re: [Declude.Virus] OT: Alligate as a gateway for providers ?

[Douglas Cohn]

If Declude is running the load will not change.

We found that declude with using 99% of the resources on our server.  

We turned on Greylisting added SpamAssasin and turned off declude.  Then took 
the same server and created virtual servers on it.  I now have an extra virtual 
server I use for monitoring.

Maybe it was the version we were on or the way we had Declude configured but it 
just killed our box no matter what we did even with just a few domains.  
(Declude 4.3)

Maybe it was us,  I don't know but we get virtually no spam at all now and the 
server is running twice as fast.



 Original Message 
 Return-Path: [EMAIL PROTECTED]

 
 Hi list, we are a small provider doing some shop-hosting services.
 As a side-service we are running one eMail-server for 65 domains and 
 approximately 270 user.
 We tried Alligate (trial) as a gateway server to minimize the load on this 
 server.
 But my administrator said, that POP3 eMail never goes through to our 
 eMail-Server.
 Our request is, that the gateway is doing second level SMTP-Outbund
 filtering/checks and POP3 first level inbound filtering/checks.
 The eMail-server-SW is: SmarterMail 4.x on Windows2003 and 
 SPAM/Virus-Filtering is done by Declude EVA.
 And the customers should be able to receive their eMails via
 SmarterMail directly (bypass Alligate).
 Any chance on doing this with Alligate ?
 Uwe
 
 
 
 
 
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com. 





---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Version 6

[Douglas Cohn]

AH HA

Well now I see.  Yea  I use F-prot as a low cost AV scanner for remote
locations.  I no longer use it on Declude/SmarterMail since it includes AVG
and I see no reason for belts and suspenders.

Version 3 is still available for now as is Mcafee.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
(lists)
Sent: Wednesday, March 14, 2007 1:49 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Version 6

As Andrew pointed out, you did not read the fine print.

John T

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Douglas Cohn
 Sent: Tuesday, March 13, 2007 8:50 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] F-Prot Version 6
 
 F-prot is $50 for 10 licenses per year.  $5 per machine per year.  Version
 6
 
 Why is that not still reasonable?
 
 Please explain
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Bilbee
 Sent: Thursday, February 01, 2007 8:33 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] F-Prot Version 6
 
 Changed when they released the new version. About 3 months back. Check the
 archives of this list. We were complaining about it. We dumped using their
 product and just use the AVG built into Declude.
 
 
 
 Kevin Bilbee
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
  [EMAIL PROTECTED]
  Sent: Thursday, February 01, 2007 3:33 PM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] F-Prot Version 6
 
  When did their licensing change?  F-Prot used to be extremely
  reasonable.
 
  Don
 
  - Original Message -
  From: Kevin Bilbee [EMAIL PROTECTED]
  To: declude.virus@declude.com
  Sent: Wednesday, January 31, 2007 11:14 PM
  Subject: RE: [Declude.Virus] F-Prot Version 6
 
 
   Read the license. It may be compatible but the licensing is
  expensive.
  
  
   Kevin Bilbee
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   David Dodell
   Sent: Wednesday, January 31, 2007 7:26 PM
   To: Declude.Virus@declude.com
   Subject: [Declude.Virus] F-Prot Version 6
  
   Been using F-Prot version 3 for years ... and now getting notices to
   upgrade to version 6.
  
   Anyone done this yet, and is it still compatible with Declude/Imail,
   etc?
  
   David
  
  
   ---
   This E-mail came from the Declude.Virus mailing list.  To
   unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
   type unsubscribe Declude.Virus.The archives can be found
   at http://www.mail-archive.com.
  
  
  
  
   ---
   This E-mail came from the Declude.Virus mailing list.  To
   unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
   type unsubscribe Declude.Virus.The archives can be found
   at http://www.mail-archive.com.
  
  
 
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 
 
 
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 
 
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Version 6

[Douglas Cohn]

F-prot is $50 for 10 licenses per year.  $5 per machine per year.  Version 6

Why is that not still reasonable?

Please explain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Thursday, February 01, 2007 8:33 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Version 6

Changed when they released the new version. About 3 months back. Check the 
archives of this list. We were complaining about it. We dumped using their 
product and just use the AVG built into Declude.



Kevin Bilbee




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, February 01, 2007 3:33 PM
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] F-Prot Version 6
 
 When did their licensing change?  F-Prot used to be extremely
 reasonable.
 
 Don
 
 - Original Message -
 From: Kevin Bilbee [EMAIL PROTECTED]
 To: declude.virus@declude.com
 Sent: Wednesday, January 31, 2007 11:14 PM
 Subject: RE: [Declude.Virus] F-Prot Version 6
 
 
  Read the license. It may be compatible but the licensing is
 expensive.
 
 
  Kevin Bilbee
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
  David Dodell
  Sent: Wednesday, January 31, 2007 7:26 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] F-Prot Version 6
 
  Been using F-Prot version 3 for years ... and now getting notices to
  upgrade to version 6.
 
  Anyone done this yet, and is it still compatible with Declude/Imail,
  etc?
 
  David
 
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 
 
 
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 
 
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.





---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

[Douglas Cohn]

Yes this is plain DUMB.

He should be shot IMO.

Declude should look at this as a way to get people off the list.  More
people leave lists when things like this happen than at any other time.

Douglas Cohn
VP Engineering
Photogra, Inc.
www.photogra.com 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Thursday, January 04, 2007 5:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t

Ok, this makes it over a hundred received this afternoon.

Declude, would you kindly remove him from the list so we don't all get
inundated with more autoreplies?

Also, this is a gentle reminder to be a good list netizen and don't use
autoresponders for addresses that you use to subscribe to lists.  If you
need to use autoresponders, just set up a separate email address for list
subscriptions and don't use one there.

All the best,

Darin.


- Original Message - 
From: roconnor [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:24 PM
Subject: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t


I'm currently on a business trip down south and will be returning January
5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

[Douglas Cohn]

I like both options.

But killing him is also a good idea

Douglas Cohn
VP Engineering
Photogra, Inc.
www.photogra.com 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Thursday, January 04, 2007 6:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t

So - shall we all call that emergency number and ask that he turn off his
vacation notice, or shall we just fake the return address an unsubscribe him
since the Declude staff is not taking action?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Thursday, January 04, 2007 04:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t

75 over 45 minutes.  Dumb...

Darin.


- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:12 PM
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t


I think I received 36 of them.

Andrew.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Craig Edmonds
 Sent: Thursday, January 04, 2007 12:55 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] I'm currently on a business trip
 down south and will be returning January 5th, 2007. If t
 Importance: High


 Is it me or did everyone get this autoresponder about 300 times?

 Kindest Regards
 Craig Edmonds
 123 Marbella Internet
 W: www.123marbella.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of roconnor
 Sent: Thursday, January 04, 2007 9:45 PM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] I'm currently on a business trip
 down south and will be returning January 5th, 2007. If t

 I'm currently on a business trip down south and will be
 returning January 5th, 2007. If this is an emergency please
 call our office at 360.527.9111

 Thanks,
 Rick


 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.



 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Sender.eml was sent even though forging virus?

[Douglas Cohn]

Isn't it better to just remove all the eml files so as to be more of the
solution and less of the problem.

It just seems that is all of us stopped sending eml's that millions of
useless messages would be stopped.

What am I missing?  What value do these messages possibly have?

Doug 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Wednesday, December 13, 2006 1:45 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Sender.eml was sent even though forging virus?

Oh?

I've never had the problem with my external McAfee scanner.

Could this be a problem with Declude's internal AVG scanner?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Wednesday, December 13, 2006 01:11 PM
To: declude.virus@declude.com
Subject: re: [Declude.Virus] Sender.eml was sent even though forging virus?

I've seen similar behavior with viruses found by AVG.


 Original Message 
 From: Andy Schmidt [EMAIL PROTECTED]
 Sent: Wednesday, December 13, 2006 12:42 PM
 To: 'Declude Virus List' declude.virus@declude.com
 Subject: [Declude.Virus] Sender.eml was sent even though forging virus?
 
 Hi,
 
 My sender.eml has the line:
 SKIPIFFORGING
 
 And my virus.CFG has:
 
 AUTOFORGE ON
 
 FORGINGVIRUS Anonymous Driver
 FORGINGVIRUS Antiman
 FORGINGVIRUS  Avril
 FORGINGVIRUS  Bagle
 
 Yet, declude virus just sent the sender.eml for the following details:
  
   File:Unknown File
   Result:  FoundI-Worm/Bagle
   Message ID:[EMAIL PROTECTED]
   Our Domain:Schmidt.AS for Schmidt.AS
   Queue ID:  D324e0153b795.smd
 
 Based on these headers:
 
 -Original Message Headers-
 Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP
   (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
 Date: Wed, 13 Dec 2006 18:03:11 +0100
 To: Andy [EMAIL PROTECTED]
 From: Webmaster [EMAIL PROTECTED]
 Subject: price 13-Dec-2006
 Message-ID: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary=oibzhbgyvnajpcxfwpdt
 
 
 
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com. 





---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

[Douglas Cohn]

Hey stupid me but why not use a file transfer program for transferring files
and not worry about what you block in email.  That is what FTP was invented
for anyway.  If you have any type of Intranet or help desk system you should
have a place that allows users to both upload files and download files.

Email was never designed as a method of transferring files.  Even though it
is used that way all too often.  A Simple web pahe with ASPUpload and
another page with the shared files would solve your issue.  Make it more
complex and set access rights on the files as well.

Just my two cents

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Tuesday, October 11, 2005 1:26 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to
encrypt or password-protect certain emails and/or their attachments that
contain sensitive data.  We're running Declude Pro and have banned EZIP
extensions (the highly recommended suggestion from several people on this
forum), so that kinda rules out PKZIP and any kind of ZIP program (because
as soon as you password-protect a ZIP file, it becomes an EZIP file).  We
looked at PGP, but it seems very complex and seems to require a hardware
proxy in between our mail server and the Net.  Is there a simple and
effective way to encrypt or password protect documents for email
transmission that doesn't cause problems with Imail or Declude and doesn't
require software to be installed on the recipient's end?

Thanks.

Kevin
---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Version 3.0.5.5

[Douglas Cohn]

This is why I always wait for the bleeding edge people to suffer before I
touch anything.  After all the bugs get worked out of it and then 4 or 5
weeks later I will install it.

But without you guys nothing would ever get going.  So thanks.

Diug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, September 30, 2005 11:39 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Version 3.0.5.5

Harry,

The install procedure is being updated.

David Barker
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Friday, September 30, 2005 11:34 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Version 3.0.5.5

Hi David

One almost needs to know less using this method than having to go  and
uninstall the service and then reinstall it

Will you make this file available in this manner in the future or will the
install procedure be updated to help simplify things.

I strive to have the greatest simplicity in operating my servers.  It means
I am spending less time with them and more with my customers.

Thank you

Harry Vanderzand
inTown Internet  Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Friday, September 30, 2005 11:11 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Version 3.0.5.5
 
 Undocumented but here it is for those on the board who know what they 
 are doing.
 
 IMAIL  
 http://www.declude.com/Version/3055/IM/decludeproc3055.exe
 SMARTERMAIL
 http://www.declude.com/Version/3055/SM/decludeproc3055.exe
 
 David Barker
 www.declude.com
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
 Sent: Thursday, September 29, 2005 5:35 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Version 3.0.5.5
 
 Thanks
 
 That's seems like a lot to do for such a simple process.
 
 Is it not just the decludeproc.exe that needs to be replaced? 
  If so then stopping the service, replace the file with the new one 
 and then starting it, would be quicker to do.
 
 Is there anywhere we can get just the new decludeproc.exe?
 
 Harry Vanderzand
 inTown Internet  Computer Services
 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
 519-741-1222
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
  ([EMAIL PROTECTED])
  Sent: Thursday, September 29, 2005 5:15 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Version 3.0.5.5
  
  Harry,
  
  The message on my system just said you need to remove the last 
  version.
  Once I did that and re-ran the update all was well. 
  
  Darrell
  
   
  --
  --
  Check out http://www.invariantsystems.com for utilities for Declude 
  And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
  integration, MRTG Integration, and Log Parsers.
  
  
  Harry Vanderzand writes: 
  
   I downloaded this update

   stopped decludeproc

   ran the update

   got message:  Another version is already running, cannot update

   what's up with that?
 
   
   Harry Vanderzand
   inTown Internet  Computer Services
   11 Belmont Ave. W., Kitchener, ON,N2M 1L2
   519-741-1222
   
 
   
   
 _   
   
   From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
   Sent: Thursday, September 29, 2005 2:53 PM
   To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
   Subject: [Declude.Virus] Version 3.0.5.5
   

   
   Declude Version 3.0.5.5 is available on the website for download. 
   
   There are two changes from version 3.0.5.3
   
 
   
   1.Fix for special character scanning causing 
 abnormal termination.
   Special thanks to John Tolmachoff for identifying and
  helping us fix
   this nasty.
   
   2.For SmarterMail only.  Correctly handle parsing the XML 
  file for the
   email installation path.  
   
 
   
   SY, Bill Billman
   
   Declude
   
 
   
   
   --
   No virus found in this outgoing message.
   Checked by AVG Anti-Virus.
   Version: 7.0.344 / Virus Database: 267.11.7/112 - Release Date: 
   9/26/2005
   
   
   
  
  ---
  This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe,
  just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
  
  
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an 

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

[Douglas Cohn]

Here ya go Matt. The Headers as they come out of the email.  It's like the
pitcher covering his mouth with his glove when talking on the mound.  Old
habits die hard G  Thank you for the detailed info.  It is appreciated.

This is the IP that had been in CBL  216.74.167.74.  And you will see in my
later reply that this IP was listed incorrectly.  IE no virus was ever on
that machine and the mail it detected and determined was a virus smtp engine
was in fact a valid mail verifier program. (But can you really say that  Is
there such a thing as a VALID Mail verifier?  I think not now)

Return-Path: [EMAIL PROTECTED] Sun Jun 12 19:02:39 2005
Received: from photoadmin1.photograsupport.com [64.15.255.100] by
photoimail1.photogra.com with SMTP;
   Sun, 12 Jun 2005 19:02:39 -0400
Received: from mail.inetservers.com [64.15.252.17] by
photoadmin1.photograsupport.com with SMTP;
   Sun, 12 Jun 2005 19:02:06 -0400
Received: from UnknownHost [216.74.167.74] by mail.inetservers.com with
SMTP;
   Sun, 12 Jun 2005 16:00:38 -0400
From: douglas cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Test inetservers
Date: Sun, 12 Jun 2005 16:00:32 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcVviWNwVbHTbsZpSuy0Fh8yTDTA0w==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Declude-Sender: [EMAIL PROTECTED] [216.74.167.74]
X-Declude-Spoolname: 37291275.EML
X-Declude-Scan: Score [10] at 16:00:47 on 12 Jun 2005
X-Declude-Fail: CBL, WEIGHT10
X-Country-Chain: UNITED STATES-destination
X-SmarterMail-Spam: SPF_None
X-Rcpt-To: [EMAIL PROTECTED] 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, June 13, 2005 9:14 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude using CBL to block users sending
mail?

Andrew,

Just to clear up any confusion, this message was sent by Doug through his
own SmarterMail/Declude server, so his IP was the connecting hop and the
DYNA/hop limiting tricks won't have an effect here.

I think it might be valuable if people resisted the temptation of removing
IP's from headers when shared because those that might help out would often
benefit from this information.  Sometimes it doesn't really matter of
course, and Doug did give enough information to figure this out, but the
three received headers were confusing without a careful read.

Matt



Colbeck, Andrew wrote:

Doug, you're probably scoring on multiple hops by setting your HOPHIGH 
in global.cfg ...

If you don't want RBLs to score on multiple hops, just comment out that 
HOPHIGH line.

Alternatively, rename your CBL test to CBL-DYNA (don't forget to change 
the global.cfg definition plus the action line wherever it appears in 
your configuration files (e.g. CBL WARN to CBL-DYNA WARN).

Andrew 8)

p.s. Is your own machine's address on the Internet, or was CBL listing 
an internal, non-routable IP address like 192.168.1.1 ?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Monday, June 13, 2005 5:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Declude using CBL to block users sending 
mail?


My desktop IP was erroneously listed on CBL.  It seems that declude is 
checking autheticated users sending mail for CBL and according to CBL 
this is wrong.  SEE below

Here is the header showing what went on with the actual Ips removed to 
proect the innocent  (ME). But it sure seems that my desktop machine is 
the one being checked and shown as on CBL.  Had 10 points been enough I 
would not have been able to send mail.  The ONLY address within the 
below HEADER that was actually listed in the CBL is the HOST machine 
sending the email. NOT the MAIL servers but MY DESKTOP of which I am an 
authenticated sender.

Why would declude check an authenticated sender on the CBL list?

This all started because Smartermails SPAM does NOT check the 
authenticated senders and this is what confused me intially.  IE I 
thought Smartermails SPAM was not working properly on another server 
where I do NOT have declude ANTISPAM installed.  BUT as you see 
according to CBL it should NOT detect CBL on an autheticated senders IP.

According to CBL this is not how the list is designed.


Return-Path: [EMAIL PROTECTED] Sun Jun 12 18:35:56 2005
Received: from forwardeddestinationmailserver [123.123.123.123] by 
forwardeddestinationmailserver with SMTP;
   Sun, 12 Jun 2005 18:35:56 -0400
Received: from decludesmtpserver [456.456.456.456] by 
destinationmailserver with SMTP;
   Sun, 12 Jun 2005 18:35:20 -0400
Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver 
with SMTP;
   Sun, 12 Jun 2005 18:34:59 -0400
From: douglas cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Test cbl
Date: Sun, 12 Jun 2005 18:34:52 -0400
MIME-Version: 1.0
Content-Type: text

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

[Douglas Cohn]

 to drop scores of such
tests, and the net result of this would be trapping more spam with fewer
false positives if you weight things optimally.

Matt



Douglas Cohn wrote:

My desktop IP was erroneously listed on CBL.  It seems that declude is
checking autheticated users sending mail for CBL and according to CBL this
is wrong.  SEE below

Here is the header showing what went on with the actual Ips removed to
proect the innocent  (ME). But it sure seems that my desktop machine is the
one being checked and shown as on CBL.  Had 10 points been enough I would
not have been able to send mail.  The ONLY address within the below HEADER
that was actually listed in the CBL is the HOST machine sending the email.
NOT the MAIL servers but MY DESKTOP of which I am an authenticated sender.


Why would declude check an authenticated sender on the CBL list?

This all started because Smartermails SPAM does NOT check the authenticated
senders and this is what confused me intially.  IE I thought Smartermails
SPAM was not working properly on another server where I do NOT have declude
ANTISPAM installed.  BUT as you see according to CBL it should NOT detect
CBL on an autheticated senders IP.

According to CBL this is not how the list is designed.


Return-Path: [EMAIL PROTECTED] Sun Jun 12 18:35:56 2005
Received: from forwardeddestinationmailserver [123.123.123.123] by
forwardeddestinationmailserver with SMTP;
   Sun, 12 Jun 2005 18:35:56 -0400
Received: from decludesmtpserver [456.456.456.456] by destinationmailserver
with SMTP;
   Sun, 12 Jun 2005 18:35:20 -0400
Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver with
SMTP;
   Sun, 12 Jun 2005 18:34:59 -0400
From: douglas cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Test cbl
Date: Sun, 12 Jun 2005 18:34:52 -0400
MIME-Version: 1.0
Content-Type: text/plain;
   charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcVvnvNNt9F+fMW3RTWO2wS4w3LH6A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Declude-Sender: [EMAIL PROTECTED] [IPinCBL=MY DESKTOP]
X-Declude-Spoolname: 37296653.EML
X-Declude-Scan: Score [10] at 18:35:09 on 12 Jun 2005
X-Declude-Fail: CBL, WEIGHT10
X-Country-Chain: UNITED STATES-destination
X-SmarterMail-Spam: SPF_None
X-Rcpt-To: [EMAIL PROTECTED]


http://cbl.abuseat.org/

We're getting a lot of reports of spurious blocking caused by sites using
the CBL to block authenticated access to smarthosts / outgoing mail
servers.
THE CBL is only designed to be used on INCOMING mail, i.e. on the hosts
that
your MX records point to.

