AW: [Declude.Virus] Bugbear forged?

2002-10-02 Thread Markus Gufler
A great part of the Bugbear warnings sent to the given sender return as NDRs. So today I added a line SKIPIFVIRUSNAMEHAS Bugbear to the sender.eml file. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ISPhuset Visual Web Norge

[Declude.Virus] No more Bugbear

2002-10-28 Thread Markus Gufler
Has anyone else noticed that there are no more Bugbears today? Normally we caught a lot of this worm, but today 0. For other viruses the rate is normal...? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus

RE: [Declude.Virus] Update the Updater? (CC to Declude.Junkmail)

2002-12-07 Thread Markus Gufler
Hi Doug, Thanks for your information about this. We've found a simple solution for this, so that nobody must update his DecludeUpdater. Scott has now changed the order in the version.txt file from beta-release to release-beta so if you start again the update-process it should put the right

[Declude.Virus] Vulnerabilities explained

2003-03-05 Thread Markus Gufler
Hi Scott, Is there an information page where you explain the different vulnerabilities and what are typical causes of this? We have here a lot of held messages with: Outlook 'Blank Folding' Vulnerability Outlook 'CR' Vulnerability Outlook 'Boundary Space Gap' Vulnerability

[Declude.Virus] Allrecips ... Singlerecip?

2003-03-05 Thread Markus Gufler
Hi Scott, Is there a certain reason why there is no variable containing the single recipient of the message? I've created an ASP script to requeue a spool file held by a vulnerability. Now there is the following problem: A sends a message with a vulnerability to B and C. B is a user on our server,

RE: [Declude.Virus] Allrecips ... Singlerecip?

2003-03-05 Thread Markus Gufler
The problem is that while there is always only a single sender, there are often multiple recipients. So for the E-mail with a vulnerability sent to B and C, and there was a variable to produce a single recipient, would you want it to be B or C? Therein lies the problem. From where

RE: [Declude.Virus] Allrecips ... Singlerecip?

2003-03-05 Thread Markus Gufler
That is added by IMail, when the E-mail is being delivered. At that point, IMail has the single E-mail with multiple recipients, and it goes through each recipient and stores a copy of the E-mail in their mailbox. Since it has access to the individual mailbox at that time, it is

RE: [Declude.Virus] Allrecips ... Singlerecip?

2003-03-05 Thread Markus Gufler
%ALLRECIPS% will only include the sender if the sender sent a copy to himself, through your mailserver. If you are not running an open relay, that means that the %ALLRECIPS% notification would only go to the sender if the sender was a user of yours. I intended to send the warning to

RE: [Declude.Virus] Allrecips ... Singlerecip?

2003-03-05 Thread Markus Gufler
I'm guessing you would want the link to go to the recipient, rather than the sender (since the sender will obviously want the E-mail to go through if he intended for the vulnerability to be there). Yes. Exactly what I've said 2 mails before. (Probably my English is not good enough :-)

RE: [Declude.Virus] Recommendation: STRIPATTACHMENT

2003-03-14 Thread Markus Gufler
If this will be a future feature please also provide a possibility to add a custom message. Thanks Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jack Taugher Sent: Friday, March 14, 2003 4:32 PM To: [EMAIL PROTECTED] Subject:

[Declude.Virus] high virus traffic today?

2003-06-05 Thread Markus Gufler
Hi all, Anyone else noticed a high virus traffic today? We can see here a lot of different viruses (Klez, Fizzer and by far most Bugbear.b) coming from all around the world. Markus

RE: [Declude.Virus] high virus traffic today?

2003-06-06 Thread Markus Gufler
Sophos and McAfee just minutes ago announced a new variant of Bugbear, which apparently started spreading yesterday. They both have reported that it is spreading fast. It's 3:00 PM now here, and we are already on more than 300% of a normal day. Strange: The new version is Bugbear.C We

RE: [Declude.Virus] high virus traffic today?

