RE: [Declude.Virus] Manifest
I was just thinking along the same lines and have given instructions to my tech to produce stats for each local address to send to them when this is all over. Remember, we not only have to do our job, but also be seen to do it. :-)

Erik

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Sunday, August 24, 2003 13:12
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Manifest
>
> > However, these notifications became a significant impact during the
> > recent outbreak and now, I'm wondering about the possibility of
> > incorporating a daily manifest, as an option.
> >
> > Do you think that a manifest option is a possibility for the future?
>
> That's an interesting idea, that would be very nice for accounts that get a
> lot of viruses (and in times like this, with Sobig.F). I'm not sure if
> this is something we will get to do, but it is something we have in the
> works for Declude JunkMail, so it might be easy to add to Declude Virus at
> the same time.
>
> -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Manifest
> However, these notifications became a significant impact during the recent outbreak and now, I'm wondering about the possibility of incorporating a daily manifest, as an option.
>
> Do you think that a manifest option is a possibility for the future?

That's an interesting idea, that would be very nice for accounts that get a lot of viruses (and in times like this, with Sobig.F). I'm not sure if this is something we will get to do, but it is something we have in the works for Declude JunkMail, so it might be easy to add to Declude Virus at the same time.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
[Declude.Virus] Manifest
Hi Scott,

I like the idea of an e-mail notification when a dangerous attachment is quarantined and when a virus is killed. They remind the customers of the services we are providing them. However, these notifications became a significant impact during the recent outbreak and now, I'm wondering about the possibility of incorporating a daily manifest, as an option.

Do you think that a manifest option is a possibility for the future?

Thanks,

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364  Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
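What Don asks for here, and the per-local-address stats Erik says he is having produced in his reply above, as an added example: a small aggregator that is not Declude's own code. It parses the notification layout Declude mails out (taken from the "Declude Virus v1.75i2 caught the following:" notice quoted later in this thread) and rolls the catches up per calendar day and per local recipient. Of the three sample notices, the first mirrors the one in the thread with the recipient replaced by a placeholder address; the other two, the placeholder addresses and the virus-name string are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: three Declude notices in the format quoted in this
# thread. Recipient addresses, the second and third notices and the exact
# virus-name string are made up for the example.
SAMPLE_NOTICES = """\
Declude Virus v1.75i2 caught the following:

Virus Name: W32/Sobig.F
Virus File: movie0045.pif

From: [Forged]
To : someone@stat.example
Date: 08/23/2003 13:06:35
Subject:Undeliverable: Re: Details
Spool File: Dc94a00d300be355a.SMD
RemoteIP: 168.200.2.37
SenderHost: Unknown

Declude Virus v1.75i2 caught the following:

Virus Name: W32/Sobig.F
Virus File: your_document.pif

From: [Forged]
To : someone@stat.example
Date: 08/23/2003 15:41:02
Subject:Re: Approved
Spool File: Dc94a00d300be361f.SMD
RemoteIP: 203.0.113.45
SenderHost: Unknown

Declude Virus v1.75i2 caught the following:

Virus Name: W32/Sobig.F
Virus File: thank_you.pif

From: [Forged]
To : other@stat.example
Date: 08/24/2003 09:12:50
Subject:Thank you!
Spool File: Dc94a00d300be3a02.SMD
RemoteIP: 203.0.113.45
SenderHost: Unknown
"""

NOTICE_START = re.compile(r"^Declude Virus \S+ caught the following:$", re.M)
# Declude writes "To :" with a space and "Subject:" without one, so be lenient
# about whitespace around the colon.
FIELD = re.compile(
    r"^(Virus Name|Virus File|From|To|Date|Subject|Spool File|RemoteIP|SenderHost)"
    r"\s*:\s*(.*)$", re.M)


def parse_notices(text):
    """Split a mailbox full of Declude notices into one dict per catch."""
    records = []
    for chunk in NOTICE_START.split(text)[1:]:  # anything before the first notice is ignored
        rec = {key: val.strip() for key, val in FIELD.findall(chunk)}
        rec["when"] = datetime.strptime(rec["Date"], "%m/%d/%Y %H:%M:%S")
        records.append(rec)
    return records


def daily_manifest(records):
    """Roll catches up per day and per local recipient. Remote IPs are counted
    per recipient so a host that keeps hitting the same address stands out."""
    def empty():
        return {"count": 0, "viruses": Counter(), "remote_ips": Counter(), "files": []}
    manifest = defaultdict(lambda: defaultdict(empty))
    for rec in records:
        entry = manifest[rec["when"].strftime("%Y-%m-%d")][rec["To"].lower()]
        entry["count"] += 1
        entry["viruses"][rec["Virus Name"]] += 1
        entry["remote_ips"][rec["RemoteIP"]] += 1
        entry["files"].append(rec["Virus File"])
    return manifest


def render(manifest):
    """One text block per day, suitable for a single daily mail instead of one
    notification per catch."""
    lines = []
    for day in sorted(manifest):
        lines.append("Virus manifest for %s" % day)
        for rcpt in sorted(manifest[day]):
            e = manifest[day][rcpt]
            names = ", ".join("%s x%d" % kv for kv in e["viruses"].most_common())
            lines.append("  %-28s %3d caught  %s" % (rcpt, e["count"], names))
            lines.append("      sources: " + ", ".join("%s (%d)" % kv for kv in e["remote_ips"].most_common()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(daily_manifest(parse_notices(SAMPLE_NOTICES))))
```

The per-recipient source counts are the same numbers Erik wants to hand to an ISP's abuse desk; the RemoteIP field is the one value in a notice that the sending side could not forge, which is why the rollup keys on it rather than on the forged From.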
Re: [Declude.Virus] No wonder viruses spread
> > Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
> >   (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
> > Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC;
> >   Sat, 23 Aug 2003 14:06:33 -0600
> > Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with
> >   Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> > Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19)

I understand everyone's logic that this might indeed be a bounce, however, this is the part that keeps confusing me ... The header shows 168.200.2.27 sent it to me, but guava.uch.edu (which is their SMTP machine MX) got it from 168.200.32.18 about 11 seconds earlier (if their clocks are accurate). 168.200.32.18 is in their block too, so I'm assuming that is the machine that originated the message. If 168.200.2.27 is their inbound SMTP server, wouldn't you just see that as the only IP number, and not the second IP number?

David
[Declude.Virus] Ooops, I was wrong
Just sent a test message to the domain, and the headers are the same:

Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
  (SMTPD32-8.02) id A882145022C; Sun, 24 Aug 2003 10:40:18 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC;
  Sun, 24 Aug 2003 11:40:18 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with
  Microsoft SMTPSVC(5.0.2195.5329); Sun, 24 Aug 2003 11:40:10 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19)
  id ; Sun, 24 Aug 2003

It appears that uch.edu uses one IP for inbound, must do some processing at 168.200.32.18 and then 168.200.2.37 for outbound traffic. Now I feel like a real idiot ... I wish the LAN administrator would have just told me that and it all would have made more sense. Or it is easier just to keep out of everyone else's problem.

I've been hit for 3 days now by a DSL circuit with the Sobig virus. I sent off email to the BellSouth Abuse department; don't ever expect to see an answer. I would block the IP, but it keeps jumping to a new one every 6 hours or so. I assume this is BellSouth's way of reassigning IPs so DSL circuits don't get static numbers for free.

David
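Walking the Received: chain David pastes above, as an added example (not code from the list, from Declude or from IMail). It assumes the receiving server is stat.com, the host named in the topmost header, and makes explicit the reading the thread reaches by hand: only the hop written by your own server records a connecting IP you actually observed (the RemoteIP in the Declude notice); every hop below it was supplied by the remote side and can be forged or, as here, simply reflect that site's internal routing; a Received line with a "by" but no "from" is the MTA that created the message; and timestamps should not run forwards as you go down the chain. The first sample chain is the header block quoted in the thread; the second, deliberately inconsistent chain is constructed.

```python
import re
from email.utils import parsedate_to_datetime

# Sample input: the Received: headers from the Declude notification quoted in
# this thread, newest hop first, with folded continuation lines already joined.
SAMPLE_RECEIVED = [
    "from guava.uch.edu [168.200.2.37] by stat.com with ESMTP (SMTPD32-8.02) "
    "id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700",
    "from mail pickup service by guava.uch.edu with Microsoft SMTPSVC; "
    "Sat, 23 Aug 2003 14:06:33 -0600",
    "from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with "
    "Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600",
    "by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id ; "
    "Sat, 23 Aug 2003 14:06:23 -0600",
]

# Constructed: a chain whose lower hop claims a time two hours AFTER the hop our
# own server wrote, the kind of inconsistency a fabricated header produces.
FORGED_RECEIVED = [
    SAMPLE_RECEIVED[0],
    "from mailhost.example ([203.0.113.9]) by guava.uch.edu with ESMTP; "
    "Sat, 23 Aug 2003 15:00:00 -0700",
]

# The 'from' clause is optional: an MTA that originates a message itself (for
# instance a bounce generator) writes only 'by'.
CLAUSES = re.compile(r"^(?:from\s+(?P<frm>.+?)\s+)?by\s+(?P<by>\S+)", re.I | re.S)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received: value into from-host, from-IP, by-host and timestamp."""
    clauses, _, date = value.rpartition(";")
    m = CLAUSES.match(clauses.strip())
    if not m:
        raise ValueError("unparseable Received header: %r" % value)
    frm = m.group("frm")
    ip = IPV4.search(frm) if frm else None   # only look in the 'from' clause
    return {
        "from_host": frm.split()[0] if frm else None,
        "from_ip": ip.group(1) if ip else None,
        "by_host": m.group("by"),
        "time": parsedate_to_datetime(date.strip()) if date.strip() else None,
    }


def analyze_chain(received, our_host):
    """Walk a chain newest-first and separate what we know from what we were told."""
    hops = [parse_received(v) for v in received]
    if hops[0]["by_host"].lower() != our_host.lower():
        raise ValueError("topmost Received header was not written by %s" % our_host)

    # A hop stamped later than the hop above it means clock skew or a fabricated
    # chain; a few seconds of tolerance keeps ordinary drift from being flagged.
    anomalies = []
    for idx, (upper, lower) in enumerate(zip(hops, hops[1:]), start=1):
        if upper["time"] and lower["time"]:
            skew = (lower["time"] - upper["time"]).total_seconds()
            if skew > 5:
                anomalies.append((idx, skew))

    # Bottom hop with no 'from': the system that injected the message.
    # Deepest 'from' IP: what the remote side claims the origin was (unverified).
    origin_host = hops[-1]["by_host"] if hops[-1]["from_host"] is None else None
    claimed = next((h["from_ip"] for h in reversed(hops) if h["from_ip"]), None)
    return {
        "trusted_peer_ip": hops[0]["from_ip"],   # the only IP we observed ourselves
        "claimed_origin_ip": claimed,
        "origin_host": origin_host,
        "anomalies": anomalies,
        "hops": hops,
    }


if __name__ == "__main__":
    for label, chain in (("thread", SAMPLE_RECEIVED), ("constructed", FORGED_RECEIVED)):
        r = analyze_chain(chain, "stat.com")
        print(label, "peer:", r["trusted_peer_ip"], "claimed origin:", r["claimed_origin_ip"],
              "generated by:", r["origin_host"], "anomalies:", r["anomalies"])
```

On the thread's chain the three answers are 168.200.2.37 (what stat.com saw connect), 168.200.32.18 (what uch.edu's own headers say the internal hop was) and uchaex2.uch.ad.pvt (the Exchange 5.5 Internet Mail Service host that generated the non-delivery report, which is why that line has no "from"). A forged chain is only ever detectable by internal inconsistency; the one fact that survives forgery is the trusted peer IP, and that is the number to report to an abuse desk.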
[Declude.Virus] RE:No wonder viruses spread
-- Original Message --
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> Comparing it to the headers generated by the copies of Sobig.F we've looked
> at, it appears that it was indeed a bounce message.

Then I'm confused ... to me it appeared from the headers that it was received from another internal IP number, then sent to their exchange server ... am I missing something when I see the two IP numbers in the header?

David
RE: [Declude.Virus] No wonder viruses spread
> But since the subject that you are receiving is "undeliverable : RE: Details", isn't that just his server returning the message? Unless the virus has more subjects than the list of subjects that I am aware of.

Comparing it to the headers generated by the copies of Sobig.F we've looked at, it appears that it was indeed a bounce message.

However, the fact remains that there was a virus in the bounce message, so they were spreading the virus. Fortunately, IMail won't do this. If an E-mail is sent to an address that doesn't exist, IMail will reject the E-mail. It would then be up to the remote mailserver to generate the bounce message.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
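The distinction Scott draws, rejecting an unknown recipient during the SMTP dialogue versus accepting it and bouncing afterwards, modelled as an added example. This is not IMail's, Exchange's or Declude's code; the receiving domain, its mailbox list and the sample message are constructed. What matters is what each policy sends back, and to whom, when the reverse-path is forged the way Sobig.F forges it.

```python
from dataclasses import dataclass, field

# Hypothetical receiving site: one local domain and its valid mailboxes.
LOCAL_DOMAIN = "uch.example"
LOCAL_MAILBOXES = {"marcy", "postmaster"}


@dataclass
class Envelope:
    mail_from: str   # SMTP reverse-path; Sobig.F fills this with a harvested address
    rcpt_to: str     # SMTP forward-path
    subject: str
    body: bytes      # message content, attachment included


@dataclass
class Outcome:
    rcpt_reply: str                                 # what the client hears at RCPT TO
    generated: list = field(default_factory=list)   # messages our MTA creates itself


def rcpt_reply(rcpt_to):
    """Recipient validation at RCPT TO time. Relay attempts and unknown local
    users get distinct permanent errors so the client is told the truth."""
    local, _, domain = rcpt_to.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if local.lower() not in LOCAL_MAILBOXES:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"


def handle(env, policy):
    """'reject': validate during the dialogue, so a bad recipient is refused
    before DATA and nothing is queued or bounced (what Scott says IMail does).
    'accept_then_bounce': answer 250 to everything, discover the bad recipient
    later and mail a DSN carrying the original content to the reverse-path
    (what the Exchange system in the thread did)."""
    reply = rcpt_reply(env.rcpt_to)
    if policy == "reject":
        return Outcome(reply)          # the connecting client sees the 5xx; we send nothing
    if policy != "accept_then_bounce":
        raise ValueError("unknown policy: %r" % policy)
    outcome = Outcome("250 2.1.5 OK")
    if not reply.startswith("250"):
        # The DSN goes to whoever the reverse-path names. With a forged
        # reverse-path that is an uninvolved third party, and returning the
        # original content hands them the infected attachment.
        outcome.generated.append(Envelope(
            mail_from="",                       # null reverse-path, as DSNs must use
            rcpt_to=env.mail_from,
            subject="Undeliverable: " + env.subject,
            body=env.body,
        ))
    return outcome


# Constructed sample: a worm-style message with a forged sender, addressed to a
# mailbox that no longer exists, with a stand-in for the attachment.
SAMPLE = Envelope(
    mail_from="someone@stat.example",
    rcpt_to="former.employee@uch.example",
    subject="Re: Details",
    body=b"[attachment movie0045.pif]\r\n",
)


if __name__ == "__main__":
    for policy in ("reject", "accept_then_bounce"):
        out = handle(SAMPLE, policy)
        print("%-19s RCPT reply: %s, messages we generated: %d"
              % (policy, out.rcpt_reply, len(out.generated)))
        for dsn in out.generated:
            print("   DSN to %s, subject %r, carries attachment: %s"
                  % (dsn.rcpt_to, dsn.subject, b"movie0045.pif" in dsn.body))
```

Under the reject policy the only party that learns about the bad address is the infected machine that connected, which is exactly who should. Under accept-then-bounce the site becomes a relay for the worm's payload to whichever address the worm put in MAIL FROM, and the bounce arrives with a legitimate Received: chain from the bouncing site, which is what made the notification in this thread so confusing.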
RE: [Declude.Virus] No wonder viruses spread
But since the subject that you are receiving is "undeliverable : RE: Details", isn't that just his server returning the message? Unless the virus has more subjects than the list of subjects that I am aware of. Looks like the original message had the virus attached and that was what Declude detected when his server bounced it back to you. Maybe? I'm hoping someone else jumps in.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
Sent: Sunday, August 24, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] No wonder viruses spread

> Um - I'm not sure, but I think he may be right. The declude virus catch
> looks like a bounce from his server, not sent through his server. As
> you said the e-mail address is forged - so if an infected computer has a
> user from your domain and a bad address from his, once his server can't

I don't think so. The only reason is there is another IP address showing received past his server, another IP from their block that shows that the message originated there.

David

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
> Sent: Saturday, August 23, 2003 6:01 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] No wonder viruses spread
>
> [...]
RE: [Declude.Virus] No wonder viruses spread
> Um - I'm not sure, but I think he may be right. The declude virus catch
> looks like a bounce from his server, not sent through his server. As
> you said the e-mail address is forged - so if an infected computer has a
> user from your domain and a bad address from his, once his server can't

I don't think so. The only reason is there is another IP address showing received past his server, another IP from their block that shows that the message originated there.

David

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
> Sent: Saturday, August 23, 2003 6:01 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] No wonder viruses spread
>
> [...]
RE: [Declude.Virus] No wonder viruses spread
Um - I'm not sure, but I think he may be right. The declude virus catch looks like a bounce from his server, not sent through his server. As you said the e-mail address is forged - so if an infected computer has a user from your domain and a bad address from his, once his server can't deliver the mail to the bad address it returns the e-mail to the postmaster at what the server assumes is the domain from the forged address. I guess it is returning the whole message, virus included, and then Declude is catching it and notifying you.

I hope my server isn't doing that, bouncing infected messages from bad or expired addresses. If it is, is there a way to shut it down?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Dodell
Sent: Saturday, August 23, 2003 6:01 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] No wonder viruses spread

Here is a snippet of some ongoing email I'm having with a LAN administrator at a university hospital. I forwarded a copy of the Declude virus catch, to show them the IP #'s of the machine that sent the Sobig virus. I can't get it through his head that the headers are forged, and irrelevant.

My last message to him pleaded to have him establish a telephone dialog with me so I could explain the message to him ... I politely told him if he wants to take the chance that a workstation is infected within their LAN based on the assumption that he might really be wrong, he was welcome to the havoc it will cause.

David Dodell

===Original message text===
David,

In looking at the header you sent Marcy, the subject of the message is "Undeliverable: Re: Details" which means our e-mail system was sending you a message back that it couldn't deliver a message from you.

My best guess is that Sobig may be on your pc, and you have a contact somewhere to someone at uch that is no longer here or valid. Not too uncommon for we changed our domain last year.

Furthermore, our e-mail system doesn't allow .pif or .scr attachments and will strip them if attempted whether infected or not.

We appreciate the heads up, but based upon the header it looks like it was a bounced message from you that was infected and thus the hit by your antivirus.

If you have any additional questions, comments, or concerns don't hesitate to let me know.

-----Original Message-----

This came from David who said this came from one of our computers. He said he was this stat technology.

Marcy

-----Original Message-----
From: David Dodell [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 23, 2003 2:22 PM
To:
Subject: Fwd: Virus Notification

===Original message text===
Declude Virus v1.75i2 caught the following:

Virus Name: W32/[EMAIL PROTECTED]
Virus File: movie0045.pif

From: [Forged]
To : [EMAIL PROTECTED]
Date: 08/23/2003 13:06:35
Subject: Undeliverable: Re: Details
Spool File: Dc94a00d300be355a.SMD
RemoteIP: 168.200.2.37
SenderHost: Unknown

Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
  (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC;
  Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with
  Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19)
  id ; Sat, 23 Aug 2003 14:06:23 -0600
Message-ID: <[EMAIL PROTECTED]>
from: "System Administrator" <[EMAIL PROTECTED]>
to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
subject: Undeliverable: Re: Details
Date: Sat, 23 Aug 2003 14:06:22 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary="_=_NextPart_000_01C369B2.066CB0EC"
Return-Path:
X-OriginalArrivalTime: 23 Aug 2003 20:06:23.0921 (UTC) FILETIME=[07029210:01C369B2]

===End of original message text===

===End of original message text===