If you use the same hosts for incoming mail and smarthosting, then you
should always ensure that you exempt authenticated clients from CBL checks,
just as you would for dynamic/dialup blocklists.

Another way of putting this is: Do not use the CBL to block your own
users.

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

[Douglas Cohn]

 Now to my final question and the reason all of this happened.

Imagine you work for developers that have an opted in mailing list with
close to a million email addresses.  Valid opted in users.  When someone
opts out they are removed.  They can email opt out, they can even call the
office and opt out, all legit.

BUT over the years none of the bunk email addresses were ever cleaned from
the list. (As I said opt outs are removed).  Additionally in the early days
email formation validity was not even checked so there may be addresses
without an @ sign or addresses with @@@ etc etc etc.

So the goal was two fold.  

1. Correct the process so future newsletters that are sent process the
bounces properly and remove any email addresses associated with hard
bounces.
2. Run the current list through some kind of email verification program to
avoid sending 1,000,00 extra emails over the course of the next few months
as additional newsletters go out.  They do NOT go out often, maybe 6 or 8
per year which helps the list remain valid.  They are not spammers.  Hence
the issue.  How do you clean such a list?

I tried Advanced maillist verifier AMV). Advanced Email verifier (AEV) and
BulkVerifier.

Now all of these programs seem like they may work but they get your ips in
trouble.  Furthermore what struck me as very odd is all of them are at least
2 years old at a minimum and no further dev has been done on them since.
This led me to believe the obvious.  You simply cannot use these programs
anymore in today's environment.

That said I would like something that could at least look at the address and
verify that it indeed created correctly and then verify that the domain is a
valid mail domain.

I played with DIG and DIG does return the info for you to determine if the
domain is valid but it requires a lot of work to write a routine that would
correctly validate the domains.  I was using 

Dig domainame MX

The problem is the return codes are not very easy to work with.  It's not
like I get a different errorlevel returned based on whether the domain has a
valid MX record or not  (which would be nice).

Any ideas are appreciated.

Regards

Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, June 13, 2005 11:34 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude using CBL to block users sending
mail?


- Original Message -
From: Matt

 So it would be possibly useful in this case, but again, solving the 
 issue that created the CBL listing is the most direct route, and less 
 dependencyon any particular test by adding something like Sniffer and 
 reducing weights on such things I think is still the best overall 
 solution.

Not to mention that anything done to reduce the weight of messages into you
own system does nothing to control how others may be using CBL to weight or
block spam coming into their systems.  So as Matt said, the best thing to do
is correct whatever issue got you listed in the first place, and then focus
your efforts on getting the listing removed.

Bill 

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Declude using CBL to block users sending mail?????

[Douglas Cohn]

My desktop IP was erroneously listed on CBL.  It seems that declude is
checking autheticated users sending mail for CBL and according to CBL this
is wrong.  SEE below

Here is the header showing what went on with the actual Ips removed to
proect the innocent  (ME). But it sure seems that my desktop machine is the
one being checked and shown as on CBL.  Had 10 points been enough I would
not have been able to send mail.  The ONLY address within the below HEADER
that was actually listed in the CBL is the HOST machine sending the email.
NOT the MAIL servers but MY DESKTOP of which I am an authenticated sender.  

Why would declude check an authenticated sender on the CBL list?

This all started because Smartermails SPAM does NOT check the authenticated
senders and this is what confused me intially.  IE I thought Smartermails
SPAM was not working properly on another server where I do NOT have declude
ANTISPAM installed.  BUT as you see according to CBL it should NOT detect
CBL on an autheticated senders IP.

According to CBL this is not how the list is designed.


Return-Path: [EMAIL PROTECTED] Sun Jun 12 18:35:56 2005
Received: from forwardeddestinationmailserver [123.123.123.123] by
forwardeddestinationmailserver with SMTP;
   Sun, 12 Jun 2005 18:35:56 -0400
Received: from decludesmtpserver [456.456.456.456] by destinationmailserver
with SMTP;
   Sun, 12 Jun 2005 18:35:20 -0400
Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver with
SMTP;
   Sun, 12 Jun 2005 18:34:59 -0400
From: douglas cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Test cbl
Date: Sun, 12 Jun 2005 18:34:52 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcVvnvNNt9F+fMW3RTWO2wS4w3LH6A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Declude-Sender: [EMAIL PROTECTED] [IPinCBL=MY DESKTOP]
X-Declude-Spoolname: 37296653.EML
X-Declude-Scan: Score [10] at 18:35:09 on 12 Jun 2005
X-Declude-Fail: CBL, WEIGHT10
X-Country-Chain: UNITED STATES-destination
X-SmarterMail-Spam: SPF_None
X-Rcpt-To: [EMAIL PROTECTED]


http://cbl.abuseat.org/

We're getting a lot of reports of spurious blocking caused by sites using
the CBL to block authenticated access to smarthosts / outgoing mail servers.
THE CBL is only designed to be used on INCOMING mail, i.e. on the hosts that
your MX records point to.

If you use the same hosts for incoming mail and smarthosting, then you
should always ensure that you exempt authenticated clients from CBL checks,
just as you would for dynamic/dialup blocklists.

Another way of putting this is: Do not use the CBL to block your own
users.

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot update

[Douglas Cohn]

They always said it!!

Here's the previous update notice


We recommend that users of F-Prot Antivirus for Windows update their programs 
to version 3.16b as soon as possible.
Please visit our update center to update your program 
now:


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of J 
PorterSent: Thursday, June 09, 2005 2:14 PMTo: 
Declude.Virus@declude.comSubject: [Declude.Virus] F-Prot 
update

I received 
a notice for 3.16c update from Frisk.I don't recall it being normal for 
them to recommend updating ASAP.Anyone tried it yet?~Joe 

RE: [Declude.Virus] Second Scanner

[Douglas Cohn]

Mcafee is a CPU HOG.  Uses double the CPU of Fprot.  I have a low powered
machine and cannot even run Mcafee but fprot is no problem.  Both is unreal.

This is the mcafee command line scanner.  The declude archive includes a
Wget updater that works fine.  I use a 4NT update script but the Wget is
probably better I have just been too lazy to change it back.

Of course you will not that the Website clearly states you are required to
have a license to mcafee before you use this code which is readily available
to all.  You can also download the daily dats which are considered BETA
quality but that's fine with me.  Unluckily I do not use the with declude
because smartermail and mcafee are just more than the measly server I have
this one can handle.  Luckily Smartermail and fprot are working just fine
with declude and I have nothing to complain about  (ESPECIALLY SINCE I GOT
RID OF THAT IMAIL --- Blech).

Here is a mcafee command line scanner. ftp://ftp.nai.com/CommonUpdater/

Download the latest superdat (sdat.exe) file from the Network Associates
ftp site.
Now you must unpack it using the /e parameter. From the mcafee folder, run
sdat.exe /e (where  is the version number, for example
sdat4290.exe). When unpacking you don't see anything happen for about 20
seconds, just wait for it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 02, 2005 6:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Second Scanner

Matt posted speed comparison's I'd say about a year ago.

I use F-Prot
ClamAV
and McAfee

- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 4:50 PM
Subject: [Declude.Virus] Second Scanner


I know this comes up every now and then, but the last thread I can
 find is from May 2004.
 
 I was interested in what folks were using as a second scanner aside
 from F-Prot. I've heard AVG is good but slow, Kaspersky fast with
 updates but expensive, MacAfee good but hard to get a command line.
 
 I thought someone had posted some stats about this but can't find
 them. Any suggestions?
 
 -- 
 Best regards,
 David  mailto:[EMAIL PROTECTED]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Orphaned eml files SMARTERMAIL current DECLUDE 206

[Douglas Cohn]

 It was been about 2 weeks since I reported this issue and I just found
files in my proc dir again even though I upgraded to the version you told me
to use below.

I was under the impression this version [2.0.6.10 (or higher) incremental
release;], as stated by you, resolved the issue.  Yet it does nothing of the
sort.  I see no difference between this and what was happening before.  I
must still manually move the messages back to have them get processed.

Why can't you do something in the meantime until you find a solution.  Do
something meaning make sure the files do not end up in the proc dir.  Or at
least tell us the truth so I downgrade to 205 where the issue does not
occur.  That I had to discover this myself is very distressing.

I agree you have been more proactive but this is till upsetting.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ralph Krausse
Sent: Wednesday, May 11, 2005 9:39 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Orphaned eml files SMARTERMAIL current DECLUDE
206

A few customers have reported similar issues with orphaned eml files and we
are working on a resolution. In the meantime we would recommend implementing
the 2.0.6.10 (or higher) incremental release; it does not run the routine to
reprocess email. 

Declude Engineering



-- -Original Message-
-- From: [EMAIL PROTECTED] [mailto:Declude.Virus-
-- [EMAIL PROTECTED] On Behalf Of Douglas Cohn
-- Sent: Tuesday, May 10, 2005 9:01 PM
-- To: Declude.Virus@declude.com
-- Subject: [Declude.Virus] Orphaned eml files SMARTERMAIL current DECLUDE
-- 206
--
-- I have orphaned hdr files in my spool directory like this
--
-- C:\SmarterMail\Spool\62298363.~DR
--
-- Then I found this in proc
--
-- C:\SmarterMail\Spool\proc\62298363.EML
--
-- Has anyone else seen this?
--
-- Doug
--
-- ---
-- [This E-mail scanned for viruses by Declude Virus]
--
--
-- ---
-- This E-mail came from the Declude.Virus mailing list.  To
-- unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
-- type unsubscribe Declude.Virus.The archives can be found
-- at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Orphaned eml files SMARTERMAIL current DECLUDE 206

[Douglas Cohn]

I have orphaned hdr files in my spool directory like this

C:\SmarterMail\Spool\62298363.~DR

Then I found this in proc

C:\SmarterMail\Spool\proc\62298363.EML

Has anyone else seen this?

Doug

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] ALLOWVULNERABILITIES Directive

[Douglas Cohn]

THANK YOU FOR THE Participation in the 
forum!!!


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ralph 
KrausseSent: Wednesday, May 04, 2005 9:11 AMTo: 
Declude.Virus@declude.comSubject: [Declude.Virus] 
ALLOWVULNERABILITIES Directive


We are currently 
looking into a possible issue with this directive. We will be shortly releasing 
a incremental version with some enhancements and fixes. If ALLOWVULNERABILITIES 
does have an issue, it will be dealt with and 
documented.

Thank 
you
Declude Development 

RE: [Declude.Virus] f-prot update script

[Douglas Cohn]

 This update is the worst method IMO  (The one referenced in the link here).
I used to update every hour and using this I would find the machine with the
updater hung on the screen timed out at least once a week.

W2K Server SP4.  What OS are you using it on where it does NOT create
issues?

I started writing a simple updater using 4NT copy /u which copies across
anonymous ftp and http links and only copies new files.  Perfect but then I
read somewhere that fprot has no FTP updates available anymore so I rewrote
the one for Mcafee command line instead since I do not have the full version
installed on this machine and do not want to install the full version.

The script pulls the superdat expands it and then the daily dat.

I could not get the wget Mcafee script from the Declude links to work for
long either.  Wget got corrupted after 2 days saying it was not a valid
win32 application.  Those links on the Declude site should be removed as
that stuff does not work anymore.

4NT from Jpsoft is simply the best tool for the job anyway.  That and unzip
from infozip and it is done.

DC
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, May 02, 2005 11:21 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Daniel,
Give this a try:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

-Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script

I have tried using this script.  I keep getting an error referring to
wget.exe and it doesn't update F-Prot.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]

-Original Message-
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and
its virus definitions (old version here), and a Cygwin version, and a
complete .ZIPed version. Finally, a Simple version!




 Goran Jovanovic
 The LAN Shoppe



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Daniel Ivey
 Sent: Monday, May 02, 2005 9:52 AM
 To: 'Declude.Virus@declude.com'
 Subject: [Declude.Virus] f-prot update script

 Does anyone have an f-prot update script that they wouldn't mind
sharing?
 I
 have tried one that I found, but never could get it to work.  Any help
is
 appreciated.

 Thanks,
 Daniel

 ===
 Daniel Ivey
 GCR Company / GCR Online
 Voice:  434 - 570 - 1765
 Fax:434 - 572 - 1981
 [EMAIL PROTECTED]

 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]



---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Who is minding the store

[Douglas Cohn]

 Plus, if they actually integrate our feedback, we'll buy the support
agreement in order to download the latest fruits of our labor. :)

Yes that is a key point and the reason I always rushed out to renew in the
past.

I sent this email because now I am not so sure.  And I know others that have
the same feelings.  Renew or not renew.  I was told the company would be run
in the same high quality manner as before.  Clearly that is not the case.
Without knowing the coders know their stuff relating to spam it is quite
risky to take the chance with such a small company.  We knew Scott was the
best, who are the people that took over the reins and what credentials do
they have.  I mean Symantec cannot do it right and I should trust someone
who won't participate in their own forums?

If Scott would chime in here and say  DON'T worry Doug these people know
their stuff, you are in good hands.  I would order a renewal.  But he left.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
Sent: Sunday, May 01, 2005 5:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Who is minding the store

Douglas Cohn wrote:

Using this forum for support is certainly less expensive to the company

... unless you're charging for support, then it could be viewed as a losing
proposition to assist in free support. I fear this may be the mindset. This
view, is, of course, entirely wrong; as you mentioned, our RD feedback is
very valuable-worth more than a support contract. Plus, if they actually
integrate our feedback, we'll buy the support agreement in order to download
the latest fruits of our labor. :)
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]



---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Is this sort of stuff necessary on a list?

[Douglas Cohn]

Or even allowed on a list

What many lists I belong to help avoid this is disallow any reposting of the
footers.  That way an automated process like this would never get through.
It requires the users posting, us, to cut off the footers manually but that
keeps the lists mean and lean.  Initially I hated it but they are right.
They do not allow HTML and they allow no footers and it works well.

Jpsoft.com is one such list

DFC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Monday, May 02, 2005 2:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Is this sort of stuff necessary on a list?

Hahaha.. Yeah, I agree.


- Original Message -
From: Chuck Schick [EMAIL PROTECTED]
To: Declude. Virus Declude.Virus@declude.com
Sent: Monday, May 02, 2005 2:49 PM
Subject: [Declude.Virus] Is this sort of stuff necessary on a list?


I posted to list about a virus problem then I get this stupid (IMHO)
challenge-response stuff.  If everyone did this on all the lists I belong to
- I would do a posting and then spend the next 3 days answering all the
challenge-responses.  I think I will report this as spam.

Dear Greg Hedgepath - get a clue.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com



Dear Chuck,

Thanks for your email, but at this point I have NOT actually received your
message because I have implemented a challenge-response based anti-spam
solution.  Before I can receive your message you must respond in ONE of the
ways outlined below.

---
CLICK ON THE URL
---
Visit the following URL and follow the simple instructions.  When you do
this I will receive the message you sent and ALL future messages.

http://spambot.ahphosting.net/?key=6811e93e.42766ac2.5a637c50

If the above URL does not appear all on one line, copy and paste it into
your browser's address bar.

PLEASE NOTE: If you receive an error message when attempting to visit the
above URL, it is very likely that your network is not allowing you to visit
my confirmation page.  If this is the case, contact your network
administrator for help, or contact me by telephone.

You will not have to do this again.


---
REPLY TO THIS MESSAGE
---
Simply reply to this email message ensuring the subject of your reply
contains the subject of this message.  When your reply arrives I will
receive your ORIGINAL message and all FUTURE messages.

Or as an alternate method follow these instructions:


If you do not respond within 7 days, your message will be DELETED and I will
not be able to receive messages from you in the future.

I apologize for this small one-time inconvenience, but I have been forced to
implement this challenge-response based anti-spam solution to eliminate 100%
of the spam I receive, and it really works!

To learn more about the software I am using to stop spam, please visit
http://www.Zaep.com/.  Zaep has stopped 100% of all the spam messages I was
receiving every day.

Thank you,

Greg Hedgepath


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com


---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]



---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Who is minding the store

[Douglas Cohn]

What I find very odd is where is declude technical participation on this
list?  Since Scott left I see no SOLID ANSWERS to many questions.  Answers
that often came from Scott.  I surely understand that there are many very
skilled programmers, technicians and network managers that are all
communicating on this forum BUT is simply not the same without Scott or his
replacement.  Not the same in a very important sense though. It seems to me
that declude is no longer learning anything from this forum and while it may
serve the purpose for some users I fear that the information being posted
here no longer has that Perry seal of approval.  

What I mean by that is if someone said something that was simply wrong Scott
would debate the response and show why it was wrong. Since, as you all know,
many posters are extremely skilled technicians and their answers are taken
as fact and many times they are fact.  But it only requires one piece of
misinformation to wreck a server

So again I ask where is declude and why are they not participating in this
forum.  I have this feeling in my gut that EVERYTHING that is done is based
on the direct  return.  While that is completely understandable in any
business venture decisions like this should be thought about very carefully.
While it may appear like a loss to pay programmers and skilled support
people to read through every email and debate the responses the final
outcome should result in the same outcome Scott got from it.  That is a more
refined product that works better and is field tested and field proven.
PLUS the reality that many people used these forums as their sole route to
support.  Using this forum for support is certainly less expensive to the
company and more conducive to better results since 2 heads are better than
one and so on (3 are better than 2).  For a second just now I got the
feeling that maybe they do not want to give away support since it is NOT
required to have an active support contract to be on this list. If that is
the reason than it is just another reason to look for another company for
Spam and Virus protection on my mail server.  The software was purchased
originally and forum support is almost always available to all users
especially those without support contracts.  The support contract should add
access to updates and direct phone support.

Scott handed the new owners a built in RD Department full of many very
skilled professionals willing to assist at no charge so they can get the
best product available.  From what I see no effort has been made to make use
of it and every day that goes by more key people are dropping off and losing
faith in declude.  In the end everyone suffers.  This should have been
looked at as one of the most valuable support resources included in the deal
and ignoring it is plain dumb (sorry but there is no better word).

How can I have any faith in declude's stability going forward?  Considering
this what do the rest of you have to say?

I am NOT saying declude software is not doing a good job right now since I
am running 1.82 but after 1.82 what will there be?  Who is writing the code
and why would any of us trust that code?  If they would communicate on the
list we could see what we are dealing with and if they are not up to snuff
YET they can continue communicating and probably get there.  If not then
they were not suited for the job anyway and again Declude as a company has
used this forum to improve their company.

I would like to see declude answer this post on the list and of course
without starting an argument since that is the furthest thing from my mind.
While I may not be overjoyed in losing Scott from this list I really do NOT
KNOW how things stand at this company. That is common for many companies but
declude was different which made it an Excellent company to do business
with.  I do not believe that the only way to get that excellence is by
getting Scott back.  I believe that they can follow that formula and attain
the same success in excellent product development and support.

JUST MY TWO CENTS, what are your thoughts on this very important, very
appropriate subject.

***NOTE: PLEASE CORRECT ME IF I AM WRONG. I AM QUITE AWARE I MAY BE
COMPLETELY LOST AND HAVE NO IDEA WHAT I AM TALKING ABOUT. IF THAT IS TRUE
PLEASE SHOW ME WHERE I AM WRONG.  I am a big boy and very willing to admit
being wrong if I a have stated anything that is false. 

Regards,

Doug

---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Skipifforging not working on Mytob

[Douglas Cohn]

The only other difference is that I'm using SmarterMail.

