Re: [Declude.Virus] Where do they come from??

2004-02-03 Thread R. Scott Perry

> Pardon my language... but DAM...
>
> Where are all these virus-infected emails coming from?? Are they coming from
> home computers, servers or what??

We went through a list of about 60,000 different IPs that were sending
Mydoom, and got reverse DNS entries for them, to figure out who was sending 
them.  Most seem to be from home computers (typically cable/DSL), but there 
are plenty from other sources (colleges, small businesses, government, etc.).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.
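
A sketch of the reverse-DNS triage described in the message above, added here as an illustration; it is not Declude's own method or code. The name patterns, category labels and sample pairs are assumptions (the addresses are documentation ranges, and the `.edu`/`.gov` checks are US-centric heuristics).

```python
import re
from collections import Counter

# Constructed sample of (sending IP, PTR name); None means no reverse DNS.
# Addresses come from documentation ranges and names use example domains.
SAMPLE = [
    ("192.0.2.17", "c-192-0-2-17.cable.example.net"),
    ("198.51.100.44", "adsl-44.100.51.198.dyn.example.com"),
    ("203.0.113.9", "mail.smallbiz.example"),
    ("192.0.2.80", "lab3.cs.example.edu"),
    ("198.51.100.5", "gw.agency.example.gov"),
    ("203.0.113.200", None),
]

# Labels access providers commonly put in customer PTR names (heuristic).
ACCESS = re.compile(
    r"(?:^|[.\-\d])(adsl|dsl|cable|dhcp|dyn|dynamic|pool|ppp|dialup)(?=[.\-\d]|$)"
)

def embeds_ip(ip, host):
    """True if the host name contains the IP's four octets, forward or reversed."""
    octets = ip.split(".")
    nums = re.findall(r"\d+", host)
    windows = [nums[i:i + 4] for i in range(len(nums) - 3)]
    return octets in windows or octets[::-1] in windows

def classify(ip, ptr):
    """Bucket one sender by its PTR name."""
    if not ptr:
        return "no rDNS"
    host = ptr.lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1]
    if tld == "edu":
        return "college"
    if tld == "gov":
        return "government"
    if ACCESS.search(host) or embeds_ip(ip, host):
        return "home/broadband"
    return "other"

def tally(pairs):
    """Count senders per category."""
    return Counter(classify(ip, ptr) for ip, ptr in pairs)

if __name__ == "__main__":
    for category, count in tally(SAMPLE).most_common():
        print(f"{category:15} {count}")
```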


Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread R. Scott Perry

>> Would it be possible to E-mail one of the quarantined D*.SMD files to our
>> virustrap@ account?  We can then analyze it and should be able to get a
>> better idea of why this is happening.
>
> I sent sample d*.smd virus files and postmaster and log file txt to the
> virustrap account.

It looks like Groupshield blocked it.

Perhaps you could .ZIP it in a password-protected .ZIP file, which should 
prevent it from getting blocked?

   -Scott


Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread R. Scott Perry

> I'm using Grisoft's AVG 7.0 professional, and I've been getting this a lot:
>
> 02/03/2004 08:44:02 Qb395000802285220 Error 6 in virus scanner 1.
> 02/03/2004 08:44:02 Qb395000802285220 Scanned: Error in virus scanner. [MIME: 2 800]
>
> I already emailed AVG, but haven't heard back.  Anyone have any idea what
> may be causing this?

That is actually normal -- it just means that AVG found a virus.

To fix the problem, you can add the following line to your 
\IMail\Declude\virus.cfg file:

VIRUSCODE   6

   -Scott


Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

>>> Would it be possible to E-mail one of the quarantined D*.SMD files to our
>>> virustrap@ account?  We can then analyze it and should be able to get a
>>> better idea of why this is happening.
>>
>> I sent sample d*.smd virus files and postmaster and log file txt to the
>> virustrap account.
>
> It looks like Groupshield blocked it.
>
> Perhaps you could .ZIP it in a password-protected .ZIP file, which should
> prevent it from getting blocked?

I resent it last night from my yahoo account.  Did you receive it at the
virustrap address?

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread R. Scott Perry

> I resent it last night from my yahoo account.  Did you receive it at the
> virustrap address?

No -- the only E-mail to arrive there was the one from GroupShield for
Exchange.

   -Scott


Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

>> I resent it last night from my yahoo account.  Did you receive it at the
>> virustrap address?
>
> No -- the only E-mail to arrive there was the one from GroupShield for
> Exchange.

Please check the virustrap mailbox again, hopefully third attempt is a
charm...

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread R. Scott Perry

> Please check the virustrap mailbox again, hopefully third attempt is a
> charm...

It came through -- it looks like the one from last night probably did as
well, but got caught here.

Are you running 3 virus scanners with Declude Virus?  The only thing that I 
can think of that could account for this happening is if there are 3 or 
more virus scanners being used with Declude Virus.

   -Scott


[Declude.Virus] F-Prot and viruses

2004-02-03 Thread Daniel Ivey
I am using F-Prot with Declude Virus and have had something interesting
happen today.  I currently have Declude Virus set to delete emails with
viruses.  However, somehow a user was using webmail on my Imail server and
sent a message that contained a virus to a user that has his account on our
Exchange server.  From looking at the headers of the email, the originating
IP address is from a place that has had problems with the MyDoom virus.  My
question is that if I have Declude Virus set to scan all incoming and
outgoing emails, then shouldn't F-Prot check email sent from our Imail
server to our Exchange server, since the message is originating from someone
on the Imail server?  Could this just be a fluke that one got through or
does it not check messages sent through Imail Web Messaging?

Daniel

==
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:    434 - 572 - 1981
[EMAIL PROTECTED]



Re: [Declude.Virus] F-Prot and viruses

2004-02-03 Thread R. Scott Perry

> I am using F-Prot with Declude Virus and have had something interesting
> happen today.  I currently have Declude Virus set to delete emails with
> viruses.  However, somehow a user was using webmail on my Imail server and
> sent a message that contained a virus to a user that has his account on our
> Exchange server.  From looking at the headers of the email, the originating
> IP address is from a place that has had problems with the MyDoom virus.

My first question would be was this E-mail *forwarded* from web messaging
(meaning that the virus arrived in the user's mailbox, which shouldn't have 
happened), or did the user attach a file with the Mydoom virus to an E-mail 
sent from web messaging?

> My question is that if I have Declude Virus set to scan all incoming and
> outgoing emails, then shouldn't F-Prot check email sent from our Imail
> server to our Exchange server, since the message is originating from someone
> on the Imail server?  Could this just be a fluke that one got through or
> does it not check messages sent through Imail Web Messaging?

With IMail v8, E-mails sent from web messaging should be scanned.

The best thing to do in this case is look through the Declude Virus log 
file, to see what it reports.

   -Scott


Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

>> Please check the virustrap mailbox again, hopefully third attempt is a
>> charm...
>
> It came through -- it looks like the one from last night probably did as
> well, but got caught here.
>
> Are you running 3 virus scanners with Declude Virus?  The only thing that I
> can think of that could account for this happening is if there are 3 or
> more virus scanners being used with Declude Virus.

No, just two.  We replaced McAfee with TrendMicro.  Here are the actual
virus scanner config entries:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

# McAfee
# SCANFILE2 C:\Progra~1\Common~1\Networ~1\Viruss~1\4.0.xx\scan.exe /ALL /ANALYZE /NOBEEP /NOBOOT /NOBREAK /NODDA /NOMEM /PROGRAM /SILENT /UNZIP /REPORT report.txt
# VIRUSCODE2 13
# REPORT2 Found

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2  Found

Bill
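
An added example (not part of this thread and not Declude's code) tying the "Error 6 in virus scanner 1" log entry from earlier in the thread to the VIRUSCODE entries in the config above: it lists scanner exit codes that show up as errors in a log but are not declared in virus.cfg. It assumes, as the replies in this thread suggest, that an undeclared exit code is what gets logged as "Error N in virus scanner M", and that a bare VIRUSCODE line applies to scanner 1; the function names and the config excerpt are constructed.

```python
import re
from collections import Counter

# "VIRUSCODE 6" or "VIRUSCODE2 1"; commented-out lines ("# VIRUSCODE2 13") do not match.
CFG_RE = re.compile(r"^\s*VIRUSCODE(\d*)\s+(\d+)\s*$", re.IGNORECASE)
# Log line shape taken from the entry quoted earlier in this thread.
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) Error (\d+) in virus scanner (\d+)\.")

# The two log lines quoted earlier in the thread.
AVG_LOG = """\
02/03/2004 08:44:02 Qb395000802285220 Error 6 in virus scanner 1.
02/03/2004 08:44:02 Qb395000802285220 Scanned: Error in virus scanner. [MIME: 2 800]
"""

# Constructed excerpt keeping only the VIRUSCODE lines of the config above.
TWO_SCANNER_CFG = """\
# F-Prot
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
# McAfee
# VIRUSCODE2 13
# TrendMicro
VIRUSCODE2 1
"""

def declared_codes(cfg_text):
    """Map scanner number -> set of exit codes declared as 'virus found'."""
    codes = {}
    for line in cfg_text.splitlines():
        m = CFG_RE.match(line)
        if m:
            scanner = int(m.group(1) or 1)  # assumption: bare VIRUSCODE = scanner 1
            codes.setdefault(scanner, set()).add(int(m.group(2)))
    return codes

def undeclared_errors(cfg_text, log_text):
    """Count (scanner, exit code) pairs logged as errors but not declared."""
    codes = declared_codes(cfg_text)
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            code, scanner = int(m.group(3)), int(m.group(4))
            if code not in codes.get(scanner, set()):
                hits[(scanner, code)] += 1
    return dict(hits)

if __name__ == "__main__":
    print(undeclared_errors("", AVG_LOG))
    print(undeclared_errors("VIRUSCODE   6", AVG_LOG))
```

An undeclared code reported here still needs checking against the scanner vendor's documentation before it is added as a VIRUSCODE, since it may be a genuine scanner failure.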



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread R. Scott Perry

>> Are you running 3 virus scanners with Declude Virus?  The only thing that I
>> can think of that could account for this happening is if there are 3 or
>> more virus scanners being used with Declude Virus.
>
> No, just two.  We replaced McAfee with TrendMicro.  Here are the actual
> virus scanner config entries:

Were you noticing this at all before the latest interim release?

   -Scott


RE: [Declude.Virus] F-Prot and viruses

2004-02-03 Thread Daniel Ivey
Scott,

Thanks for the information.  Now that I take a closer look at the
subject of the email in question, I don't see FW: in front, meaning that it
might not have been forwarded.  However, the body of the message in question
is just a bunch of garbage, so I would think that it was sent on purpose.  I
will see if I have any further incidents of this reported.

Daniel

==
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:    434 - 572 - 1981
[EMAIL PROTECTED]

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 2:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot and viruses


> I am using F-Prot with Declude Virus and have had something interesting
> happen today.  I currently have Declude Virus set to delete emails with
> viruses.  However, somehow a user was using webmail on my Imail server and
> sent a message that contained a virus to a user that has his account on our
> Exchange server.  From looking at the headers of the email, the originating
> IP address is from a place that has had problems with the MyDoom virus.

My first question would be was this E-mail *forwarded* from web messaging
(meaning that the virus arrived in the user's mailbox, which shouldn't have
happened), or did the user attach a file with the Mydoom virus to an E-mail
sent from web messaging?

> My question is that if I have Declude Virus set to scan all incoming and
> outgoing emails, then shouldn't F-Prot check email sent from our Imail
> server to our Exchange server, since the message is originating from someone
> on the Imail server?  Could this just be a fluke that one got through or
> does it not check messages sent through Imail Web Messaging?

With IMail v8, E-mails sent from web messaging should be scanned.

The best thing to do in this case is look through the Declude Virus log
file, to see what it reports.

-Scott