RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-27 Thread Adolfo Justiniano
You are correct -- there is a new interim release v1.76i4 at the same
URL that fixes this.

Thanks Scott, now it's working.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 

---
[This E-mail was scanned for viruses by the Santa Cruz BBS anti-virus system]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-27 Thread Adolfo Justiniano
Strange, I have not had any problems with that interim release.  What I
have noticed is that all of the 1.76i* releases have a problem with
creating Eicar files in the directory that you run declude -diag in,
except the IMail directory.  For example, if I run three times at the
root C prompt:

If you don't have a gateway and don't use ipbypass in Declude JunkMail
you probably wouldn't have the problem.

I don't have that problem with the Eicar files when I run declude -diag
in any directory.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 




RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-26 Thread Adolfo Justiniano
The same thing is happening here.
I have the folder HOLD2 full of messages, most of them are actually
infected with Swen.A virus, few are legitimate (sent after the IP was
blocked by hijack).

We've made a change to the code for interim release v1.76i3 (at
http://www.declude.com/release/176i/declude.exe ) that should take care
of this issue.

Scott,

That interim version is seriously broken, none of the Declude JunkMail
tests are executed, all messages have 0 as weight, no logs are
generated... I have to go back to 1.76i2.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 



[Declude.Virus] Is Declude Hijack run before Declude Virus

2003-09-23 Thread Adolfo Justiniano
I've seen several messages in Hijack's hold directories that seem to be
infected messages, some have attached files with double extensions like
xls.pif.

I'm worried because sometimes I have to move some false positives back
to the queue, and as I've seen that once I do it Declude won't see those
messages anymore, I could end up releasing some messages with viruses.

Is there any way to invert the order, to make Declude Virus run before
Hijack? I would like that to happen because of the banned extensions
too.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net 




RE: [Declude.Virus] SoBig.F

2003-08-19 Thread Adolfo Justiniano
Hello Andy,

I used McAfee and it started blocking it since 8:31 EDT (I pull in
their daily updates hourly).

How do you pull the updates hourly? I use the Instant Updater but it
looks like it does the updates just once per day.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net




RE: [Declude.Virus] Vulnerabilities explained

2003-03-05 Thread Adolfo Justiniano
Hello Markus,

Thank you for your contribution. I'm releasing the hold messages using a
program alias in IMail, so the recipients could just send an email to
the alias address to unblock the email. Following is the little cmd
script, as you can see it uses some of the GNU tools for Win32 that you
could find at http://unxutils.sourceforge.net/

I found it very useful in cases where the end user has access to email
but not the web.

I know that it should have been better to write it in VB script, Perl or
other language, but I don't have skills in those and besides it's
working quite well as a batch file. :-)

As you have discovered, when multiple recipients are in place, if one of
them sends the request, the message is released for all of them. In my
opinion I consider it as a minor glitch.

From now on all my vulnerabilities hold notifications will have both
options, send an email to our program alias and the link to your asp
code.

Where are you from? I'm in Bolivia - South America.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

 unblock_email.cmd 

@echo off
setlocal
rem Paths
set holdpath=d:\imail\spool\virus
set spoolpath=d:\imail\spool
set imailpath=c:\imail
rem The following lines get the sender's address to send the confirmation
rem if the message has several from: it uses the one that is at the top (headers)
rem gawk prefixes each field with its line number; "^1 " keeps only line 1
grep -i from: %1|gawk "{for (i=2;i<NF+1;i++)print NR,$i}"|grep @|grep "^1 "|cut -d " " -f 2-|cut -d " " -f 1 >%1.1
for /f %%i in (%1.1) do set sender=%%i
rem The following lines get the message's subject that is where the
rem sender should send the spool name
grep -i subject: %1|gawk "{print NR,$0}"|grep "^1 "|cut -d : -f 2->%1.1
for /f "delims=" %%i in (%1.1) do set subject=%%i
rem The following lines get just the spool name without the leading D,
rem needed to process the D* and the Q* files
rem it also gets rid of any * or ? that a malicious user could have
rem included (Does your ASP code have provision for that?)
grep -i .smd %1.1|cut -d D -f 2-|grep -v "*"|grep -v "?" >%1
for /f %%i in (%1) do set message=%%i
rem Deletes the file passed by IMail and the work file
del %1
del %1.1
rem If the Subject doesn't have a valid spool name or if any of the
rem files doesn't exist go to the error label
if "%message%"=="" goto error
if not exist %holdpath%\D%message% goto error
if not exist %holdpath%\Q%message% goto error
rem Move the files back to the queue
move /Y %holdpath%\D%message% %spoolpath%
move /Y %holdpath%\Q%message% %spoolpath%
rem Send success confirmation. In unblock_email_success.txt write a
rem small text confirming the unblock.
%imailpath%\imail1 -f %imailpath%\unblock_email_success.txt -s "E-mail unblocked:%subject%" -t %sender% -u [EMAIL PROTECTED]
goto end
:error
rem Send failure message. In unblock_email_error.txt write a text
rem explaining what mistakes the user could have made
%imailpath%\imail1 -f %imailpath%\unblock_email_error.txt -s "Error while unblocking E-mail:%subject%" -t %sender% -u [EMAIL PROTECTED]
:end
endlocal

 End 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, March 05, 2003 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Vulnerabilities explained


BTW: I've attached to this mail a short ASP-Script that requeues a
spoolfile from the virus folder.

Simply set a link in your vulnerability.eml file to

http://www.yourdomain.com/requeue.asp?id=%QUEUENAME%

The recipient of the vuln.warning can simply click on this link to
requeue the hold message.

Note: the anonymous user of this web (IIS) must have read/write access
to declude virus and Imail spoolfolder.

Markus
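
The release-by-e-mail script in this message builds file paths from a spool name taken out of the Subject header and only filters * and ?. As an added example (not part of the original thread, and not Declude or IMail code), the Python below does the same D/Q move but accepts only a subject that is exactly one spool name and confirms both files sit directly in the hold directory before moving either. The spool-name pattern, the function names and the directory arguments are assumptions made for the example.

```python
import re
import shutil
from pathlib import Path
from typing import List, Optional

# Assumed spool-name shape (not from IMail documentation): "D" + alphanumeric
# stem + ".smd". Anything else in the Subject is rejected, not filtered.
SPOOL_SUBJECT = re.compile(r"D([A-Za-z0-9]{1,32}\.smd)", re.IGNORECASE)


def spool_id_from_subject(subject: str) -> Optional[str]:
    """Return the name without its leading D, or None if the subject is not exactly one spool name."""
    m = SPOOL_SUBJECT.fullmatch(subject.strip())
    return m.group(1) if m else None


def requeue(subject: str, hold_dir, spool_dir) -> List[str]:
    """Move the D/Q pair named in the subject from hold_dir back to spool_dir."""
    ident = spool_id_from_subject(subject)
    if ident is None:
        raise ValueError("subject is not a valid spool name")
    hold = Path(hold_dir).resolve()
    spool = Path(spool_dir).resolve()
    pairs = []
    for prefix in ("D", "Q"):
        src = (hold / (prefix + ident)).resolve()
        # Defence in depth: after resolving links the file must still be a
        # regular file directly inside the hold directory.
        if src.parent != hold or not src.is_file():
            raise FileNotFoundError(prefix + ident)
        pairs.append((src, spool / (prefix + ident)))
    # Both files were checked before anything moves, so a missing Q file
    # cannot leave a half-released message in the queue.
    for src, dst in pairs:
        shutil.move(str(src), str(dst))
    return [dst.name for _, dst in pairs]


if __name__ == "__main__":
    # Constructed subjects: one well-formed name, then inputs that must be refused.
    for s in ["D1a2b3c4d.smd", "D..\\..\\boot.smd", "D*.smd", "Dabc.smd & del x"]:
        print(repr(s), "->", spool_id_from_subject(s))
```
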



MISSING_REVERSE_DNS:Re: Re[2]: [Declude.Virus] not storing viruses

2001-10-06 Thread Adolfo Justiniano

I would like to have that option too.

Adolfo Justiniano
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: R. Scott Perry [EMAIL PROTECTED]
Sent: Saturday, October 06, 2001 11:24 AM
Subject: Re[2]: [Declude.Virus] not storing viruses


 Saturday, October 06, 2001, 8:10:04 AM, you wrote:

  There is no way to have Declude automatically delete them.  That's
  mainly a safety feature, in case of problems with the virus scanner
  (if it starts reporting that all files have viruses, for example).

 Would you consider adding a switch for the config file to do this in
 the next version if others here think there is a need?

 David

 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.  You can E-mail
 [EMAIL PROTECTED] for assistance.  You can visit our web
 site at http://www.declude.com .