That cause your Smarter.  The difference between SmarterMail and Imail is
just unreal.  It is like the difference between breathing and having a
plastic bag over your head.  Imail always sucked but I lived with it because
I owned a copy from a previous business venture and Declude worked great.  I
cannot imagine what anyone else's excuse is G  but I am sure they exist
and are valid as well.

But Smartermail is so much faster, smoother nicer need I say more. It also
does not choke on every little thing that pounds the server.

Dump Imail and be glad you did.

Just my 1 cent.

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry
Sent: Friday, April 15, 2005 12:53 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Skipifforging not working on Mytob

I have also been experiencing this, for over a week. I'm only using F-Prot,
but have added the appropriate lines to eml and virus.cfg files as John has.
The only other difference is that I'm using SmarterMail.

Shayne


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
 Sent: Friday, April 15, 2005 10:48 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Skipifforging not working on Mytob
 
 
 Shortly after adding ClamAV to the Imail Server a few days ago, my 
 system started sending virus notices on Mytob (and so far, only Mytob) 
 even though I have SKIPIFFORGING in the sender.eml, recip.eml and 
 postmaster.eml, plus I have Mytob in the list of forging viruses in 
 the virus.cfg. In the virus log lines below, scanner 1 is F-Prot and 
 scanner 2 is ClamAV.
  The timing to the addition to ClamAV may be only a coincidence.
 
 Any ideas about what's happening?
 
 Thanks,
 John
 
 Notice lines: 
 ==
 Declude Virus 2.0.5 caught a incoming virus
 
 Subject: hello
From: [Forged] 
  To: [EMAIL PROTECTED]
  Msg ID: [EMAIL PROTECTED]
  Queue#: D74590703010e25a9.SMD
   Remote IP: 63.197.109.187
 Virus Name/File: W32/[EMAIL PROTECTED]  data.zip
 
 postmaster.eml
 ==
 SKIPIFFORGING
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: E-mail virus notice
 
 Declude Virus %VERSION% caught a %INOROUT% virus
 
 Subject: %SUBJECT%
From: %MAILFROM% 
  To: %ALLRECIPS%
  Msg ID: %MSGID%
  Queue#: %QUEUENAME%
   Remote IP: %REMOTEIP%
 Virus Name/File: %VIRUSNAME%  %VIRUSFILE%
 
 Headers:
 %HEADERS%
 
 Virus log lines: 
 
 04/15/2005 02:59:36 Q74590703010e25a9 Banning .ZIP file with exe 
 extension. 04/15/2005 02:59:36 Q74590703010e25a9 Scanner
 1: Virus=W32/[EMAIL PROTECTED] Attachment=data.zip [36] I
 04/15/2005 02:59:37 Q74590703010e25a9 Scanner 2: Virus=
 Worm.Mytob.T-2 Attachment=data.zip [36] I 04/15/2005 02:59:37
 Q74590703010e25a9 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 1]
 04/15/2005 02:59:37 Q74590703010e25a9 Deleting file with virus 
 04/15/2005 02:59:37 Q74590703010e25a9 Deleting E-mail with virus! 
 04/15/2005 02:59:37 Q74590703010e25a9 Scanned:
 CONTAINS A VIRUS [MIME: 2 58859] 04/15/2005 02:59:37
 Q74590703010e25a9 From: [Forged] To: [EMAIL PROTECTED] [incoming 
 from 63.197.109.187] 04/15/2005 02:59:37
 Q74590703010e25a9 Subject: hello
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]



---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Current Stable Declude manual install IMAIL only

[Douglas Cohn]

What is the current stable Declude version for IMAIL systems?

Is there still a version that allows manual updating of declude.exe?  Of
course a legally licensed copy I refer to only.

Doug 

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Mcaffee commandline scanner is it really free with updates??

[Douglas Cohn]

I am confused.

I have recently found the Mcaffee command line scanner on several freeware
apps.  Is it free?  They claim everything on their site is 100% legit.

Additionally they even explain how to update it using the superdat.  

Is it too old to be properly effective??  Not the signatures but the engine
of course.

What is missing from the rendition of the commandline scanner because I know
nothing in life is free!!

Thanks

DC

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] What's the IFrame vulnerability

[Douglas Cohn]

This may help

http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob McGregor
Sent: Thursday, December 02, 2004 1:06 PM
To: Declude-List
Subject: [Declude.Virus] What's the IFrame vulnerability

Just wondering if someone can explain what the HTML / IFrame @ expl capture
from f-prot is?

is it a vulnerability or worse?

thanks, bob




---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Issues with F-prot 3.16 or not?

[Douglas Cohn]

OOOPs

Just got this.


FRISK Software has released version 3.16a of F Prot Antivirus for Windows. 

More information on this release can be found on our
website:
http://www.f-prot.com/news/gen_news/041124_release_win316a.html

We recommend that users of F-Prot Antivirus for Windows update their
programs to version 3.16a as soon as possible



==
 I see a lot of posts surrounding F-prot 3.16.

I have not updated my server yet.  Is there an issue with it and declude?

Should the fpcmd.exe line be changed from prior to 3.16?  (Scott?)

One thing I do notice when using the desktop scanner version of 3.16.  It
detects Word macros as viruses much more frequently.  It also detects
several utility programs as viruses that neither previous versions of F-prot
nor Norton Corp 8.0 were detecting before.


Zebra's printer driver---

C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary
Internet Files\Content.IE5\K52VK16B\ZNetUtil.zip  could be an archive bomb


MSDN downloads

D:\CD
Flat\msdn-extract\sms20sp3enu.exe-SP3enuCD/SMSSETUP/NETMON/ALPHA/McSvcps.dl
l  could be a corrupted executable file D:\CD Flat\W2K Server
Reskit\W2KRESKIT\APPS\CRYSTAL\DISK12\CRWEXE.00_-(PackWord)  could be a
corrupted executable file D:\CD Flat\W2K Server
Reskit\W2KRESKIT\APPS\CRYSTAL\DISK4\CRPEDLL.00_-(PackWord)  could be a
corrupted executable file Scan settings:

Safe tools.

E:\storage\Foundstone\udpflood.zip-udpflood.exe  is a destructive program
Virus-infected files in archives cannot be disinfected.
E:\storage\InfoZip\Wiz.exe  could be a corrupted executable file The
scanning was aborted by the user, with infected or suspicious 

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Server Virus Scanners

[Douglas Cohn]

F-prot seems to work fine for on-demand for me but I do not have any have
excel and word uploaded files.

I figured since I had to buy a 10 machine license might as well make some
use out of it.  There is still an issue with the auto updater occassionally
timing out though so I use batch files to update it.  From the last I
checked F-prot was faster and they release sigs sooner than most other AV
companies.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Lawrence
Sent: Friday, November 12, 2004 8:28 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Server Virus Scanners

I am about to setup a new server and I was previously using Trend Micro's
Server Protect on my other servers. I was wondering what others were using
for their on-demand scanner. I'm already using F-Prot for my command line
scanner with Declude, but I also need to have a server class scanner for
uploaded files. This box is a web server and my clients upload word and
excel files to the system. I want to be able to scan those immediately.

The reason I ask about a different scanner than Trend is that my service
agreement with them has expired and their marketing practices is forcing me
to buy a whole new product instead of using my existing copy. So, I wanted
to explore some other options before succumbing.

Thanks,

Dean

--
__
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381 http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Server Virus Scanners

[Douglas Cohn]

Ignore my previous post about F-prot on your server.  It will not suffice if
you need to exclude certain folders from being scanned as I have found no
method that allows that yet.

As you know it is lightweight cannot be optimized to ignore specific
folders.  For servers that are not accessed by end users I find it more than
appropriate but if users are constantly uploading files it is not the
correct product.  Sorry for wasting time.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Lawrence
Sent: Friday, November 12, 2004 8:28 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Server Virus Scanners

I am about to setup a new server and I was previously using Trend Micro's
Server Protect on my other servers. I was wondering what others were using
for their on-demand scanner. I'm already using F-Prot for my command line
scanner with Declude, but I also need to have a server class scanner for
uploaded files. This box is a web server and my clients upload word and
excel files to the system. I want to be able to scan those immediately.

The reason I ask about a different scanner than Trend is that my service
agreement with them has expired and their marketing practices is forcing me
to buy a whole new product instead of using my existing copy. So, I wanted
to explore some other options before succumbing.

Thanks,

Dean

--
__
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381 http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Updater timing out?

[Douglas Cohn]

I believe the updater is just very poorly written because I see this happen
all the time on brand new systems that run XP SP2, W2k SP4, etc etc. With
and without KVM's.

The solution unlunkily is to use one of the batch files.  I believe they
simply do not have enough bandwidth at F-prot and the application does not
handle timeouts properly.  It should gracefully die and try again in 5
minutes but it does not.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joey Proulx
Sent: Thursday, November 04, 2004 11:03 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot Updater timing out?

I'm running Declude 1.81 with F-Prot.  It's on my NT 4.0 mail server, which
is one of five servers we have, running on a Hawking Technology KVM.  Screen
saver set to go on after 5 minutes, but no hibernation or standby.  I have
F-Prot set to look for updates hourly...and lately I'll check the mail
server and find this:
---
Updater - An Error Occurred
Failed to retrieve information about available updates.
System Error - the operation timed out.

Please check if your internet connection is working and try again.
---
This seems to happen when the KVM is set to another server (shouldn't even
affect it at all) and the mail server goes without human contact for a
while.  If I'm sitting at the mail server doing work, I'll see the updater
popup on the screen and do its thing.  This concerns me.  Sometimes I'll
check the server and see that message, then manually go in and check for
F-Prot updates, and there will be some available for download.  What if I
was out for the week?  Who knows what would get through in that amount of
time...

Any ideas as to what this could be?  There are no f-prot errors in the Event
Viewer, and no connection lapses

Joey Proulx
SAU #21 Technology Support Staff
2 Alumni Drive
Hampton, NH 03842
(603) 926-8992, ext 115
[EMAIL PROTECTED]


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] IpSwitch Collaboration Suite Yearly renewal costs up to $4995 per server per year

[Douglas Cohn]

These are not maintenance fees but cross grade.

It's only 10 TIMES the cost of the current renewal for an Unlimited version
of Imail.

HAHAHAHA

We are dumping IMAIL within the next year.  It is mopre than Exchange as far
as I'm concerned.  About triple the price for small in house corporate
deveopers that use MSDN versions for their in house stuff.

For ISPs you would have to be insane to use their crap.  I mean come on.
Imail was always crap but with Declude it sufficed.  For these prices it is
simply insane.

There are plenty of products priced like the old Imail (and cheaper) and I
am sure declude will be supporting one of them shortly if not already.  Plus
the alternates I have seen are definitely better than Imail (but that is not
saying much really)

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Wednesday, November 03, 2004 5:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] IpSwitch Collaboration Suite Yearly renewal
costs up to $4995 per server per year

FYI for anyone who is contemplating going to the new version of Ipswitch's
collaboration suite it looks like their yearly renewal prices are going to
be about as much as the initial upgrade costs, I received the below email
from IPswitch.  It has been a bit since IpSwitch made their announcements re
the collaboration suite, what is everyone else doing in regard to this?  I
am still up in the air here, but leaning further and further away from
IPswitch I think.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 2:38 PM
Subject: RE: Ipswitch Service Agreement Status

 Jim,

 I apologize for our delay in response. Mary is out of the office today 
 and I wanted to get back to you. Below are the prices we have 
 currently for subsequent renewals of ICS.
 The price depends on which level/version you cross grade to, for the ICS.
 Below are the current renewal prices.

 25 User Standard Edition $ 375 Premium Edition $ 449 100 User Standard 
 Edition $995 Premium Edition $ 1295 250 User Standard Edition $1495 
 Premium Edition $ 2695 Unlimited User Standard Edition $2995 Premium 
 Edition $ 4995

 Please let me know if I may further assist you.
 Thank you

 Traci Casparius
 Service Sales Coordinator
 Ipswitch, Inc.
 (P)781-676-5773
 (F)781-676-5710
 [EMAIL PROTECTED]



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Updater timing out?

[Douglas Cohn]

I was not saying the batch files are bad, on the contrary they do work
perfectly.  It is the dumb updater that sucks.  But that brings up a good
point.  If the issue is F-prot bandwidth why do the batch files always
complete successfully???  ODD.

I also use the batch files on my servers.  Users desktops can deal with the
occassional hung updater because the users are there to click.

Additionally the f-prot updater requires a user login which is insane.  We
had issues even when using it via the scheduler.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, November 05, 2004 7:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot Updater timing out?

Batch file FTP scripts work great.  Very reliable and we never have an issue
with updates taking very long by not doing them on the hourjust takes a
few seconds.

Darin.


- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 7:01 PM
Subject: RE: [Declude.Virus] F-Prot Updater timing out?


I believe the updater is just very poorly written because I see this happen
all the time on brand new systems that run XP SP2, W2k SP4, etc etc. With
and without KVM's.

The solution unlunkily is to use one of the batch files.  I believe they
simply do not have enough bandwidth at F-prot and the application does not
handle timeouts properly.  It should gracefully die and try again in 5
minutes but it does not.

Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joey Proulx
Sent: Thursday, November 04, 2004 11:03 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot Updater timing out?

I'm running Declude 1.81 with F-Prot.  It's on my NT 4.0 mail server, which
is one of five servers we have, running on a Hawking Technology KVM.  Screen
saver set to go on after 5 minutes, but no hibernation or standby.  I have
F-Prot set to look for updates hourly...and lately I'll check the mail
server and find this:
---
Updater - An Error Occurred
Failed to retrieve information about available updates.
System Error - the operation timed out.

Please check if your internet connection is working and try again.
---
This seems to happen when the KVM is set to another server (shouldn't even
affect it at all) and the mail server goes without human contact for a
while.  If I'm sitting at the mail server doing work, I'll see the updater
popup on the screen and do its thing.  This concerns me.  Sometimes I'll
check the server and see that message, then manually go in and check for
F-Prot updates, and there will be some available for download.  What if I
was out for the week?  Who knows what would get through in that amount of
time...

Any ideas as to what this could be?  There are no f-prot errors in the Event
Viewer, and no connection lapses

Joey Proulx
SAU #21 Technology Support Staff
2 Alumni Drive
Hampton, NH 03842
(603) 926-8992, ext 115
[EMAIL PROTECTED]


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.56 released

[Douglas Cohn]

Plugs into Declude Virus???  

How does it do that or was this intended for the Declude JunkMail  list not
the Virus list 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
Sent: Tuesday, November 02, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] ANN: SPAMC32 (SpamAssassin SPAMC for Declude)
0.5.56 released

All,

SPAMC32 has been updated to more easily function as a Declude 'weight'
test  type  in  addition  to  the default 'nonzero' type and the other
command-line  threshold  options.  See  the  release  notes  below and
download from the traditional /release folder.

--Sandy


--
SPAMC32 Release 0.5.56
11/1/2004
  *

Release notes for this version:

[ + Added feature]
[ * Improved/changed feature ]
[ - Bug fix  ]
[ ^ Cosmetic/naming change   ]


[+]  Added  switch  '-e'  to  allow  more granular management of SPAMD
weights  from a calling application. With -e enabled, SPAMC32 sets its exit
code  to  the  rounded weight received from SPAMD, regardless of
client- or server- based spam thresholds.



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
 
http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release
/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
Aliases!
 
http://www.mailmage.com/products/software/freeutils/exchange2aliases/downloa
d/release/
 
http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/re
lease/

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Unknown virus warnings

[Douglas Cohn]

I have been using Viruscode 8 for more than 6 months and have not received
even 1 false positive,

But my users are not a very large group and they most likely do not send a
lot of attachments via email.  I have taught them how to transfer files
actually via ftp.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, October 29, 2004 11:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Unknown virus warnings


 I have not activated returncode 8 for F-prot in Declude yet because 
 I wasn't sure if we would get to many false positives. Has anyone, or 
 maybe f-prot themselves, any info on that? Does returncode 8 generate 
 false positives and if so, how many?

Bonno,

I don't know how much false positives it would produce but I haven't never
heard some customer complaining about it. Until this morning there was not
more then 2 or 3 Unknown Virus warnings per day with 13000 processed
messages/day.

But in this case - if I have understand it right - it was very usefull to
have viruscode 8 enabled.
I've seen the first Unknown virus message this morning at 09:30 AM. F-prot
has had updates ready 3 hours later. In the meantime there was an average of
10 Bagle.AP infected messages per minute - catched only with viruscode 8.

Until I've discovered what's going on here (the unknown virus story) and
adapted the virus.cfg file with appropriate BANNAME's there was a large
number of messages that would be delivered without this setting.

Imagine that the breakout happened at 09:30 GMT+1 So I was already at work.
People in american timezones was at work when AV-companies has had updates
but Mailservers are delivering messages also overnight...

Markus



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Spool Dir

[Douglas Cohn]

I personally do not like installing anything on my Imail servers.  That said
I use a sinple dos batch file to delete everything that is X days old. I run
it as a scheduled task daily.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, October 13, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Spool Dir

I was wondering what everyone does with the Imail\spool\virus directory.  Do
you delete all the files regularly?  I've got 7000 files in there since I
installed Declude (2 weeks ago). 

---
[This E-mail was scanned for viruses.]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Spool Dir

[Douglas Cohn]

 
FORFILES -pc:\foldername -s -m*.* -d-7 -cCMD /C del @FILE

-p = path 
-s = include subdirs
-m = match filetype
-d = age in days (can also be set as an absolute date ie DDMM) note that
- or + can be used here
-c = command to execute

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, October 14, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Spool Dir

Do you happen to have the batch?  I've been writing some xcopy lines, but
have had problems finding a simple date-specific delete statement.

Thanks


Douglas Cohn wrote:

I personally do not like installing anything on my Imail servers.  That 
said I use a sinple dos batch file to delete everything that is X days 
old. I run it as a scheduled task daily.

Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, October 13, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Spool Dir

I was wondering what everyone does with the Imail\spool\virus 
directory.  Do you delete all the files regularly?  I've got 7000 files 
in there since I installed Declude (2 weeks ago).

---
[This E-mail was scanned for viruses.]

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses.]



  


---
[This E-mail was scanned for viruses.]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] JS.Downloader.Trojan

[Douglas Cohn]

I have F-prot marking my Thunderbird mail program files as
JS.Downloader.Trojan.  Symantec Corp 8.0 sees nothing suspicious about the
files.

Then today F-prot looked in some static Office 2000 files and determined
that

AGENTANM.DLL
AGENTCTL.DLL
AGENTDP2.DLL
AGENTDPV.DLL
AGENTMPX.DLL
AGENTPSH.DLL
AGENTSR.DLL

All had the W32/[EMAIL PROTECTED]  Again Symantec claims they are clean and they
are flat storage and have not been accessed for over 18 months.

I think F-prot is repotrted a little too many false positives lately.

I will email them now.

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, October 13, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS.Downloader.Trojan


Now this morning, we get a W32.Netsky.P.dam virus via a data.zip file.  
I've submitted everything to F-Prot, but I'm surprised that it didn't 
catch these things.  UGH!

The .dam means damaged, another term for a corrupt, non-viable variant.
Since these are harmless, many AV programs do not detect them (but some --
usually Norton -- do).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Deleting Vulnerability

[Douglas Cohn]

You can run a scheduled task that deletes the contents of the virus folder
every x minutes, hours, days.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Friday, October 01, 2004 11:02 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Deleting Vulnerability

Now that 1.80 does not delete vulnerabilities even with DELETEVIRUSES ON,
what is the best way of deleting them?

Thanks,
John

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Declude Release 1.81 - Error on Web Site

[Douglas Cohn]

Title: Message



I am sorry. I misunderstood Graphic/text. I now 
see the graphic is the ARROW which I never attempted to click at 
all.

So when I said it works for me I was referring to the Text 
which for some dumb reason I took as graphic. (yes it's text). 


