RE: [Declude.Virus] Large spam run of malware in Germany?

2007-01-14 Thread Markus Gufler
I can find one source of such a message in my virus logfiles. It was caught as possible malware more than 12 hours ago: From: [EMAIL PROTECTED] Subject: Deutsche Gebuehreneinzugszentrale Rechnung [German: invoice from the German licence fee collection centre] Attachment: Rechnung_GEZ.zip Markus > -Original Message- > From: [EMAIL PROTECTED] [ma

RE: [Declude.Virus] AUTOFORGE

2006-10-30 Thread Markus Gufler
Does anyone know why it was not possible to send messages to this list over the last 3-4 days? > Also can anyone supply their current list of FORGINGVIRUS FORGINGVIRUS Anonymous Driver FORGINGVIRUS Antiman FORGINGVIRUS Bagle FORGINGVIRUS Bobax FORGINGVIRUS Breatel FORGINGVIRUS Bridex FORGINGVIR

RE: [Declude.Virus] stration work

2006-10-02 Thread Markus Gufler
Thank you for turning this out. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, October 02, 2006 4:27 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] stration work It looks like the Stration worm is causing b

RE: [Declude.Virus] ClamAV Exit codes

2006-09-29 Thread Markus Gufler
urce depletion problem such as > a memory leak that may not even be directly related to clamd. > > George > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > > Markus Gufler > > Sent: Friday, September 29,

RE: [Declude.Virus] ClamAV Exit codes

2006-09-29 Thread Markus Gufler
reate temporary files/directories (check permissions). > .TP > 64: Can't write to temporary directory (please specify another one). > .TP > 70: Can't allocate and clear memory (calloc). > .TP > 71: Can't allocate memory (malloc). > > > > > -Original

RE: [Declude.Virus] ClamAV Exit codes

2006-09-29 Thread Markus Gufler
> Failure I do believe, probably ClamD is not running? Correct. Thank you. Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive

[Declude.Virus] ClamAV Exit codes

2006-09-29 Thread Markus Gufler
Does anyone know what exit codes ClamAV has and what they mean? From 2006-09-27 06:50PM on I can see a huge number of "Virus scanner 2 reports exit code of 2" ...in the virus-logfile. Markus

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
de.com > Subject: RE: [Declude.Virus] New Virus: zipped word doc with > Macro-Virus > > Is the word document only named that? > > John T > eServices For You > > "Seek, and ye shall find!" > > > -Original Message- > > From: [EMAIL PROTE

[Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
Some of us have noted in the past two hours that messages with a zip file as attachment have passed our virus filters. It's a zip file containing an MS Word document named "my_notebook.doc". Most virus scanners can't catch it. VirusTotal has returned only two scanners with positive results: Sophos ha

RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Markus Gufler
Hi Kami, I have F-Prot 3.16f (latest version) in use here and can't find any appearance of "Possibly a new variant of JS" in my logfiles. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Saturday, March 25, 2006 12:32 AM To: Declude.

RE: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

2006-03-08 Thread Markus Gufler
I use %LOCALHOST% in my postmaster.eml file. As I understand this should be the same, or not? Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher > Sent: Wednesday, March 08, 2006 6:24 PM > To: Declude.Virus@declude.com > Subje

RE: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

2006-03-08 Thread Markus Gufler
Sorry David, I hadn't had time to read the latest postings on this list. On my servers with 3.0.5.23 it seems to be working fine. That's what I can see in a postmaster.eml from today: Virus: Unknown Virus File: Unknown File From: To: Subject: Rec

RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-06 Thread Markus Gufler
Hi Bill, regarding the virus codes 9 and 10 that were introduced with F-Prot 3.16 I will quote the release notes: Archive handling has been improved and is now more consistent. Version 3.16 also includes detection against so-called "archive bombs", archives ... ... If the limit is exceeded th

RE: [Declude.Virus] Encoded viruses...worried

2006-02-02 Thread Markus Gufler
It's not the only thread remaining without comment from Declude even if there were replies to other threads in the meantime. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, February 02, 2006 7:32 PM To: Declude.Virus@declude

RE: [Declude.Virus] Heads up: something new is around

2006-02-02 Thread Markus Gufler
...seems to be a new variant of Bagle. VirusTotal says: Antivirus Version Update Result AntiVir 6.33.0.81 02.02.2006 TR/Bagle.Gen.B Avast 4.6.695.0 02.01.2006 no virus found AVG 718 02.01.2006 I-Worm/Bagle

[Declude.Virus] Heads up: something new is around

2006-02-02 Thread Markus Gufler
Block exe in zips (at least temporarily)! --- [This E-mail was scanned for viruses by Declude EVA www.declude.com]

RE: [Declude.Virus] Encoded viruses...worried

2006-02-01 Thread Markus Gufler
I've grepped through the logfiles for the last 7 days on my servers. 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" (ignoring double counts for the second AV scanner). After filtering out all lines containing "Kapser" and "Mywife" there remain the following 4 lines: 01/25/

RE: [Declude.Virus] Encoded viruses...worried

2006-02-01 Thread Markus Gufler
For grep and egrep on Windows machines use the switch -U to have correct line wraps. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, February 01, 2006 10:35 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Enco

RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Markus Gufler
if they are no longer > doing this, I > > would assume that turning it off would be wise so long as > you had two > > virus scanners running. > > > > Note that I'm not dismissing your primary intention of pointing out > > the FP issue with viru

[Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Markus Gufler
Today I've had a message held as a false positive ("unknown virus", exit code 8). F-Prot seems to end with this exit code if there is a password-protected zip file attached and in the body is something like "password: ." This message was definitively no false positive and so I requeued it. I've

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-29 Thread Markus Gufler
subject, etc.). Is this not true? Keith  -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Friday, January 27, 2006 12:03 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus]

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-29 Thread Markus Gufler
> I'm still on Declude v2.x and am comfortable there, as Don > points out, many of us are waiting for the v3.x to be utterly > stable and to have desired new features before going to it. > As the software is maturing, so is much of the userbase; > there used to be a lot of early adopters whe

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-28 Thread Markus Gufler
> community and particularly the people at Declude. > > I'd rather see Declude keep pumping the water out of the > bilge to the point they can fix the hull, rather than taking > the time to hang a new pennant from the mast. Wouldn't you? > > Thanks, > > >

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
hose tagged as suspicious. Do you have good statistics on > these, which show a significant false positive rate? I think > we'd all be interested in your finding . . . > > Thanks, > > > Friday, January 27, 2006, 10:56:56 AM, Markus Gufler > <[EMAIL PROTECTED]> wr

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Markus Gufler
virus names that they test for via DNS. Please correct me if I'm wrong on any of this. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Wednesday, January 25, 2006 2:37 PM To: Declude.Virus@declude.com Su

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
> So, with or without AVAFTERJM, it looks like each message is > scanned by the virus scanner (which makes sense to me). Wrong... if you block the messages on the servers: As we know, usually >50% of all incoming messages are spam. We know too that resource usage of one or two scan engines is w

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
> aren't you out hunting mosquitos with hand grenades? If the "mosquito" is a very nasty but important customer it's better using tanks, MGs and whatever you can organize in order to prevent painful stings... On a day like today I could turn on DELETEVIRUSES with nearly zero risk in order to

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
the virus logfile instead of the content from each virus message is definitively an excellent idea. However there is a simpler and more efficient possibility if we could delete infected messages by the virus name. Markus > > > Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler > <

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
> How does AVAFTERJM cut down on work? I thought it only > affected the order in which JM and AV ran, and that AV ran > each time, regardless of this setting. The problem I know is when someone is reviewing held spam messages and has the possibility to requeue them. In this case the message w

RE: [Declude.Virus] Virus Feebs variant warning

2006-01-25 Thread Markus Gufler
This is still the most significant limit in declude.eva's extensions banning. As long as we can't specify different BANEXTS for direct attachments and in-archive attachments many of us can't enable BANZIPEXTS. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behal

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread Markus Gufler
> As a work around until and if Declude adds the requested > feature, you could write a script to search the files on a > timed based for a phrase (virus > name) and have it delete them. Do you mean the script on my disk that creates one hour each day with 100% CPU usage? Markus

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread Markus Gufler
> But if we are cycling the held viruses on a x day basis, (my > cycle is 5 > days,) why would that be needed? 5 days x 2 viruses x 2 (d & q-file) = 200k files. Around 99% of these files contain the same 5 types of malware that are stored, moved and defragmented unnecessarily. I asked only be

[Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread Markus Gufler
Maybe someone has already requested it: Why not allow commands like DELETEVIRUSNAME Netsky DELETEVIRUSNAME Bagle ... in the virus.cfg file? I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as "suspicious" or "generi
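What a DELETEVIRUSNAME rule would have to do is decide, per held message, whether any scanner named a listed family outright, while a "suspicious" or "unknown virus" verdict alone never qualifies. The following is an added example, not Declude's code and not from the original posts: it parses virus log lines in the MID-level shape quoted elsewhere in this archive (an assumption about the exact format), applies a hypothetical DELETEVIRUSNAME list, and lists the hold files to remove under an assumed Q<id>.SMD / D<id>.SMD naming. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Assumed log line shape (modelled on MID-level lines quoted in this archive):
#   MM/DD/YYYY HH:MM:SS Q<queue-id> Scanner N: Virus=<name> Attachment=<file> [<code>]
LOG_LINE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<qid>Q[0-9a-fA-F]+) Scanner (?P<scanner>\d+): "
    r"Virus=(?P<virus>.*?) Attachment=(?P<attachment>\S*)"
)

# Hypothetical DELETEVIRUSNAME list, in the spirit of the proposed virus.cfg lines.
DELETE_VIRUS_NAMES = ["Netsky", "Bagle", "Mytob"]

# Heuristic or generic verdicts never justify deletion, whatever the list says:
# these are exactly the detections that can be false positives.
NEVER_DELETE = re.compile(r"unknown|suspicious|generic|possib|heuristic", re.IGNORECASE)

# Constructed sample log (not real server data).
SAMPLE_LOG = """\
01/25/2006 10:12:01 Q1a2b3c4d5e6f7081 Scanner 1: Virus=W32/Netsky.P@mm Attachment=document.pif [12]
01/25/2006 10:12:01 Q1a2b3c4d5e6f7081 Scanner 2: Virus=Email-Worm.Win32.NetSky.q Attachment=document.pif [12]
01/25/2006 10:15:44 Q2b3c4d5e6f708192 Scanner 1: Virus=Unknown Virus Attachment=price.zip [8]
01/25/2006 10:15:44 Q2b3c4d5e6f708192 Scanner 2: Virus=Suspicious file Attachment=price.zip [8]
01/25/2006 10:20:09 Q3c4d5e6f70819203 Scanner 1: Virus=Possibly a new variant of W32/Bagle Attachment=Stephen.zip [8]
01/25/2006 10:20:09 Q3c4d5e6f70819203 Scanner 2: Virus=W32/Bagle.dldr Attachment=Stephen.zip [42]
01/25/2006 10:31:57 Q4d5e6f7081920314 Scanner 1: Virus=W32/Mywife.D@mm Attachment=kapser.hqx [12]
01/25/2006 10:33:00 Q5e6f708192031425 Scanner 1: Virus=HTML/ObjData.gen Attachment= [12]
"""


@dataclass
class Detection:
    qid: str
    scanner: int
    virus: str
    attachment: str


def parse_virus_log(text):
    """One Detection per matching line; lines that are not detections are ignored."""
    out = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            out.append(Detection(m["qid"], int(m["scanner"]), m["virus"].strip(), m["attachment"]))
    return out


def family_of(virus, families):
    """Map a vendor name (W32/Bagle.dldr, I-Worm/Bagle.dl, Email-Worm.Win32.NetSky.q) to a
    configured family: the family must appear as a whole token, case-insensitively."""
    for fam in families:
        if re.search(r"(?<![A-Za-z])" + re.escape(fam) + r"(?![A-Za-z])", virus, re.IGNORECASE):
            return fam
    return None


def decide(detections, delete_names=DELETE_VIRUS_NAMES):
    """Per queue id: ('delete', family) if any scanner named a listed family outright,
    else ('keep', first reported name). A second scanner saying only 'suspicious'
    does not veto an explicit hit, but 'suspicious'/'unknown' alone never deletes."""
    verdict = {}
    for d in detections:
        verdict.setdefault(d.qid, ("keep", d.virus))
        if NEVER_DELETE.search(d.virus):
            continue
        fam = family_of(d.virus, delete_names)
        if fam:
            verdict[d.qid] = ("delete", fam)
    return verdict


def spool_files(qid, hold_dir):
    """Assumed hold-folder layout: a Q<id>.SMD control file and a D<id>.SMD data file."""
    hold = Path(hold_dir)
    return [hold / f"{qid}.SMD", hold / f"D{qid[1:]}.SMD"]


def files_to_delete(verdict, hold_dir):
    paths = []
    for qid, (action, _) in sorted(verdict.items()):
        if action == "delete":
            paths.extend(spool_files(qid, hold_dir))
    return paths


if __name__ == "__main__":
    v = decide(parse_virus_log(SAMPLE_LOG))
    for qid, (action, why) in sorted(v.items()):
        print(f"{qid}: {action} ({why})")
    print(files_to_delete(v, "hold"))
```

Run on the constructed log, the Netsky and Bagle messages are selected for deletion, the message that only ever scored "Unknown Virus"/"Suspicious file" stays in the hold folder for review, and families that are not listed (Mywife, HTML/ObjData) are left alone.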

RE: [Declude.Virus] New Virus?

2006-01-17 Thread Markus Gufler
That's exactly how I use the notifications. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, January 18, 2006 12:48 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I agree completely.

RE: [Declude.Virus] New Virus?

2006-01-17 Thread Markus Gufler
I've seen many of these Kapser.A today. I've added it to the forging virus list and (oops) forgot to write it on the Declude.Virus list. As we can see more and more that AV companies have forgotten how to call one virus by one name we should maybe begin to enhance their naming convention by an in

RE: [Declude.Virus] Virus Feebsa

2005-12-20 Thread Markus Gufler
Can't find anything about "feebsa" on vil.nai.com and the F-Prot virus info page. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) > Sent: Tuesday, December 20, 2005 6:54 AM > To: Declude.Virus@declude.com > Subject: [Declude.V

RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-16 Thread Markus Gufler
Hi Kami, (Nice to read you) > As suggested the best path at the moment could be: > BANZIPEXTS ON Yes, this is necessary and unfortunately we still can't choose to block only certain extensions within zip files from all the extensions we block as direct attachments. Something like BANZIPEXT exe

RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread Markus Gufler
> Some of the small AV companies are reporting it as a Bagle > variant and F-Prot is reporting it as MitGlieder.GU although > it is not catching it on the server. Even if I can't explain why it is not catching it I can confirm this. F-Prot on virustotal is catching it. On my server with newest

RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread Markus Gufler
www.virustotal.com (see my previous posting for results) At the moment I consider blocking, at least temporarily, exe in zips and updating the virus definitions. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic > Sent: Thursday, D

[Declude.Virus] Another new Bagle/Mitglieder variant

2005-12-15 Thread Markus Gufler
Not all scanners seem to catch it right now. This is a report processed by VirusTotal on 12/15/2005 at 16:35:59 (CET) after scanning the file "Stephen.zip". Antivirus Version Update Result AntiVir 6.33.0.61 12.15.2005 TR/Bagle.Gen.B

[Declude.Virus] New bagle

2005-12-14 Thread Markus Gufler
There is a new Bagle variant around here. F-Prot is catching it as a suspicious file. AVG does not catch it. Most other scanners have updates. The message is coming with two file attachments. The first is a small .bmp file, the second one a zip file with different names containing a .txt and a .exe fi

[Declude.Virus] Ircbot2 forging

2005-12-06 Thread Markus Gufler
It seems to be a virus with low prevalence but today I've had a case with many virus warnings to forged recipient addresses due to one infected client. FORGINGVIRUS Ircbot2.gen or for Sophos FORGINGVIRUS Forbot-FO Markus

RE: [Declude.Virus] Another Sober out. (=> idea)

2005-11-25 Thread Markus Gufler
> Seems like AV companies need to start using more advanced > pattern matching to catch these variants, rather than relying > on specific signatures. It's only a question of time until AV engines run a virtual PC sandbox and start the suspicious file inside it. If certain actions are taken

RE: [Declude.Virus] Another Sober out. (=> idea)

2005-11-25 Thread Markus Gufler
> Well, I would say it is more like a restaurant but you can > not get blow fish, alcohol, cigarettes, 10 Lbs of greasy > French fries, etc. Yes, and in my case as alcohol is prohibited you can't have an excellent glass of wine either. Some of our customers and partners are providing applicati

RE: [Declude.Virus] Another Sober out. (=> idea)

2005-11-25 Thread Markus Gufler
> I am scanning for viruses first. I block executables within > zips. Yes I know you can do this. But on my systems banning exe in zips is like having a restaurant where people can eat but drinking is not allowed. Markus

RE: [Declude.Virus] Another Sober out. (=> idea)

2005-11-25 Thread Markus Gufler
Thank you John but, > BANNAME mailtext.zip ...is this really the only name used by this variant? I'm feeling a little bit bad while adding and adding BANNAMEs to the virus.cfg file. First, as said yesterday, I feel there are many many BANNAME entries that are not more accurate or spreading

RE: [Declude.Virus] how is Declude 3.x?

2005-11-24 Thread Markus Gufler
IMail 8.15 and Declude 1.82 here. We will wait for SmarterMail 3, then compare it with IMail 2006 and then set up a completely new box with Declude v3. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox > Sent: Thursday, November 24, 2005

[Declude.Virus] BANNAMEs in log file

2005-11-24 Thread Markus Gufler
Would it be possible to have one line in the MID logfile for each banned filename? For example, if I have BANNAME price.com BANNAME price.scr BANNAME price.exe BANNAME price.cpl BANNAME joke.com BANNAME joke.scr BANNAME joke.exe BANNAME joke.cpl in my virus.cfg file it would be nice to have lines

[Declude.Virus] New Bagle variant Update

2005-11-23 Thread Markus Gufler
There seems to be another variant with the same description as in my message before but the exe in the zip file is named 12.exe. This is not detected by F-Prot and McAfee. VirusTotal says: Antivirus Version Update Result AntiVir 6.32.0.6 11.23.2005

[Declude.Virus] New Bagle variant

2005-11-23 Thread Markus Gufler
In the last 2 hours I can see something new. F-Prot is catching it with result code 8 as unknown virus. Looking at the first examples: Subject: a random name like Alice, Emanuel, Martha, Cybil, Ester. Body: empty HTML. Attachment: ZIP file with another random name like those in the subject line

RE: [Declude.Virus] OT: Virus Backscatter

2005-11-23 Thread Markus Gufler
Not OT, or? Some months ago there was a similar situation. I've set up a combination of 3 junkmail text filters. The first identifies such warning messages by looking for strings like found, identified, removed... The second one looks for items like virus, worm, attach, file... The last one loo
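The filter combination described in that post, as an added example that is not part of the original message or of Declude: three keyword groups are evaluated over the headers and text parts of a message and a message is classed as virus backscatter only when all three fire, so a plain bounce for an unknown user or a normal mail that happens to say "found the file" is left alone. The first two groups use the words the post names; the third (NDR wording) is my assumption about what the truncated third filter looks for. The three sample messages are constructed for the example.

```python
import email
import re

# Group 1 and 2 follow the post; group 3 is an assumed NDR/bounce vocabulary.
GROUPS = {
    "action": re.compile(r"\b(found|identified|removed)\b", re.IGNORECASE),
    "object": re.compile(r"\b(virus|worm|attach\w*|file)\b", re.IGNORECASE),
    "bounce": re.compile(  # assumption: typical NDR phrasing
        r"undeliverable|could not be delivered|delivery (has )?failed|mailer-daemon|returned mail",
        re.IGNORECASE),
}

# Constructed samples (not real traffic).
BACKSCATTER_NDR = """\
From: MAILER-DAEMON@mail.example.net
To: postmaster@example.com
Subject: Undeliverable: Virus Alert

Your message could not be delivered to the following recipient: user@example.org

---- Original message ----
Subject: Virus Alert
A virus was found in a message you sent. The worm W32/Netsky.P@mm was removed
from the attached file document.pif.
"""

LEGIT_BOUNCE = """\
From: MAILER-DAEMON@example.com
To: alice@example.com
Subject: Undeliverable mail: user unknown

The following recipient does not exist at this domain: nobody@example.com
Delivery failed. Please check the address.
"""

NORMAL_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: I found the file you asked for

Hi Bob, I found the spreadsheet; the file is attached. Virus checked, promise.
"""


def message_text(raw):
    """Concatenate From, Subject and every text part, which is what the filters look at."""
    msg = email.message_from_string(raw)
    chunks = [msg.get("From", ""), msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def matched_groups(raw):
    """Which of the three filters fire on this message."""
    text = message_text(raw)
    return {name: bool(rx.search(text)) for name, rx in GROUPS.items()}


def classify(raw):
    """'backscatter' only when all three groups fire, as the combined filter requires."""
    return "backscatter" if all(matched_groups(raw).values()) else "pass"


if __name__ == "__main__":
    for label, raw in (("ndr", BACKSCATTER_NDR), ("bounce", LEGIT_BOUNCE), ("normal", NORMAL_MAIL)):
        print(label, matched_groups(raw), classify(raw))
```

Requiring all three groups is what keeps the false-positive rate down: a genuine bounce hits only the bounce group, and an ordinary message about an attached file hits the other two but never the bounce vocabulary.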

RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread Markus Gufler
Thank you Darin. Just curious after watching our virus logfiles today: can anyone else confirm that there are only a few of today's new virus and far more Netsky (mostly the .p variant) showing up in the logfiles? Today I've had some reports that certain variants of the new virus slipped through while

RE: [Declude.Virus] Virus name reported as different than what scanner detected.

2005-10-28 Thread Markus Gufler
Hmm, looks like there is one single variable containing the last detected virus name and several threads writing to and reading from this variable... Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darrell > ([EMAIL PROTECTED]) > Sent: Fr

RE: [Declude.Virus] VBE attachments

2005-09-20 Thread Markus Gufler
Yes sir ;) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John > Tolmachoff (Lists) > Sent: Wednesday, September 21, 2005 12:24 AM > To: Declude.Virus@declude.com > Subject: [Declude.Virus] VBE attachments > > Everyone is banning vbe attachment

RE: [Declude.Virus] New Variant of Bagle?

2005-09-19 Thread Markus Gufler
I can see a lot of returning NDRs from our virus warnings (unknown virus) in the last 3 hours now (03:00PM - 06:00PM GMT+1). As far as I can see F-Prot is detecting some suspicious file but does not have an exact definition or name for this virus. I have temporarily disabled virus warnings. Markus > ---

RE: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Markus Gufler
I have to check my script because it still works fine up to now. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, September 12, 2005 9:58 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] McAfee DailyDAT download locat

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
> OK, so it is cpl file, which we should all have in our list > of banned extensions including banned if within a zip file, > so we should all be safe, correct? As safe as the world can be ;-) Markus

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
Ah, and not to forget: whatever name this virus will have: it's a forging worm. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Matt > Sent: Monday, September 12, 2005 4:52 PM > To: Declude.Virus@declude.com > Subject: [Declude.Virus] Se

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
I can confirm this and can also see that Declude Virus + F-Prot seems to catch it now as "unknown virus". In the past 30 minutes there were several of these infected messages on our servers. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Ma

RE: [Declude.Virus] Expect new Bagle variants

2005-08-11 Thread Markus Gufler
> It looks as though the Bagle author is back from his > vacation. Today we've detected several new variants (actually > old variants which have been repacked) and they are still coming in. I can see some "unknown virus" detections in the last 24 hours. Markus

[Declude.Virus] Strange messages (Subject: 1)

2005-07-23 Thread Markus Gufler
In the last hours I can see some strange messages (see attached samples) sent from different servers and with obviously forged mailfrom addresses. Each message has "1" as Subject and as Body and an attached but empty file named "1.txt". The mailfrom address seems to be the first part of the recipient's a

[Declude.Virus] Breatel.B@MM seems to forging

2005-07-21 Thread Markus Gufler
Have seen some NDRs yesterday and this morning and so I've added Breatel to the list of forging viruses. Markus

RE: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Markus Gufler
Andrew thanks for the info > ...you will want > to remove these optimizations from your Declude virus.cfg file: > > SKIPEXT JPG > SKIPEXT JPEG > SKIPEXT PNG > SKIPEXT TIF > SKIPEXT TIFF ... and hope that Declude or the AV-En

RE: [Declude.Virus] Limit Size of message to be scanned?

2005-07-08 Thread Markus Gufler
have had one with 405 MB last week. The entire Declude system has scanned and checked it (it was held due to several suspicious files in the archive). Only the VBScript that should move the held message file has created some problems: +800 MB of memory usage and some read errors in the dec

RE: [Declude.Virus] FYI - new virus as yet unidentified

2005-06-26 Thread Markus Gufler
Thanks for the info. I've seen some of these "SMS" subject lines in the virus log (while searching for kitten.zip): 06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42] 06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MI

RE: [Declude.Virus] FYI - new virus as yet unidentified

2005-06-26 Thread Markus Gufler
Can't see any file "kitten.zip" in the past 8 hours... Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Sunday, June 26, 2005 8:33 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] FYI - new virus as yet unidentified Don't

RE: [Declude.Virus] [sniffer] New Spam/Virus?

2005-06-07 Thread Markus Gufler
In the last hours? Not here. I can see an increased number of spams passing the filter in the last two weeks. From 01/01/05 up to mid-May I've received fewer than 30 spam messages to my own inbox (while catching >300 each day) but from mid-May up to now I've received around 20 spam me

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-30 Thread Markus Gufler
John, it wouldn't help you this time but we have most of our servers running with RAID mirroring and each server has a third disk in standby. This disk is not only here to be replaced if one of the other two disks fails but it is also replaced periodically (usually once per month) with one of

[Declude.Virus] W32.Eyeveg is forging

2005-05-18 Thread Markus Gufler
My F-Prot has caught some W32.Eyeveg mass mailers in the last 5 days. There is always an NDR bounce, so I believe it should be added to the forging virus list. Markus

RE: [Declude.Virus] I hate Sober.o

2005-05-04 Thread Markus Gufler
> That means there are still way too many e-mail servers out > there not using Declude Virus. From what I can see this virus is sending out messages containing a long list of recipients in the TO field. This turns out that there are not only some dumb mail virus filters out there but also there are st

RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-03 Thread Markus Gufler
I've just received a message containing a file account_info.zip in my inbox. I've tried to open it but WinZip was not able to open this 53 kByte zip archive: "start of central directory not found: zip file corrupt". So I believe in this case neither the AV scanner nor BANZIPEXTS ON will work, as absol
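Three of the posts above circle the same gap in archive handling: the wish for a separate in-archive ban list instead of one BANEXTS list applied to zips (2005-12-16, 2006-01-25), F-Prot's "unknown virus" exit code 8 on a password-protected zip whose body carries the password (2006-01-31), and the corrupt account_info.zip that no unpacker could open (this post). The following is an added example, not Declude's code and not from any of the posts: it inspects only the zip central directory (member names and the encryption flag bit), applies a direct-attachment ban list and a separate, smaller in-archive ban list, holds an encrypted archive when the body contains a password hint, and treats an archive it cannot parse as something to hold rather than pass, because "we couldn't look inside" is not "it was clean". The ban lists and the sample archives (including the encrypted one, which only has its flag bit set) are constructed for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed ban lists: the direct list is BANEXTS-style; the separate in-archive list is the
# split the posts ask for, not an existing Declude option.
DIRECT_BANNED = {"exe", "com", "scr", "pif", "cpl", "bat", "vbs", "vbe", "hta"}
ARCHIVE_BANNED = {"exe", "scr", "pif", "cpl"}
# Body text such as "password: ." next to an encrypted zip (the exit-code-8 case).
PASSWORD_HINT = re.compile(r"\bpass(word|wort)?\s*[:=]", re.IGNORECASE)


@dataclass
class ArchiveReport:
    parseable: bool
    error: str = ""
    members: list = field(default_factory=list)
    encrypted: bool = False

    @property
    def inner_exts(self):
        exts = set()
        for m in self.members:
            base = m.rsplit("/", 1)[-1]
            if "." in base:
                exts.add(base.rsplit(".", 1)[-1].lower())
        return exts


def inspect_zip(data):
    """Read the central directory only: names and the ZipCrypto/AES flag bit (bit 0).
    Anything zipfile cannot parse is reported as unparseable, the zip-level analogue of
    WinZip's 'start of central directory not found'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.filename.endswith("/")]
    except (zipfile.BadZipFile, zipfile.LargeZipFile, EOFError, OSError, ValueError) as exc:
        return ArchiveReport(parseable=False, error=str(exc))
    return ArchiveReport(True, members=[i.filename for i in infos],
                         encrypted=any(i.flag_bits & 0x1 for i in infos))


def ban_verdict(name, data, body_text=""):
    """None = no objection by extension/archive rules (the AV engines still run)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in DIRECT_BANNED:
        return f"BANEXTS: .{ext} as direct attachment"
    if ext != "zip":
        return None
    rep = inspect_zip(data)
    if not rep.parseable:
        return f"HOLD: zip cannot be inspected ({rep.error})"
    bad = sorted(rep.inner_exts & ARCHIVE_BANNED)
    if bad:
        return f"BANZIPEXTS: .{bad[0]} inside archive"
    if rep.encrypted and PASSWORD_HINT.search(body_text):
        return "HOLD: encrypted zip with password hint in body"
    return None


# --- constructed sample archives -------------------------------------------------------
def _zip_bytes(members, mark_encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    data = buf.getvalue()
    return _set_encrypted_flag(data) if mark_encrypted else data


def _set_encrypted_flag(data):
    """zipfile cannot write encrypted entries, so set bit 0 of the general-purpose flag in
    every local header (offset 6) and central directory entry (offset 8) of a stored zip.
    Metadata inspection is all we need; the payload is not meant to decrypt."""
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 1
            i = out.find(sig, i + 4)
    return bytes(out)


SAMPLE_EXE_ZIP = _zip_bytes({"Stephen.txt": b"hello", "Stephen.exe": b"MZ not really a PE"})
SAMPLE_DOC_ZIP = _zip_bytes({"my_notebook.doc": b"\xd0\xcf\x11\xe0 fake OLE"})
SAMPLE_ENC_ZIP = _zip_bytes({"invoice.txt": b"secret"}, mark_encrypted=True)
SAMPLE_CORRUPT = SAMPLE_EXE_ZIP[:-30]  # end-of-central-directory record destroyed
```

The macro-document case from the 2006-06-27 post shows the limit of this kind of rule: my_notebook.doc inside a zip trips neither list, and only the AV engines can judge it. Treating the corrupt archive as a hold rather than a pass is deliberate; the client may well repair what the server could not read.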

RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread Markus Gufler
> F-Prot Seems to be catching it now as > > X-Declude-Virus: Detected W32/[EMAIL PROTECTED] My F-Prot has been catching it for over 3 hours now as Sober.O. Previously only the second scanner McAfee had caught it as Sober.gen for around an hour while F-Prot had not detected it. In this hour there was

RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Markus Gufler
Question: Are you all running the latest v3.16b? I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a. Markus > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John > Tolmachoff (Lists) > Sent:

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler
I'm using LOGLEVEL MID in my logfile so this must be the cause of the missing previous loglines. I've logfiles back to 03/2004 and have made some sporadic checks. These few "could not find parse" have been there for over 10 months now. Due to the missing previous loglines I can't say

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler
It seems to me that talking (or writing) is a good idea. Why virus codes 9 and 10? Have I missed something? Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Thursday, April 28, 2005 10:32 PM To: Declude.Virus@declude.com Subject: Re: [

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler
No, absolutely no trace of the spool filename before the "parse string" line. I've now checked multiple cases in today's logfile. Note: F-Prot is my first, McAfee my second scanner. F-Prot 3.15, not 3.16. I've PRESCAN ON in my virus.cfg. Bye, Markus (have to leave the office now)

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler
No, I've checked this already before: there is no appearance of the spool file name above this line. All I can see is something like 04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection: in report.txt 04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/[EMAIL P

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler
Matt, how do you search for these F-Prot space gaps? As I can see from your log snippets there is each time a "could not find parse string" after the space gap. Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I

[Declude.Virus] New forging virus: Antiman

2005-04-28 Thread Markus Gufler
In the last hour I've seen some NDRs coming back for a new virus called "Antiman". Maybe we should add it to the FORGINGVIRUS list. Can anyone else see this virus in his virus logfiles? Markus

RE: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Markus Gufler
11:59pm here so it's not a good time to watch the CPU usage as most people left the office some hours ago. Time to say good night for me too, not having seen anything strange with F-Prot on my server at the moment. |-) Markus > -Original Message- > From: [EMAIL PROTECTED] > [mai

RE: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Markus Gufler
Matt, this seems to be interesting. I was sure I already had the NOBOOT switch in use but after opening my virus.cfg file I've seen that this was only part of my F-Prot config line. So if it works for F-Prot why shouldn't it work for McAfee's engine too? The PROGRAMM switch seems a

RE: [Declude.Virus] Adobe PDF embedded attachemt

2005-04-26 Thread Markus Gufler
er an important heuristic that can be used in combination with other things to detect what is likely a virus that may have passed the virus scanning. Matt Markus Gufler wrote: Although Adobe recommends enabling scanning all fi

RE: [Declude.Virus] Adobe PDF embedded attachemt

2005-04-26 Thread Markus Gufler
> Although Adobe recommends enabling scanning all file types in > order to scan a PDF (and ass/u/me'ing its embedded contents > as well), an AV scanner is not currently going to be able to > scan this encrypted content until the content has been > rendered/unencrypted at the desktop. Is there

RE: [Declude.Virus] Another new virus

2005-04-19 Thread Markus Gufler
Another idea, now with the ability to use customizable hold folders in v2: create a test that will move all messages containing a relatively small zip attachment to a separate hold folder. Another external app or script will check this folder regularly and requeue messages (or also move it back

[Declude.Virus] Mytob

2005-04-05 Thread Markus Gufler
In the past hours we've seen some NDRs coming back for virus notifications sent out after detection of W32/[EMAIL PROTECTED] So I've added FORGINGVIRUS Mytob to my virus.cfg file as it is really a forging mass mailer even if not widely spread. Markus

[Declude.Virus] Kaspersky

2005-03-28 Thread Markus Gufler
Can't find any information about the Kaspersky engine in the mail archive. Following the Declude Virus manual it's possible to use this engine. The Personal Editions can't be installed on Windows server OS, so it requires the "Kaspersky AV File Server Protection" edition having a yearly cost of US

RE: [Declude.Virus] New virus Bagle.BN (aka .BE)

2005-03-01 Thread Markus Gufler
> The odd thing on this was I had to add the "/MIME" flag to > the scanner command line in order for my systems to start > catching these. Hmm, I've added it now too for the McAfee engine. Let's see what effect it has on CPU usage... Markus

RE: [Declude.Virus] New virus new__price.zip

2005-03-01 Thread Markus Gufler
> Seems there is something going on, please check your virus logs. > > ... There are a lot of messages coming in (the SMD file has a filesize of 23 kByte) containing zip files like BANNAME new__price.zip BANNAME price_new.zip BANNAME price.zip BANNAME price2.zip F-Prot or McAfee is already catchi

[Declude.Virus] New virus new__price.zip

2005-03-01 Thread Markus Gufler
Seems there is something going on, please check your virus logs. ... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubsc

RE: [Declude.Virus] Where is the 'CR' vulnerability

2005-02-10 Thread Markus Gufler
> Actually, the problem is just as bad no matter who uses the
> domain.net domain. Note that you can use "example.com",
> "example.net", or "example.org" for cases like this. Those
> domains were designed for test purposes, and are set up to
> properly deal with whatever traffic comes their w

RE: [Declude.Virus] Where is the 'CR' vulnerability

2005-02-09 Thread Markus Gufler
> My guess is that there is a CR character in the X-Mailer:
> line -- the file you sent had a line:
>
> X-Mailer: PITA-Server 1.5-Z8 1107902839 Message-Id:
> <[EMAIL PROTECTED]>
>
> which would suggest that the X-Mailer: header ended in
> CRCRLF, which your mail client removed.
O

RE: [Declude.Virus] Where is the 'CR' vulnerability

2005-02-09 Thread Markus Gufler
e-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Tuesday, February 08, 2005 8:56 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Where is the 'CR' vulnerability
>
>
> A customers

[Declude.Virus] Where is the 'CR' vulnerability

2005-02-09 Thread Markus Gufler
A customer's PHP script is sending out the following message:
~~
Received: from lx.domain.net [217.123.123.123] by mail.zcom.it with ESMTP (SMTPD32-8.13) id AD887060072; Tue, 08 Feb 2005 17:49:12 +0100
Received: by lx.domain.ne

[Declude.Virus] Where is the 'CR' vulnerability

2005-02-09 Thread Markus Gufler
A customer's PHP script is sending out the attached message. Question: Where is the CR vulnerability? Markus
Received: from lx.domain.net [217.123.123.123] by mail.zcom.it with ESMTP (SMTPD32-8.13) id AD887060072; Tue, 08 Feb 2005 17:49:12 +0100
Received: by lx.domain.net (Postfix, from userid 3

RE: Re[10]: [Declude.Virus] testvirus.org #22

2005-02-03 Thread Markus Gufler
> Here is the alphabetized join of the active entries in our
> lists (in particular, I suggest that if you include "IFrame"
> as a generic forgingvirus indicator, that you also include "Trojan"):
Ok. BTW: Today I've seen two NDRs for our virus notifications warning for "W32/Bobax.worm.gen" B

RE: Re[10]: [Declude.Virus] testvirus.org #22

2005-02-02 Thread Markus Gufler
Andrew, your comment "so we'll still keep this list up to date from postings on the Declude.Virus newslist" Here is my actual FORGINGVIRUS list, maintained for F-Prot/McAfee virus names:
#FORGINGVIRUS Unknown Virus
FORGINGVIRUS Magistr
FORGINGVIRUS Klez
FORGINGVIRUS Yaha
FORGINGVIRUS

RE: [Declude.Virus] Sober-J alias Reblin

2005-01-31 Thread Markus Gufler
> Up to now I can see here two Reblins and the Remotehosts
> REVDNS entry seems to fit to the sender domain, so maybe no
> forging virus... ?
After multiple NDRs for our virus warnings I believe it's better to add Reblin to the forging virus list. Markus --- [This E-mail was scanned for vir

[Declude.Virus] Sober-J alias Reblin

2005-01-31 Thread Markus Gufler
(sorry for the previous wrong post to the junkmail list) Seems like from today on there is a new Sober variant out: Sober-J. F-Prot and/or McAfee are catching them as "Reblin". Up to now I can see here two Reblins and the Remotehosts REVDNS entry seems to fit to the sender domain, so maybe no forg

RE: [Declude.Virus] RAR Support - why not?

2005-01-29 Thread Markus Gufler
> My log files go to a separate directory (partition if
> available) and are zipped either weekly or monthly depending
> on size and when there are enough they get burned to CD then deleted.
As we're talking about partitions, spool folders and moving/deleting/archiving files, I've noted that se

RE: [Declude.Virus] RAR Support - why not?

2005-01-29 Thread Markus Gufler
> I am not the author of the ASP file; it was posted previously
> and I just adjusted it for my purposes.
Hmmm, seeing the source code it looks like I've typed this some years ago. (Please use it, whoever wants/needs it.) However, here are some drawbacks:
1.) Keep in mind that a message having multip