2003-06-06 Thread Markus Gufler
... are you sure that there is a C variant out now? Both RAV and F-Prot released updates to catch the new B variant: Hmmm, strange! After Scott's posting that Nai and Sophos have released new information I've read this on Nai's Virus-Lab. Now the last update has changed and the C is now a B

[Declude.Virus] FW: Viruses coming from your domain

2003-06-06 Thread Markus Gufler
I can't believe that the big messagelabs are not able to filter out virus-warnings for forging email worms. BTW: Scott, on days like this we have to disable the recipient-warning because our customers are not very satisfied receiving 40+ virus-warnings in a single hour. Even if the warnings are

[Declude.Virus] Scanner performance difference

2003-06-13 Thread Markus Gufler
Hi all, Today I've found 5 temporary directories in our spool folder created by declude virus. All 5 directories contain the same 11 MB zip-file containing a single .DWG-file (I think it's a vector graphic file format) In the logfile I've found the lines: 06/13/2003 05:08:01

RE: [Declude.Virus] Scanner performance difference

2003-06-13 Thread Markus Gufler
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Friday, June 13, 2003 09:38 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Scanner performance difference Hi all, Today I've found 5 temporary directories in our spool folder created by declude

RE: [Declude.Virus] Free Email Vulnerability Scanner

2003-06-26 Thread Markus Gufler
Ok, thanks for the info. I'll give a try to pestpatrol... Markus

RE: [Declude.Virus] Virus Notification

2003-06-30 Thread Markus Gufler
Hermann, Have you tried to remove the two following spacers/tabs between SKIPIFVIRUSNAMEHAS and the reported virusname? Regards, Markus

[Declude.Virus] Mac protection

2003-07-23 Thread Markus Gufler
A customer asked me if our virus-filter protects also for Macintosh-viruses. Now I'm not 100% sure what I should answer. My opinion is yes, but does a DOS-scanner really check for viruses written for another platform? Markus

RE: [Declude.Virus] Mac protection

2003-07-23 Thread Markus Gufler
(for example, I know that F-Prot can detect Unix viruses). Haven't found anything on F-Prot's homepage talking about Macintosh. :-| On the McAfee virus library I've found the following explanation in a MacOS-Virus description: Please use the latest updates of Virex for cleaning. If this

RE: [Declude.Virus] Is this a virus?

2003-08-14 Thread Markus Gufler
Samantha, If you're the responsible person for your mailserver and virus protection in your company or for your users please subscribe to some newsletters offered from different AV companies. Try to read and understand any single message coming from these lists. The Declude-Virus list is also a

RE: [Declude.Virus] F-Prot Mimail

2003-08-14 Thread Markus Gufler
Finally caught my first W32/Mimail virus tonight using the new F-Prot 3.14a / new defs ... I'm so relieved sigh Returned from holidays I haven't seen any MiMail message in our virus folder. (?) Neither F-Prot nor Mcafee has found something. (??) *panic* Also there was no noticeable increase

RE: [Declude.Virus] Delete or Hold for Viruses?

2003-08-21 Thread Markus Gufler
You can try www.zcom.it/decludeupdater/ictcleaner.zip Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska Sent: Thursday, August 21, 2003 5:04 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Delete or Hold for Viruses?

RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Markus Gufler
vir0819.log 437 437
vir0820.log 2,939 2,939
vir0821.log 3,937 3,937
vir0822.log 2,755 2,755
vir0823.log 275 275
vir0824.log 91 91
vir0825.log 8,525

[Declude.Virus] multiple recipients Bugbear.B

2003-09-02 Thread Markus Gufler
Hi Virus-fighters :-) Before I will contact IPSwitch I would ask other declude virus users if they can confirm this possible issue: In the past 3 days I've seen multiple held messages infected with W32/[EMAIL PROTECTED] and having a long, comma-separated list of recipient email addresses. At

RE: [Declude.Virus] New AVG Licensing.. - alternative

2003-09-05 Thread Markus Gufler
I was in contact with Bitdefender (www.bitdefender.com). They're offering the MS DOS version for free. The problem at the moment is, that it doesn't return any utilizable returncode if a virus was found. The support answered me, that it will be added in a future release and

RE: [Declude.Virus] Did SOBIG REALLY stop?