Both arrows definitely link to the full 
install.





I knewshould have stopped after that third hit 
before BG.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Andy 
SchmidtSent: Friday, October 01, 2004 6:24 PMTo: 
[EMAIL PROTECTED]Subject: RE: [Declude.Virus] Declude Release 
1.81 - Error on Web Site

DC,

may be 
my HTMLhas gotten a little rusty- but I think viewing the source 
will settle the argument:

 
TR TD width=74A 
 href="">http://www.declude.com/version/180/Declude_Setup.exe"STRONGIMG 
 height=50  
src=""https://www.declude.com/templates/60/images/orderreview/Icon_Download.gif">https://www.declude.com/templates/60/images/orderreview/Icon_Download.gif" 
 width=50 
border=0/STRONG/A/TD TD 
width=124A  href="">Automatic'>http://www.declude.com/version/181/Declude_Setup.exe"STRONGAutomatic 
 
Install/STRONG/A/TD/TR 
TR TDSTRONGA 
 href="">http://www.declude.com/version/180/Declude_Setup.exe"IMG 
height=50  src=""https://www.declude.com/templates/60/images/orderreview/Icon_Download.gif">https://www.declude.com/templates/60/images/orderreview/Icon_Download.gif" 
 width=50 
border=0/A/STRONG/TD 
TDSTRONGA  href="">Manual'>http://www.declude.com/version/181/declude1.81.zip"Manual 
 
Install/A/STRONG/TD/TR/TBODY/TABLE/DIV

Of 
course, you do realize that theymay have fixed this already (since I cc'ed 
support)?
Best 
RegardsAndy SchmidtHM Systems Software, Inc.600 East Crescent 
Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 
(Business)Fax: +1 201 934-9206http://www.HM-Software.com/ 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Douglas CohnSent: Friday, October 01, 2004 06:16 
  PMTo: [EMAIL PROTECTED]Subject: RE: 
  [Declude.Virus] Declude Release 1.81 - Error on Web 
  Site
  Not true for me.
  
  Not even true of the link you have here in the 
  email. You have some kind of caching going on locally it 
  seems.
  
  DC
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Andy 
  SchmidtSent: Friday, October 01, 2004 6:08 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [Declude.Virus] Declude 
  Release 1.81 - Error on Web Site
  
  Hi,
  
  there is a slight error on the 
  "download" page for your registered customers:
  
  Both "down" arrow buttons link to 
  the "automatic install" executable.
  
  Only the "manual install" TEXT link 
  actually downloads the zip file.
  
  
  Use of Version 1.81 requires a Valid Service 
  AgreementDownload Now 
  


  
  Automatic 
Install

  
  Manual 
Install
  
  
  
  Best 
  RegardsAndy SchmidtHM Systems Software, Inc.600 East Crescent 
  Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 
  (Business)Fax: +1 201 934-9206http://www.HM-Software.com/ 

RE: [Declude.Virus] Lines in the virus.cfg file

[Douglas Cohn]

Now that 1.81 is released what is the recommendation by 
DECLUDE (SCOTT) regarding the config file.??

IE do we allow the AV software to scan jpegs by removing 
the line 
SKIPEXT 
 JPG 

or do we allow Declude to take care of it completely 
.

From what I understand (and I know ugotz) the infected 
jpegs are more likely to be in Web Pages then in emails. I am assuming 
from the threads here that people are catching infected jpegs. Or is it 
tests only??

DC



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Greg 
LittleSent: Thursday, September 30, 2004 12:30 PMTo: 
[EMAIL PROTECTED]Subject: Re: [Declude.Virus] Lines in the 
virus.cfg file
I should eliminate (comment out) at least the JPG line right 
away.The new test (when it's fully ready) provides a great safty net to 
backup the AV programs. The new test will ignore these lines and bad JPEGs will 
be caught.The test is available by install a new interim version of Declude. 
(The test in the current intermin 1.80 has some problems so wait until they are 
resolved or check the other messages for details.)The best advice I've 
seen is to eliminate at least the JPG line, because these lines will prevent the 
AV programs from being called. Until last week, you could safely save some CPU 
time on your e-mail server by not scanning JPEGs.GregSharyn 
Schmidt wrote:

  
  I was looking through my virus.cfg and I noticed 
  the following: 
  # The SKIPEXT option will let you skip scanning of 
  certain file extensions. For # 
  example, a GIF file can't contain a virus, so there is no need to scan 
  it. # 
  SKIPEXT  
  GIF SKIPEXT 
   TXT SKIPEXT  JPG SKIPEXT  
  MPG 
  Should I now allow declude to scan jpg and gif 
  files or is this totally different than the new jpeg vulnerability? 

  Thanks, Sharyn --- [This E-mail scanned for viruses 
by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing 
list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
"unsubscribe Declude.Virus". The archives can be found at 
http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude 
Virus] 

RE: [Declude.Virus] Release version

[Douglas Cohn]

H

I wasn't suggesting to unzip the contents of that zip file into the root of
Imail  I would assume anyone using the manual method would

1. Rename current declue.exe to declude.exe.178xxx
2. Copy new declude.exe into imail root 
3. Stop start Imail smtp service

You may want to try using the Winzip Classic interface to avoid the snafu
you just mentioned.  Either way unzip to a temp directory and move the file
yourself.  Or use Infozip at the command line G...

Works fine by the way.  Nothing blew up yet on my box

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Tuesday, September 28, 2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Release version

Be careful if you don't uncheck the use directory option in winzip you will
create a Files directory in the imail directory with the declude.exe file
rather than overwriting the declude.exe file in the imail root directory
when you unzip the file.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 10:58 AM
Subject: RE: [Declude.Virus] Release version


 Is it required we run the install program  or can we just replace the
 declude.exe as in previous updates?

 Doug

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
 Sent: Tuesday, September 28, 2004 1:50 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Release version


Scott, I just DLed the release and the declude -diag shows it at 1.75

 Did you run the install program?

 Did you type \IMail\Declude -diag *EXACTLY* like that, with *NO* changes
 (not even changing the path)?

-Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Ultra reliable virus detection and the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just
 send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]


 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] OT: F prot as a desktop scanner

[Douglas Cohn]

I have used it on client machines for the past 6 months and also find it
equal to Norton Corp except for one thing.  It handles mail clients
differently in that it does not scan email as they come in but instead seems
to scan it only when you attempt to read it.

Norton Corp seemed to catch the viruses as soon as the mail was popped and
worked with exchange client very well also.  

Obviously the mail scanner should prevent viruses from passing through
anyway.

There is an obvious advantage to using a different product on the desktop
versus the mail server in that if one product misses a virus the other
should pick it up but I personally believe that the price difference between
F-prot and Norton is not warranted.  

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, August 01, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] OT: F prot as a desktop scanner

We've used it for a couple of years.  Works as well as Symantec or McAfee as
far as we can tell.  Just make sure you set up updates and notifications
properly and it works like a charm.

Darin.


- Original Message -
From: marc catuogno [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 9:23 AM
Subject: [Declude.Virus] OT: F prot as a desktop scanner


I've been happy with F-prot on the mail server and since I know many people
are using it on their servers as well, I was wondering if anyone has it
deployed on their user's machines.  If so I'd like to know, how well it does
on regular windows XP machines.  You can't beat the price


Thanks - Marc



---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] I do not think this should of failed.

[Douglas Cohn]

It may be worth your time to contact Yahoo and alert them of this if it is
really an issue.  If they give a hoot (and they very well may) they will put
some text on the page to use the Url and not the filename when sending links
of maps in email.

Doesn't Yahoo have a link for sending a map to somone directly on their
site. 

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Thursday, July 15, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] I do not think this should of failed.

The real issue is not one with our client base rather the other quarter of a
million people who are not our clients but send email to our servers.  When
that email does not make it through it creates a problem for me.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Doug Anderson
 Sent: Wednesday, July 14, 2004 4:33 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] I do not think this should of failed.


 We have the same problem.

 DO NOT USE the email map link on the page

 Copy and paste the link/url into an email or email link directly from 
 the browser to the user. The url contains all the info for creating the
map.

 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, July 14, 2004 4:13 PM
 Subject: Re: [Declude.Virus] I do not think this should of failed.


 
  A soccer club sent an email regarding the location of soccer practice.
  Declude appeared to catch it because of a yahoo map link to the 
  soccer fields.  It would seem to be a common practice for someone 
  to use a map
 link
  for directions.  Copy of logfile below.
  
  How do we prevent this from happening in the future?   I do
 not have any
  clout with Yahoo so I doubt I could get them to change their
 nomenclature.
 
  Unfortunately, filenames longer than 256 characters are very unsafe.  
  If Yahoo chooses to use filenames greater than 256 characters, they 
  need to understand that their E-mails are going to be blocked.  It 
  sounds like Yahoo just changed their file naming system.
 
  Note that it is fine for them to have a *link* that is longer than 
  256 characters, it is only the filename that has the problem.  In 
  this case, the filename was
 
 overviewmap_OVMAPDATA=Ypg91eR32XWTWSco9NwX6snk0KVRpsRh.tpax9mLk 
 followed
  by at least
  158 more characters.
 
  In general, if the average person isn't going to be able to type a
 filename
  without making a typo after a few tries, it shouldn't be used as a
 filename.
 
  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail 
  mailservers since 2000.
  Declude Virus: Ultra reliable virus detection and the leader in
 mailserver
  vulnerability detection.
  Find out what you've been missing: Ask for a free 30-day evaluation.
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To 
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 
  *Scanned for viruses by Declude Virus*
 
 


 *Scanned for viruses by Declude Virus*

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Mcafee command line scanner

[Douglas Cohn]

That is the correct price for that LICENSE LEVEL (L)  VCLCAE-AA-LH

But you must be GOVERNMENT and I believe that price is for 10,000+ copies.

License Pricing IDIQ:Level L,Volume:,Government:


McAfee VirusScan Command Line Scanner Standard - complete package
Specifications
General 
Compatibility PC: 

Operating System 
License qty 1 node 
License type Complete package
Licensing program Network Associates TSP Licensing Program 

System Requirements 
Min operating system Microsoft DOS 6.22,Microsoft Windows XP,Microsoft
Windows 95/98,Microsoft Windows NT 3.51,Microsoft Windows 2000 /
NT4.0,Microsoft Windows Millennium Edition 

Software 
License Pricing IDIQ:Level L,Volume:,Government: 
Service / Support 
Service / Support Details Technical support  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adam Hobach
Sent: Wednesday, July 07, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mcafee command line scanner

Which Mcafee product does everyone use then?

Thanks,

Adam



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeff Pereira
Sent: Wednesday, July 07, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Mcafee command line scanner


It will work, but you will most likely be violating their licensing
agreement.


- Original Message -
From: Adam Hobach [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 12:31 PM
Subject: [Declude.Virus] Mcafee command line scanner


 Is this a real price for the Mcafee command line scanner:

 http://www.macmall.com/macmall/shop/detail.asp?dpno=118250

 Has anyone found this software this low?? This is what is needed to 
 work with Declude?

 Thanks,

 Adam

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]



---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Version 3.15 w/Declude

[Douglas Cohn]

I have not seen this problem through the couple of renditions of 3.14 and it
is still working now at 3.14e even though 3.15_M is available .

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of serge
Sent: Monday, July 05, 2004 6:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot Version 3.15 w/Declude

 C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe /run /quit

Problem wih above is that when there is a new fprot  version, the virus def
update will fail I use the batch upgrade as a backup for these situations.


- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 04, 2004 4:58 PM
Subject: RE: [Declude.Virus] F-Prot Version 3.15 w/Declude


 This is the command we run from task manager and have for some time with
no
 issues.

 C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe /run /quit

 DC



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hyslip
 Sent: Friday, July 02, 2004 6:30 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] F-Prot Version 3.15 w/Declude

 will it run through task manager if called?

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
 Sent: Friday, July 02, 2004 4:19 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] F-Prot Version 3.15 w/Declude

 I don't log out of the email server. I simply lock the console. The
Updater
 will still run and the system still requires a password to get back to the
 console.

 Is there a good reason not to do it this way??

 ~Joe

 - Original Message -
 From: Douglas Cohn [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, July 01, 2004 3:53 PM
 Subject: RE: [Declude.Virus] F-Prot Version 3.15 w/Declude


  I have been doing that exact thing for months now.  The question is what
  does the new version do differently that may affect the way updates
work,
  not so much how you go out and get them.
 
  Using the scheduler requires that you have the box logged in all the
time
  which is clearly not an option for a mail server.

 ---
 [This E-mail scanned for viruses at HNB.com]

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]


 ---
 [This E-mail scanned for viruses by Declude Virus]

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Version 3.15 w/Declude

[Douglas Cohn]

Absolutely

Locking the screen is far from the same as logging a machine out.  Of course
if the account logged in has no rights then it is not as bad but leaving a
system logged in with an admin account is asking for trouble.

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Friday, July 02, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot Version 3.15 w/Declude

I don't log out of the email server. I simply lock the console. The Updater
will still run and the system still requires a password to get back to the
console.

Is there a good reason not to do it this way??

~Joe

- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:53 PM
Subject: RE: [Declude.Virus] F-Prot Version 3.15 w/Declude


 I have been doing that exact thing for months now.  The question is what
 does the new version do differently that may affect the way updates work,
 not so much how you go out and get them.

 Using the scheduler requires that you have the box logged in all the time
 which is clearly not an option for a mail server.

---
[This E-mail scanned for viruses at HNB.com]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Version 3.15 w/Declude

[Douglas Cohn]

This is the command we run from task manager and have for some time with no
issues.

C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe /run /quit 

DC



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hyslip
Sent: Friday, July 02, 2004 6:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-Prot Version 3.15 w/Declude

will it run through task manager if called?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Friday, July 02, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-Prot Version 3.15 w/Declude

I don't log out of the email server. I simply lock the console. The Updater
will still run and the system still requires a password to get back to the
console.

Is there a good reason not to do it this way??

~Joe

- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:53 PM
Subject: RE: [Declude.Virus] F-Prot Version 3.15 w/Declude


 I have been doing that exact thing for months now.  The question is what
 does the new version do differently that may affect the way updates work,
 not so much how you go out and get them.

 Using the scheduler requires that you have the box logged in all the time
 which is clearly not an option for a mail server.

---
[This E-mail scanned for viruses at HNB.com]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

[Douglas Cohn]

http://www.microsoft.com/security/incident/download_ject.mspx  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, June 25, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT- Anyone know about this latest attack
reported by CNN?


 OT- Anyone know about this latest attack reported by CNN?know about 
 this latest attack reported by CNN?
 
 
 Here is what CNN says:
 http://www.cnn.com/2004/TECH/internet/06/24/internet.attack.a
 p/index.ht
 ml
 Sharyn
 
 I read somewhere that it only infects IIS 5 but I haven't heard much 
 else.

http://www.microsoft.com/security/incident/download_ject.mspx

If the patch from MS04-011 is installed you should be safe.
We've running several IIS5 Webservers an none was infected until now.

Markus



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

[Douglas Cohn]

UNTIL NOW??

You are infected now? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, June 25, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] OT- Anyone know about this latest attack
reported by CNN?


 OT- Anyone know about this latest attack reported by CNN?know about 
 this latest attack reported by CNN?
 
 
 Here is what CNN says:
 http://www.cnn.com/2004/TECH/internet/06/24/internet.attack.a
 p/index.ht
 ml
 Sharyn
 
 I read somewhere that it only infects IIS 5 but I haven't heard much 
 else.

http://www.microsoft.com/security/incident/download_ject.mspx

If the patch from MS04-011 is installed you should be safe.
We've running several IIS5 Webservers an none was infected until now.

Markus



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

[Douglas Cohn]

http://www.microsoft.com/security/incident/download_ject.mspx 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 25, 2004 10:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] OT- Anyone know about this latest attack
reported by CNN?

OT- Anyone know about this latest attack reported by CNN?know about this
latest attack reported by CNN?


Here is what CNN says:
http://www.cnn.com/2004/TECH/internet/06/24/internet.attack.ap/index.ht
ml
Sharyn

I read somewhere that it only infects IIS 5 but I haven't heard much else.

Gary

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Virus reports not showing virus

[Douglas Cohn]

Thanks

Had a feeling when I pasted it but it was too late already.  Must have added
it when I changed it to fpcmd.

Thanks  I removed it just now.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, June 24, 2004 8:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Virus reports not showing virus


Here is a snippet of my logs.  I also do not understand the missing files?

The problem here is:

SCANFILEC:\Progra~1\FSI\F-Prot\Fpcmd.exe /TYPE /SILENT /NOMEM 
/ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt)

There should be no ) at the end of report.txt -- otherwise, F-Prot will
try to save a file named report.txt), which Declude Virus won't be able to
find, so Declude Virus won't be able to determine the virus name (although
the viruses will still get caught).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Virus reports not showing virus

[Douglas Cohn]

I am having some odd reports from Virusloganalyser lately.

It no longer shows I have any viruses just Outlook Vulnerabilities..
Previously, I believe when I was running the 16 bit Fprot (now running 32
bit) it reported viruses.

Here is a snippet of my logs.  I also do not understand the missing files?

Any ideas what is going on with my logs?  I posted my config after the log
snippet.

Thanks much

Doug

06/23/2004 00:24:11 Q05e79da60042f798 Scanned: CONTAINS A VIRUS [MIME: 2
22581]
06/23/2004 00:24:11 Q05e79da60042f798 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 203.148.249.232]
06/23/2004 00:24:11 Q05e79da60042f798 Subject: Hi
06/23/2004 00:24:30 Q05eb2fe4011e08de Could not find report file
C:\IMail\spool\D05eb2fe4011e08de.vir\report.txt.
06/23/2004 00:24:30 Q05eb2fe4011e08de File(s) are INFECTED [: 3]
06/23/2004 00:24:30 Q05eb2fe4011e08de Scanned: CONTAINS A VIRUS [MIME: 2
29807]
06/23/2004 00:24:30 Q05eb2fe4011e08de From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 172.195.102.75]
06/23/2004 00:24:30 Q05eb2fe4011e08de Subject: Illegal Website
06/23/2004 00:24:48 Q060c2fe8011e891a Outlook 'MIME Header' Vulnerability:
type=audio/x-wav, name=message.pif.
06/23/2004 00:24:49 Q060c2fe8011e891a Could not find report file
C:\IMail\spool\D060c2fe8011e891a.vir\report.txt.
06/23/2004 00:24:49 Q060c2fe8011e891a File(s) are INFECTED [[Outlook 'MIME
Header' Vulnerability]: 3]
06/23/2004 00:24:49 Q060c2fe8011e891a Scanned: CONTAINS A VIRUS [MIME: 3
29141]
06/23/2004 00:24:49 Q060c2fe8011e891a From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 203.157.253.196]
06/23/2004 00:24:49 Q060c2fe8011e891a Subject: Mail System
([EMAIL PROTECTED])
06/23/2004 00:24:52 Q06119dae00429d6e Scanned: Virus Free [MIME: 1 1798]
06/23/2004 00:25:16 Q062b2fed011e0271 Scanned: Virus Free [MIME: 1 3621]
06/23/2004 00:25:24 Q06342ff1011e22bb Scanned: Virus Free [MIME: 1 7757]
06/23/2004 00:25:33 Q06399db400423921 Scanned: Virus Free [MIME: 1 306]
06/23/2004 00:25:57 Q06509db600429386 Could not find report file
C:\IMail\spool\D06509db600429386.vir\report.txt.

Config

# The  in the LOGFILE option automatically gets replaced with the
month/date

LOGFILE spool\vir.log
LOGLEVELMID

#
# SCANFILE is the location of the command-line virus scanner. Note that it 
# must include the full path.  VIRUSCODE is the code that scanner returns if
# it finds a virus.
#

SCANFILEC:\Progra~1\FSI\F-Prot\Fpcmd.exe /TYPE /SILENT /NOMEM
/ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt)

VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORTInfection:


# VIRDIR is the directory to move E-mails with viruses; by default,
# it is set to 'spool\virus' (\IMail\spool\virus).

VIRDIR  spool\virus

# The MAXATONCE option limits the number of AV processes.  For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing
# purposes).  A value of 0 (or commenting it out) allows unlimited processes
# to run at the same time.

