FWIW - I have turned off the notifications for Sobig.F and it has been
working fine since this afternoon.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of and
I'm experiencing the same issue...it is only happening with sobig. I did
check the file and it appears to be formatted correctly.
Andy
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 7:27 PM
Subject: RE: [Declude.Virus] Skipping Sob
That's funny I know someone who works there and they were not allowed to
use their computer at all today because of the virus
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 7:22 PM
To: [EMAIL PROTECTED]
Subj
Using the logic that all servers on DSL are spammers, then, sure, all linux
servers with mailscanners are guilty by association.
> -Original Message-
> From: Fritz Squib
>
>
> So you're saying if I send you an email from my Linux servers... which IS
> running MailScanner, then I am guilty
>
>The first thing to do is make sure that there is only one space (or tab)
>anywhere on the line.
>
>The second thing to do is make sure that there aren't any blank lines
>before that line (that the first blank line in the file is after the
>SKIPIF... lines and the To:/From:/Subject: lines).
>
The Pentagon? REALLY??? That's friggin scary as hell
Yup. They got infected about 1PM yesterday, we found out and notified them
about 8PM, and they responded quickly saying that they were aware of
it. As of a couple hours ago, though, they were still sending them out.
At 02:26 PM 8/20/2003, you wrote:
With this latest Sobig variant, I have been starting to wonder whether it
is still the best idea to be wasting storage space for the 2,000+ viruses
that have been intercepted in the last couple days. What is everyone else
doing? Are you holding viruses interce
The Pentagon? REALLY??? That's friggin scary as hell
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 06:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses
I use two scanners, F-Prot and McAfee Enterprise 7.0. F-Prot is picking up
Sobig.F, but McAfee is not. I have the latest definitions, 4288, and the
latest engine 4.2.60. When I send the test eicar file as a zip, both
scanners detect it, so I know both scanners are functioning. Does anyone
have any
Nah, you did fine..
I jumped the gun by far.
But my second statement should be right :)
- Original Message -
From: "Fritz Squib" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 5:17 PM
Subject: RE: [Declude.Virus] X-MailScanner line
Sorry if I came off sou
Does anyone else bother to look at the header, do a who is on the IP and
notify the responsible party of the possible problem on their IP?
We occasionally do so (that's how we found out that Disney and the Pentagon
were infected by Sobig).
I see the IPs in the e-mail headers so if someone was no
Sorry if I came off sounding a little harsh, just didn't want anyone jumping
the gun and getting bitten in the...
I contacted MailScanners author today...
>Julian,
> Just FYI, Did you know that the latest variant of the Sobig virus
>Adds "X-MailScanner: Found to be clean" to the headers of all
Does anyone else bother to look at the header, do a who is on the IP and
notify the responsible party of the possible problem on their IP? I see the
IPs in the e-mail headers so if someone was notified do you think they can
find the actually infected user? Would they bother?
I checked some of my
Uh - thanks. I was afraid that there was some legitimate use for that line.
Darn.
Of course, you COULD change the header to use a different header name and/or
a slightly different message to distinguish your legitimate mails from the
virus generated ones.
Best Regards
Andy Schmidt
H&M Systems So
I guess I jumped the gun on this one but:
If you have the line, an attachment and one of the following subjects:
Subject:
a.. Re: Details
b.. Re: Approved
c.. Re: Re: My details
d.. Re: Thank you!
e.. Re: That movie
f.. Re: Wicked screensaver
g.. Re: Your application
h.. Thank you!
True Fritz, his reply was too general and broad.
Scott explained it best.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Fritz Squib
> Sent: Wed
It is put there by the Sobig.F virus.
So if you see it, that means it is an infected
mail.
- Original Message -
From:
Bonno Bloksma
To: [EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 4:16
PM
Subject: [Declude.Virus] X-MailScanner
line
Hi,
I
So you're saying if I send you an email from my Linux servers... which IS
running MailScanner, then I am guilty by association and it is assumed to be
an infected message to be deleted?
I manage 4 Linux mail servers for different companies and they all run
SendMail/MailScanner/Spam Assassin.
Oh Y
I've found this line in some mails but can not determine which program
put it there.
X-MailScanner: Found to be clean
The reason I really want to know is because this line was in several
virus-infected e-mails. So, which program decided the e-mail was clean, and
in what sense was it clean?
Tha
With this latest Sobig variant, I have been
starting to wonder whether it is still the best idea to be wasting storage space
for the 2,000+ viruses that have been intercepted in the last couple days.
What is everyone else doing? Are you holding viruses intercepted or just
setting Declude t
I'm thinking of leaving the banext in place but want to alert the sender
and/or recipient when a mail is being held. I've downloaded the
BANnotify.eml file but don't see how Declude decides when to use it. Do I
need to put any extra control lines at the beginning?