2003-09-11 Thread Markus Gufler
He's got the date on his computer wrong. Declude-Users please create a new eml-file to send out a warning like: == SKIPIFVIRUSNAMEDOESNOTHAVE Sobig Your computer's date is set wrong and you're infected with Sobig. Please set the correct date or close

[Declude.Virus] Corrupt Swen?

2003-09-22 Thread Markus Gufler
Hi, Has anyone else seen a Swen message successfully delivered to the final recipient behind imail and declude virus? I've noticed that the delivered message has had a 10 kB exe-attachment. All held viruses on our server have around 150 kB so the original attachment should be greater than 10 kB.

RE: [Declude.Virus] Corrupt Swen?

2003-09-22 Thread Markus Gufler
Did it have a 10KB .exe attachment, or 10KB worth of attachments? I've seen quite a few copies going out that have .gif/.jpg attachments (totalling about 10KB), but without the actual .exe file attached. The message was only forwarded to me, so I don't have the entire original message.

RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-29 Thread Markus Gufler
Very likely, most users in Italy have more than one mailbox with different ISP, so even if we filter messages for viruses it is possible they get infected through other mailboxes. Franco, Some of our customers have also old mailboxes from other ISPs (something like [EMAIL PROTECTED]) We

RE: [Declude.Virus] Swen... Incredible..

2003-09-29 Thread Markus Gufler
Not a single person in the domains hosted on our server has received a single incident. I am getting approximately 40 to 50 of these a day, while the rest of my users, combined, have received no more than 20. From the beginning of this month on we've disabled recipient virus warnings

RE: [Declude.Virus] New italian virus ?

2003-10-24 Thread Markus Gufler
Ciao Piero, I've received a mail which contains the following Italian text: Subject: Il momento è catartico Ricevo e cortesemente inoltro, un premio per la genialità hanno reso mitico un salva schermo scaricalo, poesie catartiche, che non sai cosa ti perdi Important!! 1.) As I've seen

[Declude.Virus] new forging worm: Bagle

2004-01-19 Thread Markus Gufler
Today we've held some mails containing Bagle, a new Mailworm http://vil.nai.com/vil/content/v_100965.htm Please update your virus.cfg file with FORGINGVIRUS Bagle Looks like Symantec's name is Beagle, not Bagle. AVG, Symantec, Nai, F-Secure, Trend and Sophos have updates. Markus

RE: [Declude.Virus] new forging worm: Bagle

2004-01-19 Thread Markus Gufler
Wouldn't you want to also update your otherpostmater.eml and sender.eml with: SKIPIFVIRUSNAMEHASBagle SKIPIFVIRUSNAMEHASBeagle No, because I've set in these files: SKIPIFSENDER [Forged] So I have to maintain only the forgingvirus-list in the virus.cfg file. Markus

RE: [Declude.Virus] Virus report from my server

2004-01-28 Thread Markus Gufler
By far the largest amount of virus I have ever received. Percent of Emails Infected to Total Emails Scanned: 14.7613% On 08/26/2003 we've seen 27,84% of virus messages. This was our top day. Yesterday we've had 12,76%. The 1-year average value is 2,01% Markus

[Declude.Virus] IncrediMail Blank Folding vulnerability

2004-02-06 Thread Markus Gufler
We hold messages failing the vulnerability tests. Our local customer receives an alert containing a link where he can requeue the held message. The remote user receives an alert that the message was blocked temporarily because the message was formatted in a manner like Mail-worms will do.

RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Markus Gufler
Thanxs! Some more infos on http://vil.nai.com/vil/content/v_101030.htm Tanx (or Panda's name: YourId ) is a forging virus. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, February 17, 2004 4:01 PM To:

RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Markus Gufler
F-Prot calls it w32/[EMAIL PROTECTED] You mean Bagle and not Bagel ?! Markus

RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Markus Gufler
Symantec labeled it [EMAIL PROTECTED] HA.. I just label it an exe attachment virus and carry on. Well, you can try to add FORGINGVIRUS exe attachment virus ...but I expect this will not change anything. Markus ;-)

[Declude.Virus] Bannotify.eml skipifsender forged

2004-02-23 Thread Markus Gufler
Would it work to put SKIPIFSENDER [Forged] in the top of the bannotify.eml file?

RE: [Declude.Virus] Bannotify.eml skipifsender forged

2004-02-23 Thread Markus Gufler
No. If a virus is detected, the bannotify.eml file won't be sent out (virus scanning takes priority over banned file extensions). Without knowing the name of a virus, it is not possible to determine if it is a forging virus. Ok, I understand. Today I've had the following NDR in the

RE: [Declude.Virus] F-prot 3.14c Error 5

2004-02-25 Thread Markus Gufler
We're seeing the same thing David did - random error 5's on the newest F-prot. I backed off to the previous version. Same thing here. While going back to 3.14b I've noticed that the missing fpcmd.exe causes the following lines in the logfile: (3.14c must be removed before reinstalling

RE: [Declude.Virus] Error 9 in AVG

2004-02-25 Thread Markus Gufler
could this be with the i4 release of Declude or it just happens that both of our scanners are now returning error. Running 1.78 beta here. Shows also error 5 in f-prot 3.14c. Using Fprot 3.14b hasn't caused any error 5. Markus

RE: [Declude.Virus] bagle.f and mcafee

2004-03-01 Thread Markus Gufler
Following NAI's website they detect Bagle.F in passworded zip files with 4330 defs. The same website states also that any Bagle-F message with passworded zip attachment contains "archive password", "password:" or "pass:" in the body. Unfortunately I can't find any message with this

RE: [Declude.Virus] bagle.f and mcafee

2004-03-01 Thread Markus Gufler
We've also blocked zip attachments and inform the sender in the bannotify.eml that this is a temporary issue and if he wants to send a zip archive he can rename it to something like "filename.zix" Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mailing

RE: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Markus Gufler
I've seen that NAI's engine is now able to detect Bagle.h even if contained in passworded zip files. 03/02/2004 17:29:04 Qb64d05700068a0de Scanner 2: Virus=W32/Bagle.h!pwdzip virus !!! Attachment=Readme.zip [18] I 03/02/2004 17:29:04 Qb64d05700068a0de File(s) are INFECTED [[Encrypted .ZIP file]:

RE: [Declude.Virus] I've officially given up

2004-03-02 Thread Markus Gufler
Makes you wonder what sort of people have no life that they have to do this. People like http://www.heise.de/english/newsticker/news/44879 making 28,000.- USD per month by selling their zombies to spammers. Markus

RE: [Declude.Virus] new Spam report from Sophos

2004-03-02 Thread Markus Gufler
The top 10 is: uu.net chinanet-gd kornet.net above.net chinanet-cq level3.net exodus.net hinet.net cw.net interbusiness.it So position 10 for Interbusiness in the top10 network provider list and pos 1,4,6,7,9 for the USA. Can someone explain to me why I can't find any source of

RE: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Markus Gufler
interesting because NAI is not catching for us... we're at defs version 4.0.4331 and scan engine 4.3.20 Same status here. Do you have anything special in your config? Nothing special. I'm running the latest declude interim and can see 3 banned EZIP attachments in the latest 20 hours. All

RE: [Declude.Virus] Clam?