MAXATONCE 0

#
# The following options allow you to limit scanning to only incoming or
outgoing
# E-mail.
#

INCOMINGON
OUTGOINGON

#
# The ONACCESS option should be set to OFF unless you have an on-access
virus scanner
# that will be deleting attachments with viruses.  It is recommended NOT to
have an
# on-access scanner interfering, and to leave this at OFF.
#

ONACCESSOFF

#
# The SCANNERTIMEOUT option lets you choose the number of seconds that
Declude will
# wait for the virus scanner to finish.  The minimum value is 10 seconds.
Most
# scanners will not need to take that long.  This option is mainly to
prevent
# defective scanners (that never finish) from interfering with your outgoing
E-mail.
# Raising this will NOT help if your virus scanner always times out.
#

SCANNERTIMEOUT  60

#
# The SKIPEXT option will let you skip scanning of certain file extensions.
For
# example, a GIF file can't contain a virus, so there is no need to scan it.
#

SKIPEXT GIF
SKIPEXT TXT
SKIPEXT JPG
SKIPEXT MPG
SKIPEXT PNG

#
# The BANEXT option will let you ban file extensions.  E-mails containing
attachments
# with these file extensions will be quarantined, and if you have a
BANnotify.EML file,
# it will be sent out.  This works in the Standard and Pro versions.
#

BANEXT  ad
BANEXT  adp 
BANEXT  asp
BANEXT  bas
BANEXT  bat
BANEXT  CEO
BANEXT  chm
BANEXT  cmd
BANEXT  com
BANEXT  cpl 
BANEXT  crt 
BANEXT  exe
BANEXT  hlp
BANEXT  hta
BANEXT  inf
BANEXT  ins 
BANEXT  isp
BANEXT  js
BANEXT  jse
BANEXT  lnk
BANEXT  mdb 
BANEXT  mde 
BANEXT  msc 
BANEXT  msi
BANEXT  msp 
BANEXT  mst
BANEXT  pcd
BANEXT  pif
BANEXT  reg
BANEXT  scr
BANEXT  sct 
BANEXT  shb 
BANEXT  

RE: [Declude.Virus] F-Prot letting TROJ_REVOP.F thru

[Douglas Cohn]

Have you sent those caught viruses to the declude or F-prot virus traps?

They may be corrupted and not viable viruses any longer.  Meaning they are
no longer harmful  (Possibly).

F-prot would surely want to see this.  Go to their website and submit the
samples.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M Pilletere
Sent: Friday, June 18, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot letting TROJ_REVOP.F thru

Hi,
I have just started using Declude with F-Prot as our virus scanner.  Was
using Trend Viruswall. Have noticed that F-Prot is letting thru viruses that
Trend desktop scanners are catching.  I have had 11 TROJ_REVOP.F get thru
today alone.  Is anyone else seeing this?  Trying to use ClamAV as a second
scanner but need to wait till I can reboot the mail server to get it
functioning.

Thanks
Mike
RSR Group,Inc.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] BSOD and IMail-Server reboot

[Douglas Cohn]

I was simply replying to a gentlemen's post John.

Read the thread.

HE asked if I found out whether Declude was the CAUSE of the problem or I
switched to another AV product.

  Did you (or someone else) find a solution in the meantime, or did 
  you
 just
  switch to another AV ?

I said it was NOT Declude.  Hence my post.

He specifically mentioned Peter Verzoni.  I worked on that specific system.
Again my reply.

There was no need for further banter.  He wanted to know if it was resolved.


I agree Imail does not cooperate well with Intel NICs at extreme traffic.
Your answer was GET A SERVER NIC.  That is not the solution.  The solution
is Imail should fix their bug or use a NON intel NIC.  Better yet you must
use 3Com Nics to be sure since that seems to be all Imail tests.  A NIC that
we have found is prone to many other issues and is no longer the market
leader.  Back in 98-99 when Imail started it was and we all used them. No
longer true today as Dell, HP and most white box servers use Intel NICs.

But all that is irrelevant.  The only issue I complained about was you were
rude.  Don't accept it, fine.  But enjoy the world you create with responses
like that.  You must live with it, we must only read your posts.  Deny Deny
Deny .. Be like Bush...

To everyone else  Again I apologize and promise I stop here no matter what
the response (snappy or otherwise G)...  Except Declude related...

Regards


Doug

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Saturday, June 12, 2004 6:05 PM
To: [EMAIL PROTECTED]
Subject: FW: [Declude.Virus] BSOD and IMail-Server reboot

Just realized this was originally posted on the Declude virus list, even
though it has nothing to do with Declude Virus, and the person should have
posted on the Imail list, since it is an Imail issue and a search of the
Imail list archives shows this has been discussed many times.

 The imail forum has not one post regarding an INTEL SERVER Board and 
 on board NICs.  I recall some conversations about desktop boards but 
 none regarding SERVER BOARDs.

 I do not remember whether the board was a Server board or workstation board
being part of the discussion on past problems. It was the Intel OB NIC that
was discussed, and a search of the Imail archives shows 269 hits for Intel
OB NIC.

 Furthermore what logic would you as a Networking Professional give to 
 an SMTP server running on the same platform and pushing sustained 
 traffic of three times that of the IMAIL server yet never causing any 
 issues and certainly not creating a BSOD.  This is something I am very 
 interested in hearing.

I am not an Ipswitch technician, so I have no idea of why this occurs, I
just know from many others posting such that it does!

 I have been building systems and maintaining data centers now for 16
years.

Goody for you. Now back to the issue at hand.

 I have brought this exact issue to Intel's and Microsoft's attention 
 and neither see any reason for the NIC to be the root cause of the issue.
 
 Microsoft has read the BSOD dumps and reports IMAIL as the culprit.

Then take the next step and share that information with Ipswitch. From all
the posts about Intel OB NICs and Imail over the years, it is my opinion
there is a real problem with Imail and Intel OB NICs. To date, most have
fixed the problem by using a server grade 3Com NIC and disabling the Intel
OB NIC. If you have the time and resources to further pursue this issue with
Ipswitch, many Imail admins will thank you.

 This type of comment from you has little to no value.  You act like 
 you
are
 participating in a forum but clearly you are using the forum simply 
 for
your
 own end.

Sure it does. Just because you do not like the work around, and would rather
spend time on finding the cause of the problem in hopes that Ipswitch will
finally fix it, does not mean that my advice has no value. 

BTW, how does my posting advice on a subject that comes up again and again
over time equal my using the forum for my own end?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, June 11, 2004 3:11 PM
 Subject: RE: [Declude.Virus] BSOD and IMail-Server reboot
 
 
 There has been much discussion concerning Intel OB NICs and Imail.
 
 Search the archives.
 
 Bottom line, get a solid Server designated NIC.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Douglas Cohn
  Sent: Friday, June 11, 2004 11:32 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] BSOD and IMail-Server reboot
 
  This problem has not gone away.  It occurs with very high traffic 
  only
 and
  is not related to declude.  That is we tested iot without declude 
  and
 it
  still Blue Screens when there is extremely

RE: [Declude.Virus] BSOD and IMail-Server reboot

[Douglas Cohn]

This is very negative post John.

The SE7501WV2 is a $600.00 + Intel Dual Xeon SERVER Motherboard with a Dual
Gigabit Server NICs.  It is designed for server traffic.

This is the same EXACT Onboard NIC in IBM X series and HP Proliant servers.
Dell uses the lower cost Broadcom Gigabit NICs.

The archives have no references to anything related to Server motherboards
only desktop motherboards.

It seems to me when people have nothing to say  say nothing. 

In the future I will not reply to the list either and I apologize in advance
for doing so. No one needs a post to tell them to do what will not change
the situation anyway.

Doug


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, June 11, 2004 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] BSOD and IMail-Server reboot

There has been much discussion concerning Intel OB NICs and Imail.

Search the archives.

Bottom line, get a solid Server designated NIC.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Douglas Cohn
 Sent: Friday, June 11, 2004 11:32 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] BSOD and IMail-Server reboot
 
 This problem has not gone away.  It occurs with very high traffic only 
 and is not related to declude.  That is we tested iot without declude 
 and it still Blue Screens when there is extremely high traffic.
 
 Imail claims that when the server has extremely high traffic you need 
 to
use
 a SERVER NIC in the machine.  One which does NOT offload processing to 
 the server but has it's own processor onboard the NIC.
 
 This has some logic but if true why on servers running only SMTP 
 passing double the amount of sustained traffic do we not also have the
issue.
 
 Using Intel Based SE7501WV2 baseboards with on board nics on sevweral 
 servers.  Only Imail servers Blue Screen.  We set them to auto reboot 
 and
it
 only happens in extremely high traffic times.
 
 DC
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Uwe Degenhardt
 Sent: Thursday, June 10, 2004 5:05 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] BSOD and IMail-Server reboot
 
 Hi list and especially
 Peter Verzoni.
 
 Peter you mentioned a while ago
 the following problems you had on one of your servers:
 
 http://www.mail-archive.com/[EMAIL PROTECTED]/msg06418.html
 
 Did you (or someone else) find a solution in the meantime, or did you 
 just switch to another AV ?
 
 Would be great to get the link where you posted the info to F-Prot as
well.
 
 Thank you.
 
 Uwe
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just
 send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] BSOD and IMail-Server reboot

[Douglas Cohn]

This problem has not gone away.  It occurs with very high traffic only and
is not related to declude.  That is we tested iot without declude and it
still Blue Screens when there is extremely high traffic.

Imail claims that when the server has extremely high traffic you need to use
a SERVER NIC in the machine.  One which does NOT offload processing to the
server but has it's own processor onboard the NIC.

This has some logic but if true why on servers running only SMTP passing
double the amount of sustained traffic do we not also have the issue.

Using Intel Based SE7501WV2 baseboards with on board nics on sevweral
servers.  Only Imail servers Blue Screen.  We set them to auto reboot and it
only happens in extremely high traffic times.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Uwe Degenhardt
Sent: Thursday, June 10, 2004 5:05 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] BSOD and IMail-Server reboot

Hi list and especially
Peter Verzoni.

Peter you mentioned a while ago
the following problems you had on one of your servers:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg06418.html

Did you (or someone else) find a solution in the meantime, or did you just
switch to another AV ?

Would be great to get the link where you posted the info to F-Prot as well.

Thank you.

Uwe

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] What is Partial Vulnerability on a PDF

[Douglas Cohn]

Uuencode/Uudecode is what we used to use before the high speed world became
a reality.  

You would type Uudecode and the file name and path.  If I remember as long
as all the parts where in the same directory it would reassemble it.  There
are plenty of mailers that will reassemble and I really thought all of them
did it today.

UUencode/UUdecode
UUencode/UUdecode is a software utility that converts a binary file (often a
photo or a graphic) to an ASCII (text) file so that it can be sent as an
attachment to an e-mail message or downloaded from a newsgroup. Since e-mail
messages must be text, not binary information, UUencode disguises non-text
files as text so that they can be included in a mail message. When the
message is received, the recipient, or their e-mail program, runs UUdecode
to convert it to the original file. 

Easily available on the net via shareware.  Google UUencode

Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Loughlin
Sent: Friday, June 04, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF

Was there ever a way to put these emails back together?
I had some one send me pictures that got broken up by this, and was
wondering if they could be re-assembled.

Bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Goran Jovanovic
Sent: Thursday, June 03, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF


Yes I looked again and you are right. So Declude would have to keep track of
e-mail to e-mail and possible out of sequence and different clients marking
the split stuff in different ways 

On/Off switch is the way to go (unfortunately)



 Goran Jovanovic
 The LAN Shoppe


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Thursday, June 03, 2004 4:05 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF

 I think the problem is, that while the extension may show up in one of
the
 5, it would not be in all 5 and therefore not an accurate test.

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Goran Jovanovic
  Sent: Thursday, June 03, 2004 12:37 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] What is Partial Vulnerability on a
PDF
 
 
  I guess it would be nice to say
 
  BANPARTIAL   EXE
  BANPARTIAL   COM
  BANPARTIAL   VBS
 
  Etc
 
  I don't think a PDF can be infected but then again you never know so 
  maybe .
 
  In any case it is almost a damned if you do damned if you don't
 
  Thanx
 
 
   Goran Jovanovic
   The LAN Shoppe
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
   [EMAIL PROTECTED] On Behalf Of Matt
   Sent: Thursday, June 03, 2004 3:28 PM
   To: [EMAIL PROTECTED]
   Subject: Re: [Declude.Virus] What is Partial Vulnerability on a
PDF
  
   Goran,
  
   Outlook/Outlook Express allows a sender to split messages over a
  certain
   size into multiple attachments.  Messages of this type can bypass
  virus
   scanning and therefore represent a vulnerability.  I have however 
   personally determined that because it is so easy to turn on, and
  because
   I have yet to find any viruses that are currently exploiting this
  flaw,
   that it is better to leave it off for now rather than comb over my
  hold
   file looking for such messages and alerting those that are set up
for
   this.  Scott does provide a stitch for your Virus.cfg that can
turn
  this
   off with the following:
  
   BANPARTIALOFF
  
   I don't feel that this is a set it and forget it type of
setting, so
   use at your own risk, and keep your eyes and ears pealed for
exploits
  in
   the event that a virus does start exploiting the flaw.  Thankfully
the
   trickery has gone down since the arrested that German teenager :)
  
   Matt
  
  
  
   Goran Jovanovic wrote:
  
   Declude Virus and F-Prot reported
   
   X-Declude-Virus: Detected [Partial Vulnerability].
   
   This is an e-mail that has been cut into 5 part and it has a PDF 
   attached to it.
   
   --=_NextPart_000_0019_01C4494C.0AFFE0A0
   Content-Type: application/octet-stream;
name=Report.pdf
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
filename=Report.pdf
   
   We stopped the 5 e-mails but why would it have triggered on a PDF
  file?
   
   Also how does the client out the PDF back together???
   
   Thanx
   
   
Goran Jovanovic
The LAN Shoppe
   
   ---
   [This E-mail was scanned for viruses by Declude Virus
   (http://www.declude.com)]
   
   ---
   This E-mail came from the Declude.Virus mailing list.  To 
   unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
   type 

RE: [Declude.Virus] What is Partial Vulnerability on a PDF

[Douglas Cohn]

Actually why couldn't Declude run uudecode and reassemble the file before
hand, then have it scanned and determine if it is harmful or not??

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Saturday, June 05, 2004 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF

Uuencode/Uudecode is what we used to use before the high speed world became
a reality.  

You would type Uudecode and the file name and path.  If I remember as long
as all the parts where in the same directory it would reassemble it.  There
are plenty of mailers that will reassemble and I really thought all of them
did it today.

UUencode/UUdecode
UUencode/UUdecode is a software utility that converts a binary file (often a
photo or a graphic) to an ASCII (text) file so that it can be sent as an
attachment to an e-mail message or downloaded from a newsgroup. Since e-mail
messages must be text, not binary information, UUencode disguises non-text
files as text so that they can be included in a mail message. When the
message is received, the recipient, or their e-mail program, runs UUdecode
to convert it to the original file. 

Easily available on the net via shareware.  Google UUencode

Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Loughlin
Sent: Friday, June 04, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF

Was there ever a way to put these emails back together?
I had some one send me pictures that got broken up by this, and was
wondering if they could be re-assembled.

Bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Goran Jovanovic
Sent: Thursday, June 03, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF


Yes I looked again and you are right. So Declude would have to keep track of
e-mail to e-mail and possible out of sequence and different clients marking
the split stuff in different ways 

On/Off switch is the way to go (unfortunately)



 Goran Jovanovic
 The LAN Shoppe


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Thursday, June 03, 2004 4:05 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF

 I think the problem is, that while the extension may show up in one of
the
 5, it would not be in all 5 and therefore not an accurate test.

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Goran Jovanovic
  Sent: Thursday, June 03, 2004 12:37 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] What is Partial Vulnerability on a
PDF
 
 
  I guess it would be nice to say
 
  BANPARTIAL   EXE
  BANPARTIAL   COM
  BANPARTIAL   VBS
 
  Etc
 
  I don't think a PDF can be infected but then again you never know so 
  maybe .
 
  In any case it is almost a damned if you do damned if you don't
 
  Thanx
 
 
   Goran Jovanovic
   The LAN Shoppe
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
   [EMAIL PROTECTED] On Behalf Of Matt
   Sent: Thursday, June 03, 2004 3:28 PM
   To: [EMAIL PROTECTED]
   Subject: Re: [Declude.Virus] What is Partial Vulnerability on a
PDF
  
   Goran,
  
   Outlook/Outlook Express allows a sender to split messages over a
  certain
   size into multiple attachments.  Messages of this type can bypass
  virus
   scanning and therefore represent a vulnerability.  I have however 
   personally determined that because it is so easy to turn on, and
  because
   I have yet to find any viruses that are currently exploiting this
  flaw,
   that it is better to leave it off for now rather than comb over my
  hold
   file looking for such messages and alerting those that are set up
for
   this.  Scott does provide a stitch for your Virus.cfg that can
turn
  this
   off with the following:
  
   BANPARTIALOFF
  
   I don't feel that this is a set it and forget it type of
setting, so
   use at your own risk, and keep your eyes and ears pealed for
exploits
  in
   the event that a virus does start exploiting the flaw.  Thankfully
the
   trickery has gone down since the arrested that German teenager :)
  
   Matt
  
  
  
   Goran Jovanovic wrote:
  
   Declude Virus and F-Prot reported
   
   X-Declude-Virus: Detected [Partial Vulnerability].
   
   This is an e-mail that has been cut into 5 part and it has a PDF 
   attached to it.
   
   --=_NextPart_000_0019_01C4494C.0AFFE0A0
   Content-Type: application/octet-stream;
name=Report.pdf
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
filename=Report.pdf
   
   We stopped the 5 e-mails but why would it have triggered

RE: [Declude.Virus] Notification for forwarded messages

[Douglas Cohn]

Remember this link is included in the recipients email.
http://serverwithvirus.com:port/declude.asp?msgid=%QUEUENAME%

We use Port 81.  We also remove almost all access to IIS and use IIS
lockdown to tighten all the way down.

The way that we do this is we include the link to the infected file in the
alert email. You want the Virus here it is.  We explain how dangerous it is
to request such a file but if the client determines that the message is
urgent they have the opportunity to click once and be done.

No going to other pages and pasting anything.  Obviously there is the danger
involved but these are grown people and the danger is to themselves.

The script works as I posted.  If you know Javascript you can modify it.

Being used for well over a year by the original author and I have used it
for months with never an issue.

The obvious issue is allowing people to access infected files.  That is your
call whether they paste into another page and you keep track of their name
or they simply click a link and get the virus sent to them. The problems can
occur on their end in both cases.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, May 28, 2004 1:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notification for forwarded messages

Doug

How do you deal with IIS and IMail web servers both running on the same box
and both wanting port 80?

I have broken up iissocketpooling in the past but it requires 2 IP addresses
to work. Is that what you have done or are you running one on a non standard
port? 

Thanx

-Original Message-
From: Douglas Cohn [EMAIL PROTECTED]
Date: Fri, 28 May 2004 12:28:22
To:[EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Notification for forwarded messages

We do this as well using Vbscript only.  It does exactly what you do.
Anytime a virus is quarantined an email with a link to the file is sent to
the recepient with a warning of the dangers involved in retrieving the
files.  We then delete everything over 5 days old to avoid getting too many
files in the virus dir.

We also require IIS to be running.  It was written by an ISP that uses it on
his shared IMAIL server.  He deletes them in 2 days.


