam blocking. I haven't seen any other
viruses that have done anything to mask their true source like this one
does.
Matt
Darin Cox wrote:
We're seeing a lot of emails with
pword_change.zip attached. May want
,
however it would be whitelisted in JunkMail if you followed that procedure.
Matt
David Sullivan wrote:
Thursday, September 22, 2005, 9:01:37 AM, you wrote:
Dsic AVAFTERJM ON goes in the virus.cfg file and it makes AV run after JM as
Dsic you suspected. Several of us run this mode for the reason
Don and Jim,
I believe this is an issue with IMail's listserv functionality. I
believe that it desires a plain text response. Try sending the
commands in a plain text message.
Matt
Don Duffy wrote:
Jim,
If you figure how to get off of this list, please let me know. I must
have
back into the spool and then calling the Q*.smd file from where ever you
were storing it (using the COPYFILE operative I presume).
Matt
David Sullivan wrote:
Friday, September 23, 2005, 12:17:32 PM, you wrote:
M You could write something to the message that Declude JunkMail was set
M
a custom
filter that whitelists with a HEADERS WHITELIST STARTSWITH
X-Reprocess: Reprocessed
Matt
David Sullivan wrote:
Matt,
Is it possible to call declude.exe with the path to another folder
containing the Q/D?
M The one issue with calling declude.exe directly is that you don't want
I can confirm that F-Prot was again missing the Bagle zips this
morning, however McAfee seems to have caught every one of them with a
generic Bagle definition unlike yesterday. As of 2 p.m., F-Prot was
still missing these Bagles.
Matt
Colbeck, Andrew wrote:
FYI, Kaspersky reports
Oops, McAfee just slipped. Since 1:09 p.m. EST on my system we
received 52 undetected zips (just over an hour). We caught these all
with a custom filter.
Matt
Colbeck, Andrew wrote:
FYI, Kaspersky reports that
they're now up to something like 20 new variants of Bagle between
di+wflODDvEBIwXsI0c4OxQRiKEsAY/MQXHuRnIeExqF8NZUWFIjkO+S3TDjEMLpDBx+KEZie4IihtKBBGpVha7xVZwGGhhlOwlOhw4Jg+VwGa2ig
Matt
Darin Cox wrote:
With Declude 1.82, we haven't had any trouble with decoding and blocking
viruses or banned attachments in attached .eml or .msg files. We wouldn't
block them separate
or not is is better to see the plain text source or the rendered
message. I guess I am used to seeing the plain text and it is easier
for me to figure out what the rule matched that way without a Ctrl+U to
view the source (shortcut in Thunderbird/Netscape).
Matt
Darin Cox wrote:
Yep... banning 1
, and there's none of that magic stuff that hides
important things from you the way that Outlook does. And of course
hardly any known vulnerabilities for auto-execution.
Matt
Darin Cox wrote:
Plain
text would be my preference as well, to see headers and message at once.
Hmmm...may
an
initial setup? Maybe you could be more specific about the speed issues.
Matt
Darin Cox wrote:
Just loaded it (1.5.1 beta). Seems
to be almost identical to OE for the way I use it...except slower.
Speed is one of the reasons I use OE instead of Outlook. :(
Darin.
-
Original
slightly faster as far as the stats go, but I
don't think that makes a difference. Maybe the newer versions do
things differently. I would doubt that the developers would accept a
noticeable slowdown in a final version.
Matt
Darin Cox wrote:
According to the Thunderbird web
page
filter that I had put together for it:
HEADERSENDNOTCONTAINSboundary=
BODYENDNOTCONTAINSattachment; filename=
BODYENDNOTCONTAINS.zip Content-Transfer-Encoding
BODY15CONTAINS price
Matt
---
This E-mail came from
/products/mcafee-avert/daily_dats/DailyDAT.zip.
Thanks,
Matt
John Tolmachoff (Lists) wrote:
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?
John T
eServices For You
-Original
that you provided and it does in
fact work just great...so far :)
Thanks,
Matt
Scott Fisher wrote:
Great catch Matt.
Mine's gone too since August 2
Thank you Declude for multiple virus
scanner option.