2004-03-02 Thread Markus Gufler
I've had the same error. Installing it on the preconfigured directory (c:\clamav-devel) solved this problem. After this there was another error, that I've solved after Terry's tip to create the c:\tmp folder. At the moment I've a problem with freshclam (MD5 error) So I downloaded all the

[Declude.Virus] Clam deny vir folder deletion

2004-03-03 Thread Markus Gufler
The undeleted .vir folders are not caused by the new interim releases. Anyone who has added shortly ClamAV as second or third AV engine should check his virus logfiles for the following lines: ERROR: Virus scanner 3 didn't finish after 30 seconds; terminating. WARNING: Couldn't remove .vir

RE: [Declude.Virus] Network Associates Products Will Soon Detect Bagle Variants with Encrypted Zip Attachments

2004-03-05 Thread Markus Gufler
... we have discovered that their products would detect these viruses if they were executed on a system, I strongly hope that every AV-engine installed on a local machine is able to detect any known virus, if this virus was extracted from the encrypted zip file after the (dumb) user has

[Declude.Virus] Proxy-Cidra

2004-03-10 Thread Markus Gufler
This morning I've seen several Proxy-Cidra Trojans held on our server. The discovery date of this trojan is 12/27/2003 and so every AV engine should be able to detect it. http://vil.nai.com/vil/content/v_100939.htm All infected messages I've seen are coming from different IPs. Markus

[Declude.Virus] Proxy-Cidra forging

2004-03-10 Thread Markus Gufler
Oops, I forgot: looks like this is a forging virus because all warnings are coming back as NDRs. Markus

RE: [Declude.Virus] W32.Beagle.J@mm cannot be caught

2004-03-10 Thread Markus Gufler
Please read the old posts about this problem. I STRONGLY agree!! Short Summary: Antivirus programs and declude can't open password protected zip files ... Good summary, but the problem is that if people know that there is a short summary even after an already 100 times asked and

RE: [Declude.Virus] Trend and McAfee installed on same machine

2004-03-24 Thread Markus Gufler
Tried to install McAfee but it squawked because Trend is installed on the computer and that it must be uninstalled, anybody know of a work around or fix? Download the latest SDAT file and extract the content. This should contain anything you need to run the command line scanner. On

RE: [Declude.Virus] Trend and McAfee installed on same machine

2004-03-24 Thread Markus Gufler
But this seems to entail that I have a *nix box. ? This is a batch file that you can run from any Windows command line. I'm not sure if you know or don't know this already, but if you don't know it it's likely that you won't be able to adapt it for your needs. Markus

RE: [Declude.Virus] Using a BitDefender scanner

2004-04-01 Thread Markus Gufler
It looks like the BitDefender Free Edition includes the command line scanner and excludes on-demand scanning. Just what's needed for this application. Unfortunately the free DOS edition does not return any error code. So it's not possible to use it at the moment. I've asked Bitdefender

RE: [Declude.Virus] Scanner Efficiency Olympics

2004-04-01 Thread Markus Gufler
Scanner   Avg. Time     Avg. Processor%   Peak%
F-Prot    0.1 seconds   0.482%            4.688%
AVG       0.5 seconds   0.934%            52.316%
McAfee    0.6 seconds   0.900%            73.433%

RE: [Declude.Virus] sending a virus to support

2004-04-15 Thread Markus Gufler
We've several local competitors without any virus protection whose mailboxes work fine to send viruses around the world ;-) I believe in Imail below v8 you can send such files through the webmail interface. Markus From: [EMAIL PROTECTED]

RE: [Declude.Virus] Unknown Viruses?

2004-05-07 Thread Markus Gufler
I can see also a lot of these unknown virus reports. (See attached admin-notify message) All are coming from , [EMAIL PROTECTED] or are NDRs. F-Prot reports an unknown virus. I don't know why, but from the message headers I can see that practically all of these NDRs are useless because they are

RE: [Declude.Virus] Passing a bogus zip.