=
You add this to the recip.eml
=
If you would like a copy of the infected email please follow the link below
AT YOUR OWN RISK!!!

http://serverwithvirus.com:port/declude.asp?msgid=%QUEUENAME%

REMEMBER IT IS AN INFECTED EMAIL.  The email will be deleted in 5 days.

The declude.asp file

[EMAIL PROTECTED]
%
 var virusdir=c:\\imail\\spool\\virus\\;
 var spooldir=c:\\imail\\spool\\;
 var file=+Request.QueryString(msgid);
 file=file.substr(1);

 fso = new ActiveXObject (Scripting.FileSystemObject);

 if (fso.FileExists(virusdir+D+file))
 {
  fso.MoveFile(virusdir+D+file, spooldir+D+file);
  fso.MoveFile(virusdir+Q+file, spooldir+Q+file);

  Response.Write(Please check your e-mail in a few minutes for the virus
infected message you requested.);  } % 

Very simple as well.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Friday, May 28, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notification for forwarded messages

I have written a simple app using ASP and PERL that will move the
quarantined file from the virus directory back to the spool for delivery. It
requires IIS to run on the same box as Imail, I run gateway servers so it is
a bit easier for me.

I include the spool name and a link to the gateway server that held the file
in the BanNotify message, the user copies the file name and pastes it to
text box on the ASP page, clicking submit sends it to the PERL script which
moves the file back to the spool.

I then intercept all notifications for banned files that I dont want them
retreiving such as mpegs and mp3s

Works great

I dont mind sharing the code if anyone wants it

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message -
From: Hermann Strassner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 6:39 AM
Subject: [Declude.Virus] Notification for forwarded messages


Hello!

We block ZIPs and some executable extensions and want to leave it this way.
Because some folks need to send them, we have to check the quarantined files
(for viruses) and forward the mails without viruses manually. Is there a way
to inform the user that his mail is now forwarded?

Alternatively, is it possible for the user to answer to the automatic
generated mail and forward the mail by himself? Is it possible somehow?
I think of it as follows: User sends email with ZIP, gets a notification,
answers to the notification with YES or something like that, Declude sees it
and forwards this email. I think this is enough to make sure the user sends
the email intentionally.

Hermann

---
[This E-mail

RE: [Declude.Virus] Notification for forwarded messages

[Douglas Cohn]

We do this as well using Vbscript only.  It does exactly what you do.
Anytime a virus is quarantined an email with a link to the file is sent to
the recepient with a warning of the dangers involved in retrieving the
files.  We then delete everything over 5 days old to avoid getting too many
files in the virus dir.

We also require IIS to be running.  It was written by an ISP that uses it on
his shared IMAIL server.  He deletes them in 2 days.


=
You add this to the recip.eml
=
If you would like a copy of the infected email please follow the link below
AT YOUR OWN RISK!!!

http://serverwithvirus.com:port/declude.asp?msgid=%QUEUENAME%

REMEMBER IT IS AN INFECTED EMAIL.  The email will be deleted in 5 days.

The declude.asp file

[EMAIL PROTECTED]
%
 var virusdir=c:\\imail\\spool\\virus\\;
 var spooldir=c:\\imail\\spool\\;
 var file=+Request.QueryString(msgid);
 file=file.substr(1);

 fso = new ActiveXObject (Scripting.FileSystemObject);

 if (fso.FileExists(virusdir+D+file))
 {
  fso.MoveFile(virusdir+D+file, spooldir+D+file);
  fso.MoveFile(virusdir+Q+file, spooldir+Q+file);

  Response.Write(Please check your e-mail in a few minutes for the virus
infected message you requested.);  } %


Very simple as well.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Friday, May 28, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notification for forwarded messages

I have written a simple app using ASP and PERL that will move the
quarantined file from the virus directory back to the spool for delivery. It
requires IIS to run on the same box as Imail, I run gateway servers so it is
a bit easier for me.

I include the spool name and a link to the gateway server that held the file
in the BanNotify message, the user copies the file name and pastes it to
text box on the ASP page, clicking submit sends it to the PERL script which
moves the file back to the spool.

I then intercept all notifications for banned files that I dont want them
retreiving such as mpegs and mp3s

Works great

I dont mind sharing the code if anyone wants it

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message -
From: Hermann Strassner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 6:39 AM
Subject: [Declude.Virus] Notification for forwarded messages


Hello!

We block ZIPs and some executable extensions and want to leave it this
way. Because some folks need to send them, we have to check the
quarantined files (for viruses) and forward the mails without viruses
manually. Is there a way to inform the user that his mail is now
forwarded?

Alternatively, is it possible for the user to answer to the automatic
generated mail and forward the mail by himself? Is it possible somehow?
I think of it as follows: User sends email with ZIP, gets a
notification, answers to the notification with YES or something like
that, Declude sees it and forwards this email. I think this is enough to
make sure the user sends the email intentionally.

Hermann

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

[Douglas Cohn]

What is the link to the manual again.  I misplaced it.

And what is the most current Beta and where can I obtain.  Most current
interim?

Sorry bout this 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, May 25, 2004 9:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS


  Can I still send out notifications for the Vulnerability?
 
  It would be possible, but strongly discouraged, as you'll end up 
  becoming a spammer by doing so.

The only notifications that I would be sending out would be to the 
recipient and not to the sender or the postmaster of the sending domain.
I think it is a waste of bandwidth. If the user gets a notification 
that the file contained a virus and if the user really wants the file 
then the user will notify the sender and get it fixed. IMHO

Ah, that makes sense.  In that case, you can copy the
\IMail\Declude\recip.eml file to \IMail\Declude\recip-vulnerability.eml (or
whatever name you want), and use a line ONLYSENDIFVIRUSNAMEHAS
Vulnerability (without any SKIPIFVIRUSNAMEHAS or SKIPIFFORGING lines).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

[Douglas Cohn]

I found the manual  sorry again.  But where are the interim releases.

I also see this in the manual.
Page Last Updated: 02 Mar 2004.   Latest Version: 1.75/1.78 (Release/Beta)

It is 1.79 that is the current BETA yes?  

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Wednesday, May 26, 2004 12:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

What is the link to the manual again.  I misplaced it.

And what is the most current Beta and where can I obtain.  Most current
interim?

Sorry bout this 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, May 25, 2004 9:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS


  Can I still send out notifications for the Vulnerability?
 
  It would be possible, but strongly discouraged, as you'll end up 
  becoming a spammer by doing so.

The only notifications that I would be sending out would be to the 
recipient and not to the sender or the postmaster of the sending domain.
I think it is a waste of bandwidth. If the user gets a notification 
that the file contained a virus and if the user really wants the file 
then the user will notify the sender and get it fixed. IMHO

Ah, that makes sense.  In that case, you can copy the
\IMail\Declude\recip.eml file to \IMail\Declude\recip-vulnerability.eml (or
whatever name you want), and use a line ONLYSENDIFVIRUSNAMEHAS
Vulnerability (without any SKIPIFVIRUSNAMEHAS or SKIPIFFORGING lines).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

[Douglas Cohn]

Why do you want to know the IP?

Do you have a router on the network?  Or a switch that you can manage. If
you have any Cisco hardware on the network you can easily determine the IP
from an arp address.  If it is a small network just 
show ip arp 

Or 

show ip arp xxx.xxx.xxx.xxx

Will give all stats from that IP.

Here are some tools to LEAD you to know which device it is  (MAYBE)
http://www.coe.uky.edu/~stu/nic/nic.cfm

If it is a printer

assuming it's a jetdirect you can do 
arp -s ip address mac address where ip address is a spare IP address
on your local subnet and mac address is the mac of the printer. Next
telnet ip address and you get the menu of the jetdirect and can read
what it's stored IP address is. Then delete the static arp entry and print a
help please phone IT and tell me where this printer is message to it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Pereira
Sent: Sunday, May 23, 2004 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

Thanks for the reply, but I think you misunderstood

I know the IP of my computer, I don't know the IP of a piece of equipment
that I have, but I do know what the MAC address is.

jeff
- Original Message -
From: Don Brown [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 23, 2004 2:40 PM
Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address


 Get a command prompt and type ipconfig (without the quotes) and a 
 carriage return.

 To get a command prompt, Select Start/Run and type CMD (without the
 quotes) in the box and click the ok button.

 If you need to change the IP address, then Select 
 Start/Settings/Network Connections. Select something other than make 
 a new network connection. Next, click properties, choose Internet 
 Protocol (TCP/IP) and click Properties. You should be able to find 
 your way around from there.

 HTH

 Thanks,


 Sunday, May 23, 2004, 12:05:12 PM, Jeff Pereira [EMAIL PROTECTED]
wrote:
 JP Windows..sorry I left that out.
 JP
 JP jeff

 JP - Original Message -

 JP From:  Rich

 JP To:[EMAIL PROTECTED]

 JP Sent: Sunday, May 23, 2004 11:57 AM

 JP Subject: Re: Possible Spam:   [Declude.Virus] OT - Need IP from MAC
address




 JP What OS?


 JP - Original Message -

 JP From:  Jeff Pereira

 JP To:[EMAIL PROTECTED]

 JP Sent: Sunday, May 23, 2004 8:22 AM

 JP Subject: Possible Spam: [Declude.Virus] OT - Need IP from MAC
address




 JP Sorry for the OT post, but I am in need of help.

 JP

 JP I have a piece of equipment that I inherited that was
 JP assigned a fixed IP address, but I do not know what it is.

 JP

 JP I am pretty sure that there is a way to determine the IP
 JP by way of the MAC address, but I am unable to figure out how.

 JP

 JP Any help will be appreciated.

 JP

 JP jeff

 JP









 
 Don Brown - Dallas, Texas USA Internet Concepts, Inc.
 [EMAIL PROTECTED]   http://www.inetconcepts.net
 (972) 788-2364Fax: (972) 788-5049
 

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]



---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] TOT TCP/IP Protocol driver service

[Douglas Cohn]

The great feature of this product is that you can specifically add it to all
users or specific users desktops.  So you can see in within TS.

Yes it is great for that exact reason.

We used to create custom backgrounds when we sold servers to ISP clients so
they could immediately see where they are.  Saved us from doing that work
G...

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, May 21, 2004 8:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] TOT TCP/IP Protocol driver service

I use the BGINFO on all the servers I support. It is absolutely great
especially since I terminal server into many at a time and it very clearly
tells me what server I am on. Also tells the less sophisticated network
admins which server they are on when using the KVM switch.


 
 Goran Jovanovic
 The LAN Shoppe

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Douglas Cohn
 Sent: Friday, May 21, 2004 1:39 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] TOT TCP/IP Protocol driver service
 
 I also have the 2002 Admin pack.  Back then we paid $999 for it.
 
 I have saved several shared servers with it more than covering the
$999
 but
 now it is closer to $5000 I believe.
 
 It may be worth it as well.
 
 All their products are great.  Go to the freeware site
sysinternals.com
 and
 get all their tools.
 
 Even the simple Bginfo screen background is the handiest utility.  It 
 builds a very simply BMP that has all your system info and becoms the 
 desktop background.  Nothing fancy just the info.  You can run it on 
 boot up
or
 schedule it to update every few hours if needed. Great on desktops and 
 servers.
 
 DC
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Thursday, May 20, 2004 12:14 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] TOT TCP/IP Protocol driver service
 
  ERD commander is an awesome tool, helps change service/device
startup
  values, registry, connect through the network to other machines, 
  chkdsk,
 etc
  etc...
 
  Might take a look at that, helps me a TON.
 
 I was going to recommend that, as I have the 2002 version, but their
new
 licensing terms has priced the newer version completely out of reach
for
 the
 average small business.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 ---
 [This E-mail scanned for viruses by Declude Virus]


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] TOT TCP/IP Protocol driver service

[Douglas Cohn]

I also have the 2002 Admin pack.  Back then we paid $999 for it.

I have saved several shared servers with it more than covering the $999 but
now it is closer to $5000 I believe.

It may be worth it as well.

All their products are great.  Go to the freeware site sysinternals.com and
get all their tools.

Even the simple Bginfo screen background is the handiest utility.  It builds
a very simply BMP that has all your system info and becoms the desktop
background.  Nothing fancy just the info.  You can run it on boot up or
schedule it to update every few hours if needed. Great on desktops and
servers.

DC

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, May 20, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] TOT TCP/IP Protocol driver service

 ERD commander is an awesome tool, helps change service/device startup 
 values, registry, connect through the network to other machines, 
 chkdsk,
etc
 etc...
 
 Might take a look at that, helps me a TON.

I was going to recommend that, as I have the 2002 version, but their new
licensing terms has priced the newer version completely out of reach for the
average small business.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] RE Mass mailing maybe new virus

[Douglas Cohn]

Thanks

I was thinking about adding the rule as well but also 
assumed that any legit mail to yahoo would be blocked and stopped 
myself.

Too bad the powers that be here are not buying JUNK 
Mail.

DC


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
MattSent: Tuesday, May 11, 2004 4:57 PMTo: 
[EMAIL PROTECTED]Subject: Re: [Declude.Virus] RE Mass mailing 
maybe new virus
This is likely just spam. The technique with the URL is someone 
exploiting Yahoo's redirection scheme to land you on another site. They do 
this to hide from URL parsers that don't recognize the exploit.It is 
possible that the site tries to install an exploit such as Java Byte Verify, 
which can be used to place just about anything on your computer, but typically 
just drops browser helper objects (adware/spyware) onto your system. 
Norton stops this stuff cold, and it's been around for a while. Note that 
I didn't bother with the payload link.Anyway, it just looks like it's 
forging spam to me.Your block of that address also isn't very wise 
because it is a legitimate link that could stop valid E-mail from Yahoo and 
their partners from getting through. If you are running JunkMail Pro, 
there is a filter for this technique listed on my site (link in the sig) called 
!YDIRECTED.Matt-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=Email 
Admin wrote:

  
  

  
  Hello
  Our Mail server recevied a mass mailing earlier today.The email is 
  address to [EMAIL PROTECTED] and is 
  coming from[EMAIL PROTECTED]Copy of 
  headers:Received: from mail.citravel.com [10.215.43.52] by 
  citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 
  11:25:34 -0400From: mail.citravel.com[EMAIL PROTECTED]To: [EMAIL PROTECTED]Subject: 
  RE:X-Mailer: Microsoft OutlookMime-Version: 1.0Content-Type: 
  text/html; charset=us-asciiMessage-Id: [EMAIL PROTECTED]X-Declude-Sender: 
  [EMAIL PROTECTED] 
  [10.215.43.52]X-Declude-Spoolname: Df06e0595011c829f.SMDX-Note: This 
  message was scanned for SpamX-RBL-Warning: Total weight value: 
  0X-Spam-Tests-Failed: Whitelisted [0]X-Note: Recipient 
  Host: citravel.comX-Note: Sender 
  Address: [EMAIL PROTECTED]X-Note: Sender 
  Host Name: (Private IP) X-Note: Sender IP Address: 
  10.215.43.52X-Note: Sender Country ID: X-Note: This E-mail was sent 
  from (Private IP) ([10.215.43.52])Precedence: bulkSender: [EMAIL PROTECTED]Date: 
  Tue, 11 May 2004 11:32:11 X-RCPT-TO: citravel.comStatus: UX-UIDL: 
  384277933This person's email client does not show they sent this 
  message but the IPof the sending host is the senders system.I have 
  scanned this system and it is showing virus free. Using SOPHOS latetest 
  defs as of 2pm est 5/11/2004
  I am also sniffing the network now looking for other SMTP 
  Traffic.User who receive the email which has a link of h t t p:// d r 
  s . y a h o o . com / citravel.com/newsGet sent to a pornography 
  site. After they close this site there systemkeeps having pop ups 
  appearing regularly.
  this link redirects toh t t p:// d r s . y a h o o . com / 
  citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
  I am not so much worried about the email but as to how it was 
  sent.
  This is where I think it might be a virus.
  Currently I have a filter stopping emails with d r s . y a h o o . c 
  o m(space added)I am seeing several hundred an hour being 
  stopped.
  
  Any help ideas thouhgt?
  Or should I just go golfing and forget about 
  it??? :)
  
  ~Paul~

RE: [Declude.Virus] RE Mass mailing maybe new virus

[Douglas Cohn]

I love decludeJunkmail as I have it on my 
personal domain on a sharedmail serverthat an ISP friend/client 
allows me to use. 

I must now use a local spam product on my personal mail and 
everyone else fends for themselves on the company domain which works for some 
but it is still local meaning everything already made it through the network. So 
you lost half the battle before you start basically.

Eventually I am hoping to convince them to go 
withdeclude but they are pestering me for an Exchange 2003 server. I 
was thinking of Using GFI for that unless Declude releases something for 
Exchange by then...

Anything in the works Scott.




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
MattSent: Tuesday, May 11, 2004 5:43 PMTo: 
[EMAIL PROTECTED]Subject: Re: [Declude.Virus] RE Mass mailing 
maybe new virus
Take note that there was a virus payload at the link as Greg pointed 
out, but it appears that Terra-Lycos has killed the domain in 
question.It is too bad that the power that be aren't buying 
JunkMail. I find it to be a very effective last line of protection for 
viruses, as virtually everything that slips through before definitions are 
updates, ends up getting caught by a good JunkMail config. It can be very 
time consuming though, especially if you enjoy it too much 
:)MattDouglas Cohn wrote:

  
  Thanks
  
  I was thinking about adding the rule as well but also 
  assumed that any legit mail to yahoo would be blocked and stopped 
  myself.
  
  Too bad the powers that be here are not buying JUNK 
  Mail.
  
  DC
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of MattSent: Tuesday, May 11, 2004 4:57 
  PMTo: [EMAIL PROTECTED]Subject: 
  Re: [Declude.Virus] RE Mass mailing maybe new virusThis 
  is likely just spam. The technique with the URL is someone exploiting 
  Yahoo's redirection scheme to land you on another site. They do this to 
  hide from URL parsers that don't recognize the exploit.It is possible 
  that the site tries to install an exploit such as Java Byte Verify, which can 
  be used to place just about anything on your computer, but typically just 
  drops browser helper objects (adware/spyware) onto your system. Norton 
  stops this stuff cold, and it's been around for a while. Note that I 
  didn't bother with the payload link.Anyway, it just looks like it's 
  forging spam to me.Your block of that address also isn't very wise 
  because it is a legitimate link that could stop valid E-mail from Yahoo and 
  their partners from getting through. If you are running JunkMail Pro, 
  there is a filter for this technique listed on my site (link in the sig) 
  called !YDIRECTED.Matt-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=Email 
  Admin wrote:
  




Hello
Our Mail server recevied a mass mailing earlier today.The email is 
address to [EMAIL PROTECTED] and is 
coming from[EMAIL PROTECTED]Copy of 
headers:Received: from mail.citravel.com [10.215.43.52] by 
citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 
11:25:34 -0400From: mail.citravel.com[EMAIL PROTECTED]To: [EMAIL PROTECTED]Subject: 
RE:X-Mailer: Microsoft OutlookMime-Version: 1.0Content-Type: 
text/html; charset=us-asciiMessage-Id: [EMAIL PROTECTED]X-Declude-Sender: 
[EMAIL PROTECTED] 
[10.215.43.52]X-Declude-Spoolname: Df06e0595011c829f.SMDX-Note: This 
message was scanned for SpamX-RBL-Warning: Total weight value: 
0X-Spam-Tests-Failed: Whitelisted [0]X-Note: Recipient 
Host: citravel.comX-Note: Sender 
Address: [EMAIL PROTECTED]X-Note: 
Sender Host Name: (Private IP) X-Note: Sender IP Address: 
10.215.43.52X-Note: Sender Country ID: X-Note: This E-mail was sent 
from (Private IP) ([10.215.43.52])Precedence: bulkSender: [EMAIL PROTECTED]Date: 
Tue, 11 May 2004 11:32:11 X-RCPT-TO: citravel.comStatus: 
UX-UIDL: 384277933This person's email client does not show they 
sent this message but the IPof the sending host is the senders 
system.I have scanned this system and it is showing virus free. 
Using SOPHOS latetest defs as of 2pm est 5/11/2004
I am also sniffing the network now looking for other SMTP 
Traffic.User who receive the email which has a link of h t t p:// d 
r s . y a h o o . com / citravel.com/newsGet sent to a pornography 
site. After they close this site there systemkeeps having pop ups 
appearing regularly.
this link redirects toh t t p:// d r s . y a h o o . com / 
citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
I am not so much worried about the email but as to how it 
was sent.
This is where I think it might be a virus.
Currently I have a filter stopping emails with d r s . y a h o o . 
 

