[Declude.Virus] [Forged]@...

2003-03-17 Thread Hirthe, Alexander
Hello,

I'm getting mails Invalid final delivery userid: [EMAIL PROTECTED]

in my virus.cfg I have 

# The FORGINGVIRUS option is used to list viruses that forge the return address, so Declude
# can replace the name of the sender with [Forged].
#
FORGINGVIRUS Klez
FORGINGVIRUS Sobig


Declude is running in v1.65, F-Prot, IMail 7.13, NT Server.

Has anyone else this problem? 
I thought Declude will report this only to the postmaster and the receiver,
and not to the sender?? ;-)

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] [Forged]@...

2003-03-17 Thread R. Scott Perry

> I thought Declude will report this only to the postmaster and the receiver,
> and not to the sender?? ;-)

To prevent the notifications from getting sent to the sender of viruses 
such as Klez (where the return address is forged), you would also need to 
have the following lines at the top of the \IMail\Declude\sender.eml file:

SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Sobig
Those lines instruct Declude Virus not to send the .eml file, when certain 
viruses are detected.
 -Scott



Re: [Declude.Virus] Forged Mail

2002-10-16 Thread R. Scott Perry


> Below is an email I received.  What is happening?  How do I stop it?

As you mentioned in the previous E-mail, there are some viruses that forge 
the return address.

To stop it in this case, you should have SKIPIFVIRUSVIRUSNAME Bugbear in 
your \IMail\Declude\sender.eml and \IMail\Declude\otherpostmaster.eml files.
-Scott




Re: [Declude.Virus] Forged request

2002-10-15 Thread Serge

> I've got subscribers sending all sorts of messages to the from address
> listed in the error message headers, when those people most likely didn't
> even send the message with a virus.

Same here
also the sender domain name should be blanked


- Original Message -
From: Helpdesk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 15, 2002 5:55 PM
Subject: [Declude.Virus] Forged request


> > The Declude Virus software on acsworld.com has reported that you were
> > sent an E-mail from [Forged], containing the : W32/Klez.H@mm virus in the
> > Unknown File attachment.  The subject of the E-mail was Re: Re:eager to see
> > you.
> >
> > From: Jonathan Kamens [EMAIL PROTECTED]
>
> I'd like to request an option or a change in the Declude Virus program so
> that the forged option that is used in the top part of the warning message
> also replaces the from address in the header records part of the message.
>
> I've got subscribers sending all sorts of messages to the from address
> listed in the error message headers, when those people most likely didn't
> even send the message with a virus.
>
> If the header part of the warning message said
>
> From: [Forged]
>
> they wouldn't know any address to send a message to.
>
> Thanks,
> Greg




RE: [Declude.Virus] Forged request

2002-10-15 Thread John Tolmachoff

Hopefully Scott is taking a long lunch break. (He deserves it.) I am sure he
will answer this when he has a chance.

Until then;

I think the problem is that the From address in the header is not the same
as the one that Imail receives it from.

Therefore, for that to work would require a separate action like this;

If FORGINGVIRUS
next
If SKIPIFVIRUSNAMEHAS
end
(Some script that searches the header for FROM and replaces *@* with
[FORGED])

(I am not a programmer so I do not know exactly how the syntax works.)

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.Virus] Forged request

2002-10-15 Thread R. Scott Perry


> Hopefully Scott is taking a long lunch break. (He deserves it.) I am sure he
> will answer this when he has a chance.

Most likely, we will not be able to add code to alter the headers.  It's 
something we haven't done before, and don't want to do unless absolutely 
necessary.

In this case, it's more of an educational issue than a programming 
issue.  If we alter the headers to remove all references to any possible 
forged information, all that will be left is one Received: header, and the 
only trusted information in there will be the IP address.  So if anyone is 
having serious problems with their users going crazy over the Klez virus, 
they might want to consider replacing the %HEADERS% variable with the 
%REMOTEIP% variable in the recip.eml file.  It might also be worth 
re-wording the file to mention that there are some viruses that forge the 
return address, and the only way to track it down in those cases is by the 
IP address.
  -Scott
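
The point made in the reply above, that the only trustworthy item in a forged message's headers is the IP address in the Received: line written by the receiving server, as an added example that is not part of the original post and not Declude code. The sample headers, the host name `mx.example.net`, the Received: layout and the function names are all constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: headers of a Klez-style message as stored by our server.
# Only the topmost Received: line was written by our own server (mx.example.net);
# the lower Received: line and From: were supplied by the sending machine.
SAMPLE = """\
Received: from mail.victim.example (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id 4F2A1; Tue, 15 Oct 2002 17:40:02 -0500
Received: from innocent.example ([10.9.8.7]) by mail.victim.example;
\tTue, 15 Oct 2002 17:39:58 -0500
From: "Innocent Bystander" <bystander@innocent.example>
Subject: Re: Re:eager to see you

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trusted_remote_ip(raw_message, our_host):
    """Return the connecting IP recorded by our own server, or None.

    Every other header (From:, older Received: lines) can be forged, so
    only the newest Received: line stamped "by <our_host>" is consulted.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())          # unfold continuation lines
    from_part, sep, by_part = top.partition(" by ")
    if not sep or by_part.split()[0].lower() != our_host.lower():
        return None                               # not stamped by us: untrusted
    match = IP_IN_BRACKETS.search(from_part)
    return match.group(1) if match else None


def notification_summary(raw_message, our_host):
    """Build the line a recipient notice could show instead of full headers."""
    ip = trusted_remote_ip(raw_message, our_host)
    return "From: [Forged]; connecting IP: %s" % (ip or "unknown")


if __name__ == "__main__":
    print(notification_summary(SAMPLE, "mx.example.net"))
```
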




Re: [Declude.Virus] Forged request

2002-10-15 Thread Serge

I had suggested a solution some time ago

ONLYSENDIFVIRUS Klez,Magister
DONTSENDIFVIRUS Klez, magistr, ...

Where we can have different .eml for forging viruses that do not include
headers, domain names, 
and keep complete eml notifications for other viruses



- Original Message -
From: John Tolmachoff [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 15, 2002 6:50 PM
Subject: RE: [Declude.Virus] Forged request


> Hopefully Scott is taking a long lunch break. (He deserves it.) I am sure he
> will answer this when he has a chance.
>
> Until then;
>
> I think the problem is that the From address in the header is not the same
> as the one that Imail receives it from.
>
> Therefore, for that to work would require a separate action like this;
>
> If FORGINGVIRUS
> next
> If SKIPIFVIRUSNAMEHAS
> end
> (Some script that searches the header for FROM and replaces *@* with
> [FORGED])
>
> (I am not a programmer so I do not know exactly how the syntax works.)
>
> John Tolmachoff
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com






Re: [Declude.Virus] Forged request

2002-10-15 Thread Helpdesk

on 10/15/02 3:02 PM, R. Scott Perry wrote:

> In this case, it's more of an educational issue than a programming
> issue.

Education might happen at a corporate institution, but it isn't going to
happen at an ISP with thousands of customers.

A simple example of why education won't work at an ISP. We moved our
receptionist, billing department and the technical support staff, except for
me, to another building down the block. We e-mailed all our subscribers
twice about the move, had information about the move on our main web page,
put ads in the local paper, put ads on the local radio stations and have a
big sign on the front door of the office where I work located at eye level
letting customers know they need to go to the other office down the block.
Yesterday we had two subscribers come into our office, the wrong office, to
pay their bill. Oh yeah, we moved those employees over 18 months ago. That
means no customer has signed up for our service, received technical support
or paid a bill at this office in 18 months and yet they continue to walk
past the sign on the front door to try and pay their bills.

Later,
Greg




Re: [Declude.Virus] forged, what would that mean?

2002-10-11 Thread andyb

I'm sure you've handed out the info b4, but can you point me to the info on
FORGINGVIRUS option?

TY

Andrew
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 11, 2002 8:11 AM
Subject: Re: [Declude.Virus] forged, what would that mean?



> > here's a copy of my latest virus alert, I've never seen [forged] before, I
> > have relay turned off.
>
> The Klez virus forges the return address, that's all that means.  The
> [Forged] is used in conjunction with the FORGINGVIRUS option, so that
> you won't get mad at the person who apparently sent you the E-mail, since
> it wasn't really them that sent it.
>  -Scott




Re: [Declude.Virus] forged, what would that mean?

2002-10-11 Thread R. Scott Perry


> here's a copy of my latest virus alert, I've never seen [forged] before, I
> have relay turned off.

The Klez virus forges the return address, that's all that means.  The 
[Forged] is used in conjunction with the FORGINGVIRUS option, so that 
you won't get mad at the person who apparently sent you the E-mail, since 
it wasn't really them that sent it.
 -Scott




[Declude.Virus] Forged but visible?

2002-08-20 Thread Jerod M. Bennett

Scott,

I recently added the FORGINGVIRUS tag to my virus.cfg.  It works great.
However, I have some users that would like to see the real address.  I
told them that it is a server wide setting.  I looked in the log file
and I see that it had been changed there as well.  Is it possible to
save the FROM address in the log files?

-Jerry




Re: [Declude.Virus] Forged but visible?

2002-08-20 Thread R. Scott Perry


> I recently added the FORGINGVIRUS tag to my virus.cfg.  It works great.
> However, I have some users that would like to see the real address.  I
> told them that it is a server wide setting.  I looked in the log file
> and I see that it had been changed there as well.  Is it possible to
> save the FROM address in the log files?

Not currently -- in the next release, though, it will be available in the 
log files when using the HIGH logging level.
 -Scott