2004-05-21 Thread Markus Gufler
I believe the spaces in the BANNAME was fixed in 179i6 and higher. I have successfully blocked Deleted Attachment I'm running 1.79i7 now and messages containing an attachment like Norton AntiVirus deleted1.txt still pass our virus filter. ? Markus

RE: [Declude.Virus] Passing a bogus zip.

2004-05-21 Thread Markus Gufler
For sure! I tried now with different files and found why certain files are not blocked with BANNAME. At the moment it's not possible to block file attachments if the name contains special characters. For example "Norton Antivirus gelöscht1.txt" the German version of "Norton Antivirus

[Declude.Virus] New variant of zafi worm is forging and mutli-language

2004-06-11 Thread Markus Gufler
http://vil.nai.com/vil/content/v_126242.htm Please update the forging list to prevent false warnings. Markus

RE: [Declude.Virus] New variant of zafi worm is forging and mutli-language

2004-06-11 Thread Markus Gufler
http://vil.nai.com/vil/content/v_126242.htm Please update the forging list to prevent false warnings. Our forging virus database has now been updated to include Zafi We've received back some virus warnings sent to the recipients because the recipients name of the address was not valid

RE: [Declude.Virus] virus increment

2004-06-23 Thread Markus Gufler
Ahh and here I thought that you would have some sort of fancy program that would do this. Yes some vbscripts, but that wouldn't run out of the box on your system. These scripts are part of our CRM and read/write data from a big database. It would take some hours to prepare it for public

RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

2004-06-25 Thread Markus Gufler
OT- Anyone know about this latest attack reported by CNN? Here is what CNN says: http://www.cnn.com/2004/TECH/internet/06/24/internet.attack.ap/index.html Sharyn I read somewhere that it only infects IIS 5 but I haven't heard much

RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

2004-06-25 Thread Markus Gufler
UNTIL NOW?? You are infected now? No, but since I can't see in the future as most other people on this world please ask again every 5 minutes because I don't know if the server will be infected in the meantime Please tell me if you're 100% sure that it will not happen on your (whatever OS)

RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

2004-06-25 Thread Markus Gufler
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Friday, June 25, 2004 10:35 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN? OT- Anyone know about this latest attack reported by CNN

RE: [Declude.Virus] F-Prot?

2004-07-09 Thread Markus Gufler
I'm sometimes getting this error with F-Prot 07/09/2004 00:54:11 Qd08844ad00207366 Could not find report file C:\IMAIL\spool\Dd08844ad00207366.vir\report.txt. 07/09/2004 00:54:11 Qd08844ad00207366 Error -1073741819 in virus scanner 1. 07/09/2004 00:54:12 Qd08844ad00207366 Scanned:

RE: [Declude.Virus] OT: Animal Messages with Viruses?

2004-07-20 Thread Markus Gufler
not OT have you read yesterdays messages on this list? Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, July 20, 2004 3:29 PM To: [EMAIL PROTECTED] Subject: [Declude.Virus] OT: "Animal" Messages with Viruses? Hello, All,

RE: [Declude.Virus] Bitdefender claims terror ties to virus

2004-07-22 Thread Markus Gufler
Right now there IS a vast network of zombies being used to send spam. If the virus writers sell or give access to spammers, they could be giving access to anyone and these compromised computers could be used just as easily to launch DDOS attack on infrastructure as they can to send

RE: [Declude.Virus] New Virus?

2004-07-26 Thread Markus Gufler
It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than filename (puppy.com). Up to now I can't find any com.zip in the vir0726.log file But in the meantime I've banned .zip attachments on our server. BANEXT

[Declude.Virus] wave of unknown viruses?