Declude knows by the name of
Twice today I have been sitting at local users machines for unrelated tasks,
and in both cases I noticed notifications in their local email inboxes
warning about inbound sobig messages. I didn't give it a lot of notice at
the time, I knew we got a zillion of them already. The problem is that I
hav
Hi,
I've found this line in some mails but can not
determine which program put it there.
X-MailScanner: Found to be clean
The reason I really want to know is because this
line was in several virus-infected e-mails. So, which program decided the e-mail
was clean, and in what sense was it
Hi,
I'm thinking of leaving the banext in place but
want to alert the sender and/or recipient when a mail is being held. I've
downloaded the BANnotify.eml file but don't see how Declude decides when to use
it. Do I need to put any extra control lines at the beginning?
Groetjes,
Bonno B
I'm running late catching up on my Declude lists today, so forgive me for
jumping in here - not only late but in the middle of the thread.
Twice today I have been sitting at local users machines for unrelated tasks,
and in both cases I noticed notifications in their local email inboxes
warning abo
I thought BANEXT worked before the scanner?
Both are done on all E-mail, and if a virus is found, it takes priority
over the banned file extension.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus
Hmmm...
I'm only seeing one flavor of Sobig as of 4:30PM Eastern
Count Inbound/Outbound Name
2,504 2,504 / 0 W32/Sobig.F
97 14 / 83 W32/[EMAIL PROTECTED]
57 57 / 0 W32/[EMAIL PROTECTED]
33
I just ran a manual scan on the spool virus directory with F-protect and it
identified all the held viruses as [EMAIL PROTECTED] - BUT I did run an update
immediately before that even though I ran it this morning.
Marc
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] B
I thought BANEXT worked before the scanner? DAMN... maybe my f-protect.exe
is old and not catching viruses?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 04:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude
Oh please...
We don't need no stenkin program, we kick it old school and count them
manually :)
This is a nice program: http://www.csonline.net/imailstuff/viruslog.htm
- Original Message -
From: "Keith Johnson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003
Just like everyone else, we are getting hammered by Sobig.F. Declude seems
to be catching and holding the virus e-mails with the attachments because of
the BANEXT option. The potential exists to overload our hard drive. There
were over 3,000 held messages today (that is about 2x what we would no
I am running Fprot and I am wanting to know how I can put the virus name in
the Declude LogFile when it reports in the log file.
If you use LOGLEVEL MID, it should get recorded in the log file.
-Scott
---
Declude JunkMail: The advanced anti-spam
Please excuse this if it has already been answered-
Just like everyone else, we are getting hammered by Sobig.F. Declude seems
to be catching and holding the virus e-mails with the attachments because of
the BANEXT option. The potential exists to overload our hard drive. There
were over 3,000 he
Virus Log Analyzer http://www.csonline.net/imailstuff/viruslog.htm
Works very well.
Jeff
*
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
*
While everyone was reporting catching them starting yesterday morning, I did
not see the first one until mid afternoon. Go figure.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
I understand that SoBig comes with a .pif attachment. I have .pif files
among my banned extensions but haven't seen a single incident of this virus
coming in. It hasn't been caught as a virus or a banned extension. Are we
just extremely lucky or should I be worried I'm missing something? No
rep
you put it in every .eml file in the declude folder
as the first line
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Collins
Sent: 20. august 2003 15:08
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
What co
What configuration file do you put 'SKIPIFVIRUSNAMEHAS Sobig' in and
what exactly does it do with the message.
New ISP owner,
Tim Collins
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
Sent: Wednesday, August 20, 2003 7:00 AM
To: [EMA
just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook
Sent: 20. august 2003 14:45
To: Declude Virus Mailing list (E-mail)
Subject: [Declude.Virus] Skipping Sobig.F virus notifications
I hav
I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
success:
SKIPIFVIRUSNAMEHAS W32/Sobig.F
SKIPIFVIRUSNAMEHAS Sobig.F
There is just one space between the SKIPVIRUSNAMEHAS and vulnerability.
What is everyone else using? Also, for the next time, will the
vulnerability name b
Hello,
It seems I am getting the Sobig email coming through to my users
but without a payload. In other words they are getting the message
with all characteristics of SoBig.f but no attachment.
Anyone know why this may be. I can not filter on some of the subject
such as 'd e t a i l s ... o
I have informed the fine folks at MailScanner of this.
For those of you supporting MailScanner on a Linux box, MailScanner has a
couple of options in the config file for the headers:
Append the new data to the existing header
Add a new header
Replace the existing header
I have set mine to replac
42 matches