RE: [Declude.Virus] problems with the F-Prot updater

[Douglas Cohn]

I have seen this as well.

You could write a batch file that tests for the website first and if it
resolves correctly runs the updater.  If not it loops through and delays 10
minutes and then tries again.

I have been planning to do just that myself.

I run the updates every hour so I am more likely to see this issue than
someone that runs it daily at 3AM.

Good luck

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hermann Strassner
Sent: Thursday, May 06, 2004 4:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] problems with the F-Prot updater

 Is any one else having problems getting updates from the f-prot site?
 I get a runtime error from the updater program, and when I go to the
website
 to download the updates, I get a page can not be found.

I can`t reach the website and i got an runtime error 1 time. Half an hour
later everything worked fine again. I think the website was down or there
was too much traffic.

Hermann

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] blocking auto reply messages

[Douglas Cohn]

Help me out please.

Why are we looking for the beginning of an IP address?  Also my
understanding of these filters is to eliminate sending emails to users that
were not the original senders because of a forged virus.  Is that correct???
If so wouldn't adding the Virus name to the declude forged tag solve that??

I am asking here so please do not assume I know much G...

bracketfl - returned messages should have the original headers so I'm
looking for the beginning of an IP address 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: Thursday, May 06, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] blocking auto reply messages

on 4/30/04 12:41 PM, Jeffrey Di Gregorio wrote:

 Does anyone have a suggestion on what to do about the growing number 
 of auto reply messages being received by clients because of the 
 current amount of forging viruses.  I am getting daily complaints from 
 clients who say they never sent anything to someone but are receiving 
 multiple auto response messages (user unknown, mailbox full, virus 
 warnings, etc.)  I am at a loss on what to do about this.

I was having the same problem as you and I came up with these filters that
seem to work for me.

UNKNOWNUSERF filter e:\imail\declude\unknownuserf.txt   x 0  0
BRACKETFLfilter e:\imail\declude\bracketfl.txt  x 0  0
BRACKETFRfilter e:\imail\declude\bracketfr.txt  x 0  0
ACSMAILF filter e:\imail\declude\acsmailf.txt   x 0  0
NEVERSENTF   filter e:\imail\declude\neversentf.txt x 0  0

unknownuserf - 

SKIPIFWEIGHT 50
BODY 0 CONTAINS unknown user
BODY 0 CONTAINS user unknown

bracketfl - returned messages should have the original headers so I'm
looking for the beginning of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS [1
BODY 0 CONTAINS [2
BODY 0 CONTAINS [3
BODY 0 CONTAINS [4
BODY 0 CONTAINS [5
BODY 0 CONTAINS [6
BODY 0 CONTAINS [7
BODY 0 CONTAINS [8
BODY 0 CONTAINS [9

bracketfr - looking for the end of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS 0]
BODY 0 CONTAINS 1]
BODY 0 CONTAINS 2]
BODY 0 CONTAINS 3]
BODY 0 CONTAINS 4]
BODY 0 CONTAINS 5]
BODY 0 CONTAINS 6]
BODY 0 CONTAINS 7]
BODY 0 CONTAINS 8]
BODY 0 CONTAINS 9]

acsmailf - contains the IP and name of my outgoing mail server (obviously
substitute yours), if the message contains one of these values it is
possible the message did originate here.

SKIPIFWEIGHT 50
BODY 0 CONTAINS 12.4.184.4
BODY 0 CONTAINS mail.acsworld.com

neversentf - if the message was about an unknown user and had header
records, but they were not from my mail server, then it didn't come from my
mail server so we add 40 to the weight. We delete on 40 weight.

SKIPIFWEIGHT  50
TESTSFAILED  END CONTAINS acsmailf
TESTSFAILED   40 CONTAINS unknownuserf bracketfl bracketfr

If anyone is interested, our newest nigerian filter is available for
download at http://www.acsworld.net/declude/nigerianf.zip . It's a work in
progress but it seems to catch some scam messages everyday.

Later,
Greg

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: CBL:RE: [Declude.Virus] .CPL file blocked

[Douglas Cohn]

HUH???

The latest released version is 1.75; the latest beta is 1.75. 

You meant Beta is 1.79 correct??? 

Also what happened to that emergency list you created.  I joined it or tried
to but was never confirmed.

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, April 28, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: Re: CBL:RE: [Declude.Virus] .CPL file blocked


Is the latest version of Declude 1.78i28?

No.

The latest released version is 1.75; the latest beta is 1.75.  You are
running an interim release -- and as such, you really, REALLY should know
that it cannot be the latest release.  Whenever running an interim release,
you should always upgrade to the next beta or released version.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] .CPL file blocked

[Douglas Cohn]

I have told my users that they should zip everything up.  But obviously no
one listens.  Therefore they need to transfer word, excel docs so I did not
block it (actually I removed them after hearing complaints enough times).
Additionally we send out notifications to the recipient with a link that
enables them to download the suspect email at their own risk.  So blocking
is not the end all here.  The outbound mail was the issue with xls and doc.


DC



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Olden
Sent: Wednesday, April 28, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] .CPL file blocked

Douglas,
Can I ask why you block MS Access files (MDB) and not other Office products
that can contain macros?

John Olden - Systems Administrator
Champaign Park District


- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 3:34 PM
Subject: RE: [Declude.Virus] .CPL file blocked


 This is the most recent list I was given.  (from this list).  It has a
few more than Johns.

 BANEXT ad
 BANEXT adp
 BANEXT asp
 BANEXT bas
 BANEXT bat
 BANEXT CEO
 BANEXT chm
 BANEXT cmd
 BANEXT com
 BANEXT cpl
 BANEXT crt
 BANEXT exe
 BANEXT hlp
 BANEXT hta
 BANEXT inf
 BANEXT ins
 BANEXT isp
 BANEXT js
 BANEXT jse
 BANEXT lnk
 BANEXT mdb
 BANEXT mde
 BANEXT msc
 BANEXT msi
 BANEXT msp
 BANEXT mst
 BANEXT pcd
 BANEXT pif
 BANEXT reg
 BANEXT scr
 BANEXT sct
 BANEXT shb
 BANEXT shs
 BANEXT url
 BANEXT vb
 BANEXT vbe
 BANEXT vbs
 BANEXT vsd
 BANEXT vss
 BANEXT vst
 BANEXT vsw
 BANEXT ws
 BANEXT wsc
 BANEXT wsf
 BANEXT wsh


 BANEXT EZIP


 -- Original Message --
 From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Tue, 27 Apr 2004 11:12:07 -0700

 Here is my published policy, just revised yesterday:
 
 
 
 http://www.eservicesforyou.com/documents/emailattachments.pdf
 
 
 
 John Tolmachoff
 
 Engineer/Consultant/Owner
 
 eServices For You
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill
 Sent: Tuesday, April 27, 2004 9:19 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] .CPL file blocked
 
 
 
 Is this the list that everyone else is using?
 
 
 
 BANEXTBAS
 BANEXTBAT
 BANEXTCMD
 BANEXTCOM
 BANEXTCPL
 BANEXTHTA
 BANEXTEXE
 BANEXTMSI
 BANEXTMSP
 BANEXTMST
 BANEXTPIF
 BANEXTREG
 BANEXTSCR
 BANEXTSCT
 BANEXTVB
 BANEXTVBE
 BANEXTVBS
 BANEXTWSC
 BANEXTWSF
 BANEXTWSH
 BANEXTEZIP
 
 
 
 BANZIPEXTS  ON
 BANEZIPEXTS  ON
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Little
 Sent: Tuesday, April 27, 2004 9:17 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] .CPL file blocked
 
 Reminder
 If your not yet blocking CPL, your over due.
 (Also HTA, VBS, exe, scr and com)
 
 Greg
 
 From http://vil.nai.com/vil/content/v_122415.htm
 
 
 
 Attachment: May be one of the follwing:
 
 * Script dropper - using one of the following file extensions:
 
 * HTA
 * VBS
 
 * Password-protected ZIP archive (detected as W32/Bagle.gen!pwdzip)
 * Executable, using one of the following file extensions:
 
 * exe
 * scr
 * com
 * cpl
 
 * Executable dropper, CPL file with .CPL file extension.
 
 The executable uses the following icon:
 
 
 
 The CPL file uses the following icon:
 
 
 
 
 Don Hickey wrote:
 
 
 
 Here ya go - New Description
 
 http://us.mcafee.com/virusInfo/default.asp?id=description

http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=1224
15
 virus_k=122415
 
 Don
 
 
 
 
 
 
 
 







 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Mcafee NetShield Problems

[Douglas Cohn]

Contact Microsoft.  They can analyze the dumps for you.  64K dumps should be
fine.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Hahn
Sent: Wednesday, April 28, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mcafee NetShield Problems

John-
Thanks for the response.
We are taking small memory dumps as we cannot afford to have it down in time
for a full 4 GB mem dump.  I do have 189 Minni 64 KB dump files.
How can I analyze those?

I also opened drwatsn32. It is enabled and noticed a error I N ldap
Application exception occurred:
App: f:\imail\OpenLDAP\bin\slapd.exe (pid=1940)
When: 4/24/2004 @ 07:24:33.281
Exception number: c005 (access violation)

I have 1 power supply
I have latest BIOS
Raid adapter was current until 4/23 when a new firmware was released.
We will be upgrading that tonight.


Any thoughts.
Thanks




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Wednesday, April 28, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mcafee NetShield Problems

Any memory dumps being created?

Is DrWatson Running?

Do you have 2 power supplies running, and are they both in use?

What is the firmware on the raid controller? (There was a critical update on
this about 5 months ago.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Scott Hahn
 Sent: Wednesday, April 28, 2004 9:23 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Mcafee NetShield Problems
 
 We are having problems with a brand new dell poweredge 2650 that is 
 crashing 5-10 times per day:
 Windows 2003 Latest patches
 Imail 8.1 latest
 Declude Junk  Virus
 Netshield 4.5
 
 We have worked this with dell and they have run Hardware Diagnostics
and
 they Do not see a problem
 
 My question:
 Is anyone else having problems using Netshield 4.5.1 on windows 2003 ?
 Is anyone using Virus scan enterprise 7 on windows 2003 with declude?
 
 
 Thanks all
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Mcafee NetShield Problems

[Douglas Cohn]

Why the interest in the second power supply???  Is it used or just laying in
wait for the first one to die as in 99% of the RDP systems currently in
production?

Don't get me wrong.  You should always have at least one spare power supply
handy and if money is not an issue or the server is critical (mail) then
install them both but this is the first I ever heard anyone say you need the
second power supply to avoid daily crashes.  Is it a DELL thing?

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Wednesday, April 28, 2004 5:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mcafee NetShield Problems

I agree with Scott's response about LDAP.

The raid controller firmware I am not concerned with, although I did not
know they had a new one. I will have to check on my clients 2650 for that.

While apparently not the root of the problem, I would highly suggest getting
the second PS for that unit and installing it. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Scott Hahn
 Sent: Wednesday, April 28, 2004 12:24 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Mcafee NetShield Problems
 
 John-
   Thanks for the response.
 We are taking small memory dumps as we cannot afford to have it down 
 in time for a full 4 GB mem dump.  I do have 189 Minni 64 KB dump files.
 How can I analyze those?
 
 I also opened drwatsn32. It is enabled and noticed a error I N ldap 
 Application exception occurred:
 App: f:\imail\OpenLDAP\bin\slapd.exe (pid=1940)
 When: 4/24/2004 @ 07:24:33.281
 Exception number: c005 (access violation)
 
 I have 1 power supply
 I have latest BIOS
 Raid adapter was current until 4/23 when a new firmware was released.
 We will be upgrading that tonight.
 
 
 Any thoughts.
 Thanks
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Wednesday, April 28, 2004 12:37 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Mcafee NetShield Problems
 
 Any memory dumps being created?
 
 Is DrWatson Running?
 
 Do you have 2 power supplies running, and are they both in use?
 
 What is the firmware on the raid controller? (There was a critical 
 update on this about 5 months ago.)
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Scott Hahn
  Sent: Wednesday, April 28, 2004 9:23 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.Virus] Mcafee NetShield Problems
 
  We are having problems with a brand new dell poweredge 2650 that is 
  crashing 5-10 times per day:
  Windows 2003 Latest patches
  Imail 8.1 latest
  Declude Junk  Virus
  Netshield 4.5
 
  We have worked this with dell and they have run Hardware Diagnostics
 and
  they Do not see a problem
 
  My question:
  Is anyone else having problems using Netshield 4.5.1 on windows 2003 ?
  Is anyone using Virus scan enterprise 7 on windows 2003 with declude?
 
 
  Thanks all
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To 
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
 just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] .CPL file blocked

[Douglas Cohn]

This is the most recent list I was given.  (from this list).  It has a few more than 
Johns.

BANEXT  ad
BANEXT  adp 
BANEXT  asp
BANEXT  bas
BANEXT  bat
BANEXT  CEO
BANEXT  chm
BANEXT  cmd
BANEXT  com
BANEXT  cpl 
BANEXT  crt 
BANEXT  exe
BANEXT  hlp
BANEXT  hta
BANEXT  inf
BANEXT  ins 
BANEXT  isp
BANEXT  js
BANEXT  jse
BANEXT  lnk
BANEXT  mdb 
BANEXT  mde 
BANEXT  msc 
BANEXT  msi
BANEXT  msp 
BANEXT  mst
BANEXT  pcd
BANEXT  pif
BANEXT  reg
BANEXT  scr
BANEXT  sct 
BANEXT  shb 
BANEXT  shs 
BANEXT  url
BANEXT  vb
BANEXT  vbe
BANEXT  vbs
BANEXT  vsd 
BANEXT  vss 
BANEXT  vst
BANEXT  vsw
BANEXT  ws
BANEXT  wsc 
BANEXT  wsf 
BANEXT  wsh


BANEXT  EZIP


-- Original Message --
From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 27 Apr 2004 11:12:07 -0700

Here is my published policy, just revised yesterday:

 

http://www.eservicesforyou.com/documents/emailattachments.pdf

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill
Sent: Tuesday, April 27, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] .CPL file blocked

 

Is this the list that everyone else is using?  

 

BANEXTBAS
BANEXTBAT
BANEXTCMD
BANEXTCOM
BANEXTCPL
BANEXTHTA
BANEXTEXE
BANEXTMSI
BANEXTMSP
BANEXTMST
BANEXTPIF
BANEXTREG
BANEXTSCR
BANEXTSCT
BANEXTVB
BANEXTVBE
BANEXTVBS
BANEXTWSC
BANEXTWSF
BANEXTWSH
BANEXTEZIP

 

BANZIPEXTS  ON
BANEZIPEXTS  ON

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Little
Sent: Tuesday, April 27, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] .CPL file blocked

Reminder
If your not yet blocking CPL, your over due.
(Also HTA, VBS, exe, scr and com)

Greg

From http://vil.nai.com/vil/content/v_122415.htm

 

Attachment: May be one of the follwing:

*  Script dropper - using one of the following file extensions: 

*  HTA 
*  VBS 

*  Password-protected ZIP archive (detected as W32/Bagle.gen!pwdzip) 
*  Executable, using one of the following file extensions: 

*  exe 
*  scr 
*  com 
*  cpl 

*  Executable dropper, CPL file with .CPL file extension. 

The executable uses the following icon:



The CPL file uses the following icon:




Don Hickey wrote:



Here ya go - New Description
 
http://us.mcafee.com/virusInfo/default.asp?id=description
http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=122415
virus_k=122415
 
Don
 
 
  

 



 




 
   
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] [OT} Anti-Virus - Client Side Suggestion

[Douglas Cohn]

We have also used Norton Corporate for at least 3 - 4 years now with no
problems.

I remember a few years back when we had a mess in our network (In 1999 fast
growing pains) and a dedicated customer installed Norton and we had
installed it for our shared.  We saw his Norton in the Server MMC Manager
screens and he saw ours.  What a Nightmare that was.

We had a /19 with no subnets.  One FLAT Network.  Fast but very sloppy and
full of nightmares.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Monday, April 26, 2004 12:00 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] [OT} Anti-Virus - Client Side Suggestion

McAfee, Norton, or others?  Which do you think provides the quickest updates
and the best support..

Just was curious..


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] MAXATONCE Switch

[Douglas Cohn]

Yes . I only removed /nofloppy

Thanks very much. The performance is where it should 
be. I was wondering why mail was so slow BG 
DUH.

DC


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
MattSent: Saturday, April 17, 2004 12:50 AMTo: 
[EMAIL PROTECTED]Subject: Re: [Declude.Virus] MAXATONCE 
Switch
Doug,I'm not sure about the NOMEM option, but I verified 
several months ago that while NOBOOT isn't listed, fpcmd.exe will scan the boot 
sectors unless you use that switch. You should definitely use both of 
these switches.MattDouglas Cohn wrote:
First of all I am a putz cause I completely ignored the first line since my
path was more like the second G.

But if you type fpcmd /? It does not show the NOMEM or NOBOOT options.

Weird.

I will switch it now.

DAMN  Now I know why my mail was so slow.  What a moron I
yam..

Thanks

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hyslip
Sent: Friday, April 16, 2004 11:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MAXATONCE Switch

As listed at http://www.declude.com/virus/manual.htm

F-Prot -
SCANFILE C:\Progra~1\Comman~1\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE
/NOBOOT /DUMB /REPORT=report.txt (or SCANFILE
C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY
/NOBOOT /DUMB /REPORT=report.txt)

VIRUSCODE 3
VIRUSCODE 6
REPORTInfection:

Definitely works a lot better than the 16-bit version :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Douglas Cohn
Sent: Friday, April 16, 2004 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MAXATONCE Switch

Scott

Why does your sample F-prot command line use the 16 bit scanner instead of
the 32 bit one?

Do you have a recommended command line for FPcmd and do you recommend that
we always use it instead of F-prot.exe.  I have not patched my Imail server
with the current Microsft patches because I am concerned as well. I have
seen some odd behavior on other systems with those updates.

I see /noboot /nofloppy and others are not available under fpcmd.

TIA

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Friday, April 16, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MAXATONCE Switch


  
  Your recommendation is MAXATONCE O allows unlimited processes to run at 
the same time.

Correct.

  
  Setting the switch to 8 or 10 will make SMTP hangs or become slower?

It is unlikely to make much of a difference, because [1] SMTP hangs should
not be related to the resources used by the virus scanner, and [2] it is
unlikely that you will have 8-10 virus scanners processes running at the
same time.

The MAXATONCE option was originally designed for people who have licensing
arrangements where they can only have a certain number of copies of the
virus scanner running simultaneously.

  
  Is you recommendation to set it to unlimited?

Yes.

  
  SMTP is now very slow after applying MSFT patches (apr 14). Sometimes 
smtp service just hangs.

For some reason, some servers have a horrible time handling too many 16-bit
processes, and end up causing serious delays in TCP/IP connections like you
describe.

Are you using a 16-bit virus scanner (such as F-Prot.exe) with Declude
Virus?  If so, I would recommend switching to a 32-bit scanner (such as
F-Prot's fpcmd.exe), which will likely help alleviate the problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

RE: [Declude.Virus] MAXATONCE Switch

[Douglas Cohn]

I am also using /SERVER and /ARCHIVE=5

I have no idea if it is doing anything worthwhile but it 
has not created any false positives so I leave it in. I actually got the 
config from users on this list.