2004-07-28 Thread Markus Gufler
I'm not sure but in the last few minutes I can see an increased number of "unknown virus" reports from my F-Prot 3.14e scan engine. Anyone else can see this too? Markus

RE: [Declude.Virus] Stop When a scanner finds a virus

2004-08-02 Thread Markus Gufler
When running multiple scanners is there a way to prevent the other configured virus scanners from scanning the message if the first virus scanner finds a virus? No, there is not. Given that all non-virus E-mails will be sent through all scanners, the extra time used is minimal

RE: [Declude.Virus] Stop When a scanner finds a virus

2004-08-02 Thread Markus Gufler
Actually, it's close to 100% if Declude Virus Pro isn't being used (since HTML has to be checked, even if there is no attachment, and most people now send HTML E-mails even if their E-mail is in plain text). Ok, my mistake. But how much would it cost to implement such an option? More

RE: [Declude.Virus] mabuto virus

2004-08-09 Thread Markus Gufler
http://www.gordano.co.uk/kb.htm?q=2297 talks about virus definitions from 28 July 2004 and Mabuto, so it can't be a new one from today. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, August 09, 2004 12:23 PM To: [EMAIL

RE: [Declude.Virus] mabuto virus

2004-08-09 Thread Markus Gufler
2) Is this a forging virus we need to add to the list? If so, does Declude already have it in his forging virus list? It appears to be a forging virus, although we do not have enough information yet to determine that for certain (we have, however, added it to the forging virus database

[Declude.Virus] JS/illWill

2004-08-09 Thread Markus Gufler
I've seen several JS/IllWill messages in the past 20 minutes on our system. Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus (2001) and I can't remember another one in the past. But now I can see them coming from all different IP addresses. Mailfrom looks like real

[Declude.Virus] JS/Zerolin

2004-08-11 Thread Markus Gufler
In the last hour I've seen some JS/Zerolin. Virus warnings are coming back as NDRs. Mailfrom looks random or at least forged. Markus

RE: [Declude.Virus] %date%

2004-08-12 Thread Markus Gufler
In the next release, %DATE% will indeed be changed to DD MMM (12 Aug 2004), and %USDATE% will have the old U.S.-style date format (08/12/2004), %EURDATE% will have the European-style date format (12/08/2004), and %ISODATE% will have the standard date format (2004-08-12). Thank you

[Declude.Virus] JS/Inor.E@dr infected messages

2004-08-19 Thread Markus Gufler
In the last minutes I've seen some messages containing JS/[EMAIL PROTECTED] Virus warnings are coming back as NDRs. Looking at the content I can see that these messages are not worms but sent as spam to our server. The AV-engines detect some obfuscating JS-code at the end of this message as

[Declude.Virus] JS/IFromot.A

2004-09-06 Thread Markus Gufler
I can see some few appearances of JS/IFromot.A. Looks like these are spam messages containing suspicious code and the sender address is forged. So if other people are also seeing IFromot, maybe it should be added to the forged-list. Markus

RE: [Declude.Virus] F-Prot/GDI+ FYI

2004-09-25 Thread Markus Gufler
I expect we'll have a new version on Monday to take care of this (unless some start spreading before then, in which case we would have a new version ready ASAP). Well after reading http://www.heise.de/newsticker/meldung/51459 (German) I think it's time to release something! In short: There

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Markus Gufler
My complete setup for F-Prot is now: SCANFILE c:\progra~1\fsi\f-prot\FPcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /SERVER /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 REPORTInfection: REPORTContains the exploit named

RE: [Declude.Virus] Spool Dir

2004-10-13 Thread Markus Gufler
I was wondering what everyone does with the Imail\spool\virus directory. Do you delete all the files regularly? I've got 7000 files in there since I installed Declude (2 weeks ago). ICTCleaner (www.zcom.it/decludeupdater/ictcleaner.zip) can be scheduled as daily task to delete all files

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Markus Gufler
Thank you Matt, no I've to write much less :-) I've tested with F-prot and Mcafee on our server and can see exactly the same results as reported by Matt. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, September 28,

