Re: [Declude.Virus] Goodbye
Best wishes in all of your endeavors, Alex!

Darin.

- Original Message -
From: Hirthe, Alexander
To: 'declude.virus@declude.com'
Sent: Tuesday, June 23, 2009 5:08 AM
Subject: [Declude.Virus] Goodbye

Goodbye to all of you,

I'm leaving the company and I don't think I'll get in touch with declude again.

Thanks for all the help in the past years!

Alex

Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Executive Board: Prof. H.-F. Siller (Chairman), Joern Buelow, Ralf Michi
Chairman of the Supervisory Board: Dr. Peter Baumeister
Court of registration: Stuttgart, HRB 107707, VAT ID No. DE145782955

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Wow, what a way to respond to a long-time, loyal paying customer! Instead of apologizing for the serious problem and relaying what steps are being taken to avoid it happening again (a simple reminder in the calendar system of your choice would suffice), it's being thrown back in the customer's face.

Regarding the question of increasing prices for service agreements, that has no bearing on a current customer who has already paid the fees. Such customers should expect the service they paid for to be rendered. Failure to do so is a breach of agreement on Declude's part.

While we are all human and problems can occur, this is a serious failure, and the tone of the response being putative instead of apologetic makes customers less forgiving, not more. To be frank, many customers are asking what they are paying for, when fix and feature requests take months to be released, or not at all.

I understand the situation may be frustrating, but it's often best to step back for a moment, vent elsewhere if needed, then respond professionally to customers. Clear, open, and honest communication also helps.

Please don't take this email as incendiary. It is meant to be constructive.

Darin.

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Wednesday, June 03, 2009 11:07 AM
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Andy,

a. Declude Virus does not have a built in system to report this error as with this specific example. What happened here is not the norm but an exception. It was not our choice to hard code the expiration date but a requirement from AVG. In this instance the specific persons who we had been working with at AVG are no longer with the company and the process of having this renewed took longer than usual.

b. I am not sure if you are being facetious, but if it makes you feel better, sure you can schedule a reminder for me, please email me at least 3 month prior of the new expiration date 2010-12-31

c. Yes AVG was not working as it should have been since 2009-04-10

I agree with you - this is totally unacceptable, intolerable, painful and should not be brushed aside lightly. You are correct in your observations, we should increase our prices dramatically so we can hire more developers to ensure unfortunate incidents like this don't happen again. Considering the market and what other vendors charge how much more are you prepared to pay for your service agreement so that we can meet this type of requirement ?

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, June 03, 2009 9:08 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Importance: High
Sensitivity: Personal

Hi, Dave - so now that we have a working Declude Virus again, what can be done to prevent this from recurring.

a) Apparently Declude Virus has no error tracking in place at all - otherwise it would have REPORTED to us (or your own Declude to your own mail server) that the AVG API was no longer performing scans?

b) Do the customers need to set a follow-up reminder for December 2010, which is when your new renewed AVG license will expire?

The old DecludeProc had THIS AVG License String:

LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10

So this implies, that the product was inoperable since April 10th for every customer because Declude didn't obtain a new annual AVG license and had to wait a few days for this transaction to complete? That means the product was unusable for 13% of the year? This can't just be brushed aside quietly.

Best Regards,
Andy

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
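The silent expiry discussed in this thread is the kind of condition an operator can watch for independently of the vendor. The following is an added example, not code from Declude, AVG or any poster: it parses a license string of the shape quoted in the thread and classifies it for a monitoring job. The field layout is assumed from that single quoted string, the 90-day warning window approximates the "3 month" reminder mentioned above, and the function names and exit-code mapping are hypothetical.

```python
from datetime import date

# Monitoring-plugin style exit codes (assumption: the job runner treats
# non-zero as "needs attention"; UNKNOWN is deliberately not a pass).
EXIT_CODES = {"OK": 0, "WARN": 1, "EXPIRED": 2, "UNKNOWN": 3}


def parse_license(text):
    """Split 'LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10' into a dict.

    Layout assumed from the one string quoted in the thread: a 'LicBeg'
    marker followed by comma-separated key=value fields.
    """
    parts = [p.strip() for p in text.split(",")]
    if parts[0] != "LicBeg":
        raise ValueError("missing LicBeg marker")
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed field: %r" % part)
        fields[key.strip()] = value.strip()
    return fields


def license_status(text, today, warn_days=90):
    """Return (state, days_left) for a license string.

    The thread reports the scanner as not working *since* the Exp date,
    so the expiry day itself already counts as EXPIRED. A string that
    cannot be parsed yields UNKNOWN rather than OK, so a damaged or
    missing license is reported instead of silently passing.
    """
    try:
        expires = date.fromisoformat(parse_license(text)["Exp"])
    except (ValueError, KeyError):
        return ("UNKNOWN", None)
    days_left = (expires - today).days
    if days_left <= 0:
        return ("EXPIRED", days_left)
    if days_left <= warn_days:
        return ("WARN", days_left)
    return ("OK", days_left)


def exit_code(text, today, warn_days=90):
    """Map the status to a process exit code for a scheduled check."""
    return EXIT_CODES[license_status(text, today, warn_days)[0]]


if __name__ == "__main__":
    quoted = "LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10"  # from the thread
    for day in (date(2008, 12, 1), date(2009, 1, 15), date(2009, 6, 3)):
        print(day.isoformat(), license_status(quoted, day))
```

Run daily with `date.today()`, a check like this raises a warning well before the expiry date instead of leaving the gap to be noticed after the fact.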
Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?
My payment history is more like Andy's. We paid $264-$295 annually for our service agreements (JunkMail/Virus) from 2002 to 2006. We never had HiJack. Darin. - Original Message - From: David Barker To: declude.virus@declude.com Sent: Wednesday, June 03, 2009 1:50 PM Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Here is the full breakdown. The Good ol' Days EVA - Service Agreement $195.00 JunkMail - Service Agreement $195.00 HiJack - Service Agreement $75.00 Total: $465 Today EVA - Service Agreement JunkMail - Service Agreement HiJack - Service Agreement AVG virus scanner Commtouch ZEROHOUR Antivirus + Spam definitions Total: $395 So you have a whole lot more for less money, and yes you are complaining. David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 1:12 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal I think taking a software company to task on their lack of control DOES benefit all users technically! I didn't introduce pricing and staffing into this discussion - YOU did! Now you take me to task for responding to your pricing/staffing issues that YOU raised? Let's not forget you are paying less for the product maintenance today than you were 5 years ago 1/6/2002: $295 1/14/2003: $295 1/23/2004: $295 (after having upgrading to Pro in March 2003) 1/5/2005: $264 12/30/2005: $264 8/18/2006: $309 1/19/2007: $309 3/13/2008: $395 6/2009: $395 Would you like to revise your statement? I'm not paying less, I'm paying 50% more. No complaints - just insisting on the truth. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, June 03, 2009 12:40 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal Breathing and counting to 10 . 
;) Whoever wrote this API implementation simply was too lazy to properly handle and report on the condition that absolutely was going to occur with 100% certainty on 4/10. That's a programming 101 and this flaw must be fixed, not discussed. It's when an Anti-Virus product doesn't report that it has decided to stop detecting viruses. In coding Utopia yes that is true. I was unaware of this situation till now. I would fire the person who implemented this but we had already let them go over 2 years ago. I get what you are saying, I just don't think you understand when I say I have heard you Andy, you can stop posting to the lists about this Nice try, but to me, money is secondary to function. Nice dodge! I rather would pay appropriate maintenance for a product that is enhanced with features (as it was in the first few years when I had purchased it) than to pay a lesser annual maintenance for a dormant product! Ah the good old days of Scott Perry. Let's not forget you are paying less for the product maintenance today than you were 5 years ago. Dormant ? or not the fixes and features you want? However, I'm NOT willing to pay a company just so that they can pursue OTHER technical, legal and marketing ventures INSTEAD of enhancing the product. The problem with Declude is that they lost focus - this instance makes this painfully obvious! What are you talking about ? Let's get real. I remember looking at your web site a while ago and seeing a huge roster of management. I also remember web site project and other products being launched and initating legal actions. Here's what you need Start laying off managers and other supervisory staff, cut the retainers for your attorneys, etc. and don't stop until you have enough money to finally pay ONE full time developer that actually works on continually enhancing the product we are all paying for and gets as much done as the original author of the product did for YEARS. 
Once caught up with 3 years of backlog, then sell me the upgrade!) You don't need additional personnel - you to need replace overhead-personnel with production personnel. Wrong. Declude is a separate company from DNSStuff. Our (Declude) revenues are solely committed to maintaining and growing this company. I suspect the problem is not lack of funds but diversion of it. Oh wait. that's a good one. I think the best way to answer this just is to say your suspicion is incorrect. Finaly the purpose for these lists is mostly for tech questions and assisting other users. Your initial posts about AVG were
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Ahh... so the solution is to use Declude Junkmail instead of IMail's poor anti-spam. Then you could use the AVAFTERJM to work effectively with AV scanning. Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Saturday, June 14, 2008 9:37 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I have bought declude anti-virus, not declude anti-spam. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Saturday, June 14, 2008 12:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG The reason for it not working is that the scanner doesn't recognize the incorrect parameters, and aborts. We're not seeing the CPU spikes you are, however that may be a difference with running AV over all messages vs. only on messages that spam filtering. I'm curious... you say you don't have Declude, but you're subscribed to the Declude email discussion list, and you previously stated you had an antique version declude and imail??? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 10:38 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I do not have declude anti-spam, imail already has anti-spam function. Anyway, previous in F-prot 3.0 do not have such issue, and now clamav also work perfectly over the same traffic, only F-prot 6.0 has this issue, I have tried to reduce maxonce to just 1, reduce scanlevel=1 /heurlevel=0, all can not work. Only when I add in noboot or nomem, the CPU immediate get releaf, but this is not working, because with noboot or nomen. the scanner simply not working at all. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 9:10 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? 
It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU. Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG No, I am still using antique version declude and imail. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:07 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:23 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I just terminate my F-Prot 6, and installed ClamAV SOSDG Before that, my CPU usage is always run to skyhigh, at around 70%-100%, now using ClamAV, reduce to 5%-20%, still catching all the testing virus. F-prot 6 do not provide option like noboot, nomem, I guess these become the default setting, and cause very high CPU and harddisk usage. Alex instruction dated at 6 June 2008 for ClamAV installation is very helpful, thanks! The main tricks in clamav are: 1: need to install the contributors' tools, then get two dedicated tools for declude, can run the clamdscan as service. 2: need to remove --mbox, if this is there, it will not function. Brian - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 10:02 AM Subject: Re: [Declude.Virus] F-PROT 6 I think VIRUSCODE 1 need to be added too? 
http://www.f-prot.com/support/windows/fpwin_faq/310.html Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, I do not know the exact reason. I have try to reduce scanlevel, heulevel, archive to 0 or 1, still very slow, I guess it is now scanning memory by default? Another question is , for REPORT=report.txt do we need ? REPORT=report.txt from instruction here, looks like need http://www.f-prot.com/support/windows/fpwin_faq/445.html but most users online post seems is not necessary. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, June 04, 2008 2:34 AM Subject: Re: [Declude.Virus] F-PROT 6 Assuming the default location for program installation, here you go. SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:23 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I just terminate my F-Prot 6, and installed ClamAV SOSDG Before that, my CPU usage is always run to skyhigh, at around 70%-100%, now using ClamAV, reduce to 5%-20%, still catching all the testing virus. F-prot 6 do not provide option like noboot, nomem, I guess these become the default setting, and cause very high CPU and harddisk usage. Alex instruction dated at 6 June 2008 for ClamAV installation is very helpful, thanks! The main tricks in clamav are: 1: need to install the contributors' tools, then get two dedicated tools for declude, can run the clamdscan as service. 2: need to remove --mbox, if this is there, it will not function. Brian - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 10:02 AM Subject: Re: [Declude.Virus] F-PROT 6 I think VIRUSCODE 1 need to be added too? http://www.f-prot.com/support/windows/fpwin_faq/310.html Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, I do not know the exact reason. I have try to reduce scanlevel, heulevel, archive to 0 or 1, still very slow, I guess it is now scanning memory by default? Another question is , for REPORT=report.txt do we need ? REPORT=report.txt from instruction here, looks like need http://www.f-prot.com/support/windows/fpwin_faq/445.html but most users online post seems is not necessary. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, June 04, 2008 2:34 AM Subject: Re: [Declude.Virus] F-PROT 6 Assuming the default location for program installation, here you go. 
SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt /VERBOSE=0 corresponds to the old /SILENT switch /TYPE is assumed now /ARCHIVE has changed to /ARCHIVE=5 /NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct /SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended See the FProt 6 manual for more info on conversion of switches, and desired settings Also, while the old VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 is most likely sufficient, we added VIRUSCODE 3 VIRUSCODE 5 VIRUSCODE 6 VIRUSCODE 7 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 VIRUSCODE 11 VIRUSCODE 13 VIRUSCODE 14 VIRUSCODE 15 VIRUSCODE 17 VIRUSCODE 18 VIRUSCODE 19 VIRUSCODE 21 VIRUSCODE 22 VIRUSCODE 23 VIRUSCODE 25 VIRUSCODE 26 VIRUSCODE 27 VIRUSCODE 29 VIRUSCODE 30 VIRUSCODE 31 VIRUSCODE 33 VIRUSCODE 34 VIRUSCODE 35 VIRUSCODE 37 VIRUSCODE 38 VIRUSCODE 39 VIRUSCODE 41 VIRUSCODE 42 VIRUSCODE 43 VIRUSCODE 45 VIRUSCODE 46 VIRUSCODE 47 VIRUSCODE 49 VIRUSCODE 50 VIRUSCODE 51 VIRUSCODE 53 VIRUSCODE 54 VIRUSCODE 55 VIRUSCODE 57 VIRUSCODE 58 VIRUSCODE 59 VIRUSCODE 61 VIRUSCODE 62 VIRUSCODE 63 for completeness. Hope this helps, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, June 03, 2008 11:46 AM Subject: [Declude.Virus] F-PROT 6 Can anyone provide a SCANFILE line that they know works with F-PROT 6 ? Thanks David B --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. 
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU. Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG No, I am still using antique version declude and imail. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:07 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:23 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I just terminate my F-Prot 6, and installed ClamAV SOSDG Before that, my CPU usage is always run to skyhigh, at around 70%-100%, now using ClamAV, reduce to 5%-20%, still catching all the testing virus. F-prot 6 do not provide option like noboot, nomem, I guess these become the default setting, and cause very high CPU and harddisk usage. Alex instruction dated at 6 June 2008 for ClamAV installation is very helpful, thanks! The main tricks in clamav are: 1: need to install the contributors' tools, then get two dedicated tools for declude, can run the clamdscan as service. 2: need to remove --mbox, if this is there, it will not function. 
Brian - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 10:02 AM Subject: Re: [Declude.Virus] F-PROT 6 I think VIRUSCODE 1 need to be added too? http://www.f-prot.com/support/windows/fpwin_faq/310.html Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, I do not know the exact reason. I have try to reduce scanlevel, heulevel, archive to 0 or 1, still very slow, I guess it is now scanning memory by default? Another question is , for REPORT=report.txt do we need ? REPORT=report.txt from instruction here, looks like need http://www.f-prot.com/support/windows/fpwin_faq/445.html but most users online post seems is not necessary. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, June 04, 2008 2:34 AM Subject: Re: [Declude.Virus] F-PROT 6 Assuming the default location for program installation, here you go. SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt /VERBOSE=0 corresponds to the old /SILENT switch /TYPE is assumed now /ARCHIVE has changed to /ARCHIVE=5 /NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct /SCANLEVEL and /HEURLEVEL are new switches. 
The values above are recommended See the FProt 6 manual for more info on conversion of switches, and desired settings Also, while the old VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 is most likely sufficient, we added VIRUSCODE 3 VIRUSCODE 5 VIRUSCODE 6 VIRUSCODE 7 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 VIRUSCODE 11 VIRUSCODE 13 VIRUSCODE 14 VIRUSCODE 15 VIRUSCODE 17 VIRUSCODE 18 VIRUSCODE 19 VIRUSCODE 21 VIRUSCODE 22 VIRUSCODE 23 VIRUSCODE 25 VIRUSCODE 26 VIRUSCODE 27 VIRUSCODE 29 VIRUSCODE 30 VIRUSCODE 31 VIRUSCODE 33 VIRUSCODE 34 VIRUSCODE 35 VIRUSCODE 37 VIRUSCODE 38 VIRUSCODE 39 VIRUSCODE 41 VIRUSCODE 42 VIRUSCODE 43 VIRUSCODE 45 VIRUSCODE 46 VIRUSCODE 47 VIRUSCODE 49 VIRUSCODE 50 VIRUSCODE 51 VIRUSCODE 53 VIRUSCODE 54 VIRUSCODE 55 VIRUSCODE 57 VIRUSCODE 58 VIRUSCODE 59 VIRUSCODE 61 VIRUSCODE 62 VIRUSCODE 63 for completeness. Hope this helps, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, June 03, 2008 11:46 AM Subject: [Declude.Virus] F-PROT 6 Can anyone provide a SCANFILE line that they know works with F-PROT 6 ? Thanks David B --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
The reason for it not working is that the scanner doesn't recognize the incorrect parameters, and aborts. We're not seeing the CPU spikes you are, however that may be a difference with running AV over all messages vs. only on messages that spam filtering. I'm curious... you say you don't have Declude, but you're subscribed to the Declude email discussion list, and you previously stated you had an antique version declude and imail??? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 10:38 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I do not have declude anti-spam, imail already has anti-spam function. Anyway, previous in F-prot 3.0 do not have such issue, and now clamav also work perfectly over the same traffic, only F-prot 6.0 has this issue, I have tried to reduce maxonce to just 1, reduce scanlevel=1 /heurlevel=0, all can not work. Only when I add in noboot or nomem, the CPU immediate get releaf, but this is not working, because with noboot or nomen. the scanner simply not working at all. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 9:10 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU. Darin. 
- Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG No, I am still using antique version declude and imail. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:07 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:23 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I just terminate my F-Prot 6, and installed ClamAV SOSDG Before that, my CPU usage is always run to skyhigh, at around 70%-100%, now using ClamAV, reduce to 5%-20%, still catching all the testing virus. F-prot 6 do not provide option like noboot, nomem, I guess these become the default setting, and cause very high CPU and harddisk usage. Alex instruction dated at 6 June 2008 for ClamAV installation is very helpful, thanks! The main tricks in clamav are: 1: need to install the contributors' tools, then get two dedicated tools for declude, can run the clamdscan as service. 2: need to remove --mbox, if this is there, it will not function. Brian - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 10:02 AM Subject: Re: [Declude.Virus] F-PROT 6 I think VIRUSCODE 1 need to be added too? http://www.f-prot.com/support/windows/fpwin_faq/310.html Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, I do not know the exact reason. I have try to reduce scanlevel, heulevel, archive to 0 or 1, still very slow, I guess it is now scanning memory by default? Another question is , for REPORT=report.txt do we need ? 
REPORT=report.txt from instruction here, looks like need http://www.f-prot.com/support/windows/fpwin_faq/445.html but most users online post seems is not necessary. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, June 04, 2008 2:34 AM Subject: Re: [Declude.Virus] F-PROT 6 Assuming the default location for program installation, here you go. SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt /VERBOSE=0 corresponds to the old /SILENT switch /TYPE is assumed now /ARCHIVE has changed to /ARCHIVE=5 /NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct /SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended See the FProt 6 manual for more info on conversion of switches, and desired settings Also, while the old VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 is most likely sufficient, we added VIRUSCODE 3 VIRUSCODE 5 VIRUSCODE 6 VIRUSCODE 7 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 VIRUSCODE 11 VIRUSCODE 13 VIRUSCODE 14 VIRUSCODE
Re: [Declude.Virus] F-PROT 6
Assuming the default location for program installation, here you go.

SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt

/VERBOSE=0 corresponds to the old /SILENT switch
/TYPE is assumed now
/ARCHIVE has changed to /ARCHIVE=5
/NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct
/SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended

See the FProt 6 manual for more info on conversion of switches, and desired settings

Also, while the old

VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8

is most likely sufficient, we added

VIRUSCODE 3
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
VIRUSCODE 11
VIRUSCODE 13
VIRUSCODE 14
VIRUSCODE 15
VIRUSCODE 17
VIRUSCODE 18
VIRUSCODE 19
VIRUSCODE 21
VIRUSCODE 22
VIRUSCODE 23
VIRUSCODE 25
VIRUSCODE 26
VIRUSCODE 27
VIRUSCODE 29
VIRUSCODE 30
VIRUSCODE 31
VIRUSCODE 33
VIRUSCODE 34
VIRUSCODE 35
VIRUSCODE 37
VIRUSCODE 38
VIRUSCODE 39
VIRUSCODE 41
VIRUSCODE 42
VIRUSCODE 43
VIRUSCODE 45
VIRUSCODE 46
VIRUSCODE 47
VIRUSCODE 49
VIRUSCODE 50
VIRUSCODE 51
VIRUSCODE 53
VIRUSCODE 54
VIRUSCODE 55
VIRUSCODE 57
VIRUSCODE 58
VIRUSCODE 59
VIRUSCODE 61
VIRUSCODE 62
VIRUSCODE 63

for completeness.

Hope this helps,

Darin.

- Original Message -
From: David Barker [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, June 03, 2008 11:46 AM
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6 ?

Thanks
David B

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
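Elsewhere in this archive a leftover F-PROT 3 switch on the SCANFILE line is reported to make the F-PROT 6 scanner abort rather than scan, so a stale line means mail passes unscanned. As an added example (not code from Declude, FRISK or any poster), the sketch below lints a SCANFILE line against the switch changes listed in the post above and produces a migrated line. The old-style sample line and its path are constructed, the error/warning severities are this example's own choice, and the function names are hypothetical.

```python
# Switch changes exactly as listed in the post above (F-PROT 3 -> F-PROT 6).
DEFUNCT = {"/NOMEM", "/NOBOOT", "/DUMB", "/AI", "/SERVER"}
RENAMED = {"/SILENT": "/VERBOSE=0"}
ASSUMED = {"/TYPE"}
# New switches with the values the post recommends, spelled as in its line.
NEW_DEFAULTS = [("/SCANLEVEL", "/scanlevel=4"), ("/HEURLEVEL", "/heurlevel=3")]

# The working line from the post, and a constructed old-style line.
V6_LINE = (r"SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 "
           r"/ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt")
OLD_LINE = (r"SCANFILE C:\OLDFPROT\scanner.exe /TYPE /SILENT /NOMEM "
            r"/ARCHIVE /NOBOOT /DUMB /REPORT=report.txt")  # constructed sample


def parse_scanfile(line):
    """Return (exe_path, [(NAME, value_or_None, raw_token), ...]).

    Assumes the executable path has no spaces (8.3 form, as in the post).
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "SCANFILE":
        raise ValueError("not a SCANFILE directive: %r" % line)
    switches = []
    for token in parts[2:]:
        if not token.startswith("/"):
            raise ValueError("unexpected token: %r" % token)
        name, sep, value = token.partition("=")
        switches.append((name.upper(), value if sep else None, token))
    return parts[1], switches


def lint_scanfile(line):
    """List (severity, switch, message) findings; empty list means clean."""
    _, switches = parse_scanfile(line)
    findings, seen = [], set()
    for name, value, raw in switches:
        seen.add(name)
        if name in DEFUNCT:
            findings.append(("error", raw, "defunct in F-PROT 6, remove it"))
        elif name in RENAMED:
            findings.append(("error", raw, "use %s instead" % RENAMED[name]))
        elif name in ASSUMED:
            findings.append(("warn", raw, "now assumed, can be dropped"))
        elif name == "/ARCHIVE" and value is None:
            findings.append(("error", raw, "needs a value, e.g. /ARCHIVE=5"))
    for name, recommended in NEW_DEFAULTS:
        if name not in seen:
            findings.append(("warn", recommended.split("=")[0],
                             "new switch not set, post recommends " + recommended))
    return findings


def convert_scanfile(line):
    """Rewrite an old-style line using the post's mapping.

    The executable path is left untouched; point it at fpscan.exe by hand.
    """
    exe, switches = parse_scanfile(line)
    out, have = [], set()
    for name, value, raw in switches:
        if name in DEFUNCT or name in ASSUMED:
            continue
        if name in RENAMED:
            raw = RENAMED[name]
            name = raw.partition("=")[0]
        elif name == "/ARCHIVE" and value is None:
            raw = "/ARCHIVE=5"
        if name not in have:
            have.add(name)
            out.append(raw)
    out += [rec for name, rec in NEW_DEFAULTS if name not in have]
    return " ".join(["SCANFILE", exe] + out)


if __name__ == "__main__":
    for finding in lint_scanfile(OLD_LINE):
        print("%-5s %-10s %s" % finding)
    print(convert_scanfile(OLD_LINE))
```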
Re: [Declude.Virus] F-PROT 6
Yes. It's expensive, but is still a good and efficient scanner.

Kaspersky and AVG combined may be a good way to go for lower cost if you can afford the CPU of two scanners, or perhaps just Kaspersky. Not sure if anyone has good stats on the performance, completeness of rulebases, and time from initial reports to detection of a virus for the various scanners, but from what information I was able to find, Kaspersky looked good and wasn't too expensive, and AVG is inexpensive though may be lacking as a single scanner.

Darin.

- Original Message -
From: SJ Stanaitis [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, June 03, 2008 1:09 PM
Subject: RE: [Declude.Virus] F-PROT 6

You've got to buy the server product now. I don't think the cheap version works anymore with Declude.

--SJ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, June 03, 2008 11:47 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6 ?

Thanks
David B

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-PROT 6
If there's a command line scanner, it shouldn't be too difficult, but I don't know offhand if Trend Micro has one.

Darin.

- Original Message -
From: SJ Stanaitis [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, June 03, 2008 3:24 PM
Subject: RE: [Declude.Virus] F-PROT 6

I had my CheckPoint handling 99.9% of the virus scanning for the mail server which uses Trend Micro, it was very rare that AVG's product caught something that Trend had missed. Not sure if there's a way to tie Trend into Declude though. I've currently got it watching my Exchange box and it again is phenomenal.

--SJ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, June 03, 2008 2:39 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6

Yes. It's expensive, but is still a good and efficient scanner. Kaspersky and AVG combined may be a good way to go for lower cost if you can afford the CPU of two scanners, or perhaps just Kaspersky. Not sure if anyone has good stats on the performance, completeness of rulebases, and time from initial reports to detection of a virus for the various scanners, but from what information I was able to find, Kaspersky looked good and wasn't too expensive, and AVG is inexpensive though may be lacking as a single scanner.

Darin.

- Original Message -
From: SJ Stanaitis [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, June 03, 2008 1:09 PM
Subject: RE: [Declude.Virus] F-PROT 6

You've got to buy the server product now. I don't think the cheap version works anymore with Declude.

--SJ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, June 03, 2008 11:47 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6 ?

Thanks
David B
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
We got slammed with them today as well. It caught a bunch that made it past spam filtering (we run AVAFTERJM ON). So I'd second that recommendation to NOT turn it off.

If you're concerned about delivery, set up an email notification to let the intended recipient know the message was held, and include a link to a script to requeue the message for delivery.

Darin.

- Original Message -
From: Shayne Embry [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]

Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.

Shayne Embry

Original Message
From: Heimir Eidskrem [EMAIL PROTECTED]
Sent: Tuesday, July 31, 2007 2:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] [Invalid ZIP Vulnerability]

How do I turn this off. I am having emails held as virus but they are not. They do contain pdfs and doc files. Could not find it in the manual.
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
The point is you may let some not-yet-detected viruses through, but in any case you can do that with a switch in the virus.cfg.

Darin.

- Original Message -
From: Heimir Eidskrem
To: declude.virus@declude.com
Sent: Tuesday, July 31, 2007 6:23 PM
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

They are neither virus or spam but legit email.

Shayne Embry wrote:

Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.

Shayne Embry

Original Message
From: Heimir Eidskrem [EMAIL PROTECTED]
Sent: Tuesday, July 31, 2007 2:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] [Invalid ZIP Vulnerability]

How do I turn this off. I am having emails held as virus but they are not. They do contain pdfs and doc files. Could not find it in the manual.
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
Yep. You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml file to specify the vulnerability you don't want to notify on.

Darin.

- Original Message -
From: Jared Pickerell [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

Thanks. That's great! I've not blocked these before because of a large number of legitimate emails needing to get through that would have been blocked. This lets me block them if I want, but still let the legits get through.

I'm a newbie when it comes to Declude configs. I've pretty much left a lot of defaults, but can this (the customized vulnerability.eml) be limited to only be sent for certain vulnerabilities? I don't want this sent for all blocked vulnerabilities and have the users get notifications for things they don't need to.

Thanks!
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml

-- Begin vulnerability.eml
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please click on the link below to have the message released for delivery. Otherwise, the e-mail will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content. Use at your own risk.

Original message information follows

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
DATE: %DATE% @ %TIME%

%HEADERS%
-- End vulnerability.eml

You'll want to replace the link in the email with one appropriate for you.

and the following requeue.asp script.

-- Begin REQUEUE.ASP
<%@ LANGUAGE="JScript" %>
<%
// ---
// requires IUSR permissions to the following directories
// ---
var virusdir="c:\\imail\\spool\\virus\\";
var spooldir="c:\\imail\\spool\\";

// msgid carries the queue file name; drop its leading D/Q prefix
var file=""+Request.QueryString("msgid");
file=file.substr(1);

var fso = new ActiveXObject("Scripting.FileSystemObject");

// Accept only a plain file name (letters and digits plus one optional extension;
// adjust the pattern if your queue names differ) so the value cannot point outside
// the virus directory, and require both the D and the Q file before moving either.
if (/^[A-Za-z0-9]+(\.[A-Za-z0-9]+)?$/.test(file)
    && fso.FileExists(virusdir+"D"+file) && fso.FileExists(virusdir+"Q"+file)) {
    fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
    fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);
    Response.Write("Please check your e-mail in a few minutes for the message you requested.");
}
else {
    Response.Write("Message does not exist, or has already been released for normal delivery.");
}
%>
-- End REQUEUE.ASP

You'll need to change the path to the path for your IMail spool directory.

This inserts the message back into the queue for the next queue run. Others have gone a step further to call SMTP32.exe with the queue file name to deliver it immediately.

Hope this helps,
Darin.

- Original Message -
From: Jared Pickerell [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

How would you go about setting up the ability to include a link to a script to re-queue the message for delivery? I'd be interested in that.

Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well. It caught a bunch that made it past spam filtering (we run AVAFTERJM ON).
So I'd second that recommendation to NOT turn it off. If you're concerned about delivery, set up an email notification to let the intended recipient know the message was held, and include a link to a script to requeue the message for delivery. Darin. - Original Message - From: Shayne Embry [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, July 31, 2007 5:09 PM Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability] Not too sure you'd want to turn that off. We've been getting hit
Re: [Declude.Virus] Virus or Junk?
Yep... spammers are now using PDFs for their payload.

Darin.

- Original Message -
From: Todd Richards [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, June 26, 2007 10:48 AM
Subject: [Declude.Virus] Virus or Junk?

Hey Everyone -

Last night I received a junk mail with no body and a small PDF attachment. This morning I received two more from different people, and differently named small PDF attachments. Anyone else seeing this, know what it is, and doing anything special yet to combat it? I would certainly hate to ban PDF files...

Thanks,
Todd
[Declude.Virus] Feature request - Notification emails generated on vulnerabilities
It would be wonderful to be able to send out notifications on vulnerabilities like the current notifications on virus found/banned files.

We still have to process the virus queue due to legit email that may be held due to vulnerabilities that we do not want to turn off in the config. For legit email in virus/banned file scanning notifications are sent and the requeue message link we include in our notifications allows the users to receive the message without us touching it. But since this notification does not get sent for vulnerabilities, we still have to manually review this queue.

Being able to send out notifications on vulnerabilities would keep us from having to touch the virus hold queue at all, saving us time every day.

Thoughts?

Darin.
Re: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities
Well... because I didn't know it existed <g>.

Thanks, John.

Darin.

- Original Message -
From: John T (lists)
To: declude.virus@declude.com
Sent: Friday, May 25, 2007 12:32 PM
Subject: RE: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

Why not use vulnerability.eml?

SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: We blocked a suspected malicious email sent to you!

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please reply to this notification, and we will review and requeue the message for delivery. (Note, there may be a delay until the message is delivered to you.) Otherwise, the e-mail will be deleted automatically after 5 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%
DATE: %DATE% @ %TIME%
SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:
%HEADERS%

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, May 25, 2007 6:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

It would be wonderful to be able to send out notifications on vulnerabilities like the current notifications on virus found/banned files.

We still have to process the virus queue due to legit email that may be held due to vulnerabilities that we do not want to turn off in the config. For legit email in virus/banned file scanning notifications are sent and the requeue message link we include in our notifications allows the users to receive the message without us touching it. But since this notification does not get sent for vulnerabilities, we still have to manually review this queue.

Being able to send out notifications on vulnerabilities would keep us from having to touch the virus hold queue at all, saving us time every day.

Thoughts?

Darin.
Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee
Slightly OT, but can anyone recommend a good source for the command line version of McAfee?

Darin.

- Original Message -
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Tuesday, March 06, 2007 11:09 AM
Subject: RE: [Declude.Virus] Clam AV vs. AVG vs. McAfee

That's my experience too. I update McAfee hourly - which helps with new outbreaks. It's the last scanner in sequence and always manages to catch viruses that the internal didn't. (Of course, I don't know if there are viruses that the internal caught that McAfee might have missed.)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, March 06, 2007 10:45 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee

Wolf,

I use McAfee, CLAM, Internal AVG, and at one time (before licensing changes) F-Prot all at the same time. If you have extra CPU there is no reason not to use multiple scanners. One thing though when I switched to processing AV last I saw a dramatic drop in viruses due to them being caught as spam. 50-60K a month down to less than 2K.

FWIW - I have McAfee as my last scanner and every now and then I see it grab a few viruses that the others miss.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Wolf Tombe
To: declude.virus@declude.com
Sent: Tuesday, March 06, 2007 10:16 AM
Subject: [Declude.Virus] Clam AV vs. AVG vs. McAfee

The discussion on the current version of Clam AV and Clam being able to detect some image spam got me thinking. Prior to Declude version 4.0, I always used McAfee AV to scan all incoming messages. When I upgraded to Declude 4 I decided to try its built-in AV which seems to work fine.

I'm curious though as to the opinions of others on this list as to the merits of using Clam or other anti-virus scanners either in place of the Declude built-in AV or in addition to it.

Any opinions people would like to share will be appreciated.

Thanks!
Wolf
Re: [Declude.Virus] pay-pal phishing
Isn't that basically what the spamdomains test does? Specifies what domains a mail server can be in that sends for a particular domain...

Darin.

- Original Message -
From: David Barker [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, February 15, 2007 7:22 PM
Subject: RE: [Declude.Virus] pay-pal phishing

One way you could do this is to use the following lines in a filter

#PAYPAL
REVDNS END ENDSWITH .paypal.com
MAILFROM 20 ENDSWITH @paypal.com

Also as far as I know the genuine paypal IP's are listed with BONDEDSENDER

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McGregor
Sent: Thursday, February 15, 2007 5:17 PM
To: Declude-List
Subject: [Declude.Virus] pay-pal phishing

Anyone configured a way to stop some of the pay-pal scam emails?

thanks, bob
Re: [Declude.Virus] pay-pal phishing
Message Sniffer does a pretty good job. You can also use the spamdomains and SPF tests, though their SPF policy is only soft fail at the moment, which Declude does not check.

Darin.

- Original Message -
From: Bob McGregor [EMAIL PROTECTED]
To: Declude-List Declude.Virus@declude.com
Sent: Thursday, February 15, 2007 5:16 PM
Subject: [Declude.Virus] pay-pal phishing

Anyone configured a way to stop some of the pay-pal scam emails?

thanks, bob
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
75 over 45 minutes. Dumb...

Darin.

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:12 PM
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I think I received 36 of them.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, January 04, 2007 12:55 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Importance: High

Is it me or did everyone get this autoresponder about 300 times?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roconnor
Sent: Thursday, January 04, 2007 9:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Ok, this makes it over a hundred received this afternoon. Declude, would you kindly remove him from the list so we don't all get inundated with more autoreplies?

Also, this is a gentle reminder to be a good list netizen and don't use autoresponders for addresses that you use to subscribe to lists. If you need to use autoresponders, just set up a separate email address for list subscriptions and don't use one there.

All the best,
Darin.

- Original Message -
From: roconnor [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:24 PM
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Evidently they are also interfering with the list. My other post at 74 count just now showed up over an hour later.

Darin.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 5:42 PM
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

Ok, this makes it over a hundred received this afternoon. Declude, would you kindly remove him from the list so we don't all get inundated with more autoreplies?

Also, this is a gentle reminder to be a good list netizen and don't use autoresponders for addresses that you use to subscribe to lists. If you need to use autoresponders, just set up a separate email address for list subscriptions and don't use one there.

All the best,
Darin.

- Original Message -
From: roconnor [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:24 PM
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] New Virus?
I posted virustotal results a half hour ago... did you see them?

Darin.

- Original Message -
From: Grant Griffith [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, October 10, 2006 2:17 PM
Subject: RE: [Declude.Virus] New Virus?

It does have a .zip file that contains a .exe file inside it. The message says it contains a .pdf file, but it is really an .exe file. I am running it thru virustotal.com now.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, October 10, 2006 1:32 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached?

Submit the executable to:
http://www.virustotal.com/en/indexf.html
Or:
http://virusscan.jotti.org/

I believe that both services share unknown executables with the antivirus vendors.

Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.:
http://subwiz.trendmicro.com/SubWiz/Default.asp
Or:
http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!).

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Tuesday, October 10, 2006 10:21 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus?

Hey All

Has anyone seen the email saying that you purchased a Sony VAIO for $2,500? We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is being caught?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000
Re: [Declude.Virus] Changes @ Declude
So what will happen to customers on SAs at that time? See why we're asking the questions?

Darin.

- Original Message -
From: Barry Simpson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, February 12, 2006 9:58 AM
Subject: RE: [Declude.Virus] Changes @ Declude

Don,

You are correct, it would be better to have only one product and that is why we are making the offer to customers to move to the highest level of the software at special pricing. We also recognize that some customers don't want to do that so for the foreseeable future we are maintaining the two code bases. We are not going to force customers to move. At some point in the future V3 will go onto maintenance but that date has not yet been decided.

Barry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Sunday, February 12, 2006 9:47 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Changes @ Declude

Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee [EMAIL PROTECTED] wrote:

KB> [Snip]
KB>
KB> On the buying issue what do you get, the two products will be kept in parity feature wise.
KB>
KB> Kevin Bilbee
KB>
KB> [Snip]

If that is truly the case, then it makes sense to have only one version, 4.0. Then, the only difference will be that some customers are on an annual maint agreement and others pay an annual subscription.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364
Fax: (972) 788-5049

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
Re: [Declude.Virus] Changes @ Declude
Hmmm... Barry, that is exactly what I was asking before when I asked "So what will happen to customers on SAs at that time [when v3 is discontinued]?" and you told me "You are asking a question that I don't have an answer to at this moment. When the time arrives we will make a business decision that will be in the best interests of both our customers and ourselves. This is not a decision that will be made lightly or in the near future. We will not just announce one week that the next week we will be discontinuing support for V3. We will ensure that all customers have an upgrade path of one form or another. No customer needs to be concerned at this time that we are going to abandon them, that is not the way we do business."

This answer to Kevin is what I was hoping for, and obviously needed to know before I would budget any additional funds for Declude maintenance.

Darin.

- Original Message -
From: Barry Simpson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, February 12, 2006 3:26 PM
Subject: RE: [Declude.Virus] Changes @ Declude

All existing customers who choose to move to Version 4 will continue to pay Service Agreements. If they opt not to pay for the Service Agreement the software will continue to operate.

Barry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Sunday, February 12, 2006 3:01 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude

I noticed looking at my account that my version 4 license states Declude Imail Perpetual License Since v4 is the Subscription model. If we are customers running on the Maintenance model and we decide to not renew maintenance and have upgraded to version 4 will version 4 ever stop functioning for us?
Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Simpson
Sent: Sunday, February 12, 2006 7:22 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude

Darin,

You are asking a question that I don't have an answer to at this moment. When the time arrives we will make a business decision that will be in the best interests of both our customers and ourselves. This is not a decision that will be made lightly or in the near future. We will not just announce one week that the next week we will be discontinuing support for V3. We will ensure that all customers have an upgrade path of one form or another. No customer needs to be concerned at this time that we are going to abandon them, that is not the way we do business.

Barry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, February 12, 2006 10:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Changes @ Declude

So what will happen to customers on SAs at that time? See why we're asking the questions?

Darin.

- Original Message -
From: Barry Simpson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, February 12, 2006 9:58 AM
Subject: RE: [Declude.Virus] Changes @ Declude

Don,

You are correct, it would be better to have only one product and that is why we are making the offer to customers to move to the highest level of the software at special pricing. We also recognize that some customers don't want to do that so for the foreseeable future we are maintaining the two code bases. We are not going to force customers to move. At some point in the future V3 will go onto maintenance but that date has not yet been decided.
Barry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Sunday, February 12, 2006 9:47 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Changes @ Declude

Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee [EMAIL PROTECTED] wrote:

KB [Snip]
KB
KB On the buying issue what do you get, the two products will be kept
KB in parity feature wise.
KB
KB Kevin Bilbee
KB
KB [Snip]

If that is truly the case, then it makes sense to have only one version, 4.0. Then, the only difference will be that some customers are on an annual maint agreement and others pay an annual subscription.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Changes @ Declude
I didn't receive it either. I checked the logs and nothing came in from Declude.

Darin.

- Original Message -
From: Scott Fisher
To: Declude.Virus@declude.com
Sent: Friday, February 10, 2006 2:24 PM
Subject: Re: [Declude.Virus] Changes @ Declude

Barry,

I did not receive the email sent to every customer (and I have Declude whitelisted). That irks me even more. Not having received the email, this all comes straight out of left field for me. If I had received the email, perhaps it wouldn't be such an unpleasant shock. It certainly is ruining my day off, I'll tell you that. As for two continuing with two different version levels, I'll tell you my comfort level for running the lower version definitely isn't high. Today you are committed to the version 3 customers, but just with the version numbers, I'm feeling I have a lesser product. Declude version 3 is a dead end on the Declude product tree. It is just a matter of when. Will all future enhancements be going into version 3? What are the planned enhancements? Tell us how Declude is planning to improve the product.

- Original Message -
From: [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, February 10, 2006 12:47 PM
Subject: [Declude.Virus] Changes @ Declude

In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements.

I have responded to each and every customer who has contacted me since the email was sent out and if anyone has any further questions they can contact me either by email or telephone (978) 499-2933.

Barry
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
By running AVAFTERJM, you can use spam filtering to eliminate banned files that you would otherwise have to review in the virus hold queue. The drawback is that marginal emails are not identified as banned files, but on our system at least, running AVAFTERJM means less to review.

Darin.

- Original Message -
From: Don Brown [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 9:45 AM
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew [EMAIL PROTECTED] wrote:

CA [SNIP]
CA Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
CA to cut down on the work, and this definitely leaves a gap in my
CA statistics. Similarly, it follows that I wouldn't want to scan my whole
CA SPAM folder. Even reading the directory of the filenames is a disk
CA workout.

[SNIP]

How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Interesting, Andrew. We've run AVAFTERJM for the same reasons, and have been considering doing something to remove the viruses from the spam hold queue as well. Speaking of which, I'd like to re-request a feature from Declude to be able to selectively notify on detected vulnerabilities. We have notification on banned files, but I don't believe vulnerabilities notify. Adding that would make virus detection system manual maintenance almost non-existent.

Darin.

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, January 26, 2006 3:33 AM
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

> Do you mean this script on my disk who creates one hour each day with 100% CPU usage?

Markus, I found that a pretty fun bit of sarcasm. But I have a dry sense of humour.

It sounds like you're not using AVAFTERJM so that you catch viruses as viruses and spam as spam. In this scenario I'm pretty confident that you could automate grepping your virMMDD.log file hourly, look for a pre-set list of virus names, cut up the Q* column to derive the filename, and delete the Q*.SMD and D*.SMD file, for example, this line:

01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]

Is quite easy to parse.

Let me share something similar I've done. I've remarked on it vaguely before... I wanted to nail down some of my statistics, and as that evolved, I wanted to know how much of the inbound mail that is blocked as spam was actually viral. It turned out that I block a lot of viruses as spam because they have the same IP source characteristics, malformed headers, fake source domains and so forth as zombie spam (no surprise, they're much the same machines).

Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM to cut down on the work, and this definitely leaves a gap in my statistics. Similarly, it follows that I wouldn't want to scan my whole SPAM folder. Even reading the directory of the filenames is a disk workout.

During our slow period (nightly) I do a scheduled run of a .cmd script that uses the GNU utilities to check my Declude logs for the held spam for that day only, I weed out ones that triggered SNIFFERMALWARE or my own Declude filter tests for viruses, then from that subset I have a list of Q* names. From that Q* column, I can form the filename. I then grep each one of those files for strings that would indicate that there is a possibly viral attachment (it's not perfect), and then on the remainder of the filenames, I invoke my F-Prot scanner and check the result code for each file. This isn't ideal, but I found that invoking it every time with specific filenames was far, far faster than scanning a folder. Windows certainly caches the fpcmd and pattern files, so that definitely helps.

How much am I saving? Well, I am scanning all the files in some fashion, but I'm doing grep for some spam and grep plus antivirus for the minority of it, and I'm doing it outside of our busy hours. It takes *two hours*, and produces results like this in a day:

Viruses caught by Declude Virus after using AVAFTERJM: 1
Messages caught by filters or Sniffer: 349
Messages scanned after hours: 25,000
Viruses found after hours: 378

So, I time-shifted away from normal hours the CPU and disk hit of doing the scanning, and I still get my virus statistics without causing a performance problem at night. The resulting logs are easily grepped for virus names and counts if I want. I use another set of scripts to compile the stats at the end of the month, with little to no maintenance.

It's awful code, but if a non-programmer like me can do this, your virMMDD.log can be used to delete the messages for viruses you don't want to keep on disk.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 10:13 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

> As a work around until and if Declude adds the requested feature, you could write a script to search the files on a timed based for a phrase (virus name) and have it delete them.

Do you mean this script on my disk who creates one hour each day with 100% CPU usage?

Markus
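The log-driven cleanup Andrew describes in the message above, sketched as an added example that is not part of the original thread and is not anyone's production script. The log lines are constructed in the layout of the one quoted line, the virus names are placeholders, and two things are assumptions: that a queue ID is "Q" followed only by hex digits, and that the D*.SMD file shares the ID of its Q*.SMD file.

```python
import re
from pathlib import Path

# Constructed sample in the layout of the line quoted in the post. Virus names
# are placeholders; the third line carries a hostile value in the Q* column.
SAMPLE_LOG = """\
01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/Example.A@mm: 3]
01/24/2006 18:55:02 Q1B2C3D4E00AA11FF File(s) are INFECTED [ W32/Example.B@mm: 3]
01/24/2006 18:55:40 Q../../boot File(s) are INFECTED [ W32/Example.A@mm: 3]
01/24/2006 18:56:11 Q77AA00BB11CC22DD some other log text
"""

INFECTED = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?P<qid>Q\S+) "
    r"File\(s\) are INFECTED \[\s*(?P<virus>.+?):\s*(?P<code>\d+)\]\s*$"
)
# Assumption: a queue ID is "Q" plus hex digits only, as in the quoted line.
QUEUE_ID = re.compile(r"^Q[0-9A-F]{8,32}$")


def parse_infections(log_text):
    """Return (records, rejected); records are (queue_id, virus_name) pairs."""
    records, rejected = [], []
    for line in log_text.splitlines():
        m = INFECTED.match(line)
        if not m:
            continue  # not an infection record
        if not QUEUE_ID.match(m["qid"]):
            rejected.append(line)  # never build a file path from this value
            continue
        records.append((m["qid"], m["virus"].strip()))
    return records, rejected


def spool_files(queue_id, spool_dir):
    """The Q*.SMD / D*.SMD pair for one message (shared ID is an assumption)."""
    spool = Path(spool_dir)
    return [spool / f"{queue_id}.SMD", spool / f"D{queue_id[1:]}.SMD"]


def select_for_deletion(log_text, virus_names, spool_dir):
    """Paths for messages whose virus name is on the pre-set list."""
    wanted = {v.lower() for v in virus_names}
    records, rejected = parse_infections(log_text)
    paths = []
    for qid, virus in records:
        if virus.lower() in wanted:
            paths.extend(spool_files(qid, spool_dir))
    return paths, rejected


def purge(paths, spool_dir, dry_run=True):
    """Delete only regular files that sit directly in spool_dir."""
    spool = Path(spool_dir).resolve()
    removed = []
    for p in paths:
        rp = Path(p).resolve()
        if rp.parent != spool or not rp.is_file():
            continue  # outside the spool, or already gone
        if not dry_run:
            rp.unlink()
        removed.append(rp.name)
    return removed


if __name__ == "__main__":
    paths, rejected = select_for_deletion(SAMPLE_LOG, ["W32/Example.A@mm"], "spool")
    for p in paths:
        print("would delete", p)
    for line in rejected:
        print("rejected log line:", line)
```

The strict queue-ID check matters because the log is written from data in untrusted mail; a value that is not a plain ID is reported rather than turned into a path.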
[Declude.Virus] [EMAIL PROTECTED] customer
Please turn off your postmaster notifications for detected virii, or utilize the ability to avoid sending notifications for forging viruses. Thanks, Darin.
Re: [Declude.Virus] Another Sober out. (= idea)
Yeah, maintaining BANNAMEs is not a good long-term solution. I've tripled my list in the last week with the new variants.

Since filenames are becoming more dynamic, and we will most likely start seeing significant overlap with legitimate filenames soon, I would amend this by having the DNS-based lookup use parameters that describe the file instead, like maybe filesize and CRC. I don't know if Declude is interested in this, but if not it shouldn't be too hard to whip up an external test that determined these and looked up against either a specialized DNS lookup, or a downloadable list.

Seems like AV companies need to start using more advanced pattern matching to catch these variants, rather than relying on specific signatures.

Darin.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, November 25, 2005 3:20 AM
Subject: RE: [Declude.Virus] Another Sober out. (= idea)

Thank you John but,

BANNAME mailtext.zip

...is this really the only name used by this variant?

I'm feeling a little bit bad, while adding and adding BANNAMEs to the virus.cfg file. First as said yesterday I feel there are many many BANNAME entries that are not more accurate or spreading in the wild and so unnecessary load in my and our config files. Second it's always the two steps behind if we have to adapt our config files manually after someone else has discovered a new variant.

Wouldn't be possible to write a junkmail external test, or maybe also an AV-Engine that does nothing else than looking at a central database for filenames that are suspicious. I'm not 100% familiar with the ip4r/rbl technique but why not set up a DNS-server containing TLD-zones like

.zip
.exe
.com

Then some of us can act as operators and add additional zones like

mailtext

Looking at the case two days ago that I reported with the new bagle variant it would also be possible to add something like

1.exe.ester.zip
12.exe.ester.zip
1.exe.emanuel.zip
...

Or maybe also with wildcards like

*.exe.mailtext.zip

By having bitmasked result codes it would maybe also possible to entries like *.exe*.zip with a suspicious result code and other more concrete definitions with an accurate result code. so admins can use it at they want.

Our administrative work should decrease while new banname definitions will be available as soon the first of the operators will detect and add it to the database. +as having one (or more replicated) central points we should be able to notice a relatively high increase of request for exe in zips and so know that something seems going on.

What do you think? My opinion is that last week av-companies showed that they are not able to provide accurate detection-quality.

Markus
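The filesize-and-CRC lookup suggested in the reply above, as an added example that is not part of the original thread and is not a Declude feature. The "size crc32 label" list format, the sample messages and every name in the code are assumptions made for illustration; the one fingerprint in the list is for the constructed payload b"123456789".

```python
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed "downloadable list" in an assumed text format: size crc32 label.
FINGERPRINT_LIST = """\
# size  crc32     label
9       cbf43926  constructed-sample-1
"""


def load_fingerprints(text):
    """Parse the list into {(size, crc32): label}, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        size, crc, label = line.split(None, 2)
        table[(int(size), int(crc, 16))] = label
    return table


def attachment_fingerprints(raw_message):
    """Return (filename, size, crc32) for every named part of a MIME message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        data = part.get_payload(decode=True) or b""  # decoded attachment bytes
        found.append((part.get_filename(), len(data), zlib.crc32(data) & 0xFFFFFFFF))
    return found


def check_message(raw_message, table, banned_names=()):
    """Compare a filename ban (BANNAME-style) with the fingerprint lookup."""
    banned = {n.lower() for n in banned_names}
    results = []
    for name, size, crc in attachment_fingerprints(raw_message):
        results.append({
            "filename": name,
            "name_hit": name.lower() in banned,
            "fingerprint_hit": table.get((size, crc)),  # label or None
        })
    return results


def build_sample(filename, payload):
    """Construct a small test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    table = load_fingerprints(FINGERPRINT_LIST)
    renamed = build_sample("holiday-photos.zip", b"123456789")
    print(check_message(renamed, table, banned_names=["mailtext.zip"]))
```

A renamed copy of a listed file is still caught, but a payload that differs by a single byte produces a different CRC, so a lookup like this complements signature scanning rather than replacing it.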
Re: [Declude.Virus] Blocking PIF Files
We have enough customers using those that we can't block them.

Darin.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, November 24, 2005 4:51 AM
Subject: RE: [Declude.Virus] Blocking PIF Files

To add to Darin's list, I also block PPS files.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, November 23, 2005 7:00 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blocking PIF Files

Here's a list compiled over the years of extensions we ban. The top two you will want to consider your userbase before banning, the rest should be fine. Note that we couple this with a banned file notification to the intended recipient, which includes a link to requeue the file for delivery if it is legitimate.

BANEXT EZIP
BANEXT rar
BANEXT bas
BANEXT bat
BANEXT ceo
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT cpl
BANEXT exe
BANEXT hta
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT msp
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT sct
BANEXT shb
BANEXT shs
BANEXT vb
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsc
BANEXT wsf
BANEXT wsh

Darin.

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 9:26 AM
Subject: [Declude.Virus] Blocking PIF Files

Hello, All,

I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate. What is the proper technique for blocking messages that have an attachment that ends in a pif extension like your_letter.pif? We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser [EMAIL PROTECTED]
Re: [Declude.Virus] how is Declude 3.x?
Totally agree with you there, Sandy. We're trying to decide whether to renew the service agreement. We paid for a year and haven't upgraded at all due to the stability problems and bugs with 2.x and 3.x, though we are considering upgrading to IMail 2006 and 3.0 soon. Things seem to have settled down a bit. What are you running? 2.06 with IMail 8.15? We're still running IMail 8.05 and 1.82 currently.

Darin.

- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, November 24, 2005 3:23 PM
Subject: Re: [Declude.Virus] how is Declude 3.x?

3.0.5y.20 on Imail running fine here.

I think it would be helpful if 3.0.x adopters could mention IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly available) external tests they're running. I honestly thought, after the rash of buggy releases and seemingly insufficient internal testing, that I would not deploy 3.0.x for several months, if ever. I'm sure I'm not alone.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
mailto:[EMAIL PROTECTED]
Re: [Declude.Virus] Blocking PIF Files
> If you also want to block them in zips and encrypted zip:
> BANZIPEXTS ON
> BANEZIPEXTS ON

Only works in Virus Pro. He said he has Virus Standard.

Darin.

- Original Message -
From: Info Wind [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 9:47 AM
Subject: Re: [Declude.Virus] Blocking PIF Files

virus.cfg:

BANEXT PIF

If you also want to block them in zips and encrypted zip:

BANZIPEXTS ON
BANEZIPEXTS ON

Uwe

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 3:26 PM
Subject: [Declude.Virus] Blocking PIF Files

Hello, All,

I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate. What is the proper technique for blocking messages that have an attachment that ends in a pif extension like your_letter.pif? We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser [EMAIL PROTECTED]
Re: [Declude.Virus] Blocking PIF Files
Here's a list compiled over the years of extensions we ban. The top two you will want to consider your userbase before banning, the rest should be fine. Note that we couple this with a banned file notification to the intended recipient, which includes a link to requeue the file for delivery if it is legitimate.

BANEXT EZIP
BANEXT rar
BANEXT bas
BANEXT bat
BANEXT ceo
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT cpl
BANEXT exe
BANEXT hta
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT msp
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT sct
BANEXT shb
BANEXT shs
BANEXT vb
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsc
BANEXT wsf
BANEXT wsh

Darin.

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 9:26 AM
Subject: [Declude.Virus] Blocking PIF Files

Hello, All,

I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate. What is the proper technique for blocking messages that have an attachment that ends in a pif extension like your_letter.pif? We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser [EMAIL PROTECTED]
Re: [Declude.Virus] New Virus Strain Pounding my systems
Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip
BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip

Darin.

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Darin,

Would you add these to virus.cfg? Similar to BANEXT?

Thanks,
Dan

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter.
# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip
BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip
BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip
BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip
BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip
BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip
BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip

Darin.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems

If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON.
John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet.

Matt

Rick Davidson wrote:

heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an executable payload called File-packed_dataInfo.exe

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
Re: [Declude.Virus] OT: Virus Backscatter
Sorry... didn't realize that's what you were asking...

Darin.

- Original Message -
From: marc catuogno [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 11:27 AM
Subject: Re: [Declude.Virus] OT: Virus Backscatter

Actually I was talking about the notices from other postmasters - I have almost no bounce messages, I don't notify on banned files and so on for just that very reason.

-- Original Message --
From: Darin Cox [EMAIL PROTECTED]
Reply-To: Declude.Virus@declude.com
Date: Wed, 23 Nov 2005 10:02:38 -0500

We went with AVAFTERJM ON to minimize this. That way most get held as spam instead of being detected by Virus as a banned files, and don't generate banned file notifications. Others may have better ways to handle filtering these out, but that worked well for us.

Darin.

- Original Message -
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 9:12 AM
Subject: [Declude.Virus] OT: Virus Backscatter

The latest outbreak has caused me a great deal of backscatter. You sent a banned file, virus in an attachment sent by you, undeliverables and so. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?
Re: [Declude.Virus] New Virus Strain Pounding my systems
The second part of that list has been updated

BANNAME Alice.zip
BANNAME Androw.zip
BANNAME Ann.zip
BANNAME Christian.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Ellen.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Isabell.zip
BANNAME James.zip
BANNAME Josias.zip
BANNAME Judeth.zip
BANNAME Katheryne.zip
BANNAME Margerye.zip
BANNAME Marie.zip
BANNAME Martha.zip
BANNAME Marye.zip
BANNAME Nathaniel.zip
BANNAME Nathanyell.zip

Darin.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 3:56 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip
BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip

Darin.

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Darin,

Would you add these to virus.cfg? Similar to BANEXT?
Thanks,
Dan

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip
BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip
BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip
BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip
BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip
BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip
BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip

Darin.
- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems

If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I blocked all zip files and submitted samples. I am really getting hit hard.

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

McAfee is detecting this currently
Re: [Declude.Virus] New Virus Strain Pounding my systems
For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip
BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip
BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip
BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip
BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip
BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip
BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip

Darin.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems

If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON.
John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I blocked all zip files and submitted samples. I am really getting hit hard.

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet.

Matt

Rick Davidson wrote:

Heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an executable payload called File-packed_dataInfo.exe

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
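An added example, not part of the original posts and not Declude's own code: a stand-alone Python checker that reads BANNAME lines like the ones above and also applies glob patterns, to show how the "minimal pattern matching" asked for in this message would shorten the list and catch name variants that exact bans miss. The glob syntax, the PATTERNS list, the case-insensitive matching and the sample message are assumptions made for the illustration.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

# A few BANNAME lines copied from the list posted in this thread.
VIRUS_CFG = """\
# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME AkteBKA.zip
BANNAME Kandidat_Text.zip
BANNAME reg_pass.zip
"""

# Assumption: glob patterns exist only in this checker. The thread says
# BANNAME has no pattern matching, which is why the posted lists are long.
PATTERNS = ["*-TextInfo.zip", "Akte*.zip", "*_Text.zip", "reg_pass*.zip"]


def parse_banname(cfg_text):
    """Return the set of banned names (lower-cased) from BANNAME lines."""
    names = set()
    for line in cfg_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            names.add(parts[1].strip().lower())
    return names  # comments, blank lines and other directives are skipped


def normalize(filename):
    """Reduce a MIME filename to the name a Windows client would save."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path
    return name.rstrip(". ").lower()  # trailing dots/spaces are ignored


def verdict(filename, exact, patterns=PATTERNS):
    """Return ("exact", name), ("pattern", pattern) or None."""
    name = normalize(filename)
    if name in exact:
        return ("exact", name)
    for pat in patterns:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return ("pattern", pat)
    return None


def scan_message(raw, exact, patterns=PATTERNS):
    """Check every MIME part that carries a filename; return the hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231/2047 names
        if filename:
            result = verdict(filename, exact, patterns)
            if result:
                hits.append((filename, result[0], result[1]))
    return hits


def build_sample(filename):
    """Constructed test message with one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    banned = parse_banname(VIRUS_CFG)
    for name in ("Service-TextInfo.ZIP", "Postman-TextInfo.zip", "invoice.zip"):
        print(name, verdict(name, banned))
    print(scan_message(build_sample("AkteAnzeige.zip"), banned))
```

Broad patterns such as `*_Text.zip` will also hold legitimate attachments, so they pair naturally with the banned-file notification and requeue approach discussed elsewhere in this archive.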
Re: [Declude.Virus] New Sober to be released, possible variation?
I just went through all of the reports. Here's a list of new filenames to ban:

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip

Darin.

- Original Message -
From: Doug Anderson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Looks like varying attachment names. I got one that's excel_table.zip

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: John T (Lists) Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 6:50 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:

Sophos is now calling it Sober-R.

Possible variation received this morning ... the text discussed receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released, possible variation?
Thanks, Uwe. I'm sure there will be more.

Darin.

- Original Message -
From: Info Wind [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:52 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

We get one with foto.zip and word-text.zip

Uwe

P.S.: Thank you, Darin for the list.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 2:33 PM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

I just went through all of the reports. Here's a list of new filenames to ban:

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip

Darin.

- Original Message -
From: Doug Anderson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Looks like varying attachment names. I got one that's excel_table.zip

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: John T (Lists) Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 6:50 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:

Sophos is now calling it Sober-R.

Possible variation received this morning ... the text discussed receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released, possible variation?
Another one to block...

BANNAME Accept_e-Text.zip

The list so far is

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip

As mentioned before, we keep these in place even after the virus definitions are catching them. That way new variants that use the names are caught before definitions are available.

Darin.

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 11:57 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

There are very interesting details in Trend Micro's writeup.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FS OBER%2EADVSect=T

i.e. it uses its own SMTP server plus a hardcoded list of accounts and IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious Software Removal Tool.

It may be worth mentioning that the BANNAME list that Darin provided will be useful for those of us using F-Prot only, as they are still not detecting the variant I've been receiving since this thread started.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 6:05 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Most the new Sober variants are expected to be low volume, so I'm not surprised that Netsky.P continues to outstrip them. Security vendors are varying as to what they are detecting with 6 new Sober variants yesterday and today. Best bet is to ban the files at least until virus definition files have caught up. We keep the bans in place for the usual overlap in new variants.

Darin.
- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:44 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

Thank you Darin.

just curious after watching our virus logfiles today

Anyone else can confirm that there are only a few of the today new virus and far more netsky (most .p variant) showing up in the logfiles?

Today I've had some reports that certain variants of the new virus slipped through while it was definitively catching some others.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 2:33 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

I just went through all of the reports. Here's a list of new filenames to ban:

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip

Darin.

- Original Message -
From: Doug Anderson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Looks like varying attachment names. I got one that's excel_table.zip

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: John T (Lists) Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 6:50 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:

Sophos is now calling it Sober-R.

Possible variation received this morning ... the text discussed receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?
Yep...seeing them here as well.

Darin.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 14, 2005 7:57 PM
Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?

Well, I am not sure about tomorrow, but in the last hour I have started to see some messages being caught with banned ZIP-EXE with a subject line of "Thanks for your registration" and a file name of reg_text.zip and a D file size of 184 Kb that I have not seen before.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, November 14, 2005 3:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?

Hmmm, now that's interesting.

http://www.f-secure.com/weblog/#0705

Andrew.
Re: [Declude.Virus] ban exe in zip file
See "15. Banning files based on extension" in the manual

http://www.declude.com/Version/Manuals/EVA/EVA_2.0.6.asp

Note that banning files inside zips is only available in EVA Pro.

Darin.

- Original Message -
From: Schmeits, Roger
To: Declude.Virus@declude.com
Sent: Thursday, November 03, 2005 5:44 PM
Subject: [Declude.Virus] ban exe in zip file

In light of the latest Beagle variant how can I ban a zip that has a exe inside a zip file?

Thanks.

Roger Schmeits
Sr. Network Engineer
Clarkson College
http://www.clarksoncollege.edu
(402) 552-2542

Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. Thank you.
Re: [Declude.Virus] 3.0.5.10
On that note, I would also like to reraise the need for documentation on reported/known issues with a particular release. A simple page with a quick note about each reported issue would be very beneficial.

Also, I would think each release would be reported on the Declude Releases list like Scott used to do. Now we have to go check the website for new releases. Very inefficient.

Darin.

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 12:27 AM
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness.

Put 3.0.5.10 in place this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now. Wonder if that is the reason .10 disappeared from the web site so fast.

This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed.??

John
Re: [Declude.Virus] 3.0.5.10
Totally agree... there are not enough announcements of bugs and fixes/releases especially when there's an unused list for that purpose.

Darin.

- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 4:52 PM
Subject: RE: [Declude.Virus] 3.0.5.10

Well, that's just plain wrong. When there's enough time to update versions and a web site, it should be time enough to either send an email to the Declude announcement list - or to update a simple "what's new" page with 3 or 4 lines of text.

It's important to know what was wrong with a release I just installed a day earlier by looking at whatever is fixed in the new release.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Saturday, October 22, 2005 12:28 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness.

Put 3.0.5.10 in place this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now. Wonder if that is the reason .10 disappeared from the web site so fast.

This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed.??

John
Re: [Declude.Virus] 3.0.5.10
True... but it's not about Scott anymore. Declude is a larger company, with more resources, and should be documenting this stuff... especially in light of all of the issues trying to get a new version to market. This kind of documentation will go a long way towards making the user community more comfortable with the new product.

And let's face it folks... we're not asking for a lot here. Just a quick posting to the list to let everyone know a new release is available, and a quick statement on the website as to what it fixes or doesn't fix. A known issues list with the latest release would be extremely helpful as well. Would save many of us a ton of time. This would take very little time, and has to be documented internally in the software development process, so why not make it available to help the user community?

This is not about blame, so don't take it wrong. We all understand there were a lot of factors involved in the new release because of architectural changes by Ipswitch. This is entirely about helping users stay current, get any problems they might be experiencing resolved, and stabilize the product.

Darin.

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 8:54 PM
Subject: Re: [Declude.Virus] 3.0.5.10

I would consider 3.0.5.10/11 interim releases... Scott would never have documented them. I too would like to see the release notes updated with each and every version... but it's a long long standing issue.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 7:36 AM
Subject: Re: [Declude.Virus] 3.0.5.10

On that note, I would also like to reraise the need for documentation on reported/known issues with a particular release. A simple page with a quick note about each reported issue would be very beneficial.

Also, I would think each release would be reported on the Declude Releases list like Scott used to do.
Now we have to go check the website for new releases. Very inefficient.

Darin.

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 12:27 AM
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness.

Put 3.0.5.10 in place this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now. Wonder if that is the reason .10 disappeared from the web site so fast.

This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed.??

John
[Declude.Virus] Possible BANnotify.EML problem with Declude 1.82
Just ran across a possible problem with the BANnotify.EML in Declude Virus 1.82. If a SKIPIFFORGING line is in it, it doesn't send the notification. Is this an inappropriate setting? i.e. If virus checking is done first then SKIPIFFORGING would not apply.

Darin.
Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips.

In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it.

Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.

Darin.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net.

Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?

Thanks.

Kevin
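An added example, not one of the scripts posted to the list and not Declude or IMail code: a Python sketch of the handler behind the "requeue" link described in the message above, showing the checks such a link needs before the Q and D files are moved back. The file naming (Q<id>.SMD / D<id>.SMD), the hex id format, the HMAC link token, the directory arguments and the secret are all assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import shutil
from pathlib import Path

# Assumptions (not from the thread): spool ids are hex strings and a held
# message is the pair D<id>.SMD (data) and Q<id>.SMD (queue control file).
ID_RE = re.compile(r"[0-9A-Fa-f]{8,32}")
SECRET = b"replace-with-a-random-server-side-key"  # constructed value


def link_token(msg_id, recipient, secret=SECRET):
    """Token embedded in the notification link; binds id to one recipient."""
    data = f"{msg_id.upper()}|{recipient.lower()}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def pair(directory, msg_id):
    """Paths of the D and Q files for msg_id inside directory."""
    directory = Path(directory)
    return directory / f"D{msg_id}.SMD", directory / f"Q{msg_id}.SMD"


def requeue(msg_id, recipient, token, hold_dir, spool_dir, secret=SECRET):
    """Move a held Q/D pair back to the spool; return the two new paths."""
    # 1. The id arrives in a clicked link, so treat it as hostile input.
    #    A strict pattern rules out "..", path separators and wildcards.
    if not ID_RE.fullmatch(msg_id):
        raise ValueError("malformed message id")
    msg_id = msg_id.upper()
    # 2. Only the holder of the notice sent for this id may release it.
    expected = link_token(msg_id, recipient, secret)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        raise PermissionError("token does not match id and recipient")
    d_src, q_src = pair(hold_dir, msg_id)
    d_dst, q_dst = pair(spool_dir, msg_id)
    # 3. Both halves must be present and nothing in the spool is overwritten.
    if not (d_src.is_file() and q_src.is_file()):
        raise FileNotFoundError("held pair incomplete or already released")
    if d_dst.exists() or q_dst.exists():
        raise FileExistsError("id already present in spool")
    # 4. Data file first, control file last (assumption: the queue run is
    #    driven by Q files, so it never sees a Q without its D).
    shutil.move(str(d_src), str(d_dst))
    try:
        shutil.move(str(q_src), str(q_dst))
    except OSError:
        shutil.move(str(d_dst), str(d_src))  # roll back, keep pair together
        raise
    return d_dst, q_dst
```

Releasing only messages held as banned files, and never ones a scanner flagged as a virus, is a policy decision this sketch leaves to the caller.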
Re: [Declude.Virus] Possible new virus
Another possible variant overnight at 4:30AM ET. Same routing as the new Sober variant from yesterday, but different attachment: screen_photo.zip

Darin.

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
[Declude.Virus] Possible new virus
We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [Declude.Virus] Possible new virus
My first hit was right around that time as well. That's a quick catch by FProt. Darin. - Original Message - From: Darrell ([EMAIL PROTECTED]) To: Declude.Virus@declude.com Sent: Wednesday, October 05, 2005 10:46 PM Subject: Re: [Declude.Virus] Possible new virus A lot got through today with that one, but it's being caught by F-Prot now.
10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O
My first hit was at 20:02 EST tonight. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Darin Cox To: Declude.Virus@declude.com Sent: Wednesday, October 05, 2005 10:33 PM Subject: [Declude.Virus] Possible new virus We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg. Subject is "Your new Password" All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts. Darin.
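The two log lines quoted in the message above pair a "MIME file:" record with a "Scanner N:" hit on the same queue ID. As an added example (not code from the list, from Declude, or from any poster), the Python below groups such records by queue ID and lists, per attachment name, the messages that carried it with no scanner hit before the first detection. The sample log is constructed on the pattern of those two lines; its queue IDs and the virus name W32/Placeholder.A are made up, and the record layout is assumed to match the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample modelled on the two log lines quoted in the thread.
# Queue IDs, the invoice.pdf record and the virus name are made up.
SAMPLE_LOG = """\
10/05/2005 20:02:11 Q1111AAAA0000BBBB MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 20:40:53 Q2222AAAA0000BBBB MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 21:15:07 Q3333AAAA0000BBBB MIME file: invoice.pdf [base64; Length=20480 Checksum=2200113]
10/05/2005 22:06:18 Q4444AAAA0000BBBB MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q4444AAAA0000BBBB Scanner 2: Virus=W32/Placeholder.A Attachment=pword_change.zip [12] O
10/05/2005 22:31:40 Q5555AAAA0000BBBB MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:31:41 Q5555AAAA0000BBBB Scanner 2: Virus=W32/Placeholder.A Attachment=pword_change.zip [12] O
this line is not a log record
"""

# Assumption: every record starts with date, time and queue ID,
# exactly as in the two lines quoted on the page.
_PREFIX = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<qid>Q[0-9A-Fa-f]+) "
MIME_RE = re.compile(
    _PREFIX + r"MIME file: (?P<name>.+?) \[[^;\]]+; Length=\d+ Checksum=\d+\]"
)
HIT_RE = re.compile(
    _PREFIX + r"Scanner (?P<scanner>\d+): Virus=(?P<virus>.+?) "
    r"Attachment=(?P<name>.+?) \[\d+\]"
)
TS_FORMAT = "%m/%d/%Y %H:%M:%S"


def detection_gap(log_text):
    """Map attachment name -> first scanner hit plus the queue IDs that
    carried the same attachment name without any scanner hit."""
    seen = []        # (timestamp, queue id, attachment name) per MIME record
    flagged = set()  # (queue id, attachment name) pairs with a scanner hit
    first_hit = {}   # attachment name -> (timestamp, virus name)

    for line in log_text.splitlines():
        m = MIME_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            seen.append((ts, m["qid"], m["name"].lower()))
            continue
        m = HIT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            name = m["name"].lower()
            flagged.add((m["qid"], name))
            if name not in first_hit or ts < first_hit[name][0]:
                first_hit[name] = (ts, m["virus"])
        # Any other line (different record type, junk) is ignored.

    report = {}
    for name, (hit_ts, virus) in first_hit.items():
        entry = {"first_hit": hit_ts, "virus": virus,
                 "missed": [], "unflagged_after": []}
        for ts, qid, seen_name in seen:
            if seen_name != name or (qid, name) in flagged:
                continue
            # Before the first hit: signature gap. After it: needs a look.
            bucket = "missed" if ts < hit_ts else "unflagged_after"
            if qid not in entry[bucket]:
                entry[bucket].append(qid)
        report[name] = entry
    return report


if __name__ == "__main__":
    for name, entry in detection_gap(SAMPLE_LOG).items():
        print(name, entry["virus"], "first caught", entry["first_hit"])
        print("  delivered before first detection:", entry["missed"])
        print("  not flagged after first detection:", entry["unflagged_after"])
```

The "missed" queue IDs are the messages to pull back or warn recipients about once a signature arrives; anything in "unflagged_after" points at a scanner that did not run on that message.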
Re: [Declude.Virus] Virus directory
Are they viruses, or are they vulnerabilities and banned files? Best method is to set up notifications to the intended recipient for banned files with a link for them to requeue the message if it was legit, and have a scheduled script to clear out files older than X days. This has been discussed previously in the archives. Darin. - Original Message - From: Harry Vanderzand [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, October 04, 2005 1:33 PM Subject: [Declude.Virus] Virus directory Declude puts all e-mails with viruses into a separate directory. I find I always have to go there and delete files. Is there a way to set the system to just delete those e-mails rather than move them into a separate directory? Thank you Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON, N2M 1L2 519-741-1222 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Info Wind Sent: Friday, September 30, 2005 8:29 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Version 3.0.5.5 same to me, there seems to be problems when not uninstalling. I had the same issue. Thanks John for the proper procedure, that helped me. Bye, Uwe - Original Message - From: Harry Vanderzand To: Declude.Virus@declude.com Sent: Friday, September 30, 2005 1:50 PM Subject: RE: [Declude.Virus] Version 3.0.5.5 that is what I thought, but I had to go into add remove programs and remove the service before I could use the install procedure. If I had the decludeproc.exe file then I could likely have copied the new file Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON, N2M 1L2 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Thursday, September 29, 2005 6:09 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Version 3.0.5.5 The proper procedure is:
Stop Imail SMTP
Stop Imail Queue Manager
Make sure spool\proc and spool\proc\work are empty of files. If not, wait until they are processed.
Stop Decludeproc
Copy in the new file
Start Decludeproc
Start Imail SMTP
Start Imail Queue Manager
John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Thursday, September 29, 2005 2:07 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Version 3.0.5.5 You need to stop SMTP and queuemanager. It probably got started back up. By the stub program. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Harry Vanderzand Sent: Thursday, September 29, 2005 1:59 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Version 3.0.5.5 I downloaded this update, stopped decludeproc, ran the update, got message: Another version is already running, cannot update. What's up with that? Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON, N2M 1L2 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman Sent: Thursday, September 29, 2005 2:53 PM To: Declude.Virus@declude.com; Declude.JunkMail@declude.com Subject: [Declude.Virus] Version 3.0.5.5 Declude Version 3.0.5.5 is available on the website for download. There are two changes from version 3.0.5.3:
Fix for special character scanning causing abnormal termination. Special thanks to John Tolmachoff for identifying and helping us fix this nasty.
For SmarterMail only. Correctly handle parsing the XML file for the email installation path.
SY, Bill Billman Declude
[Declude.Virus] Anyone have any outstanding issues with the 3.0.5 release?
I see 3.0.5 was released today. Anyone know if this fixes the reported performance and stability issues reported here with the 3.0.x betas? Darin.
Re: [Declude.Virus] blocking eml and msg attachemtns
With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 1:32 PM Subject: [Declude.Virus] blocking eml and msg attachemtns What are others' thoughts on blocking eml and msg attachments? If there is an eml or msg attachment that has an executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments? John T eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 2:27 PM Subject: RE: [Declude.Virus] blocking eml and msg attachments My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg as there was a virus reported to be using that. Sniffer responds to false positives and in doing so, renames the request to 1.msg as an attachment to the response. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, September 14, 2005 11:01 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] blocking eml and msg attachemtns With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 1:32 PM Subject: [Declude.Virus] blocking eml and msg attachemtns What are others' thoughts on blocking eml and msg attachments? If there is an eml or msg attachment that has an executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments? John T eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
According to the Thunderbird web page and download filename, Thunderbird has a 1.5.1 beta 1. Check the website. However, when I installed it, it said it was installing 1.4. Startup speed for Thunderbird is way faster than OE at just a few seconds compared to 20-30 seconds for OE, however I leave email open all day every day, so startup isn't much of an issue for me. What I am seeing much slower in Thunderbird is moving from one message to another in the preview window. In OE it's very snappy with ~1/2 second response, but in Thunderbird I'm seeing 1-3 seconds before I can read the message. Also, double-clicking to open the message is between 0.5 and 1 second in OE, but 3-4 seconds in Thunderbird. So, for reading mail quickly, it's much slower for me on a 3GHz P4 laptop with 1GB RAM. I have about 1GB of email in a couple hundred folders. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 3:47 PM Subject: Re: [Declude.Virus] blocking eml and msg attachments Darin, I'm confused. FireFox, the Web browser is at 1.5.1 beta, but Thunderbird, the E-mail client, is at 1.0.6. I'm also not clear on what you mean regarding speed. I am very happy, and it seems to me that an empty OE or Outlook is much slower to launch, and Thunderbird seems faster when there is a ton of E-mail in a folder. Thunderbird is meant to be a fairly lean application. It is also very stable, at least on my system. I have about 7 E-mail accounts going, and I have over 2 GB of E-mail dispersed through them. You might be running into issues with indexing folders following an initial setup? Maybe you could be more specific about the speed issues. Matt Darin Cox wrote: Just loaded it (1.5.1 beta). Seems to be almost identical to OE for the way I use it...except slower. Speed is one of the reasons I use OE instead of Outlook. :( Darin.
- Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 3:07 PM Subject: Re: [Declude.Virus] blocking eml and msg attachments Thunderbird just simply works. My only complaint is that the spell checker sucks and has serious problems if you are off by more than one letter. For the type of work that we do, it is definitely a better application. The E-mail is stored in plain text files so you can search it that way, and there's none of that magic stuff that hides important things from you the way that Outlook does. And of course hardly any known vulnerabilities for auto-execution. Matt Darin Cox wrote: Plain text would be my preference as well, to see headers and message at once. Hmmm...may have to try Thunderbird again. It seemed to be missing some features I liked in OE the last time I tried it. I would use Outlook, but it still experiences too many failures in communicating with the TCP/IP stack, and is too slow and bloated for my taste...and preview doesn't seem to work as well as OE. If MS would combine the best features of OE and Outlook, they'd have a better mail client. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 2:46 PM Subject: Re: [Declude.Virus] blocking eml and msg attachments Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text. It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not it is better to see the plain text source or the rendered message. I guess I am used to seeing the plain text and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape). Matt Darin Cox wrote: Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments.
I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported. Darin. - Original Message - From: "John Tolmachoff (Lists)" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 2:27 PM Subject: RE: [Declude.Virus] blocking eml and msg attachments My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg as there was a virus reported to be using that. Sniffer responds to false positives and in doing so, renames the request to 1.msg as an attachment to the response. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Re: [Declude.Virus] Sudden Internet Slowdown
I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we are attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
Oh... so that's what those scuff marks on the cases are... I was wondering... ;^P Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:45 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Hey Darin, No - that must be your servers only, check if you have your scheduler to do a reboot at 3am every night you may be pleasantly surprised :) David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 1:33 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we are attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
You mean 4AM ET... We do have some sickos over here that get up to go to work then perhaps we could just send them over to you to solve this whole problem. If not, perhaps we could just insert an hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:42 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Nope, we here on the West coast protested loudly. We clearly stated it could not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time zone, and those people stated it must be done before 5 AM. Therefore the normal reboot of the Internet has been on hold for a long time until this dispute can be resolved. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:33 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we are attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
Oh, right.. *nix is set to reboot at 4am. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:45 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown That's just the Windows version :) Matt Darin Cox wrote: I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: "Scott Fisher" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: "Matt" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we are attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
Oh, you said Atlantic, and I was thinking Atlantic Coast/Eastern time. Ok, but I still think we should insert an hour into the clock. I could use an extra hour of sleep g. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 2:09 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Since when is Maine no longer in the Atlantic time zone? How come I did not get the notice? I never get the notices! Has any one informed the president? John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:55 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown You mean 4AM ET... We do have some sickos over here that get up to go to work then perhaps we could just send them over to you to solve this whole problem. If not, perhaps we could just insert an hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:42 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Nope, we here on the West coast protested loudly. We clearly stated it could not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time zone, and those people stated it must be done before 5 AM. Therefore the normal reboot of the Internet has been on hold for a long time until this dispute can be resolved. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:33 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown I thought it was rebooted every night around 3 am ET... Darin. 
- Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we are attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
Hmmm... that gets me thinking... maybe all offices should be located straddling the international date line. Then if someone wants something done on a particular day, and you missed it, you could just walk over to the other side of the building, finish it, and tell them it's done. Darin. - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 2:07 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown No problem, Darin. We'll have Newfoundland reboot it. They're half an hour off of everybody else. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:55 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown You mean 4AM ET... We do have some sickos over here that get up to go to work then perhaps we could just send them over to you to solve this whole problem. If not, perhaps we could just insert an hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:42 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Nope, we here on the West coast protested loudly. We clearly stated it could not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time zone, and those people stated it must be done before 5 AM. Therefore the normal reboot of the Internet has been on hold for a long time until this dispute can be resolved. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:33 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown I thought it was rebooted every night around 3 am ET... Darin. 
- Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
LOL - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 3:39 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown NO NO NO NO Then all of our clients will be asking us how come we have not done the work yesterday that they asked us to do tomorrow. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 11:39 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown Hmmm... that gets me thinking... maybe all offices should be located straddling the international date line. Then if someone wants something done on a particular day, and you missed it, you could just walk over to the other side of the building, finish it, and tell them it's done. Darin. - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 2:07 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown No problem, Darin. We'll have Newfoundland reboot it. They're half an hour off of everybody else. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:55 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown You mean 4AM ET... We do have some sickos over here that get up to go to work then perhaps we could just send them over to you to solve this whole problem. If not, perhaps we could just insert an hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it. Darin. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:42 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Nope, we here on the West coast protested loudly. We clearly stated it could not be done before 1 AM. 
However, 1 AM here is 5 AM in the Atlantic time zone, and those people stated it must be done before 5 AM. Therefore the normal reboot of the Internet has been on hold for a long time until this dispute can be resolved. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:33 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability
Yep... I find that typically only a few questions or comments on the list get formal response by Declude nowadays, so email to their support address is the only way to get a response. There's just not the same level of service or customer attention. Darin. - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, June 29, 2005 9:28 AM Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Thanks for the info, Darrell. I'm sure that'll be enough to get me pointed in the right direction. I had another quick question for anyone willing to answer. Typically I get most of my questions answered through these Declude discussion lists. Yesterday afternoon I submitted a request to [EMAIL PROTECTED] regarding this issue (and a few tertiary issues) and I have yet to get any sort of response whatsoever. I checked their web site and they said that e-mail is the best way to get support. Is this typical of Declude's support to be unresponsive like this? TIA, Dan - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, June 28, 2005 5:35 PM Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Dan, I have been running 2.0.6 with no major issues that plague me on a daily basis. The only issue I have encountered is when the server is under high load and Declude spawns processes until the server starts generating errors. Since I upgraded the server it doesnt happen very often. For the install you can grab the package from your account on the declude site. The manual install was pretty easy - just install and select manual along with a directory. The upgrade for 2.0.6.16 the last beta is just an exe download. Hope this helps, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. 
Dan Geiser writes: Hi, Again, I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release Notes, http://www.declude.com/Articles.asp?ID=122. It looks like this feature was added in Declude 2.0. But it appears the current version of Declude 2.0.6. Since we are running 1.82 I assume that I'll have to upgrade to 2.0 at least. Is 2.0.6 a safe version to upgrade to in light of the issues people have added with bugs and the like? If so, is there a special place where I can go to get instructions on doing a Manual Upgrade to 2.0.6? Thanks In Advance, Dan Geiser [EMAIL PROTECTED] - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: DECLUDE.VIRUS@DECLUDE.COM Sent: Tuesday, June 28, 2005 3:52 PM Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Hello, All, We are running... Declude 1.82 Declude JunkMail Status: PRO version registered. Declude Virus Status:Standard Version Registered. We have a customer who has an important e-mail which is being blocked by our virus protection with the Outlook 'Boundary Space Gap' Vulnerability. Is there anyway that I can turn off checking for the Outlook 'Boundary Space Gap' Vulnerability on either a specific incoming e-mail address or a specific incoming e-mail domain? Thanks In Advance, Dan Geiser [EMAIL PROTECTED] - -- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability
Yep. I've had that confirmed by Barry in the past. Though if you renew 6 months later, they back date your renewal so you only get 6 months of additional coverage. Darin. - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, June 29, 2005 11:57 AM Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Hi, All, OK, then. Well since it may be some time before I hear anything from Declude perhaps someone on here can help answer my question. We are currently running... Declude 1.82 Declude JunkMail Status: PRO version registered. Declude Virus Status:Standard Version Registered. Our Service Agreement expired on June 15th. Since our Service Agreement ended on June 15th I assume this means we can legally upgrade to any version which was released before that date? During the conversations I had with Scott in the past that was the case but I just wanted to make sure before I upgraded to 2.0.6. TIA, Dan - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, June 29, 2005 10:02 AM Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Yep... I find that typically only a few questions or comments on the list get formal response by Declude nowadays, so email to their support address is the only way to get a response. There's just not the same level of service or customer attention. Darin. - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, June 29, 2005 9:28 AM Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Thanks for the info, Darrell. I'm sure that'll be enough to get me pointed in the right direction. I had another quick question for anyone willing to answer. Typically I get most of my questions answered through these Declude discussion lists. 
Yesterday afternoon I submitted a request to [EMAIL PROTECTED] regarding this issue (and a few tertiary issues) and I have yet to get any sort of response whatsoever. I checked their web site and they said that e-mail is the best way to get support. Is this typical of Declude's support to be unresponsive like this? TIA, Dan - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, June 28, 2005 5:35 PM Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Dan, I have been running 2.0.6 with no major issues that plague me on a daily basis. The only issue I have encountered is when the server is under high load and Declude spawns processes until the server starts generating errors. Since I upgraded the server it doesnt happen very often. For the install you can grab the package from your account on the declude site. The manual install was pretty easy - just install and select manual along with a directory. The upgrade for 2.0.6.16 the last beta is just an exe download. Hope this helps, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Dan Geiser writes: Hi, Again, I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release Notes, http://www.declude.com/Articles.asp?ID=122. It looks like this feature was added in Declude 2.0. But it appears the current version of Declude 2.0.6. Since we are running 1.82 I assume that I'll have to upgrade to 2.0 at least. Is 2.0.6 a safe version to upgrade to in light of the issues people have added with bugs and the like? If so, is there a special place where I can go to get instructions on doing a Manual Upgrade to 2.0.6? 
Thanks In Advance, Dan Geiser [EMAIL PROTECTED] - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: DECLUDE.VIRUS@DECLUDE.COM Sent: Tuesday, June 28, 2005 3:52 PM Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability Hello, All, We are running... Declude 1.82 Declude JunkMail Status: PRO version registered. Declude Virus Status:Standard Version Registered. We have a customer who has an important e-mail which is being blocked by our virus protection with the Outlook 'Boundary Space Gap' Vulnerability. Is there anyway that I can turn off checking for the Outlook 'Boundary Space Gap' Vulnerability on either a specific incoming e-mail address or a specific incoming e-mail domain? Thanks In Advance, Dan Geiser [EMAIL PROTECTED] - -- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
[Declude.Virus] FYI - new virus as yet unidentified
Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE. Darin.
Re: [Declude.Virus] [sniffer] New Spam/Virus?
Similar pattern to Markus' here, except that ours fell off to nothing slipping through from mid-March to mid-May. Previous pattern of receiving two or three a week resumed mid-May, but has gotten better over the past couple of weeks thanks to Sniffer. Darin. - Original Message - From: Markus Gufler To: Declude.Virus@declude.com Sent: Tuesday, June 07, 2005 3:02 AM Subject: RE: [Declude.Virus] [sniffer] New Spam/Virus? In the last hours? Not here. I can see an increased number of spams passing the filter in the last two weeks. From 01/01/05 up to the mid of May I've received less than 30 spam messages to my own inbox (by catching 300 each day) but from mid of May up to now I've received around 20 spam messages. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, June 06, 2005 11:29 PM To: sniffer@SortMonster.com Cc: Declude.Virus@declude.com Subject: Re: [Declude.Virus] [sniffer] New Spam/Virus? Yes I have seen them too: email starts with: [removed] - Original Message - From: Jim Matuska To: sniffer@SortMonster.com Sent: Monday, June 06, 2005 4:13 PM Subject: [sniffer] New Spam/Virus? Is anyone else seeing a huge rash of spam/virus messages in the last hour or so? I have multiple users that are getting messages that are forging our own addresses and have a link that appears to go to our website but instead goes elsewhere with a IP address link. These do not appear to be infecting as file attachments but from the web link itself. Pete, I have forwarded a few to your spam@ address, let me know what you think. Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]
Re: [Declude.Virus] Newbie question
Great... Could the Declude staff have this added to the manual? Darin. - Original Message - From: Guhl, Markus (LDS) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, June 06, 2005 4:28 AM Subject: AW: [Declude.Virus] Newbie question hi darin, we use AVAFTERJM ON with Declude 2.0.6.14 and it works like we need it. mfg i.a. gez. markus guhl *** lds nrw ref. 241 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] *** -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Darin Cox Gesendet: Sonntag, 5. Juni 2005 23:02 An: Declude.Virus@declude.com Betreff: Re: [Declude.Virus] Newbie question I don't know if it still exists since it is not in the current manual, but there was an option in previous versions of AV called AVAFTERJM that allowed JunkMail to run first. Otherwise you are correct that AV would run first. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Sunday, June 05, 2005 3:17 PM Subject: Re: [Declude.Virus] Newbie question Thanks for the quick response. Yes, I have the Pro versions for both AV and Junkmail. Darin Cox wrote: Do you have the Pro version of Declude Junkmail? You have to have pro to use filters and outbound scanning. The fromfile filter I mentioned will work in the standard version, though. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Sunday, June 05, 2005 2:56 PM Subject: Re: [Declude.Virus] Newbie question I changed it to HEADERS and still I am receiving emails from these addresses (got 4 of them personally yesterday). My virus scanner is now updated every four hours, so F-Prot caught these viruses, but I still am receiving the virus notifications. Perhaps the scanning takes place (and the notifications are sent out) before my filter is called? This is what my filter file contains: HEADERS0CONTAINS[EMAIL PROTECTED] HEADERS0CONTAINS[EMAIL PROTECTED] etc. 
This is what I have in my global.cfg MYFILTERfilterC:\Imail\Declude\Filter.txtx200 This is in my $default$.junkmail file WEIGHT20HOLD What am I missing? Thanks. Scott Fisher wrote: The MAILFROM filter test is seperate from anything in the headers. It is the envelope sender. If you want to test on the header from (I call it display from because that's what Outlook displays), you need to check the HEADERS. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, June 03, 2005 3:26 AM Subject: Re: [Declude.Virus] Newbie question Great. Exactly what I needed. I was also confused about the MAILFROM. Does MAILFROM mean what is displayed as the FROM: in the headers or what it says in the X-Note: This E-mail was sent from 206-72-95-86.wi.skypipeline.com ([206.72.95.86]) or in the X-Declude-Sender field? Maybe I should just use the HEADERS 0 CONTAINS instead. Thanks again. Scott Fisher wrote: One caveat. The MAILFROM uses the envelope mailfrom, which is different than the ones displayed in the headers. If the below doesn't stop it, add HEADERS 0 CONTAINS [EMAIL PROTECTED] HEADERS 0 CONTAINS [EMAIL PROTECTED] - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 10:37 PM Subject: Re: [Declude.Virus] Newbie question I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains: MAILFROM0CONTAINS[EMAIL PROTECTED] MAILFROM 0CONTAINS[EMAIL PROTECTED] etc. I then added this line in global.cfg: MYFILTERfilterC:\Imail\Declude\filter.txtx200 In my $default$.junkmail file there was already this line: WEIGHT20HOLD Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks. Kevin Darin Cox wrote: Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. 
The manual at http://declude.com/junkmail/manual.htm decribes adding filter files pretty well. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 7:09 PM Subject: Re: [Declude.Virus] Newbie question I have pro. How do I add filters? Should I add that line MAILFROM10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions. Kevin Scott Fisher wrote: If you've got pro, you could add a filter: MAILFROM10 CONTAINS [EMAIL PROTECTED] that will check the envelope
Re: [Declude.Virus] Newbie question
Do you have the Pro version of Declude Junkmail? You have to have pro to use filters and outbound scanning. The fromfile filter I mentioned will work in the standard version, though. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Sunday, June 05, 2005 2:56 PM Subject: Re: [Declude.Virus] Newbie question I changed it to HEADERS and still I am receiving emails from these addresses (got 4 of them personally yesterday). My virus scanner is now updated every four hours, so F-Prot caught these viruses, but I still am receiving the virus notifications. Perhaps the scanning takes place (and the notifications are sent out) before my filter is called? This is what my filter file contains: HEADERS0CONTAINS[EMAIL PROTECTED] HEADERS0CONTAINS[EMAIL PROTECTED] etc. This is what I have in my global.cfg MYFILTERfilterC:\Imail\Declude\Filter.txtx200 This is in my $default$.junkmail file WEIGHT20HOLD What am I missing? Thanks. Scott Fisher wrote: The MAILFROM filter test is seperate from anything in the headers. It is the envelope sender. If you want to test on the header from (I call it display from because that's what Outlook displays), you need to check the HEADERS. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, June 03, 2005 3:26 AM Subject: Re: [Declude.Virus] Newbie question Great. Exactly what I needed. I was also confused about the MAILFROM. Does MAILFROM mean what is displayed as the FROM: in the headers or what it says in the X-Note: This E-mail was sent from 206-72-95-86.wi.skypipeline.com ([206.72.95.86]) or in the X-Declude-Sender field? Maybe I should just use the HEADERS 0 CONTAINS instead. Thanks again. Scott Fisher wrote: One caveat. The MAILFROM uses the envelope mailfrom, which is different than the ones displayed in the headers. 
If the below doesn't stop it, add HEADERS 0 CONTAINS [EMAIL PROTECTED] HEADERS 0 CONTAINS [EMAIL PROTECTED] - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 10:37 PM Subject: Re: [Declude.Virus] Newbie question I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains: MAILFROM0CONTAINS[EMAIL PROTECTED] MAILFROM 0CONTAINS[EMAIL PROTECTED] etc. I then added this line in global.cfg: MYFILTERfilterC:\Imail\Declude\filter.txtx200 In my $default$.junkmail file there was already this line: WEIGHT20HOLD Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks. Kevin Darin Cox wrote: Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. The manual at http://declude.com/junkmail/manual.htm decribes adding filter files pretty well. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 7:09 PM Subject: Re: [Declude.Virus] Newbie question I have pro. How do I add filters? Should I add that line MAILFROM10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions. Kevin Scott Fisher wrote: If you've got pro, you could add a filter: MAILFROM10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. 
- Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks. --- [This E-mail was scanned for viruses.]
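Added example (not part of the thread and not Declude's code): a Python sketch of the envelope-sender versus header-From distinction that the replies above describe for MAILFROM and HEADERS tests. The addresses, the sample messages and the case-insensitive substring matching are all constructed assumptions; it also shows that a substring search over the whole header block can match a banned address that only appears in To:.

```python
"""Envelope sender vs. header From, using constructed sample mail."""
from email import message_from_string
from email.utils import parseaddr

# Constructed ban list (placeholder addresses on a reserved example domain).
BANNED = ["support@example.com", "admin@example.com"]

# Constructed sample 1: forged mail. The envelope sender is an outside
# address; only the displayed From: header claims the local domain.
FORGED_ENVELOPE = {"mail_from": "bounce-7731@mailer.example.net"}
FORGED_RAW = """\
Received: from mailer.example.net ([203.0.113.25]) by mx.example.com
From: "Support" <support@example.com>
To: kevin@example.com
Subject: Account notice

See attached.
"""

# Constructed sample 2: legitimate outside mail sent TO a banned address.
LEGIT_ENVELOPE = {"mail_from": "partner@example.org"}
LEGIT_RAW = """\
Received: from mail.example.org ([198.51.100.7]) by mx.example.com
From: Partner <partner@example.org>
To: admin@example.com
Subject: Invoice question

Hello.
"""


def header_block(raw):
    """Return everything before the first blank line (the headers)."""
    head, _, _ = raw.partition("\n\n")
    return head


def mailfrom_contains(envelope, needle):
    """MAILFROM-style test: looks only at the SMTP envelope sender."""
    return needle.lower() in envelope["mail_from"].lower()


def headers_contains(raw, needle):
    """HEADERS-style test (assumed): substring search over all headers."""
    return needle.lower() in header_block(raw).lower()


def header_from_address(raw):
    """Parse the address out of the From: header only."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()


def from_header_banned(raw, banned):
    """Stricter test: the From: address itself is on the ban list."""
    return header_from_address(raw) in {b.lower() for b in banned}


def evaluate(envelope, raw, banned):
    """List which test type matched which banned address."""
    hits = []
    for addr in banned:
        if mailfrom_contains(envelope, addr):
            hits.append(("MAILFROM", addr))
        if headers_contains(raw, addr):
            hits.append(("HEADERS", addr))
    return hits


if __name__ == "__main__":
    print("forged:", evaluate(FORGED_ENVELOPE, FORGED_RAW, BANNED))
    print("legit: ", evaluate(LEGIT_ENVELOPE, LEGIT_RAW, BANNED))
    print("legit From banned?", from_header_banned(LEGIT_RAW, BANNED))
```
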
Re: [Declude.Virus] Newbie question
I don't know if it still exists since it is not in the current manual, but there was an option in previous versions of AV called AVAFTERJM that allowed JunkMail to run first. Otherwise you are correct that AV would run first. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Sunday, June 05, 2005 3:17 PM Subject: Re: [Declude.Virus] Newbie question Thanks for the quick response. Yes, I have the Pro versions for both AV and Junkmail. Darin Cox wrote: Do you have the Pro version of Declude Junkmail? You have to have pro to use filters and outbound scanning. The fromfile filter I mentioned will work in the standard version, though. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Sunday, June 05, 2005 2:56 PM Subject: Re: [Declude.Virus] Newbie question I changed it to HEADERS and still I am receiving emails from these addresses (got 4 of them personally yesterday). My virus scanner is now updated every four hours, so F-Prot caught these viruses, but I still am receiving the virus notifications. Perhaps the scanning takes place (and the notifications are sent out) before my filter is called? This is what my filter file contains: HEADERS0CONTAINS[EMAIL PROTECTED] HEADERS0CONTAINS[EMAIL PROTECTED] etc. This is what I have in my global.cfg MYFILTERfilterC:\Imail\Declude\Filter.txtx200 This is in my $default$.junkmail file WEIGHT20HOLD What am I missing? Thanks. Scott Fisher wrote: The MAILFROM filter test is seperate from anything in the headers. It is the envelope sender. If you want to test on the header from (I call it display from because that's what Outlook displays), you need to check the HEADERS. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, June 03, 2005 3:26 AM Subject: Re: [Declude.Virus] Newbie question Great. Exactly what I needed. I was also confused about the MAILFROM. 
Does MAILFROM mean what is displayed as the FROM: in the headers or what it says in the X-Note: This E-mail was sent from 206-72-95-86.wi.skypipeline.com ([206.72.95.86]) or in the X-Declude-Sender field? Maybe I should just use the HEADERS 0 CONTAINS instead. Thanks again. Scott Fisher wrote: One caveat. The MAILFROM uses the envelope mailfrom, which is different than the ones displayed in the headers. If the below doesn't stop it, add HEADERS 0 CONTAINS [EMAIL PROTECTED] HEADERS 0 CONTAINS [EMAIL PROTECTED] - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 10:37 PM Subject: Re: [Declude.Virus] Newbie question I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains: MAILFROM0CONTAINS[EMAIL PROTECTED] MAILFROM 0CONTAINS[EMAIL PROTECTED] etc. I then added this line in global.cfg: MYFILTERfilterC:\Imail\Declude\filter.txtx200 In my $default$.junkmail file there was already this line: WEIGHT20HOLD Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks. Kevin Darin Cox wrote: Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. The manual at http://declude.com/junkmail/manual.htm decribes adding filter files pretty well. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 7:09 PM Subject: Re: [Declude.Virus] Newbie question I have pro. How do I add filters? Should I add that line MAILFROM10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions. 
Kevin Scott Fisher wrote: If you've got pro, you could add a filter: MAILFROM10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks. --- [This E-mail was scanned for viruses
Re: [Declude.Virus] System resources
Hi Bill, First, welcome. I hope yours will be a constant voice on the list. Questions: 1. What version of Declude? 2.06 only, or other versions as well? 2. How about older versions of IMail (8.1x, 8.0x, 7, 6, etc.) Thanks. Darin. - Original Message - From: Bill Billman To: Declude.JunkMail@declude.com ; Declude.Virus@declude.com Sent: Friday, June 03, 2005 4:24 PM Subject: [Declude.Virus] System resources Hello Everyone, I would like to introduce myself and say hello to everyone. I'm new to Declude, having just joined last week. I'm very excited about working for Declude and looking forward to working with you all. We have uncovered an intermittent issue with Declude and IMail 8.2. Basically, system resources are consumed until the system will no longer run. I want you to know that we are aware of the situation. We are working on a solution to this problem now and hope to have it solved in the near future. When ready we will conduct a limited beta program. If all goes well we will provide the solution in an interim release. I apologize for any inconvenience this may have caused and thank you for your patience. This is my first post here but assure you that it will not be my last. All the best, Bill Bill Billman Director of Engineering Declude - internet security software 978.499.2933 office 603.930.4886 mobile 978.477.8930 fax [EMAIL PROTECTED] www.declude.com
Re: [Declude.Virus] System resources
Thanks, Bill. Darin. - Original Message - From: Bill Billman To: Declude.Virus@declude.com Sent: Friday, June 03, 2005 5:05 PM Subject: RE: [Declude.Virus] System resources Thanks Darin. The problem seems to be with IMail 8.2 and any version of Declude. We haven't seen this problem using any version of Declude and older versions of IMail. Bill From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, June 03, 2005 4:33 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] System resources Hi Bill, First, welcome. I hope yours will be a constant voice on the list. Questions: 1. What version of Declude? 2.06 only, or other versions as well? 2. How about older versions of IMail (8.1x, 8.0x, 7, 6, etc.) Thanks. Darin. - Original Message - From: Bill Billman To: Declude.JunkMail@declude.com ; Declude.Virus@declude.com Sent: Friday, June 03, 2005 4:24 PM Subject: [Declude.Virus] System resources Hello Everyone, I would like to introduce myself and say hello to everyone. I'm new to Declude, having just joined last week. I'm very excited about working for Declude and looking forward to working with you all. We have uncovered an intermittent issue with Declude and IMail 8.2. Basically, system resources are consumed until the system will no longer run. I want you to know that we are aware of the situation. We are working on a solution to this problem now and hope to have it solved in the near future. When ready we will conduct a limited beta program. If all goes well we will provide the solution in an interim release. I apologize for any inconvenience this may have caused and thank you for your patience. This is my first post here but assure you that it will not be my last.
All the best, Bill Bill Billman Director of Engineering Declude - internet security software 978.499.2933 office 603.930.4886 mobile 978.477.8930 fax [EMAIL PROTECTED] www.declude.com
Re: [Declude.Virus] Newbie question
You don't have to have PRO. You can also use a FROMFILE test with a text file listing all of the email addresses and/or domains you want to penalize. Just put a line like this in your Global.CFG: FROMBLACKLIST fromfile C:\IMail\Declude\fromblacklist.txt x 200 0 This penalizes every address/domain in the fromblacklist.txt file with 200 points. You'll need to add the action for the test name to the bottom of your Global.cfg for outgoing messages, and add it to your $default$.junkmail as well. Lastly, make sure you have a carriage return at the end of the fromblacklist.txt to avoid the last line being ignored. Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 6:37 PM Subject: Re: [Declude.Virus] Newbie question If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
Re: [Declude.Virus] Newbie question
Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. The manual at http://declude.com/junkmail/manual.htm describes adding filter files pretty well. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 7:09 PM Subject: Re: [Declude.Virus] Newbie question I have pro. How do I add filters? Should I add that line MAILFROM 10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions. Kevin Scott Fisher wrote: If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
Re: [Declude.Virus] Newbie question
If you want to know what caused the weight, then add MYFILTER WARN to both the global.cfg and the $default$.junkmail. This will add a line to the header telling you the message failed MYFILTER. Otherwise it looks good. You can add multiple filter files for different needs as well. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 11:37 PM Subject: Re: [Declude.Virus] Newbie question I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains: MAILFROM 0 CONTAINS [EMAIL PROTECTED] MAILFROM 0 CONTAINS [EMAIL PROTECTED] etc. I then added this line in global.cfg: MYFILTER filter C:\Imail\Declude\filter.txt x200 In my $default$.junkmail file there was already this line: WEIGHT20 HOLD Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks. Kevin Darin Cox wrote: Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. The manual at http://declude.com/junkmail/manual.htm describes adding filter files pretty well. Darin. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 7:09 PM Subject: Re: [Declude.Virus] Newbie question I have pro. How do I add filters? Should I add that line MAILFROM 10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions. Kevin Scott Fisher wrote: If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom.
To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
Re: [Declude.Virus] Newbie question
I guess when it comes down to it either could be forged. If I'm going to block like this, I generally prefer to do it by IP rather than domain or email... for exactly that reason. Does fromfile actually use something different than MAILFROM in filter tests? I didn't catch that from the manual. Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 11:59 PM Subject: Re: [Declude.Virus] Newbie question I was going to suggest a fromfile. One potential problem.. the fromfile would use the envelope from. In the case of a virus, I don't know if the envelope from would have the forged address in it. You'd have to capture some of the messages to know for sure. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:48 PM Subject: Re: [Declude.Virus] Newbie question You don't have to have PRO. You can also use a FROMFILE test with a text file listing all of the email addresses and/or domains you want to penalize. Just put a line like this in your Global.CFG: FROMBLACKLIST fromfile C:\IMail\Declude\fromblacklist.txt x 200 0 This penalizes every address/domain in the fromblacklist.txt file with 200 points. You'll need to add the action for the test name to the bottom of your Global.cfg for outgoing messages, and add it to your $default$.junkmail as well. Lastly, make sure you have a carriage return at the end of the fromblacklist.txt to avoid the last line being ignored. Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 6:37 PM Subject: Re: [Declude.Virus] Newbie question If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom.
To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
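The envelope-versus-header caveat discussed in this thread, as an added example that is not part of the original posts and is not Declude code. It assumes a MAILFROM ... CONTAINS line is a substring test on the SMTP envelope sender and a HEADERS ... CONTAINS line is a substring test on the whole header block; all addresses and messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def envelope_sender(smtp_commands):
    """Reverse-path from the SMTP MAIL FROM command ('' is the null sender)."""
    for line in smtp_commands:
        match = MAIL_FROM_RE.match(line.strip())
        if match:
            return match.group(1).lower()
    return None


def header_block(raw_message):
    """Everything before the first blank line, i.e. the message headers."""
    return raw_message.split("\n\n", 1)[0]


def evaluate(smtp_commands, raw_message, banned):
    """Report which sender-based test would match a banned address."""
    envelope = envelope_sender(smtp_commands) or ""
    headers = header_block(raw_message).lower()
    from_addr = parseaddr(message_from_string(raw_message).get("From", ""))[1].lower()
    banned = [b.lower() for b in banned]
    return {
        "envelope": envelope,
        "from_header": from_addr,
        # Assumed MAILFROM semantics: substring of the envelope sender.
        "mailfrom_hit": any(b in envelope for b in banned),
        # Assumed HEADERS semantics: substring anywhere in the headers.
        "headers_hit": any(b in headers for b in banned),
        # Tighter check: only the parsed From: address.
        "from_hit": from_addr in banned,
    }


BANNED = ["admin@example.com"]  # constructed stand-in for the redacted addresses

# Constructed: envelope sender and From: header both forged with the local address.
BOTH_FORGED = (
    ["EHLO host.invalid", "MAIL FROM:<admin@example.com>", "RCPT TO:<user@example.com>"],
    "From: admin@example.com\nTo: user@example.com\nSubject: notice\n\nbody\n",
)
# Constructed: only the displayed From: is forged; the envelope sender is unrelated.
HEADER_ONLY = (
    ["MAIL FROM:<x9f2@elsewhere.example> SIZE=2048", "RCPT TO:<user@example.com>"],
    'From: "Support" <admin@example.com>\nTo: user@example.com\nSubject: notice\n\nbody\n',
)
# Constructed: legitimate outside mail addressed TO the banned local address.
LEGIT_INBOUND = (
    ["MAIL FROM:<customer@partner.example>", "RCPT TO:<admin@example.com>"],
    "From: customer@partner.example\nTo: admin@example.com\nSubject: question\n\nbody\n",
)

if __name__ == "__main__":
    for name, case in [("both forged", BOTH_FORGED),
                       ("header only", HEADER_ONLY),
                       ("legit inbound", LEGIT_INBOUND)]:
        print(name, evaluate(case[0], case[1], BANNED))
```

The second case is the one Scott's caveat describes: an envelope-only test misses it. The third shows why a whole-header substring test needs care, since it also matches the address in To:.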
Re: [Declude.Virus] .EML file syntax
Hi Goran, Oh, I thought you wanted to separate the ALLRECIPS into TO, CC, and BCC groups. Does CC work? I would think that it would, but haven't tried it. In any case, you might be able to insert a script in the process chain for virus scanning to check the result code and send your own notification instead of letting Declude do it. Then you would have more control and be able to BCC yourself. Basically the script would be called by Declude, then would in turn call the virus scanner, perform additional actions, and return the virus scanner result to Declude for normal processing. Darin. - Original Message - From: Goran Jovanovic To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 10:55 PM Subject: RE: [Declude.Virus] .EML file syntax Darin, Not sure if you understood what I was looking for. I want to take an EML file say for a banned file notification and send it TO: %ALLRECIPS% And BCC: me (or a monitor account). This is the functionality that does not exist. Goran Jovanovic The LAN Shoppe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Tuesday, May 31, 2005 10:43 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] .EML file syntax I asked about this about a month ago. From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info. Darin. - Original Message - From: Goran Jovanovic To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 9:27 PM Subject: [Declude.Virus] .EML file syntax Hi, I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual. Thanx Goran Jovanovic The LAN Shoppe
Re: [Declude.Virus] MS05-16 Exploit
Do you use scripts to set up your accounts? Saves us a ton of time when restoring or migrating accounts. When we had a similar problem mid-April that also required a server rebuild, running the scripts allowed us to recreate all of the websites on that server in a few minutes. There were a few tweaks needed from permissions that had been changed but not documented, and Frontpage Server Extensions never seems to work right without installing first 2000, then upgrading to 2002 and restarting IIS, but otherwise it went smooth. Most of our recovery time was spent on a couple of websites that have a lot of custom services. Other than that it was just the base server rebuild and some drive shuffling to get backed up data local to the server. Darin. - Original Message - From: John Tolmachoff (Lists) To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 8:42 PM Subject: RE: [Declude.Virus] MS05-16 Exploit Putting in 2 new drives was the easy part. Recreating 43 websites in IIS because the backup drive on the backup server departed for parts unknown the week before and proceeded with the tape drive (Onstream) finally giving out a month ago leaving my backup solution in shambles is what has been fun. Fortunately, both the actual website data drives and their separate backups on zip disks are fine. When it rains it pours. I must be in Southern California. Needless to say, I am revamping my backup and disaster recovery solutions. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 31, 2005 2:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] MS05-16 Exploit Ok, John, get back to fixing that mirrored drive set. Andrew 8)
Re: [Declude.Virus] .EML file syntax
I asked about this about a month ago. From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info. Darin. - Original Message - From: Goran Jovanovic To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 9:27 PM Subject: [Declude.Virus] .EML file syntax Hi, I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual. Thanx Goran Jovanovic The LAN Shoppe
Re: [Declude.Virus] EXITSCANONVIRUS
Oh man...I feel your pain! Happened to us mid-April. Fortunately it was just after midnight on a Friday, so we had everything back up before morning and no one noticed the interruption in service. Was it Windows mirroring or hardware level? Darin. - Original Message - From: John Tolmachoff (Lists) To: Declude.Virus@declude.com Sent: Monday, May 30, 2005 3:30 AM Subject: RE: [Declude.Virus] EXITSCANONVIRUS Off the topic, but it interrupted my work on my mail server. Any one ever lose both mirrored OS drives at the same time? FUN FUN FUN NOT! At least Ghost is able to read the master. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Sunday, May 29, 2005 4:59 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] EXITSCANONVIRUS Thanks! The grass is cut and the friends are already on the way over with beer and stuff to burn :) Matt Darin Cox wrote: Sounds good to me. I tend to think of both virus and spam detection in the same breath, since I think they're stronger together than separate... but you certainly have a valid point about moving code to Junkmail...and it would seem more useful there as well. I haven't seen the false positives you've seen with the Outlook Boundary Space Gap vulnerability, but it may be due to a variation in customer base. I'll check the logs and let you know what we've seen over a similar timeframe. Happy Memorial Day weekend! Don't forget to spend some time with the fam. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 5:35 PM Subject: Re: [Declude.Virus] EXITSCANONVIRUS Darin, My list was really only in respect to my feelings on Declude Virus and not JunkMail.
In this perspective of both however, maybe a modification where #2 includes the potential of adding it as a test to JunkMail if it would be beneficial, and a clarification on #3 like so: 1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients. 2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). Add code to Declude JunkMail if useful for blocking spam. I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients. 3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the conditions related to the vulnerability; i.e. commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years. Note that some of these vulnerabilities have never been actively exploited by viruses. Being conservative about leaving the code in for long periods I think is fine because they would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reach. I think this reflects what you have said, and in essence this is what I was indicating in the paragraph that followed. I would definitely like to see the Outlook CR Vulnerability added to Declude JunkMail as a scoreable test since it does hit on a good deal of spam, but I won't use it in Declude Virus since I can only choose to block or pass and it has daily issues with false positives for my customer base. Other present vulnerabilities might not justify keeping the code however.
The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that weren't otherwise detected as viruses on my system in a two week period of time, covering over 1 million scanned messages. Of these 8 messages, all 8 were legitimate personal E-mails generated by Microsoft's own E-mail clients. I think we could agree that if this is the long-term trend, this code would be best removed or fixed instead of being added to JunkMail. Alternatively, if this is still a threat with this one vulnerability (I don't know), then the detection should be fixed. The false positives were all the result of an error in Declude where the following header was properly 'folded', but Declude seemingly experienced an error in de-folding the headers which led it to believe that there were spaces within the boundary. The 4 spaces at the beginning of the second line in this case is part of proper header folding Content-Type: multipart/alternative; boundary= "_=_NextPart_001_01C55D5F.F2B051DD" This vulnerability is designed to detect spaces or tabs within message boundaries, and apparently could be exploited to package attachments which Outlook clients would read. The above example is not an example of exploitable code. RFC 2912 -
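The de-folding false positive described in this message, as an added example that is not part of the original post and is not Declude's code. The naive function is an assumed failure mode consistent with the description; the sample headers are constructed, with the fold placed where the quoted header shows its whitespace.

```python
import re

# A fold is a line break immediately followed by a space or tab.
WSP_FOLD = re.compile(rb"\r?\n(?=[ \t])")
# boundary parameter: optional whitespace around '=', then quoted-string or token.
BOUNDARY_PARAM = re.compile(
    rb';\s*boundary\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]+))', re.IGNORECASE
)


def unfold_headers(raw_message):
    """Header block with folded lines joined: the line break goes, the WSP stays."""
    block = re.split(rb"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    return WSP_FOLD.sub(b"", block)


def content_type(raw_message):
    """Unfolded Content-Type value, or None if the header is absent."""
    for line in re.split(rb"\r?\n", unfold_headers(raw_message)):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-type":
            return value.strip()
    return None


def boundary_value(raw_message):
    """Boundary with folding whitespace and quoting removed, or None."""
    value = content_type(raw_message)
    if value is None:
        return None
    match = BOUNDARY_PARAM.search(value)
    if not match:
        return None
    quoted, token = match.group(1), match.group(2)
    if quoted is not None:
        return re.sub(rb"\\(.)", rb"\1", quoted)  # undo quoted-pair escapes
    return token


def has_boundary_gap(raw_message):
    """True only when a space or tab sits inside the boundary value itself."""
    value = boundary_value(raw_message)
    return value is not None and re.search(rb"[ \t]", value) is not None


def naive_has_boundary_gap(raw_message):
    """Assumed faulty check: everything after 'boundary=' counts as the boundary."""
    match = re.search(rb"boundary=([^;\r\n]*)", unfold_headers(raw_message), re.IGNORECASE)
    return match is not None and re.search(rb"[ \t]", match.group(1)) is not None


# Constructed: properly folded header, continuation line starts with four spaces.
FOLDED = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=\r\n"
    b'    "_=_NextPart_001_01C55D5F.F2B051DD"\r\n'
    b"Subject: constructed sample\r\n"
    b"\r\n"
)
# Constructed: whitespace really inside the quoted boundary value.
GAPPED = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="part one\tgap"\r\n'
    b"\r\n"
)
# Constructed: unfolded header with an ordinary boundary.
PLAIN = b'Content-Type: multipart/mixed; boundary="abc123"\r\n\r\n'

if __name__ == "__main__":
    for name, sample in [("folded", FOLDED), ("gapped", GAPPED), ("plain", PLAIN)]:
        print(name, boundary_value(sample),
              "naive:", naive_has_boundary_gap(sample),
              "parsed:", has_boundary_gap(sample))
```

Only the folded sample separates the two checks: the naive one flags the folding whitespace, while the parsed one flags nothing because the boundary value itself is clean.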
Re: [Declude.Virus] EXITSCANONVIRUS
I would hope existing vulnerability checks would not be retired, since there are already flags to decide whether or not to check for particular ones. We catch a bit of spam in the virus queue with these checks that is not otherwise caught, especially some that someone else (Andrew?) mentioned getting rid of. Unless there is 100% probability that no one will use the functionality any longer, please add flags to turn it off instead of removing it completely. That way those that still prefer it can still use it. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 1:23 AM Subject: Re: [Declude.Virus] EXITSCANONVIRUS John, I don't think that the behavior displayed in your logs was entirely purposeful. Declude tagged it with a vulnerability and then it ran your first virus scanner and found no virus, and then apparently it decided not to run the last two virus scanners. This of course is only interim functionality and I would imagine that they would be open to reports of unexpected behavior as well as tweaks for more optimal behavior. I believe that the intended functionality for EXITSCANONVIRUS ON would be to ignore the vulnerabilities and only skip further virus scanning when a prior virus scanner reports an exit code that you have configured to mark it as a virus. This seems consistent with what you are saying it should be. In an older thread regarding some bugs with F-Prot and other related things, Andrew also suggested separate functionality that would skip virus scanning when a vulnerability was found since that would be enough to block it on most systems. At that time I suggested that this was not necessarily a good idea, but I made a mistake. For my system, and many others running BANCRVIRUSES ON, it might be an even bigger CPU savings to skip all virus scanners when a vulnerability is detected.
The only downside to this is that you will fill up your virus directory when using such a switch unless you are using another new directive, DELETEVULNERABILITIES ON. Naturally skipping virus scanning for vulnerabilities would be optional and not the default setting, and so would be deleting vulnerabilities. I would be in favor of seeing something like EXITSCANONVULNERABILITY added to Declude. Note that there are many issues with the current set of vulnerability checks that Declude does, and it would help to address these at the same time. We do have a switch to turn most of this off, but I get the impression that they are aware of the issues and are considering or may have decided to approach vulnerabilities differently, or possibly retiring some where appropriate. Deleting messages that fail vulnerability checks but aren't tagged as viruses should only really be done if you can rely on the vulnerability checks to be accurate. Matt John Tolmachoff (Lists) wrote: It appears to be stopping when it finds a vulnerability and does not get scanned for virus. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Saturday, May 28, 2005 5:58 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS ... that's reasonable, John. How does it work up to now? If a vulnerability and a virus are detected, which gets reported? Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Saturday, May 28, 2005 5:17 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS I agree with Darrell. If it contains a virus, I want it to be marked as a virus. If it does not contain a virus, then if it contains a vulnerability or banned extension then mark as such. An example is that some Sober viruses also contain vulnerability. Well, I want it labeled as a virus not vulnerability.
John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Saturday, May 28, 2005 10:10 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] EXITSCANONVIRUS My thoughts are this - a virus is a virus and a vulnerability is a vulnerability. My expectation is that if a virus is detected then the other scanners will not be called. However, if a vulnerability is detected the scanners will execute until such time a "virus" is found. Maybe two switches - EXITSCANONVULNERABILITY... However, on the grander scale of things if nothing changed on this I would still use EXITSCANONVIRUS as long as it observes the various delivery options on vulnerabilities. Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com - Original Message - From: "Colbeck, Andrew" [EMAIL PROTECTED]
Re: [Declude.Virus] EXITSCANONVIRUS
Matt, Point taken that it may no longer be a vulnerability. So, call it something different, maybe just another type of spam test, but don't take it away. They still have value as tests. As I stated earlier, we see spam held by the vulnerability tests that were not detected by spam tests. If the vulnerability/test can be disabled so it doesn't add any processing time to your config, why argue that it should be taken away from someone else who still has a use for it? Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 2:06 PM Subject: Re: [Declude.Virus] EXITSCANONVIRUS Darin, A vulnerability is only a vulnerability if there is an application vulnerable to it. Viruses also won't ever achieve 'critical mass' and therefore won't succeed in the wild if they rely on exploiting a vulnerability that no longer exists. Given that some of these vulnerabilities have been patched for more than two years, it is unlikely that a mass-mailing virus would attempt to exploit one of them, and if they relied on one of these methods that was long since patched, they could end up hurting their chances of success since their attachments wouldn't be seen by the E-mail clients receiving them (it would be better just to attach it normally and would make no sense to try to exploit the old vulnerability). Many of the vulnerability checks in Declude were the result of flaws in Outlook and Outlook Express. There were mostly ways to package in attachments in E-mails so that error correction in the clients would display or even execute the attachments, but the deMIMEing engines associated with E-mail virus scanners might not recognize them as attachments and therefore might not even attempt to scan the attachments.
The shortcoming to many of Declude's vulnerability checks is that they might only check for the presence of the precursor or non-standard (but sometimes compliant) construction, and not the presence of the exploit (such as an attachment buried in the headers). So in essence all this is tagging is construction, and there are flaws in many of the current detection methods that can tag legitimate E-mail.

This didn't become much of an issue for me until the number of addresses and domains expanded to the point where most flaws in the detection, or otherwise error prone mailers of legitimate E-mail were tripping these things in measurable numbers every single day. For servers with single domains or fewer addresses, this is probably much less of an issue, but the false positives would be more likely to go undetected.

My opinion is that every vulnerability has a lifespan, and eventually should be retired if there is any chance of it causing a false positive, or even regardless. One example would be the "Object Data Vulnerability". This was discovered by eEye in April of 2003 and patched by Microsoft on October 3, 2003. Two fairly unsuccessful Bagle variants exploited this vulnerability in April of 2004 and Declude added this to their list of vulnerabilities in response. While other viruses might have attempted to exploit this vulnerability, it would not be successful given the year and a half since the patch...it wouldn't be successful enough to achieve critical mass. On the flip side of this, I have found that Outlook can trip this vulnerability in Declude under certain circumstances, though I'm not sure what exactly they are, and the only solutions would be to fix the detection, turn it off, or retire it. I have almost zero concern about this causing me any issues by not detecting it at this point.
http://www.eeye.com/html/Research/Advisories/AD20030820.html
http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

There are similar conditions for other vulnerabilities as well. It was good to have them at the time, but now they are more trouble than they're worth in my opinion.

Matt

Darin Cox wrote:

I would hope existing vulnerability checks would not be retired, since there are already flags to decide whether or not to check for particular ones. We catch a bit of spam in the virus queue with these checks that is not otherwise caught, especially some that someone else (Andrew?) mentioned getting rid of. Unless there is 100% probability that no one will use the functionality any longer, please add flags to turn it off instead of removing it completely. That way those that still prefer it can still use it.

Darin.

- Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 1:23 AM Subject: Re: [Declude.Virus] EXITSCANONVIRUS

John,

I don't think that the behavior displayed in your logs was entirely purposeful. Declude tagged it with a vulnerability and then it ran your first virus scanner and found no virus, and then apparently it decided not to run the last two virus scanners. This of course is only interim
Re: [Declude.Virus] EXITSCANONVIRUS
Hi Matt,

I think most of us always consider the "greater good" before making requests... and by their nature, most requests from one person have benefit to many others. I think the recommendation you outlined below is fairly good...but again, I would not like to see potentially valuable tests removed. Defaulting to off is good, but removing doesn't make sense when there's value in the test. Other than an occasional Partial vulnerability, I see no false positives with vulnerabilities from our user base.

I do think your point about moving the code from Virus over to Junkmail is a good one when it is no longer an active vulnerability. I would just hate to see a valuable test removed, and again, we see a decent amount of spam caught by Virus that doesn't get caught by our Junkmail config. Code can easily be broken in moving from one place to another (Virus to Junkmail), so this may be a maintenance problem that it is desirable to avoid. However, deprecated vulnerabilities could potentially be more valuable there for use in weighting or combo tests to identify particular spammers and assist with detecting their payloads.

I think this all falls under the "The more info we have about a message, the better we can classify it" category. Indeed, one of the main reasons we haven't migrated to SmarterMail is the unavailability of the CMDSPACE test. We find much of the strength in Declude is due to the variety of special tests Scott was able to come up with.

So, with the caveat of not performing Item 3 in your list (Removal), it sounds very good to me. It's nowhere near #1 on my list either...just didn't want anything useful to disappear.

Darin.
- Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 4:22 PM Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Darin,

I think there are many different ways to define "retire" in this context.

Personally, I have already 'retired' the functionality on my system where I feel that it is appropriate, but when I share my opinions and recommendations, I am often thinking of the greater good. I tend to not ask for things from Declude that would not also be of benefit to a good number of its users. While having the switch alone might be good enough for the majority of us on these lists, the majority of Declude's customers don't pay attention to the lists, release notes, or many other things...they tend to run default configurations with very little in the way of tweaks. These people are most in need of a solution, though they probably mostly don't recognize the issue, and likewise wouldn't recognize the solution. By Declude providing this functionality and not working it into the overall approach for the best standard config and practices, it really only serves the few of us that are paying very close attention.

So in this perspective, the best global approach in my opinion would be to establish a system for deprecating such functionality. I would suggest the following:

1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients.

2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the executable. Depending on the conditions related to the vulnerability; i.e.
commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years. Note that some of these vulnerabilities have never been actively exploited by viruses. Being conservative about leaving the code in for long periods I think is fine because they would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reach.

Regarding their use in blocking some spam, I personally would rather Declude JunkMail tag such things, that way we could handle this as spam, as well as the potential false positives, within the systems that we have built to handle spam instead of the one built to handle viruses. Active Vulnerabilities are a different story, but I wouldn't object to seeing code added to BADHEADERS/SPAMHEADERS or another built-in test to show that something failed a deprecated check within the context of Declude JunkMail. Some of these vulnerabilities are presently less than 90% accurate on my system in judging between spam and ham, though the viruses associated with them might well be deleted if they do exist and were detected by one of my scanners (I've based this on a review of the spam folder
Re: [Declude.Virus] EXITSCANONVIRUS
Sounds good to me. I tend to think of both virus and spam detection in the same breath, since I think they're stronger together than separate... but you certainly have a valid point about moving code to Junkmail...and it would seem more useful there as well.

I haven't seen the false positives you've seen with the Outlook Boundary Space Gap vulnerability, but it may be due to a variation in customer base. I'll check the logs and let you know what we've seen over a similar timeframe.

Happy Memorial Day weekend! Don't forget to spend some time with the fam.

Darin.

- Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 5:35 PM Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Darin,

My list was really only in respect to my feelings on Declude Virus and not JunkMail. In this perspective of both however, maybe a modification where #2 includes the potential of adding it as a test to JunkMail if it would be beneficial, and a clarification on #3 like so:

1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients.

2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). Add code to Declude JunkMail if useful for blocking spam. I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the conditions related to the vulnerability; i.e. commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years. Note that some of these vulnerabilities have never been actively exploited by viruses.
Being conservative about leaving the code in for long periods I think is fine because they would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reach.

I think this reflects what you have said, and in essence this is what I was indicating in the paragraph that followed.

I would definitely like to see the Outlook CR Vulnerability added to Declude JunkMail as a scoreable test since it does hit on a good deal of spam, but I won't use it in Declude Virus since I can only choose to block or pass and it has daily issues with false positives for my customer base.

Other present vulnerabilities might not justify keeping the code however. The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that weren't otherwise detected as viruses on my system in a two week period of time, covering over 1 million scanned messages. Of these 8 messages, all 8 were legitimate personal E-mails generated by Microsoft's own E-mail clients. I think we could agree that if this is the long-term trend, this code would be best removed or fixed instead of being added to JunkMail.

Alternatively, if this is still a threat with this one vulnerability (I don't know), then the detection should be fixed. The false positives were all the result of an error in Declude where the following header was properly 'folded', but Declude seemingly experienced an error in de-folding the headers which led it to believe that there were spaces within the boundary. The 4 spaces at the beginning of the second line in this case is part of proper header folding

    Content-Type: multipart/alternative; boundary= "_=_NextPart_001_01C55D5F.F2B051DD"

This vulnerability is designed to detect spaces or tabs within message boundaries, and apparently could be exploited to package attachments which Outlook clients would read. The above example is not an example of exploitable code.
RFC 2912 - http://www.faqs.org/rfcs/rfc2912.html

3.1 Whitespace and folding long headers

In some circumstances, media feature expressions can be very long. According to "A Syntax for Describing Media Feature Sets" [1], whitespace is allowed between lexical elements of a media feature expression. Further, RFC822/MIME [4,5] allows folding of long headers at points where whitespace appears to avoid line length restrictions. Therefore, it is recommended that whitespace is included as permitted, especially in long media feature expressions, to facilitate the folding of headers by agents that do not otherwise understand the syntax of this field.

For this to have been the vulnerability, the whitespace would have needed to have been within the quotes that defined the boundary and not before it.

Matt

Darin Cox wrote:

Hi Matt, I think most of us always consider the "greater good" before making requests... and by their
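The false positive Matt describes in the message above comes down to where the whitespace sits: in the folding in front of the boundary value, or inside the value itself. The following is an added example, not Declude's code and not something posted in the thread; the position of the fold in the first sample header, the `naive_gap_check` model of the failure, the second sample header and all function names are assumptions made for illustration.

```python
import re


def unfold(raw_header):
    """RFC 5322 unfolding: delete each line break that is followed by a space or tab."""
    return re.sub(r"\r?\n(?=[ \t])", "", raw_header)


def split_params(value):
    """Split a structured header value on ';' characters that sit outside quoted strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def get_boundary(raw_header):
    """Return the boundary parameter of a Content-Type header, or None if absent."""
    name, _, value = unfold(raw_header).partition(":")
    if name.strip().lower() != "content-type":
        return None
    for part in split_params(value)[1:]:          # [0] is the media type itself
        attr, sep, val = part.partition("=")
        if not sep or attr.strip().lower() != "boundary":
            continue
        val = val.strip(" \t\r\n")                # whitespace around '=' is layout, not value
        quoted = re.match(r'"((?:[^"\\]|\\.)*)"', val, re.S)
        if quoted:                                # quoted-string: drop quotes and escapes
            return re.sub(r"\\(.)", r"\1", quoted.group(1), flags=re.S)
        return val.lstrip('"')                    # bare token, or an unterminated quote
    return None


def boundary_has_whitespace(raw_header):
    """True only when a space or tab is part of the boundary value itself.

    RFC 2046 permits a space inside a quoted boundary, so a hit describes
    construction, not proof of an exploit.
    """
    boundary = get_boundary(raw_header)
    return boundary is not None and any(c in " \t" for c in boundary)


def naive_gap_check(raw_header):
    """Assumed model of the failure: look for whitespace in the raw, still-folded
    text after 'boundary=' without unfolding or parsing the parameter first."""
    m = re.search(r"boundary=(.*)", raw_header, re.I | re.S)
    return bool(m and re.search(r"[ \t]", m.group(1).rstrip("\r\n")))


# Boundary value taken from the message above; the fold after 'boundary=' is assumed.
FOLDED_LEGITIMATE = (
    'Content-Type: multipart/alternative; boundary=\r\n'
    '    "_=_NextPart_001_01C55D5F.F2B051DD"\r\n'
)
# Constructed header with the whitespace inside the quotes.
GAP_INSIDE_VALUE = 'Content-Type: multipart/mixed; boundary="part one"\r\n'

if __name__ == "__main__":
    for label, header in (("folded", FOLDED_LEGITIMATE), ("gap", GAP_INSIDE_VALUE)):
        print(label, repr(get_boundary(header)),
              "naive:", naive_gap_check(header),
              "parsed:", boundary_has_whitespace(header))
```
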
Re: [Declude.Virus] f-prot update script
Huh? What about FTP is not working? We're still FTPing from them. Latest defs are Monday at 10:34am. I just ran the FTP update script manually and it ran fine. Here's what we use

    open ftp.frisk.is
    user anonymous [EMAIL PROTECTED]
    cd pub
    binary
    hash
    prompt
    get fp-def.zip
    get macrdef2.zip
    close
    quit

Darin.

- Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 12:19 PM Subject: RE: [Declude.Virus] f-prot update script

Hmmm. Well, I went to the F-Prot website and picked out their link to download the latest signatures. They do not support the FTP method anymore, but: wget -N http://updates.f-prot.com/cgi-bin/get_randomly?fp-def and wget -N http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2 do work very well. Thanks for pointing that out, Bill. It may be worth mentioning that when the GUI scheduler had problems, it would tell me instead of quietly erroring out or retrying, which was why I switched to the method discussed, which was to invoke: http://www.f-prot.com/support/windows/fpwin_faq/88.html from Task Scheduler or AT commands. Since I switched to this method, my downloads have been flawless. I won't be switching to wget with http unless this turns out to be bad. For what it's worth, I've been using 3.16a and now 3.16b ...

Andrew 8)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, May 04, 2005 8:27 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] f-prot update script

My wget script for updating F-Prot has been working just fine for a few years now, and still continues to function properly.

Bill

- Original Message - From: Douglas Cohn [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 8:13 AM Subject: RE: [Declude.Virus] f-prot update script

This update is the worst method IMO (The one referenced in the link here).
I used to update every hour and using this I would find the machine with the updater hung on the screen timed out at least once a week. W2K Server SP4. What OS are you using it on where it does NOT create issues? I started writing a simple updater using 4NT copy /u which copies across anonymous ftp and http links and only copies new files. Perfect but then I read somewhere that fprot has no FTP updates available anymore so I rewrote the one for Mcafee command line instead since I do not have the full version installed on this machine and do not want to install the full version. The script pulls the superdat expands it and then the daily dat. I could not get the wget Mcafee script from the Declude links to work for long either. Wget got corrupted after 2 days saying it was not a valid win32 application. Those links on the Declude site should be removed as that stuff does not work anymore. 4NT from Jpsoft is simply the best tool for the job anyway. That and unzip from infozip and it is done. DC -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, May 02, 2005 11:21 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] f-prot update script Daniel, Give this a try: http://www.f-prot.com/support/windows/fpwin_faq/88.html -Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey Sent: Monday, May 02, 2005 11:06 AM To: 'Declude.Virus@declude.com' Subject: RE: [Declude.Virus] f-prot update script I have tried using this script. I keep getting an error referring to wget.exe and it doesn't update F-Prot. 
Daniel === Daniel Ivey GCR Company / GCR Online Voice: 434 - 570 - 1765 Fax:434 - 572 - 1981 [EMAIL PROTECTED] -Original Message- From: Goran Jovanovic [mailto:[EMAIL PROTECTED] Sent: Monday, May 02, 2005 11:02 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] f-prot update script Take a look at: http://www.declude.com/Articles.asp?ID=100 F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version! Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Daniel Ivey Sent: Monday, May 02, 2005 9:52 AM To: 'Declude.Virus@declude.com' Subject: [Declude.Virus] f-prot update script Does anyone have an f-prot update script that they wouldn't mind sharing? I have tried one that I found, but never could get it to work. Any help is appreciated. Thanks, Daniel === Daniel Ivey GCR Company / GCR Online Voice: 434 - 570 - 1765 Fax:434 - 572 - 1981 [EMAIL PROTECTED]
Re: [Declude.Virus] f-prot update script
Hi Andrew,

We have monitoring in place to know if any management process fails, so we'll know if this no longer works and we need to change. However, this has worked flawlessly for years, so I see no reason to change to the F-Prot updater that was always iffy at best. Not sure how HTTP updates are any different from a legacy standpoint than FTP, since the F-Prot updater is the officially supported mechanism. In any case, my comment was just that it works fine, and has for years. I'll choose FTP over HTTP any day if given the choice...

Darin.

- Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 12:50 PM Subject: RE: [Declude.Virus] f-prot update script

Darin you're depending on legacy support. I'd suggest that if you want to stick to this method, you work on your backup plan. See the Windows Updater FAQ: http://www.f-prot.com/support/windows/fpwin_faq/fpwin_faq_6.html which lists: http://www.f-prot.com/support/windows/fpwin_faq/30.html

Andrew 8)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, May 04, 2005 9:43 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] f-prot update script

Huh? What about FTP is not working? We're still FTPing from them. Latest defs are Monday at 10:34am. I just ran the FTP update script manually and it ran fine. Here's what we use

    open ftp.frisk.is
    user anonymous [EMAIL PROTECTED]
    cd pub
    binary
    hash
    prompt
    get fp-def.zip
    get macrdef2.zip
    close
    quit

Darin.

- Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 12:19 PM Subject: RE: [Declude.Virus] f-prot update script

Hmmm. Well, I went to the F-Prot website and picked out their link to download the latest signatures.
They do not support the FTP method anymore, but: wget -N http://updates.f-prot.com/cgi-bin/get_randomly?fp-def and wget -N http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2 do work very well. Thanks for pointing that out, Bill. It may be worth mentioning that when the GUI scheduler had problems, it would tell me instead of quietly erroring out or retrying, which was why I switched to the method discussed, which was to invoke: http://www.f-prot.com/support/windows/fpwin_faq/88.html from Task Scheduler or AT commands. Since I switched to this method, my downloads have been flawless. I won't be switching to wget with http unless this turns out to be bad. For what it's worth, I've been using 3.16a and now 3.16b ... Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, May 04, 2005 8:27 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] f-prot update script My wget script for updating F-Prot has been working just fine for a few years now, and still continues to function properly. Bill - Original Message - From: Douglas Cohn [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 8:13 AM Subject: RE: [Declude.Virus] f-prot update script This update is the worst method IMO (The one referenced in the link here). I used to update every hour and using this I would find the machine with the updater hung on the screen timed out at least once a week. W2K Server SP4. What OS are you using it on where it does NOT create issues? I started writing a simple updater using 4NT copy /u which copies across anonymous ftp and http links and only copies new files. Perfect but then I read somewhere that fprot has no FTP updates available anymore so I rewrote the one for Mcafee command line instead since I do not have the full version installed on this machine and do not want to install the full version. The script pulls the superdat expands it and then the daily dat. 
I could not get the wget Mcafee script from the Declude links to work for long either. Wget got corrupted after 2 days saying it was not a valid win32 application. Those links on the Declude site should be removed as that stuff does not work anymore. 4NT from Jpsoft is simply the best tool for the job anyway. That and unzip from infozip and it is done. DC -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, May 02, 2005 11:21 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] f-prot update script Daniel, Give this a try: http://www.f-prot.com/support/windows/fpwin_faq/88.html -Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey Sent: Monday, May 02, 2005 11:06 AM To: 'Declude.Virus@declude.com' Subject: RE: [Declude.Virus] f-prot update script I have tried using this script. I keep getting an error referring to wget.exe and it doesn't update F-Prot. Daniel === Daniel
Re: [Declude.Virus] f-prot update script
Yep. We do the same thing for scheduling updates.

Darin.

- Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 1:16 PM Subject: Re: [Declude.Virus] f-prot update script

FYI, my experience with the command line updater in F-Prot has been perfect so far as I can tell. I think the issue that you are referring to is the program updates that only the GUI handles through the F-Prot Updater which has been known to hang in the past when bandwidth isn't good. The command line tool can be set up in Windows Scheduler with a reasonable time out which should kill the command if it goes on too long, and it only handles the definitions. I can see from F-Prot's perspective that supporting scheduled FTP downloads is not good for their bandwidth since most probably don't bother to check to see if there is a newer file before downloading (not necessarily the case here). I schedule my command line to run at an odd minute, every 60 minutes in order to avoid any common download times and the slowdowns that might accompany them. I have McAfee update every 60 minutes offset 30 minutes from F-Prot.

    "C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe" /HIDDEN /INTERNET

Matt

Darin Cox wrote:

Hi Andrew, We have monitoring in place to know if any management process fails, so we'll know if this no longer works and we need to change. However, this has worked flawlessly for years, so I see no reason to change to the F-Prot updater that was always iffy at best. Not sure how HTTP updates are any different from a legacy standpoint than FTP, since the F-Prot updater is the officially supported mechanism. In any case, my comment was just that it works fine, and has for years. I'll choose FTP over HTTP any day if given the choice... Darin.

- Original Message - From: "Colbeck, Andrew" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 12:50 PM Subject: RE: [Declude.Virus] f-prot update script

Darin you're depending on legacy support.
I'd suggest that if you want to stick to this method, you work on your backup plan. See the Windows Updater FAQ: http://www.f-prot.com/support/windows/fpwin_faq/fpwin_faq_6.html which lists: http://www.f-prot.com/support/windows/fpwin_faq/30.html

Andrew 8)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox Sent: Wednesday, May 04, 2005 9:43 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] f-prot update script

Huh? What about FTP is not working? We're still FTPing from them. Latest defs are Monday at 10:34am. I just ran the FTP update script manually and it ran fine. Here's what we use

    open ftp.frisk.is
    user anonymous [EMAIL PROTECTED]
    cd pub
    binary
    hash
    prompt
    get fp-def.zip
    get macrdef2.zip
    close
    quit

Darin.

- Original Message - From: "Colbeck, Andrew" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 12:19 PM Subject: RE: [Declude.Virus] f-prot update script

Hmmm. Well, I went to the F-Prot website and picked out their link to download the latest signatures. They do not support the FTP method anymore, but: wget -N http://updates.f-prot.com/cgi-bin/get_randomly?fp-def and wget -N http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2 do work very well. Thanks for pointing that out, Bill. It may be worth mentioning that when the GUI scheduler had problems, it would tell me instead of quietly erroring out or retrying, which was why I switched to the method discussed, which was to invoke: http://www.f-prot.com/support/windows/fpwin_faq/88.html from Task Scheduler or AT commands. Since I switched to this method, my downloads have been flawless. I won't be switching to wget with http unless this turns out to be bad. For what it's worth, I've been using 3.16a and now 3.16b ...
Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry Sent: Wednesday, May 04, 2005 8:27 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] f-prot update script My wget script for updating F-Prot has been working just fine for a few years now, and still continues to function properly. Bill - Original Message - From: "Douglas Cohn" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, May 04, 2005 8:13 AM Subject: RE: [Declude.Virus] f-prot update script This update is the worst method IMO (The one referenced in the link here). I used to update every hour and using this I would find the machine with the updater hung on the screen timed out at least once a week. W2K Server SP4. What OS are you using it on where it does NOT create issues? I started writing a simple updater using 4NT copy /u which copies across anonymous ftp and http links and only copies new files. Perfect but then I read somewhere that fprot has no FTP updates available
Re: [Declude.Virus] RAR followup
We just saw a rash of them as well. Same patterns you mentioned. Glad we're holding on RAR! Darin. - Original Message - From: John Carter [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, April 14, 2005 5:29 PM Subject: [Declude.Virus] RAR followup Starting to see repeat names. Reminds me of viruses sent by RAR last year (and caught by scanners.) Names: Forest, It_is_about_you, prices, jokes John
Re: [Declude.Virus] Covad has a problem with our RBL
There could be many RBL's in your config (we have about 100 in ours...which we probably need to prune since many don't add any real value), each of which would require a DNS hit for each message. Best just to set up your own DNS server and be done with it.

Darin.

- Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, March 31, 2005 5:03 PM Subject: [Declude.Virus] Covad has a problem with our RBL

I received the following email today from Covad - our access provider. It looks like they have a problem with Declude checking inbound emails against a realtime blackhole list. (The problem could also be several emails we've received lately with hundreds of recipients, many of which were invalid - so it could be the NDR problem mentioned). Does anyone know if Declude, set up normally without much modification, is using more than 1 RBL, or, irregardless of how many it uses, would it be checking the RBL 12000 times an hour for a mail server that delivers about 6000 messages a day? Or do you think this most likely has to do with the too-many-invalid-recipients problem? Thanks.

Kevin

MESSAGE FOLLOWS ---

Dear Covad Customer,

Our records indicate that your computer has made 12497 requests during the hour we monitored it which accounted for 5.13% of the total traffic to the Covad nameservers in your region. The high volume of requests made by your computer to our nameservers causes a degradation of service for other Covad customers. The IP address implicated is: XX.XXX.XXX.XXX

Possible causes for this excessive activity include, but are not limited to, the following reasons:

- Virus infected computer(s) sending infected emails which causes Covad servers to receive MX queries for every infected message.
- Computer hosting an open proxy or relay that is being abused by a spammer. Each outbound email will generate a DNS request.
- Mail server configured to check every inbound email on a realtime blackhole list (RBL). This could pose a problem if there are more than two lists being queried.
- Mail server configured to send a non delivery receipt (NDR) for every email received at an invalid email address. NDR messages cause Covad servers to receive DNS requests as well as generate unnecessary traffic on a customer's network. NDR messages are also a way for spammers to confirm valid email addresses which could cause mail servers to receive even more spammed emails.
Re: [Declude.Virus] RAR Support - why not?
Yeah...we had to do it previously due to log storage. It was a good thing we did it when there was still plenty of room as our logs doubled in size last November from a sudden increase in spam and dictionary attacks. Over a span of two days we went from 80% to 95% spam for about three weeks before it settled back down to around 90% spam...and stayed there.

Darin.

- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 28, 2005 5:28 PM
Subject: RE: [Declude.Virus] RAR Support - why not?

I may have to start doing that. I used to be able to keep 30 days of logs - but volume, dictionary attacks and SPAM volume are making it increasingly difficult.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, January 28, 2005 05:15 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] RAR Support - why not?

Notices only go out for banned files. We include a statement that the email will be available to be requeued for x number of days...so automatic processes clean it up if it's unclaimed.

Regarding the space problem, are you moving logs off to another partition on a nightly basis? Between that, automatic cleanup, and zipping old logs ours stays pretty clean.

Darin.

- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 28, 2005 5:05 PM
Subject: RE: [Declude.Virus] RAR Support - why not?

Hi Goran:

Oh, I've been thinking about just that. However does that mean you hold all virus files? I don't think I could afford the additional disk space (the spool file is already too big as it is.)

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, January 28, 2005 12:48 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

Andy,

Someone posted on this list a while ago a small ASP page that I am using to requeue a banned file. I send out a bannotify.eml that has the link back to the server with the appropriate file name. The user says I really really want this file and clicks on the link. It gets requeued automatically into the spool directory and it is not scanned/banned again and the user gets it within 30 minutes.

I remember that there was some discussion on the list a while ago about having the users authenticate and fill in a form etc. I decided not to bother with that.

I can send you my bannotify.eml and the asp file if you wish. Let me know

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, January 27, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

1.82 will treat encrypted .RAR files the same as encrypted .ZIP files, and will block banned file extensions in .RAR files the same way as it blocks banned file extensions in .ZIP files.

Beautiful! Now we just need McAfee to scan inside RAR files <G>

(Globally banning zipped .EXE files is not an option for me - I gotta give those customers SOME practical way to send/receive restricted file types.)

Best Regards
Andy

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re: [Declude.Virus] hlp attachments
Sure... For about two weeks until I get back from vacation...uh, we still get to charge for internet related services, right? ;^P

Darin.

- Original Message -
From: Greg Little [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, December 29, 2004 12:59 PM
Subject: Re: [Declude.Virus] hlp attachments

http://msmvps.com/trafton/

Just added HLP to my block list. (anyone want to vote, we just shut down the internet)

Greg

--- [This E-mail scanned for viruses by Findlay Internet]
Re: [Declude.Virus] hlp attachments
http://www.thechannelinsider.com/article2/0,1759,1745654,00.asp

Darin.

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 28, 2004 1:50 PM
Subject: [Declude.Virus] hlp attachments

I just had a client request blocking of hlp attachments. I have been extremely busy with 2 major projects and have not seen anything about this. Any one have information on a virus that uses that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] [Declude.JunkMail] Declude Licensing codes
It's one thing to have the facts and make the decision yourself...it's another to have blind faith in another. I think most people will need to know exactly how the new licensing works to be comfortable with it.

To avoid a lot of calls, and having to explain everything over and over, it would probably be a good idea for CMHZ to post the details to the list...or send the info directly to customers if they're concerned about the info falling into the wrong hands on the list.

While I trust CMHZ has/will address everyone's concerns, a business has to have a Continuity Plan that clearly addresses concerns like this...including detailed steps to be taken in the event of a failure/disaster.

Darin.

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Sent: Thursday, December 23, 2004 2:01 AM
Subject: [Declude.JunkMail] Declude Licensing codes

Here is some information for all who have concerns about the new licensing and tie in to IPs and/or MACs:

I have spoken to Barry today, and while I will not reveal the little bit of information I was given, I will state on my honor that I have no problem with the new license code process what ever you want to call it.

Additionally, Declude has designed and taken steps to make sure there will be no problems in the event you need to change IPs or hardware overnight, on a weekend, on an extended weekend or even if disaster were to strike and the Declude offices were not available for a week.

Hopefully, you can now rest assured that Declude will not stop working if you have to fix your server.

FYI, there is also a process in place for a cold spare server to be prepared and ready ahead of time. You will need to contact Declude to specifically set that up.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] [Declude.JunkMail] Declude Licensing codes
Whoops...that should have been CPHZ...

And just to avoid any misunderstanding, we are extremely happy with the products and services provided by CPHZ...and trust that they will disclose the info as soon as possible. It's always better to be upfront though - prepared to disclose info on obvious questions customers will have - rather than to be scrambling after the fact to assuage any concerns that are raised.

Darin.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, December 23, 2004 6:11 AM
Subject: Re: [Declude.Virus] [Declude.JunkMail] Declude Licensing codes

It's one thing to have the facts and make the decision yourself...it's another to have blind faith in another. I think most people will need to know exactly how the new licensing works to be comfortable with it.

To avoid a lot of calls, and having to explain everything over and over, it would probably be a good idea for CMHZ to post the details to the list...or send the info directly to customers if they're concerned about the info falling into the wrong hands on the list.

While I trust CMHZ has/will address everyone's concerns, a business has to have a Continuity Plan that clearly addresses concerns like this...including detailed steps to be taken in the event of a failure/disaster.

Darin.

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Sent: Thursday, December 23, 2004 2:01 AM
Subject: [Declude.JunkMail] Declude Licensing codes

Here is some information for all who have concerns about the new licensing and tie in to IPs and/or MACs:

I have spoken to Barry today, and while I will not reveal the little bit of information I was given, I will state on my honor that I have no problem with the new license code process what ever you want to call it.

Additionally, Declude has designed and taken steps to make sure there will be no problems in the event you need to change IPs or hardware overnight, on a weekend, on an extended weekend or even if disaster were to strike and the Declude offices were not available for a week.

Hopefully, you can now rest assured that Declude will not stop working if you have to fix your server.

FYI, there is also a process in place for a cold spare server to be prepared and ready ahead of time. You will need to contact Declude to specifically set that up.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] Upgrade issues
I would need a better understanding of exactly what that means before I would be comfortable with it.

Darin.

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 21, 2004 7:16 PM
Subject: RE: [Declude.Virus] Upgrade issues

The built-in failsafes are designed to ensure that you won't need to wait until the next business day to get a new license key.

What exactly does this mean? How long will you wait and does Declude run without the key?

I don't know the exact details, but in any case they are likely to change before the next release.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.

This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
[Declude.Virus] Disable all virus notifications except BAN
How do we disable all notifications except for banned attachment? I've changed the names of all of the templates except BANnotify.eml, but am still getting some postmaster notifications for virus detections. Thanks, Darin.
Re: [Declude.Virus] Getting hammered by viruses
Hi Markus,

Sounds like you're experiencing what we saw starting on November 16th... a tenfold increase in spam overnight. After a little over a week ours settled down to about 3 times the amount of spam prior to the 16th. That has been steady ever since.

We've attributed it to the recent spate of viruses, creating zombies. Analysis shows our zombie spam has increased dramatically, requiring more reliance on content filtering and dynamic IP detection.

Darin.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 10:24 AM
Subject: [Declude.Virus] Getting hammered by viruses

Is anyone else seeing this? Last week we had an average of 2750 viruses each day. Two days ago this number increased to 9000. Yesterday we caught 19000 viruses. Of the other 16000 messages, 9600 were spam.

Markus
Re: [Declude.Virus] Disable all virus notifications except BAN
Thanks, Scott,

As Rick suggested, I moved all of the other notifications to a separate folder.

Darin.

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 3:12 PM
Subject: Re: [Declude.Virus] Disable all virus notifications except BAN

Scott, can you shed some light on why this might be?

With Declude Virus, you can send out as many notifications to as many people as you want -- some people have a dozen or so notifications. To do that, Declude Virus sends out any \IMail\Declude\*.eml file (that isn't used by other Declude programs).

So if you rename recip.eml to recip.bak, it won't get sent out. But if you rename recip.eml to bak.eml, it will get sent out.

-Scott
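The matching rule explained in the message above (any top-level `*.eml` file is sent, so only a non-`.eml` extension or a subfolder disables one), as an added sketch that is not part of the thread and is not Declude's own code. The `disabled-notifications` folder name and the sample file names other than recip.eml, bak.eml, recip.bak and BANnotify.eml are constructed; the script cannot tell which `.eml` files other Declude programs use, so those belong in `keep`.

```python
import shutil
import tempfile
from pathlib import Path


def active_templates(declude_dir):
    """Top-level files whose extension is .eml (any case), sorted by name.

    Only the extension matters: bak.eml still counts, recip.bak does not.
    Subdirectories are not searched, which is why parking a template in
    one takes it out of play.
    """
    root = Path(declude_dir)
    hits = [p for p in root.iterdir() if p.is_file() and p.suffix.lower() == ".eml"]
    return sorted(hits, key=lambda p: p.name.lower())


def disable_except(declude_dir, keep=("BANnotify.eml",),
                   parked="disabled-notifications", dry_run=True):
    """Move every active template not named in `keep` into a subdirectory.

    Returns the names that were moved (or would be, when dry_run is True).
    `parked` is a hypothetical folder name chosen for this example.
    """
    root = Path(declude_dir)
    keep_lower = {name.lower() for name in keep}  # Windows names are case-insensitive
    to_move = [p for p in active_templates(root) if p.name.lower() not in keep_lower]
    if not dry_run and to_move:
        target = root / parked
        target.mkdir(exist_ok=True)
        for path in to_move:
            dest = target / path.name
            if dest.exists():
                raise FileExistsError(f"{dest} already exists; not overwriting")
            shutil.move(str(path), str(dest))
    return [p.name for p in to_move]


def demo():
    """Run against a constructed directory; returns (before, moved, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for the Declude template folder.
        for name in ("BANnotify.eml", "recip.eml", "bak.eml",
                     "postmaster.EML", "recip.bak"):
            (root / name).write_text("constructed sample template\n")
        before = [p.name for p in active_templates(root)]
        would_move = disable_except(root)            # dry run changes nothing
        assert [p.name for p in active_templates(root)] == before
        moved = disable_except(root, dry_run=False)
        assert moved == would_move
        after = [p.name for p in active_templates(root)]
        return before, moved, after


if __name__ == "__main__":
    before, moved, after = demo()
    print("active before:", before)
    print("moved:        ", moved)
    print("active after: ", after)
```

Run it with the default dry run first and read the returned list before moving anything on a live server.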
Re: [Declude.Virus] Getting hammered by viruses
For us it seemed to lag slightly behind the new Bagles that came out in early to mid Nov.

Darin.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 10:53 AM
Subject: RE: [Declude.Virus] Getting hammered by viruses

Hmmm, can't see any step near to 2004-11-16 but the virus creating this big wall of infected messages is Zafi.D, which appeared some days ago.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, December 16, 2004 4:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Getting hammered by viruses

Hi Markus,

Sounds like you're experiencing what we saw starting on November 16th... a tenfold increase in spam overnight. After a little over a week ours settled down to about 3 times the amount of spam prior to the 16th. That has been steady ever since.

We've attributed it to the recent spate of viruses, creating zombies. Analysis shows our zombie spam has increased dramatically, requiring more reliance on content filtering and dynamic IP detection.

Darin.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 10:24 AM
Subject: [Declude.Virus] Getting hammered by viruses

Is anyone else seeing this? Last week we had an average of 2750 viruses each day. Two days ago this number increased to 9000. Yesterday we caught 19000 viruses. Of the other 16000 messages, 9600 were spam.

Markus
Re: [Declude.Virus] Disable all virus notifications except BAN
Hmmm...I'll try that. Thanks Rick.

Scott, can you shed some light on why this might be?

Darin.

- Original Message -
From: Rick Davidson
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 11:10 AM
Subject: Re: [Declude.Virus] Disable all virus notifications except BAN

I had to move them to a sub directory or delete them to get them to stop, renaming didn't work

Rick Davidson
National Systems Manager
North American Title Group

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 10:37 AM
Subject: [Declude.Virus] Disable all virus notifications except BAN

How do we disable all notifications except for banned attachment? I've changed the names of all of the templates except BANnotify.eml, but am still getting some postmaster notifications for virus detections.

Thanks,
Darin.