Try:
http://download.nai.com/products/mcafee-avert/beta_packages
site for McAfee updates. You will want to change those before
anyone new adds it in to their system.
Thanks,
Matt
David Barker wrote:
I have been monitoring
everything that has been said and I agree - there is a place I had
setup on the front page for these kinds of alerts and currently
the possibility of losing E-mail.
I would recommend the HTTP link that Scott provided unless the beta
DAT's are available over FTP.
Matt
William Stillwell wrote:
The
Proper method to update the dat would be to pull the "ini" file
http://download.nai.com/products/da
\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P
C:\Progra~1\McAfee\update\
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
Matt
Scott Fisher wrote:
-Matt,
Does the wget -N command work for
you with Mcafee.
I also use the -N and get
Maybe someone should reboot the Internet.
Matt
Keith Johnson wrote:
I am seeing this as we attempting to get to certain websites and they
can't be displayed.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Friday
OLBOUNDARYSPACEGAP
This only works with 2.0.6.14+. There are more that are listed when you
log into your account on declude.com and go to the page for 2.0.6.16.
All of the above were producing repeated false positives from multiple
sources, and ones like OLCR were especially problematic.
Matt
. If my colo was over 75F, I would definitely complain.
The guy next to me with 25 TB's of 15,000 RPM SCSI drives would
probably complain louder :)
Matt
Doug Traylor wrote:
We just looked at the operating spec
of our servers from the Manufacturer's (Dell) website. The max is
listed as 95
wonder why good backup software costs more
than the OS?
Matt
Doug Traylor wrote:
I agree that the room should be much
cooler, I hatecoming in on the weekends here,but the management has
an "if it ain't broke don't fix it" attitude and point out that we have
had no significan
that Microsoft has long since patched
the flaw, though it can certainly cause parsing issues in virus scanners
that could lead to missing the payloads due to a message that was
improperly formatted.
Matt
David Dodell wrote:
Had email from a company today (Photodex) rejected due to the Outlook
since it's the formatting that really matters here.
Matt
System Administrator wrote:
We are developing an ecommerce web site but we are having problems with the
e-mail associated with the buying experience. The e-mail message contains a
text part and a base64 part. Declude is catching
To: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: PHP/4.3.8
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: BASE64
It appears that the first set is wrong and should be removed if
possible.
Matt
System Administrator wrote:
on 8/4/05 2:29 PM,
be trapping more spam with fewer
false positives if you weight things optimally.
Matt
Douglas Cohn wrote:
My desktop IP was erroneously listed on CBL. It seems that declude is
checking autheticated users sending mail for CBL and according to CBL this
is wrong. SEE below
Here is the header
headers when shared because those that might help out
would often benefit from this information. Sometimes it doesn't really
matter of course, and Doug did give enough information to figure this
out, but the three received headers were confusing without a careful read.
Matt
Colbeck, Andrew
Sniffer and
reducing weights on such things I think is still the best overall
solution.
Matt
Colbeck, Andrew wrote:
That's a good point, Matt.
I glossed over analyzing the hops, but wouldn't Declude skip running any
test with DYNA in the name if the message was received via AUTH? I
remember
If you restart your server without first stopping IMail SMTP service,
it will leak messages for several seconds. Also, if you restart the
IMail Queue Manager service it will steal messages from Declude. Both
situations can lead to messages being passed without headers.
Matt
Daniel Ivey
. All encoding of file names should be
decoded before any checks for extensions are made.
Matt
Paul Crouch wrote:
Need some help for a part
time sys admin!
Declude Virus/Junkmail
Standard 2.0.6.16/F-prot.
We have very limited bandwidth so have expanded the banned extensions
definitions as has been evidenced a
couple of times, and of course it was developed originally for Linux.
Matt
Douglas Cohn wrote:
Mcafee is a CPU HOG. Uses double the CPU of Fprot. I have a low powered
machine and cannot even run Mcafee but fprot is no problem. Both is unreal
are never
exploited in E-mail viruses, so there is probably no reason to not
treat all of them the same. I see no reason why virus scanners
wouldn't detect the infected attachments once they were updated with
definitions for known threats.
Matt
John Tolmachoff (Lists) wrote:
Since I am pressed
1 - 100 of 275 matches
Mail list logo