I am being cautious regarding Viruscode 8 and excel and 
word files. So far so good.

SCANFILE C:\Progra~1\FSI\F-Prot\Fpcmd.exe /TYPE 
/SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /SERVER 
/REPORT=report.txt)

VIRUSCODE 3VIRUSCODE 6VIRUSCODE 
8REPORT Infection:


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting 
S.A. Luis Alberto ArangoSent: Saturday, April 17, 2004 12:38 
PMTo: [EMAIL PROTECTED]Subject: Re: 
[Declude.Virus] MAXATONCE Switch


The switch you should 
remove is /NOFLOPPY if you are using fpcmd.exe. Otherwise an error in the virus 
log will show up like this
1 [1 of 2 
not deleted] files were deleted

here is 
my new configuration with fprot 32 bits. And it works fine.
SCANFILE [PATH]fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE 
/NOBOOT /DUMB /REPORT=report.txt

[PATH]=where ever you 
fpcmd.exe is in your server.

In one post in the list 
a while ago, Scott suggested to remove the /NOBOOT switch along with /NOFLOPPY. 
But in the declude manual the /NOBOOT option is there, so I keep it in my 
scanfile line.

As I say it works very 
well now, and faster than ever. 

We also have the new 
MSFT patches installed.

 
-Luis Arango

-Original 
Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of MattSent: Friday, April 
16, 2004 
11:50 
PMTo: [EMAIL PROTECTED]Subject: X-SPAM-Phrase Re: [Declude.Virus] 
MAXATONCE Switch

Doug,I'm not sure about 
the NOMEM option, but I verified several months ago that while NOBOOT isn't 
listed, fpcmd.exe will scan the boot sectors unless you use that switch. 
You should definitely use both of these 
switches.MattDouglas Cohn 
wrote:First of all I am a putz cause I completely ignored the first line since mypath was more like the second G.But if you type fpcmd /? It does not show the NOMEM or NOBOOT options.Weird.I will switch it now.DAMN Now I know why my mail was so slow. What a moron Iyam..ThanksDC -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Mike HyslipSent: Friday, April 16, 2004 11:45 PMTo: [EMAIL PROTECTED]Subject: RE: [Declude.Virus] MAXATONCE SwitchAs listed at http://www.declude.com/virus/manual.htmF-Prot -SCANFILE C:\Progra~1\Comman~1\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE/NOBOOT /DUMB /REPORT=report.txt (or SCANFILEC:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY/NOBOOT /DUMB /REPORT=report.txt)VIRUSCODE 3VIRUSCODE 6REPORT Infection:Definitely works a lot better than the 16-bit version :)-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Douglas CohnSent: Friday, April 16, 2004 11:36 PMTo: [EMAIL PROTECTED]Subject: RE: [Declude.Virus] MAXATONCE SwitchScottWhy does your sample F-prot command line use the 16 bit scanner instead ofthe 32 bit one?Do you have a recommended command line for FPcmd and do you recommend thatwe always use it instead of F-prot.exe. I have not patched my Imail serverwith the current Microsft patches because I am concerned as well. I haveseen some odd behavior on other systems with those updates.I see /noboot /nofloppy and others are not available under fpcmd.TIADoug -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott PerrySent: Friday, April 16, 2004 10:48 AMTo: [EMAIL PROTECTED]Subject: Re: [Declude.Virus] MAXATONCE Switch 
Your recommendation is MAXATONCE O allows unlimited processes to run at the same time. Correct. 
Setting the switch to 8 or 10 will make SMTP hangs or become slower? It is unlikely to make much of a difference, because [1] SMTP hangs shouldnot be related to the resources used by the virus scanner, and [2] it isunlikely that you will have 8-10 virus scanners processes running at thesame time.The MAXATONCE option was originally designed for people who have licensingarrangements where they can only have a certain number of copies of thevirus scanner running simultaneously. 
Is you recommendation to set it to unlimited? Yes. 
SMTP is now very slow after applying MSFT patches (apr 14). Sometimes smtp service just hangs. For some reason, some servers have a horrible time handling too many 16-bitprocesses, and end up causing serious delays in TCP/IP connections like youdescribe.Are you using a 16-bit virus scanner (such as F-Prot.exe) with DecludeVirus? If so, I would recommend switching to a 32-bit scanner (such asF-Prot's fpcmd.exe), which will likely help alleviate the problem. -Scott---Declude JunkMail: The advanced anti-spam solution for IMail mailserverssince 2000.Declude Virus: Ultra reliable virus detection and the leader in mailservervulnerability detection.Find out what you've been missing: Ask for a free 30-day evaluation.---[This E-mail was scanned for viruses by Declude 

RE: [Declude.Virus] MAXATONCE Switch

[Douglas Cohn]

Scott

Why does your sample F-prot command line use the 16 bit scanner instead of
the 32 bit one?

Do you have a recommended command line for FPcmd and do you recommend that
we always use it instead of F-prot.exe.  I have not patched my Imail server
with the current Microsft patches because I am concerned as well. I have
seen some odd behavior on other systems with those updates.

I see /noboot /nofloppy and others are not available under fpcmd.

TIA

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, April 16, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MAXATONCE Switch


Your recommendation is MAXATONCE O allows unlimited processes to run at 
the same time.

Correct.

Setting the switch to 8 or 10 will make SMTP hangs or become slower?

It is unlikely to make much of a difference, because [1] SMTP hangs should
not be related to the resources used by the virus scanner, and [2] it is
unlikely that you will have 8-10 virus scanners processes running at the
same time.

The MAXATONCE option was originally designed for people who have licensing
arrangements where they can only have a certain number of copies of the
virus scanner running simultaneously.

Is you recommendation to set it to unlimited?

Yes.

SMTP is now very slow after applying MSFT patches (apr 14). Sometimes 
smtp service just hangs.

For some reason, some servers have a horrible time handling too many 16-bit
processes, and end up causing serious delays in TCP/IP connections like you
describe.

Are you using a 16-bit virus scanner (such as F-Prot.exe) with Declude
Virus?  If so, I would recommend switching to a 32-bit scanner (such as
F-Prot's fpcmd.exe), which will likely help alleviate the problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] MAXATONCE Switch

[Douglas Cohn]

First of all I am a putz cause I completely ignored the first line since my
path was more like the second G.

But if you type fpcmd /? It does not show the NOMEM or NOBOOT options.

Weird.

I will switch it now.

DAMN  Now I know why my mail was so slow.  What a moron I
yam..

Thanks

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hyslip
Sent: Friday, April 16, 2004 11:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MAXATONCE Switch

As listed at http://www.declude.com/virus/manual.htm

F-Prot -
SCANFILE C:\Progra~1\Comman~1\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE
/NOBOOT /DUMB /REPORT=report.txt (or SCANFILE
C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY
/NOBOOT /DUMB /REPORT=report.txt)

VIRUSCODE 3
VIRUSCODE 6
REPORTInfection:

Definitely works a lot better than the 16-bit version :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Friday, April 16, 2004 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MAXATONCE Switch

Scott

Why does your sample F-prot command line use the 16 bit scanner instead of
the 32 bit one?

Do you have a recommended command line for FPcmd and do you recommend that
we always use it instead of F-prot.exe.  I have not patched my Imail server
with the current Microsft patches because I am concerned as well. I have
seen some odd behavior on other systems with those updates.

I see /noboot /nofloppy and others are not available under fpcmd.

TIA

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, April 16, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MAXATONCE Switch


Your recommendation is MAXATONCE O allows unlimited processes to run at 
the same time.

Correct.

Setting the switch to 8 or 10 will make SMTP hangs or become slower?

It is unlikely to make much of a difference, because [1] SMTP hangs should
not be related to the resources used by the virus scanner, and [2] it is
unlikely that you will have 8-10 virus scanners processes running at the
same time.

The MAXATONCE option was originally designed for people who have licensing
arrangements where they can only have a certain number of copies of the
virus scanner running simultaneously.

Is you recommendation to set it to unlimited?

Yes.

SMTP is now very slow after applying MSFT patches (apr 14). Sometimes 
smtp service just hangs.

For some reason, some servers have a horrible time handling too many 16-bit
processes, and end up causing serious delays in TCP/IP connections like you
describe.

Are you using a 16-bit virus scanner (such as F-Prot.exe) with Declude
Virus?  If so, I would recommend switching to a 32-bit scanner (such as
F-Prot's fpcmd.exe), which will likely help alleviate the problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] getting this in my logfile

[Douglas Cohn]

On this same subject.

If you are using Fprot and have configured it exactly as you recommend on
the WEBSITE will an Excel file with a dangerous Macro be detected?

IE is there a middle ground with FPROT?  I currently have /SERVER in my
commandline and Viruscode 8 in my config (see below) because I did not want
infected Excel files passing.  But I do not want to block every Excel/Word
file just because it has a macro.  

Alternatively if an Excel file that is NOT infected but contains a macro is
enclosed within a ZIP file with these same settings (that I am using) will
it also block it?

TIA

Doug

Snippet of my Virus.cfg--

SCANFILEC:\Program Files\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM
/ARCHIVE /NOBOOT /DUMB /SERVER /REPORT=report.txt

VIRUSCODE   3
VIRUSCODE   6
VIRUSCODE   8
REPORTInfection

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, April 13, 2004 8:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] getting this in my logfile



04/13/2004 11:21:23 Qb1072b82012a066d Could not find parse string
Infection in report.txt
04/13/2004 11:21:23 Qb1072b82012a066d Error 8 in virus scanner 1.
04/13/2004 11:21:23 Qb1072b82012a066d Scanned: Error in virus scanner. 
[MIME: 2 270831]

the mail with attachment are being hold

Its a mail with an excel document with macro's but no virus

Running the latest f-prot, and a the latest interim relase, anyone 
having
any idea why or what happens

It sounds like you set up F-Prot to detect suspicious files -- which will 
block most files with macros in them.  You need to switch back to the 
default settings (unless you are OK blocking files with macros in them).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] netsky p ?

[Douglas Cohn]

Is there any thought about changing this?  IE removing the attachment and
passing the email through.

Or is the case I gave very rare??  IE a legitimate email with the
Quarantined Attachment.txt. And if not blocked it will come through, I am
aware as I do not block them.

Why add Quarantined Attachment.txt to the list of banned names?  Who cares
if it gets through?  It is not a virus anymore, and if it is it will be
detected.

Basically I am asking if anyone knows whether the percentage of the emails
that have been cleaned and replaced with this ridiculous text file, viruses
or just attachments that are not allowed.

Thanks guys

Doug  



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 25, 2004 9:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] netsky p ?


So again the question is does banname block the attachment or the email 
and the attachement???

It should treat the E-mail the same way as a banned file extension, sending
out the \IMail\Declude\bannotify.eml file.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Could not find parse string Infection: in report.txt

[Douglas Cohn]

Can anyone tell me what this means.  I included the later lines as well.

Running Declude standard Diagnostics ON (Declude v1.78i27). Fprot 3.14e with
this command line
SCANFILEC:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM
/ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /SERVER /REPORT=report.txt)

VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORTInfection:



03/19/2004 03:01:17 Qa8cb020101122357 Could not find parse string Infection:
in report.txt

03/19/2004 03:01:17 Qa8cb020101122357 File(s) are INFECTED [: 8]
03/19/2004 03:01:17 Qa8cb020101122357 Scanned: CONTAINS A VIRUS [MIME: 3
25487]
03/19/2004 03:01:17 Qa8cb020101122357 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 80.65.93.134]
03/19/2004 03:01:17 Qa8cb020101122357 Subject: Re: Thank you!

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Could not find parse string Infection: in report.txt

[Douglas Cohn]

Thanks for the immediate reply G

Will it treat the message like a virus.  IE not forward it to the recipient?

Love your company and product.  You should start a consulting company and
teach corporations how to treat customers.

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Saturday, March 20, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Could not find parse string Infection: in
report.txt


Can anyone tell me what this means.  I included the later lines as well.

03/19/2004 03:01:17 Qa8cb020101122357 Could not find parse string
Infection:
in report.txt

That means that F-Prot detected a suspicious file, but not a virus.  When it
does that, it can't know the virus name, so it cannot report the virus name
in the report.txt file.  Since Declude Virus expects a virus name to be
present, that warning is logged.  In this case, you will see the name of the
virus appear as [Unknown Virus].

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] whitelisting?

[Douglas Cohn]

I agree with your customer.  Why do you ban all zip files?  How are they expected to 
conduct business if their business requires transferring files?  My customers required 
that I create a way for them to retrieve the infected files for them.

You could simply do that.  Allow the customer to retrieve the infected files if 
desired by creating a link and script to copy them into the spool dir.

Blocking encrypted zips is one thing but why all zip files?

Doug


-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 19 Mar 2004 12:44:15 -0500

Hi,

I have a customer that is insisting I let .zip files through (I have them
banned right now).

Is there any way to allow email to a single address to go through?  If I do
a whitelist entry for this one email address in the global.cfg, will that
work?

Thanks, andy
thumpernet

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


 




 
   
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] More details on Virus.cfg and F-prot 3.14E

[Douglas Cohn]

I have been following the recent threads but I have not seen a definitive
answer.  Most likely because it is still so new (F-prot 3.14E).  Some help
would be greatly appreciated.

What about the /SERVER setting?  Any advantage to using it.

I am also a bit confused about the Viruscode settings.

I am using the defaults that you recommend
VIRUSCODE   3
VIRUSCODE   6
REPORTInfection:

But I see others are adding

VIRUSCODE   8
OKCODE2 5

What value do they have if any?  I assume they must have some value or they
would not be using them (I Hope g).

Lastly where can I verify and find future info on which Viruses forge
headers.  This list was nicely supplied to me from someone on this list and
I have added it to my cfg.

FORGINGVIRUSKlez
FORGINGVIRUSBagle
FORGINGVIRUSBraid
FORGINGVIRUSBridex
FORGINGVIRUSBugbear
FORGINGVIRUSDumaru
FORGINGVIRUSFizzer
FORGINGVIRUSHybris
FORGINGVIRUSKlez
FORGINGVIRUSLentin
FORGINGVIRUSMagistr
FORGINGVIRUSMydoom
FORGINGVIRUSMimail
FORGINGVIRUSPalyh
FORGINGVIRUSSober
FORGINGVIRUSSobig
FORGINGVIRUSVulnerability
FORGINGVIRUSYaha

Thanks

Doug




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 18, 2004 1:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Log error with latest interim release



Scott,  your thoughts?

 From what I have seen, AV heuristics just don't do a good enough job to be 
useful.  Specifically, they seem to catch legitimate E-mails regularly 
(typically .doc/.xls files).  However, depending on your needs, it may be 
worthwhile to use the heuristics, if the occasional false positive is 
acceptable.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-prot 3.14e

[Douglas Cohn]

Thanks.  The mail server is W2K server.

Appreciate the input.

Doug 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A.
Luis Alberto Arango
Sent: Tuesday, March 16, 2004 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

If you run W2K professional usually f-prot asks you to reboot after the
upgrade. Running W2K Server it shouldn't ask you for any reboot at all... at
least that has been my experience.

So.. you don't have to worry about rebooting.

Regards
Luis Arango

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Tuesday, March 16, 2004 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

Being new to Declude/F-prot I was testing an install.  Running W2K I updated
F-Prot from 3.14C to 3.14E and restarted everything without rebooting.
Seems to be working fine on my desktop.

Is this safe on my mail server as well?  I am not very comfortable rebooting
that often.

Thanks

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

I didn't have 3.14d loaded in production long enough to form an opinion, but
3.14e seems to be working perfectly. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot 3.14e

Appears to be out today.


--

John Shacklett

[EMAIL PROTECTED]
[EMAIL PROTECTED]

www.continentaloffice.com
 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-] [Email
escaneado contra virus por Panda Consulting -www.pandacons.com-]


__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-] [Email
escaneado contra virus por Panda Consulting -www.pandacons.com-]

[AUTOMATED NOTE: Your mail server [129.250.225.148] is missing a reverse DNS
entry. All Internet hosts are required to have a reverse DNS entry. The
missing reverse DNS entry will cause your mail to be treated as spam on some
servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-prot 3.14e

[Douglas Cohn]

I am running it locally on W2K Pro without rebooting and did get some error
recently but was with the On demand Scanner which is not used.  But it
clearly stated reboot required.

I will test on W2K Server and will soon know. The real issue is if it saus
reboot do I need to.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Wednesday, March 17, 2004 8:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

We always thought that it depended on whether Real-Time protector and/or
Scheduler was updated. Guess some more experimentation is called for,
although we're scanning on an NT4 server. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A.
Luis Alberto Arango
Sent: Tuesday, March 16, 2004 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

If you run W2K professional usually f-prot asks you to reboot after the
upgrade. Running W2K Server it shouldn't ask you for any reboot at all... at
least that has been my experience.

So.. you don't have to worry about rebooting.

Regards
Luis Arango

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Tuesday, March 16, 2004 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

Being new to Declude/F-prot I was testing an install.  Running W2K I updated
F-Prot from 3.14C to 3.14E and restarted everything without rebooting.
Seems to be working fine on my desktop.

Is this safe on my mail server as well?  I am not very comfortable rebooting
that often.

Thanks

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

I didn't have 3.14d loaded in production long enough to form an opinion, but
3.14e seems to be working perfectly. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot 3.14e

Appears to be out today.


--

John Shacklett

[EMAIL PROTECTED]
[EMAIL PROTECTED]

www.continentaloffice.com
 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-] [Email
escaneado contra virus por Panda Consulting -www.pandacons.com-]


__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-] [Email
escaneado contra virus por Panda Consulting -www.pandacons.com-]

[AUTOMATED NOTE: Your mail server [129.250.225.148] is missing a reverse DNS
entry. All Internet hosts are required to have a reverse DNS entry. The
missing reverse DNS entry will cause your mail to be treated as spam on some
servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-prot 3.14e

[Douglas Cohn]

Being new to Declude/F-prot I was testing an install.  Running W2K I updated
F-Prot from 3.14C to 3.14E and restarted everything without rebooting.
Seems to be working fine on my desktop.

Is this safe on my mail server as well?  I am not very comfortable rebooting
that often.

Thanks

DC 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

I didn't have 3.14d loaded in production long enough to form an opinion, but
3.14e seems to be working perfectly. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot 3.14e

Appears to be out today.


--

John Shacklett

[EMAIL PROTECTED]
[EMAIL PROTECTED]

www.continentaloffice.com
 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] sample configs

[Douglas Cohn]

Are there any sample configs around to get some ideas on what works well.

I just setup Declude AV and it worked right out of the box.  Nice feeling.

Thanks for the great product.

Doug

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Encrypted password

[Douglas Cohn]

I read that there are two products capable of this. Aladdin and Network Box
or something like that.

http://www.ealaddin.com/news/2004/esafe/Bagel_virus.asp  and another
http://www.tmcnet.com/usubmit/2004/Mar/1024780.htm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Saturday, March 13, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Encrypted password

not directly relevent to declude
scott had mentioned that certains gateway scanners parse the message body
looking for the password, use that password to open the zip file and scan it
now they can do that anymore it would be intersting to see if these gateway
products will catch this type of message


- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 13, 2004 5:15 PM
Subject: RE: [Declude.Virus] Encrypted password


 Hi Serge:

 Could you please elaborate on this?

 I am confused.. The virus is password protected zip file?

 If so then we are covered with

 BANEXT EZIP

 Or is this different?

 Kami

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Saturday, March 13, 2004 12:11 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Encrypted password

 Now they have it in a BMP file so antivirus programs wont be able to find
 it:

 Note:  Use password img src=cid:wjqkastket.bmp; to  open  archive


 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just
 send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.