Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses
> Does anyone else bother to look at the header, do a whois on the IP and notify the responsible party of the possible problem on their IP? I see the IPs in the e-mail headers, so if someone was notified do you think they can find the actual infected user? Would they bother?

> My experience: I can't get the 4 or 5 people on our service to clean the viruses off their machines, I'm not going to waste my time trying to track who else is infected. A lot of people A: don't care, or B: don't know how to operate a computer, much less download a virus update, repair tool, etc.

> I checked some of my border appliances and saw repeated scans on port 135 - when I tried to tell some of the ISPs who owned the IP block that I thought they might have the Blaster worm, I met with hostile abuse bots telling me that I didn't send them enough info, or I got no reply at all. I know I'd appreciate it if someone found that one of the systems in my network was compromised.

> Is anyone doing this at all? I mean, could we find some of these computers with Sobig and alert the cable company and they can call the user to get it stopped? I know this would be very time consuming, but even if we got a few

In the end, all you can do is make sure your stuff is secure, and up to date, and working properly. As long as your virus scanner is catching them entering, your users should be safe. You could email til your hands fall off, I doubt it would make any noticeable difference. =)

Paul

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
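The header check the poster and Paul are discussing (and that George's reply template further down also recommends), as an added example that is not from the thread: walk the Received: chain to find the IP of the machine that actually connected to our server, which is what a whois or abuse lookup should be run against, rather than the From: address a forging virus took from a victim's address book. The sample message is constructed with RFC 5737 documentation addresses, and the OUR_HOSTS set of our own relay names is an assumption.

```python
"""Find the IP that actually delivered a message to us from its Received: chain.

Received: headers are prepended by each hop, so the top one was written by our
own MTA.  Hops written by our hosts can be trusted; the first hop *not* written
by us, and everything below it (including From:), is whatever the sender chose
to claim.  Constructed sample, RFC 5737 documentation addresses; OUR_HOSTS is
an assumed list of our own relay names."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the host names our own mail servers stamp into "by ..." clauses.
OUR_HOSTS = {"mail.example.net", "gw.example.net"}

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_received(header: str):
    """Return (by_host, from_ip) for one Received: header, None where absent.
    The header is unfolded first so the regexes see a single line."""
    flat = " ".join(header.split())
    by = _BY_HOST.search(flat)
    ip = _BRACKET_IP.search(flat)
    return (by.group(1).lower() if by else None, ip.group(1) if ip else None)


def originating_ip(raw_message: str):
    """IP of the outside machine that connected to our infrastructure.

    Walk the chain from the top; while the hop was written by one of OUR_HOSTS
    keep its 'from' IP.  Stop at the first hop written by someone else: that
    hop and everything below it were supplied by the remote side and may be
    forged.  Returns None if not even the top hop is ours."""
    msg = message_from_string(raw_message)
    external_ip = None
    for header in msg.get_all("Received", []):
        by_host, from_ip = parse_received(header)
        if by_host not in OUR_HOSTS:
            break
        if from_ip:
            external_ip = from_ip
    return external_ip


def sender_vs_source(raw_message: str):
    """Pair the claimed From: address with the real connecting IP: the two
    things a notification or abuse report should be based on, instead of
    From: alone, which a forging virus fills from the victim's address book."""
    msg = message_from_string(raw_message)
    claimed = parseaddr(msg.get("From", ""))[1]
    return claimed, originating_ip(raw_message)


# Constructed sample: two hops by our hosts, then the outside sender, which in
# turn claims an earlier hop that we have no way to verify.
SAMPLE = (
    "Received: from gw.example.net (gw.example.net [192.0.2.5])\n"
    "\tby mail.example.net (IMail) with ESMTP id Q2584064;\n"
    "\tThu, 21 Aug 2003 16:03:40 -0400\n"
    "Received: from DTS-ORL02 ([198.51.100.77])\n"
    "\tby gw.example.net with SMTP;\n"
    "\tThu, 21 Aug 2003 16:03:38 -0400\n"
    "Received: from pc12.example.org ([203.0.113.9]) by DTS-ORL02;\n"
    "\tThu, 21 Aug 2003 16:03:30 -0400\n"
    "From: Some Victim <victim@example.com>\n"
    "To: user@example.net\n"
    "Subject: Re: Thank you!\n"
    "\n"
    "See the attached file for details.\n"
)

if __name__ == "__main__":
    claimed, source = sender_vs_source(SAMPLE)
    print(f"claimed sender: {claimed}")
    print(f"connecting IP : {source}  (run the whois/abuse lookup against this)")
```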
[Declude.Virus] Sobig F.. mutating..
Hi;

Interesting...

"... Sobig is unusual in that it has the ability to go onto the Internet from its host PC and update itself with new capabilities, Huger said. Those capabilities could include tools for denial-of-service attacks or relaying spam. 'It's entirely up to the author (of the virus),' Huger said. 'It can download whatever its heart desires.'"

http://www.informationweek.com/story/showArticle.jhtml?articleID=13100787

Regards,
Kami
RE: [Declude.Virus] McAfee Enterprise 7.0 not picking up Sobig.F
After reading your post I went in and looked at my server, and the [expletive deleted] McAfee AutoUpdater hadn't successfully processed an update since the 19th, when it pulled 4286. That meant that we were on 4286 DATs and not the current 4288. I forced an update manually, and it pulled these new definitions just fine, but I have two days' worth of failed updates in the activity logs that just give me a sick feeling in the pit of my stomach.

I am finally seeing both scanners picking it up.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Newberg
Sent: Wednesday, 20 August 2003 6:55 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] McAfee Enterprise 7.0 not picking up Sobig.F

I use two scanners, F-Prot and McAfee Enterprise 7.0. F-Prot is picking up Sobig.F, but McAfee is not. I have the latest definitions, 4288, and the latest engine, 4.2.60. When I send the test EICAR file as a zip, both scanners detect it, so I know both scanners are functioning. Does anyone have any ideas as to why my McAfee is not detecting Sobig.F?

Bill
RE: [Declude.Virus] How to Get McAfee Daily Updates
I have started using McAfee; it looks like the server will reboot every day or so. When installing (Win2k Server), what options are people using? When I installed, I installed NetShield and I'm getting the updates with the GUI. I have disabled the real-time scanning but still seem to have some problems.

Andy, could you send me an attachment of your batch so I can see the correct lines of code?

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Tuesday, August 19, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] How to Get McAfee Daily Updates

I created a batch file that runs hourly - it usually finds updated files several times a day. (The curl.exe is a shareware utility to automate HTTP downloads).

    REM Stop a curl left hanging from the previous hourly run
    kill curl -f
    REM -z: download only if the server copy is newer than the local SDATDAILY.EXE; -R keeps the remote timestamp on the file
    curl http://download.nai.com/products/mcafee-avert/daily_dats/SDATDAILY.EXE -o SDATDAILYrun.EXE -s -S -R -z SDATDAILY.EXE
    REM Nothing newer: curl wrote no file, so skip the install and copy steps
    if not exist SDATDAILYrun.EXE goto :eof
    SDATDAILYrun.EXE /silent
    copy SDATDAILYrun.EXE SDATDAILY.EXE
    erase SDATDAILYrun.EXE

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
[Declude.Virus] notifications issue
Scott,

Still the Sobig notifications are going out... I've checked the postmaster.eml file 3 times already. There is one tab between SKIPIFVIRUSNAMEHAS and Sobig. There are no lines, or spaces or tabs before the first line. There are no lines, spaces or tabs between the last SKIPIFVIRUSNAMEHAS and the From line.

Here is the top of the file:

    SKIPIFVIRUSNAMEHAS	Sobig.f
    SKIPIFVIRUSNAMEHAS	Mimail
    SKIPIFVIRUSNAMEHAS	Yaha
    SKIPIFVIRUSNAMEHAS	Lentin
    SKIPIFVIRUSNAMEHAS	Magistr
    SKIPIFVIRUSNAMEHAS	Klez
    SKIPIFVIRUSNAMEHAS	Vulnerability
    SKIPIFVIRUSNAMEHAS	Bugbear
    SKIPIFVIRUSNAMEHAS	Bridex
    SKIPIFVIRUSNAMEHAS	Braid
    SKIPIFVIRUSNAMEHAS	Sobig
    SKIPIFVIRUSNAMEHAS	Palyh
    From: [EMAIL PROTECTED]

Thanks,
Andy
RE: [Declude.Virus] How to Get McAfee Daily Updates
Hi,

NetShield is what I'm running. To install, I had to run:

    N2Ki45L.zip (NetShield 4.5)
    NNT45SP1.zip (NetShield 4.5 SP1)

And of course then you still need to run the engine upgrade to 4.2.60 (a regular SuperDAT will accomplish that).

(I'm not sure why you need the commands as a text file, but I sent it with regular mail as an attachment).

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Wiegers
Sent: Thursday, August 21, 2003 10:39 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] How to Get McAfee Daily Updates

I have started using McAfee; it looks like the server will reboot every day or so. When installing (Win2k Server), what options are people using? When I installed, I installed NetShield and I'm getting the updates with the GUI. I have disabled the real-time scanning but still seem to have some problems.

Andy, could you send me an attachment of your batch so I can see the correct lines of code?

Thanks,
Mike
Re: [Declude.Virus] Delete or Hold for Viruses?
Is there a way to automate purging of the virus hold directory?

Scott, what about putting an option like that in Declude to set a storage timeframe for intercepted viruses?

Jim Matuska Jr.
Computer Tech II, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: Rich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 4:16 PM
Subject: Re: [Declude.Virus] Delete or Hold for Viruses?

At 02:26 PM 8/20/2003, you wrote:

> With this latest Sobig variant, I have been starting to wonder whether it is still the best idea to be wasting storage space for the 2,000+ viruses that have been intercepted in the last couple days. What is everyone else doing? Are you holding viruses intercepted or just setting Declude to delete them?

We have a hold directory that is purged every 7 days. The customers know that if they get a message telling them the e-mail was intercepted, that they have 7 days to claim it. Some have actually requested the mail, and ended up infecting their machine...

> Jim Matuska Jr.
> Computer Tech II, CCNA
> Nez Perce Tribe Information Systems
> mailto:[EMAIL PROTECTED]

--
Rich Griebel
[EMAIL PROTECTED]
http://www.kendra.com
Scanned for Viruses using Declude and F-Prot
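The purge Jim asks about, with the 7-day claim window Rich describes, as an added example (not Declude's or either poster's code): a retention sweep over a hold directory that reports what it removed, supports a dry run, and refuses to follow symlinks or descend into subdirectories. The directory layout, file names and the 7-day window are assumptions, and the sample directory is constructed in a temp folder.

```python
"""Purge files from a virus hold directory once they pass a retention window.

Added example for this thread, not Declude's own code.  Rich keeps held
messages for 7 days and Jim asks how to automate the purge; the path, the
7-day window and the flat directory layout are assumptions."""
import os
import shutil
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 7  # assumption: mirrors the 7-day claim window described on the list


def purge_hold_dir(hold_dir, retention_days=RETENTION_DAYS, now=None, dry_run=False):
    """Remove regular files in hold_dir whose mtime is older than retention_days.

    Returns (removed, kept) as sorted lists of file names so the run can be
    logged or reviewed.  Symlinks and subdirectories are left alone: a stray
    link into the live spool must never make this delete live mail.  `now`
    is injectable so the retention boundary can be tested deterministically."""
    hold = Path(hold_dir)
    if not hold.is_dir():
        raise NotADirectoryError(f"{hold} is not a directory")
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    removed, kept = [], []
    for entry in hold.iterdir():
        if entry.is_symlink() or not entry.is_file():
            continue
        if entry.stat().st_mtime < cutoff:
            if not dry_run:
                entry.unlink()
            removed.append(entry.name)
        else:
            kept.append(entry.name)
    return sorted(removed), sorted(kept)


def demo(dry_run=False):
    """Constructed run: a temporary hold directory holding one 10-day-old and
    one 2-day-old quarantined message, purged with the 7-day window.
    Returns (removed, kept, still_on_disk); the temp directory is deleted."""
    root = Path(tempfile.mkdtemp(prefix="virus_hold_"))
    try:
        now = time.time()
        ages = {"D2584064.eml": 10, "D2584099.eml": 2}  # constructed names, age in days
        for name, days in ages.items():
            path = root / name
            path.write_bytes(b"constructed quarantined message\n")
            stamp = now - days * 86400
            os.utime(path, (stamp, stamp))
        removed, kept = purge_hold_dir(root, now=now, dry_run=dry_run)
        on_disk = sorted(p.name for p in root.iterdir())
    finally:
        shutil.rmtree(root)
    return removed, kept, on_disk


if __name__ == "__main__":
    removed, kept, on_disk = demo()
    print(f"purged : {removed}")
    print(f"kept   : {kept}")
    print(f"on disk: {on_disk}")
```

Scheduled hourly or nightly against the real hold directory, the dry-run form first shows what a live run would delete.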
Re: [Declude.Virus] McAfee Enterprise 7.0 not picking upSobig.F
> I did that with EICAR and the On-Demand Scanner picked it up. However, when I did it with Sobig.F, there was no attachment. Then I noticed that it was a bounced message from another server (not using SKIPIFVIRUSNAMEHAS). I'm now wondering if that is why McAfee On-Demand/Declude is not picking it up, because the virus is part of the bounced message and it appears to not be executable. However, F-Prot and McAfee On-Access both detect Sobig.F in the SMD file. ??

Most AV programs will not detect corrupt, non-viable variants, which often includes bounce messages (because those bounce messages are usually truncated).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] ERROR 3 in virus scanner 1
Here's the command line from my config file:

    SCANFILE C:\Progra~1\Fsi\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt

Terry

> On the other hand, if he doesn't have -NOBOOT and it is scanning his boot sector, should he not be concerned that it thinks he has a boot sector virus?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Thursday, August 21, 2003 12:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] ERROR 3 in virus scanner 1

Terry, do you have the -NOBOOT switch set in your virus.cfg file? If so, F-Prot should not be scanning the boot sector when called by Declude.

Bill

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 9:24 AM
Subject: RE: [Declude.Virus] ERROR 3 in virus scanner 1

I've double-checked, and found that F-Prot says that an error #3 is "A Boot/File virus infection found". Our understanding of that was that it would occur if the whole hard drive was scanned, and a virus was found on the boot sector of the hard drive. However, that wouldn't be the case here, as only individual files are being scanned, so I'm not sure exactly what it would mean in this context.

-Scott

At 11:43 AM 8/21/2003, Terry Parks wrote:

> We're using F-Prot (latest version updated daily). This message is intermittent and not the norm (less than 1%).
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Thursday, August 21, 2003 8:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] ERROR 3 in virus scanner 1
>
> > I'm seeing this pop up on my logs. What does this mean?
>
> That would depend on the virus scanner -- I don't have any information on the error code 3 for F-Prot or McAfee. If it is occurring for every E-mail, you may have corrupt virus definitions.
>
> -Scott

---
[This E-mail scanned for viruses by Surfside Internet]
RE: [Declude.Virus] Fw: Your mail server sent us a virus
John,

Here's what I send back to the IMail / Declude Postmasters.

-----

I function as the Postmaster for the domain.com domain. An examination of our mail server logs indicates that the e-mail in question was NOT sent from our mail server. The [EMAIL PROTECTED] virus is a Forging Virus which selects the sender name from the address book of the infected machine. Due to this, most anti-virus systems are set to NOT send virus notification messages to the Forged Sender and Domain Postmaster.

If you are truly concerned, examine the headers of the incoming e-mail to determine the IP address of the sending server and then use a web site such as www.samspade.org or www.dnsstuff.com to determine the actual source. In this case it was sent from an otherdomain.com user's infected system.

It is also a well documented fact that erroneous notifications such as yours are putting large amounts of unnecessary traffic on the internet and compounding the problems caused by this virus. Our recommendation is that you set your anti-virus software to not generate sender and sending postmaster e-mail for Forging Viruses. The most common forging viruses are: Bugbear, Fizzer, Klez, Magistr, Sobig (all versions), Palyh, Yaha, Lentin, Bridex, and MiMail.

Additionally, since you are using IMail with Declude, you might want to check out the methods for doing this, such as replacing the beginning content of your otherpostmaster.eml and sender.eml files with the following, or even disabling them for the time being by renaming them:

    ONLYSENDIFREMOTESENDER
    SKIPIFVIRUSNAMEHAS Bugbear
    SKIPIFVIRUSNAMEHAS Fizzer
    SKIPIFVIRUSNAMEHAS Klez
    SKIPIFVIRUSNAMEHAS Magistr
    SKIPIFVIRUSNAMEHAS Vulnerability
    SKIPIFVIRUSNAMEHAS Sobig
    SKIPIFVIRUSNAMEHAS Outlook 'CR' vulnerability
    SKIPIFVIRUSNAMEHAS Palyh
    SKIPIFVIRUSNAMEHAS Yaha
    SKIPIFVIRUSNAMEHAS Lentin
    SKIPIFVIRUSNAMEHAS Bridex
    SKIPIFVIRUSNAMEHAS MiMail
    From: [EMAIL PROTECTED]

You might also subscribe to the Declude Virus forum, where this has been a major subject of discussion, or check out the Forum Archives. To subscribe, send an E-mail to [EMAIL PROTECTED] with a body of "subscribe Declude.Virus Firstname Lastname". You will receive an E-mail that you will need to respond to in order to confirm your request. The archives can be found at http://www.mail-archive.com and the forum is declude.junkmail.

This notice is sent as a courtesy so that you have the option of correcting your virus notification configuration. If your mail server had a better virus protection configuration, it would have caused less work for our server and lessened the amount of unnecessary internet traffic.

-----

I don't know if it accomplishes anything (probably not), but I get some satisfaction out of it.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, August 21, 2003 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fw: Your mail server sent us a virus

Why is it there are mail admins out there running IMail and Declude that are continuing to send out virus notices to forged addresses? I have seen 5 in the last 24 hours.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, August 21, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Fw: Your mail server sent us a virus

> There are only 2 .eml files that I'm using, recip.eml and postmaster.eml. There are no other .eml files in the declude directory.

Ah, I think I know what the problem is. That notification is coming from *another* mailserver running Declude Virus.

-Scott
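The directive block George recommends for sender.eml and otherpostmaster.eml, and the whitespace details Andy had to verify by eye in his postmaster.eml, modelled as an added example (not Declude's code): a parser for the ONLYSENDIFREMOTESENDER / SKIPIFVIRUSNAMEHAS header that flags the usual mistakes, plus the resulting decision on whether a notice would go out. Two assumptions not confirmed by the thread: the virus-name test is a case-insensitive substring match on the scanner's reported name, and ONLYSENDIFREMOTESENDER suppresses the notice when the sender is a local user. Both sample files are constructed.

```python
"""Model of the directives at the top of a Declude Virus notification .eml file.

Added example for this thread, not Declude's own code.  It reads the
ONLYSENDIFREMOTESENDER / SKIPIFVIRUSNAMEHAS lines George suggests putting at
the head of sender.eml and otherpostmaster.eml and decides whether a
notification would go out.  Assumptions, not confirmed by the thread: the
virus-name test is a case-insensitive substring match on the scanner's
reported name, and ONLYSENDIFREMOTESENDER suppresses the notice when the
sender is one of our own users.  The sample files are constructed."""
from dataclasses import dataclass, field


@dataclass
class NotifyPolicy:
    only_remote: bool = False                         # ONLYSENDIFREMOTESENDER seen
    skip_names: list = field(default_factory=list)    # lower-cased SKIPIFVIRUSNAMEHAS values
    errors: list = field(default_factory=list)        # the things Andy had to check by hand


def parse_eml_header(text: str) -> NotifyPolicy:
    """Collect directives from the top of an .eml file.

    Directives run until the first mail header ("From:" ...).  The checks
    mirror what Andy went through by eye: no leading whitespace, no blank
    line before the headers, and whitespace between the keyword and its
    value.  A lost tab turns 'SKIPIFVIRUSNAMEHAS Bugbear' into the unknown
    keyword 'SKIPIFVIRUSNAMEHASBugbear', and that virus is then no longer
    skipped, so it is reported rather than ignored."""
    policy = NotifyPolicy()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            policy.errors.append(f"line {lineno}: blank line before the mail headers")
            break
        if raw != raw.lstrip():
            policy.errors.append(f"line {lineno}: leading whitespace before directive")
        parts = raw.strip().split(None, 1)
        keyword = parts[0]
        if ":" in keyword:          # first mail header reached: directives are over
            break
        upper = keyword.upper()
        if upper == "ONLYSENDIFREMOTESENDER":
            policy.only_remote = True
        elif upper == "SKIPIFVIRUSNAMEHAS":
            if len(parts) == 1:
                policy.errors.append(f"line {lineno}: SKIPIFVIRUSNAMEHAS without a name")
            else:
                policy.skip_names.append(parts[1].strip().lower())
        elif upper.startswith("SKIPIFVIRUSNAMEHAS"):
            policy.errors.append(
                f"line {lineno}: no separator after SKIPIFVIRUSNAMEHAS in {raw.strip()!r}")
        else:
            policy.errors.append(f"line {lineno}: unknown directive {keyword!r}")
    return policy


def should_notify(policy: NotifyPolicy, virus_name: str, sender_is_local: bool) -> bool:
    """Would a sender/postmaster notice go out for this detection?"""
    if policy.only_remote and sender_is_local:
        return False
    name = virus_name.lower()
    return not any(fragment in name for fragment in policy.skip_names)


# Constructed: the head of a sender.eml written the way George recommends.
GOOD_EML = (
    "ONLYSENDIFREMOTESENDER\n"
    "SKIPIFVIRUSNAMEHAS\tSobig\n"
    "SKIPIFVIRUSNAMEHAS Klez\n"
    "SKIPIFVIRUSNAMEHAS Outlook 'CR' vulnerability\n"
    "From: postmaster@example.net\n"
    "Subject: Virus intercepted\n"
)

# Constructed: the same idea with a tab lost and a stray blank line.
BROKEN_EML = (
    "SKIPIFVIRUSNAMEHASBugbear\n"
    "\n"
    "SKIPIFVIRUSNAMEHAS Sobig\n"
    "From: postmaster@example.net\n"
)

if __name__ == "__main__":
    good = parse_eml_header(GOOD_EML)
    print("skip list:", good.skip_names, "errors:", good.errors)
    print("Sobig.F from a remote sender notified?", should_notify(good, "W32/Sobig.f@MM", False))
    print("Mimail from a local sender notified?", should_notify(good, "W32/Mimail.a@MM", True))
    broken = parse_eml_header(BROKEN_EML)
    print("broken file errors:", broken.errors)
    print("Bugbear still notified with the broken file?", should_notify(broken, "W32/Bugbear.b@MM", False))
```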
RE: [Declude.Virus] ERROR 3 in virus scanner 1
> Here's the command line from my config file:
>
>     SCANFILE C:\Progra~1\Fsi\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt

Actually, it looks like the default configuration for F-Prot includes:

    VIRUSCODE 3
    VIRUSCODE 6

So adding the VIRUSCODE 3 line should take care of the problem.

-Scott
RE: [Declude.Virus] On Access Question
So I disabled the On-Access scanner and I still get the error when an email is found with a virus:

    08/21/2003 16:03:46 Q2584064 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
    08/21/2003 16:04:03 Q2584064 Couldn't delete C:\IMail\spool\D2584064.vir\0: 32.
    08/21/2003 16:04:03 Q2584064 WARNING: Couldn't remove .vir directory C:\IMail\spool\D2584064.vir\: SHARING VIOLATION.
    08/21/2003 16:04:03 Q2584064 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
    08/21/2003 16:04:03 Q2584064 Scanned: Virus Free [MIME: 2 1128]

Notice the last line of this message. The file went from being infected to Virus Free - how?

Greg

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell LaRock
Sent: Wednesday, August 20, 2003 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] On Access Question

Question is, do you still get the error if you disable on-access scan? That's one way to rule it out.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] On Access Question

> I'm 99.% sure that McAfee is not scanning that directory. If I open the On Access scanner and watch it as I open a file in that directory it does not show the file being opened. Could the permissions on the directory be wrong? If so -- what should it be set to?

It isn't a permissions issue. It is definitely a sharing violation. It means that some program besides Declude is accessing the directory, which won't normally happen (how else will a program know that the directory is there? Not even IMail knows). So it would have to be a program that either knows as soon as files are written to the hard drive (as in the case with the virus scanner), or that looks at all the files on the hard drive (such as a backup program).

-Scott
RE: [Declude.Virus] Fw: Your mail server sent us a virus
Yes, that is what I have been doing on some. But I do have other work to do too. Of course, if everyone had their configuration correct...

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of George Kulman
Sent: Thursday, August 21, 2003 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fw: Your mail server sent us a virus
[Declude.Virus] McAfee Enterprise 7.0 not picking upSobig.F
Scott,

Unfortunately (actually a good thing), all the virus e-mails I have left in the \virus directory are bounces from other servers. I don't have a Sobig.F attachment available to test. Once I receive one, I'll re-test.

Thanks,
Bill

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 21 Aug 2003 14:59:18 -0400
RE: [Declude.Virus] Fw: Your mail server sent us a virus
> Of course, if everyone had their configuration correct...
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com

Amen. I didn't get nearly enough sleep last night and had received this auto-response from another Declude user that had received a virus from a forged address at my domain...

> The Declude Virus software on our mail server detected the W32/[EMAIL PROTECTED] virus that appears to have come from your mail server. It was sent in an attachment your_details.pif, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject "Re: Thank you!". The Message-ID was: [EMAIL PROTECTED]. This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

The part that set me off was them telling people that if their mail server had better protection it would cause theirs less work!!! Arg... My response was...

> If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

#1 Our mail server does have better virus protection (in fact the same yours does), and it does prevent our users from infection.

#2 If you had better administration you would turn off notifications to postmasters and senders, as it is well known the Sobig virus and all variants of this virus forge email addresses. I am sure I am one of many that has received this in the wrong.

#3 Your auto response comes off unnecessarily rude, and makes your technical staff look ignorant. I would hope this is not a reflection of how your company does business.

If you would like to cause your mail server less work, take our suggestion in #2.

    Received: from DTS-ORL02 ([66.35.177.66])

Not my IP.

Thank you for your time, the intention of this email is only to educate. I am sure your technical staff is competent.

---
[This E-mail was scanned for viruses by QuestNet.net (http://www.QuestNet.net)]
RE: [Declude.Virus] On Access Question
> So I disabled the On-Access scanner and I still get the error when an email is found with a virus
>
> 08/21/2003 16:03:46 Q2584064 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
> ...
> 08/21/2003 16:04:03 Q2584064 Scanned: Virus Free [MIME: 2 1128]
>
> Notice the last line of this message. The file went from being infected to Virus Free - how?

That's part of Declude's failsafes. If Declude Virus quarantined E-mail whenever the virus scanner didn't finish in time, a lot of legitimate E-mail would get caught.

In this case, you have serious problems. You are running software that is interfering with files on the hard drive. And, your virus scanner is breaking when you disable the on-access virus scanner (most likely, it is waiting for user input). If you use LOGLEVEL DEBUG, you should see the virus scanner windows during the 30 seconds they are up, and they should explain what the problem is.

-Scott
RE: [Declude.Virus] On Access Question
I just upgraded to the latest version, let's see if that fixes the problems.

Greg

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Greg Foulks
Sent: Thursday, August 21, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] On Access Question

So I disabled the On-Access scanner and I still get the error when an email is found with a virus

08/21/2003 16:03:46 Q2584064 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
08/21/2003 16:04:03 Q2584064 Couldn't delete C:\IMail\spool\D2584064.vir\0: 32.
08/21/2003 16:04:03 Q2584064 WARNING: Couldn't remove .vir directory C:\IMail\spool\D2584064.vir\: SHARING VIOLATION.
08/21/2003 16:04:03 Q2584064 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
08/21/2003 16:04:03 Q2584064 Scanned: Virus Free [MIME: 2 1128]

Notice the last line of this message. The file went from being infected to Virus Free - how?

Greg

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darrell LaRock
Sent: Wednesday, August 20, 2003 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] On Access Question

Question is do you still get the error if you disable on-access scan? That's one way to rule it out.

Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] On Access Question

> I'm 99.% sure that McAfee is not scanning that directory. If I open the On Access scanner and watch it as I open a file in that directory it does not show the file being opened. Could the permissions on the directory be wrong? If so-- what should it be set to?

It isn't a permissions issue. It is definitely a sharing violation. It means that some program besides Declude is accessing the directory, which won't normally happen (how else will a program know that the directory is there? Not even IMail knows). So it would have to be a program that either knows as soon as files are written to the hard drive (as in the case with the virus scanner), or that looks at all the files on the hard drive (such as a backup program).

-Scott
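The failsafe Scott describes means a scanner timeout or a sharing violation ends in "Scanned: Virus Free", so those queue IDs are worth picking out of the log for review. As an added example (not part of the thread or of Declude), this parser groups Declude log lines by queue ID and flags messages that were passed only after a timeout or sharing violation; the sample lines are the ones quoted above plus one constructed clean queue (Q2584065).

```python
import re
from collections import defaultdict

# Log lines quoted in the thread above, plus one constructed clean queue (Q2584065).
SAMPLE_LOG = """\
08/21/2003 16:03:46 Q2584064 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
08/21/2003 16:04:03 Q2584064 Couldn't delete C:\\IMail\\spool\\D2584064.vir\\0: 32.
08/21/2003 16:04:03 Q2584064 WARNING: Couldn't remove .vir directory C:\\IMail\\spool\\D2584064.vir\\: SHARING VIOLATION.
08/21/2003 16:04:03 Q2584064 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \\IMail\\spool.
08/21/2003 16:04:03 Q2584064 Scanned: Virus Free [MIME: 2 1128]
08/21/2003 16:05:10 Q2584065 Scanned: Virus Free [MIME: 1 2048]
"""

# Declude line layout as seen in the thread: "<date> <time> <queue id> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (Q\w+) (.*)$")
TIMEOUT = "Virus scanner didn't finish"
SHARING = "SHARING VIOLATION"
CLEAN = "Scanned: Virus Free"


def parse_log(text):
    """Group the message part of each log line by queue ID, keeping line order."""
    per_queue = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_queue[m.group(2)].append(m.group(3))
    return per_queue


def find_failsafe_passes(text):
    """Return {queue_id: [reasons]} for messages that ended 'Virus Free' only because
    the scanner timed out or the .vir directory could not be removed (the failsafe path)."""
    flagged = {}
    for qid, msgs in parse_log(text).items():
        reasons = [tag for tag, needle in (("timeout", TIMEOUT), ("sharing_violation", SHARING))
                   if any(needle in msg for msg in msgs)]
        if reasons and any(msg.startswith(CLEAN) for msg in msgs):
            flagged[qid] = reasons
    return flagged


if __name__ == "__main__":
    for qid, reasons in find_failsafe_passes(SAMPLE_LOG).items():
        print(f"{qid}: passed as Virus Free after {', '.join(reasons)}; check the scanner and any on-access/backup software touching \\IMail\\spool")
```

Run it against a real Declude log instead of SAMPLE_LOG to get the list of queue IDs whose verdict came from the timeout failsafe rather than from a completed scan.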
RE: [Declude.Virus] Delete or Hold for Viruses?
You can try www.zcom.it/decludeupdater/ictcleaner.zip

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Thursday, August 21, 2003 5:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Delete or Hold for Viruses?

Is there a way to automate purging of the virus hold directory?

Scott, what about putting an option like that in declude to set a storage timeframe for intercepted viruses?

Jim Matuska Jr.
Computer Tech II CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

- Original Message -
From: Rich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 4:16 PM
Subject: Re: [Declude.Virus] Delete or Hold for Viruses?

At 02:26 PM 8/20/2003, you wrote:

> With this latest Sobig variant, I have been starting to wonder whether it is still the best idea to be wasting storage space for the 2,000+ viruses that have been intercepted in the last couple days. What is everyone else doing? Are you holding viruses intercepted or just setting Declude to delete them?

We have a hold directory that is purged every 7 days. The customers know that if they get a message telling them the e-mail was intercepted, that they have 7 days to claim it. Some have actually requested the mail, and ended up infecting their machine...

> Jim Matuska Jr.
> Computer Tech II CCNA
> Nez Perce Tribe Information Systems
> mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]

--
Rich Griebel [EMAIL PROTECTED] http://www.kendra.com
Scanned for Viruses using Declude and F-Prot
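One way to automate the 7-day purge Rich and Jim discuss, as an added example that is not ictcleaner or any Declude feature: the hold directory path is a placeholder to replace with your own, the retention window is the 7-day claim period from the thread, and the demo tree it builds is constructed sample data.

```python
import os
import time
import tempfile
from pathlib import Path

DEFAULT_HOLD_DIR = r"C:\IMail\Declude\virus"  # placeholder: point this at your own hold directory
RETENTION_DAYS = 7                             # the 7-day claim window described in the thread


def purge_hold_dir(root, days=RETENTION_DAYS, now=None, dry_run=False):
    """Delete quarantined files under root whose mtime is older than `days`.
    Returns the paths removed (or that would be removed when dry_run=True).
    Only regular files are touched; symlinks are skipped so a planted link cannot
    steer the purge outside the hold directory. Emptied subdirectories are removed."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    removed = []
    for dirpath, _dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_mtime < cutoff:
                removed.append(str(path))
                if not dry_run:
                    path.unlink()
        if not dry_run and Path(dirpath) != Path(root) and not os.listdir(dirpath):
            os.rmdir(dirpath)  # drop a .vir directory once its last file is gone
    return removed


def make_demo_hold_dir():
    """Constructed sample: a temp hold dir with one 10-day-old and one fresh message."""
    root = tempfile.mkdtemp(prefix="declude_hold_")
    old_dir = Path(root) / "D0000001.vir"
    old_dir.mkdir()
    old = old_dir / "your_details.pif"
    old.write_bytes(b"constructed sample, not a real attachment")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old, (ten_days_ago, ten_days_ago))  # age the file past the claim window
    fresh = Path(root) / "D0000002.msg"
    fresh.write_bytes(b"constructed sample, still inside the claim window")
    return root


if __name__ == "__main__":
    demo = make_demo_hold_dir()
    for p in purge_hold_dir(demo, dry_run=True):
        print("would delete:", p)
```

Schedule purge_hold_dir(DEFAULT_HOLD_DIR) from Task Scheduler once a day; run it with dry_run=True first to confirm the paths it selects.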
[Declude.Virus] NoMaxQueProc
I just updated my Declude Virus to v1.75 and ran DECLUDE -DIAG to confirm. At the top of the text display I saw NoMaxQueProc. I don't recall seeing this before. Is this okay?

Alan Walters
Director of I.T.
Royce Medical
Re: [Declude.Virus] TCP WAIT TIME
Reply to: Adrian Hauri
Re: [Declude.Virus] TCP WAIT TIME on Thursday 7:48:49 PM

Thanks! Yes. I think this is part of my problem. Also, someone from Ipswitch was asking if I was getting lots of wait times in HTTP service.. so I would like to experiment with this..

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

- Copy of Original Message(s): -

> Has anyone of you guys ever had this problem? It could be helpful during the
> high traffic time that the Sobig Virus causes:
> http://www.stalker.com/CommuniGatePro/Scalability.html#TimeWait
>
> Adrian

--
ActivatorMail(tm) ver.00811031
Scanned for all viruses by www.activatormail.com intelligent anti-virus anti-spam service