RE: [Declude.Virus] GDI false Postive

2004-09-29 Thread Markus Gufler
I had a JPG held by declude as: X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability]. However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC. After looking in the

RE: [Declude.Virus] GDI false Postive

2004-09-29 Thread Markus Gufler
For example there is a message showing up in the logfile as 09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability] 09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability] 09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG

CBL:RE: [Declude.Virus] Deleting Vulnerability

2004-10-01 Thread Markus Gufler
Now that 1.80 does not delete vulnerabilities even with DELETEVIRUSES ON, what is the best way of deleting them? You can try out www.zcom.it/decludeupdater/ictcleaner.zip It's small, easy to use and freeware. Markus

RE: [Declude.Virus] V1.81?

2004-10-04 Thread Markus Gufler
Sharyn, I've installed v1.81 last Saturday and can't find any trace of "GDI" or "JPEG" in the vir logfile from this point on. So I assume all previous "Microsoft GDIPlus.DLL JPEG Vulnerabilities" were false positives. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL

[Declude.Virus] DragDrop set as forging

2004-10-07 Thread Markus Gufler
I've seen some messages identified by declude.virus as Virus: HTML/[EMAIL PROTECTED] File: [HTML segment] From: [EMAIL PROTECTED] Other from-addresses are: From: [EMAIL PROTECTED] From: [EMAIL PROTECTED] Remotehost in any case is the same as the mailfrom

[Declude.Virus] Phish-BankFraud.eml trojan

2004-10-09 Thread Markus Gufler
Today I've seen that one of my two scanners (I believe it was McAfee) has caught a message as Phish-BankFraud.eml trojan Expecting that they will add more such patterns would it be best to add Phish- to the forging virus list? Markus

[Declude.Virus] Unknown virus warnings

2004-10-29 Thread Markus Gufler
Hi all, Today I can see a large number of non delivery reports coming back to our server containing the original virus warning (recip.eml) This is the beginning of our recip.eml file: === SKIPIFSENDER [Forged] SKIPIFVIRUSNAMEHAS Vulnerability

[Declude.Virus] HEADS UP there is something strange out

2004-10-29 Thread Markus Gufler
My F-prot/Mcafee scanners are detecting huge numbers of Unknown Viruses this morning. Looking at the original message headers there are always HELO strings like Beatrix.net Arianna.net Margareth1.org Margareth1.com This moment I've received a warning from my own server that I have sent a

RE: [Declude.Virus] Unknown virus warnings

2004-10-29 Thread Markus Gufler
of incoming messages, with above-normal banned cpl extension attachments in virus folder. --- Franco Celli [EMAIL PROTECTED] - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 29, 2004 10:32 AM Subject: [Declude.Virus

RE: [Declude.Virus] Unknown virus warnings

2004-10-29 Thread Markus Gufler
It seems that Declude is handling this Unknown Virus not with this string even if showed in the %VIRUSNAME% variable. In the Mailheader for other known viruses I can see X-Declude-Virus: Detected W32/[EMAIL PROTECTED] For this new virus coming in with price/joke.com/exe/cpl/scr attachments the

RE: [Declude.Virus] Unknown virus warnings

2004-10-29 Thread Markus Gufler
Now the F-prot update has arrived also here. Catching it as Bagle.AP from 12:30 GMT+1 on. Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on. But I still can't understand what's happened with the Unknown virus string...? Markus -Original Message- From: [EMAIL PROTECTED]

RE: [Declude.Virus] Unknown virus warnings

2004-10-29 Thread Markus Gufler
I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe. I believe it would be useful for all users of F-Prot with returncode 8 enabled to avoid future

RE: [Declude.Virus] Unknown virus warnings

2004-10-29 Thread Markus Gufler
I have not activated returncode 8 for F-prot in Declude yet because I wasn't sure if we would get too many false positives. Has anyone, or maybe f-prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many? Bonno, I don't know how much false
