Re: [Declude.Virus] FW: Your mail server sent us a virus
Scott - did you ever find these guys? They still don't get it...

Received: from prudentialrand.com [65.160.6.2] by mail.toplineus.com with ESMTP (SMTPD32-7.07) id A36A225A007C; Fri, 30 Jan 2004 10:08:26 -0500

We're still trying to track them the toplineus.com people.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] FW: Your mail server sent us a virus
Scott - did you ever find these guys? They still don't get it...

I finally got a hold of someone there. It looks like they will fix the problem, but I just have to convince them first that it wasn't really someone on your server that sent the virus. :)

-Scott
Re: [Declude.Virus] FW: Your mail server sent us a virus
I think public humiliation is a good thing ;-)

Greg

R. Scott Perry wrote:

Here's another, do you want these off list?

Yes, off-list would be best (unless others on the list would like to see them -- if so, speak up).

-Scott
Re: [Declude.Virus] FW: Your mail server sent us a virus
Include this link to the (ir)responsible postmasters: http://www.attrition.org/security/rant/av-spammers.html

Here's another, do you want these off list? I have tried to e-mail this guy twice already:

Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the the W32/[EMAIL PROTECTED] virus !!! virus that appears to have come from your mail server. It was sent in an attachment data.zip, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject test. The Message-ID was: [EMAIL PROTECTED].
Re: [Declude.Virus] FW: Your mail server sent us a virus
Been dealing with the same kind of people that I deal with ALL the time eh LOL!

----- Original Message -----
From: Marc Catuogno [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 9:12 PM
Subject: [Declude.Virus] FW: Your mail server sent us a virus

Scott can you bitch slap this moron? I've sent him three separate e-mails with detailed instructions (I think I even copied one to the list) on how to turn this off in Declude and he hasn't replied once. Maybe you have a better contact e-mail.

Marc

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 5:43 PM
To: [EMAIL PROTECTED]
Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the the W32/[EMAIL PROTECTED] virus !!! virus that appears to have come from your mail server. It was sent in an attachment thank_you.pif, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject Re: Approved. The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus.

This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

The headers from the E-mail are:

Received: from DJHX0Y21 [68.193.182.54] by eastwestresorts.com with ESMTP (SMTPD32-7.13) id A1F34F800078; Thu, 04 Sep 2003 15:43:15 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Approved
Date: Thu, 4 Sep 2003 17:42:30 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_53E041C4
Message-Id: [EMAIL PROTECTED]
RE: [Declude.Virus] Fw: Your mail server sent us a virus
John,

Here's what I send back to the IMail / Declude Postmasters.

-----

I function as the Postmaster for domain.com domain. An examination of our mail server logs indicates that the e-mail in question was NOT sent from our mail server.

The [EMAIL PROTECTED] virus is a Forging Virus which selects the sender name from the address book of the infected machine. Due to this, most anti-virus systems are set to NOT send virus notification messages to the Forged Sender and Domain Postmaster.

If you are truly concerned, examine the headers of the incoming e-mail to determine the IP address of the sending server and then use a web site such as www.samspade.org or www.dnsstuff.com to determine the actual source. In this case it was sent from an otherdomain.com user's infected system.

It is also a well documented fact that erroneous notifications such as yours are putting a large amount of unnecessary traffic on the internet and compounding the problems caused by this virus.

Our recommendation is that you set your anti-virus software to not generate sender and sending postmaster e-mail for Forging Viruses. The most common forging viruses are: Bugbear, Fizzer, Klez, Magistr, Sobig (all versions), Palyh, Yaha, Lentin, Bridex, and MiMail.
Additionally, since you are using IMail with Declude, you might want to check out the methods for doing this such as replacing the beginning content of your otherpostmaster.eml and sender.eml file with the following or even disabling them for the time being by renaming them:

ONLYSENDIFREMOTESENDER
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Fizzer
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Outlook 'CR' vulnerability
SKIPIFVIRUSNAMEHAS Palyh
SKIPIFVIRUSNAMEHAS Yaha
SKIPIFVIRUSNAMEHAS Lentin
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS MiMail
From: [EMAIL PROTECTED]

You might also subscribe to the Declude Virus forum where this has been a major subject of discussion or check out the Forum Archives. To subscribe, send an E-mail to [EMAIL PROTECTED] with a body of subscribe Declude.Virus Firstname Lastname. You will receive an E-mail that you will need to respond to in order to confirm your request. The archives can be found at http://www.mail-archive.com and the forum is declude.junkmail

This notice is sent as a courtesy so that you have the option of correcting your virus notification configuration. If your mail server had a better virus protection configuration, it would have caused less work for our server and lessened the amount of unnecessary internet traffic.

I don't know if it accomplishes anything (probably not), but I get some satisfaction out of it.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, August 21, 2003 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fw: Your mail server sent us a virus

Why is it there are mail admins out there running Imail and Declude that are continuing to send out virus notices to forged addresses? I have seen 5 in the last 24 hours.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, August 21, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Fw: Your mail server sent us a virus

There are only 2 .eml files that I'm using, recip.eml and postermaster.eml. There are no other .eml files in the declude directory.

Ah, I think I know what the problem is. That notification is coming from *another* mailserver running Declude Virus.

-Scott
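An added example, not part of any post in this thread and not Declude code: the header check George's message describes, applied to a "Your mail server sent us a virus" notice to decide whether the infected message really left your own server. The function names, the `OWN_NETWORKS` range and the sample virus name are assumptions; the Received line is the one quoted earlier on this page.

```python
import ipaddress
import re

# Forging virus families listed in the message above.
FORGING_FAMILIES = ("bugbear", "fizzer", "klez", "magistr", "sobig",
                    "palyh", "yaha", "lentin", "bridex", "mimail")

# Both Received forms quoted in this thread:
#   "from HELO [1.2.3.4] by ..."  and  "from HELO ([1.2.3.4])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(?\[(?P<ip>[0-9.]+)\]\)?",
    re.IGNORECASE | re.MULTILINE)

# Constructed notice; only the Received line is taken from this page.
SAMPLE_NOTICE = """\
Subject: Your mail server sent us a virus
The headers from the E-mail are:
Received: from DJHX0Y21 [68.193.182.54] by eastwestresorts.com with ESMTP
  (SMTPD32-7.13) id A1F34F800078; Thu, 04 Sep 2003 15:43:15 -0600
"""

# Assumption: the networks your own mail servers send from (documentation range).
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def connecting_hop(notice_text):
    """Return (helo, ip) from the topmost quoted Received header, or None.

    The topmost header was written by the reporting server, so its bracketed
    IP is what that server observed. The HELO name is sender-supplied and
    proves nothing by itself.
    """
    m = RECEIVED_RE.search(notice_text)
    if not m:
        return None
    try:
        return m.group("helo"), ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed address such as "999.1.1.1"
        return None


def triage_notice(notice_text, own_networks, virus_name=""):
    """Classify a notice as 'ours', 'not-ours' or 'unverifiable'."""
    hop = connecting_hop(notice_text)
    if hop is None:
        verdict = "unverifiable"
    elif any(hop[1] in net for net in own_networks):
        verdict = "ours"
    else:
        verdict = "not-ours"
    return {
        "helo": hop[0] if hop else None,
        "ip": str(hop[1]) if hop else None,
        "forging_family": any(f in virus_name.lower() for f in FORGING_FAMILIES),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_notice(SAMPLE_NOTICE, OWN_NETWORKS, "W32/Sobig (constructed)"))
```

A "not-ours" verdict together with a forging family is the case the thread complains about: the notice went to a forged sender's domain, and the quoted IP points at the infected machine instead.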
RE: [Declude.Virus] Fw: Your mail server sent us a virus
Yes, that is what I have been doing on some. But I do have other work to do too.

Of course, if everyone had their configuration correct...

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of George Kulman
Sent: Thursday, August 21, 2003 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fw: Your mail server sent us a virus

John,

Here's what I send back to the IMail / Declude Postmasters.

-----

I function as the Postmaster for domain.com domain. An examination of our mail server logs indicates that the e-mail in question was NOT sent from our mail server.

The [EMAIL PROTECTED] virus is a Forging Virus which selects the sender name from the address book of the infected machine. Due to this, most anti-virus systems are set to NOT send virus notification messages to the Forged Sender and Domain Postmaster.

If you are truly concerned, examine the headers of the incoming e-mail to determine the IP address of the sending server and then use a web site such as www.samspade.org or www.dnsstuff.com to determine the actual source. In this case it was sent from an otherdomain.com user's infected system.

It is also a well documented fact that erroneous notifications such as yours are putting a large amount of unnecessary traffic on the internet and compounding the problems caused by this virus.

Our recommendation is that you set your anti-virus software to not generate sender and sending postmaster e-mail for Forging Viruses. The most common forging viruses are: Bugbear, Fizzer, Klez, Magistr, Sobig (all versions), Palyh, Yaha, Lentin, Bridex, and MiMail.
Additionally, since you are using IMail with Declude, you might want to check out the methods for doing this such as replacing the beginning content of your otherpostmaster.eml and sender.eml file with the following or even disabling them for the time being by renaming them:

ONLYSENDIFREMOTESENDER
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Fizzer
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Outlook 'CR' vulnerability
SKIPIFVIRUSNAMEHAS Palyh
SKIPIFVIRUSNAMEHAS Yaha
SKIPIFVIRUSNAMEHAS Lentin
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS MiMail
From: [EMAIL PROTECTED]

You might also subscribe to the Declude Virus forum where this has been a major subject of discussion or check out the Forum Archives. To subscribe, send an E-mail to [EMAIL PROTECTED] with a body of subscribe Declude.Virus Firstname Lastname. You will receive an E-mail that you will need to respond to in order to confirm your request. The archives can be found at http://www.mail-archive.com and the forum is declude.junkmail

This notice is sent as a courtesy so that you have the option of correcting your virus notification configuration. If your mail server had a better virus protection configuration, it would have caused less work for our server and lessened the amount of unnecessary internet traffic.

I don't know if it accomplishes anything (probably not), but I get some satisfaction out of it.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, August 21, 2003 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fw: Your mail server sent us a virus

Why is it there are mail admins out there running Imail and Declude that are continuing to send out virus notices to forged addresses? I have seen 5 in the last 24 hours.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, August 21, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Fw: Your mail server sent us a virus

There are only 2 .eml files that I'm using, recip.eml and postermaster.eml. There are no other .eml files in the declude directory.

Ah, I think I know what the problem is. That notification is coming from *another* mailserver running Declude Virus.

-Scott
RE: [Declude.Virus] Fw: Your mail server sent us a virus
Of course, if everyone had their configuration correct...

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

Amen, I didn't get nearly enough sleep last night and had received this auto-response from another declude user that had received a virus from a forged address at my domain...

The Declude Virus software on our mail server detected the W32/[EMAIL PROTECTED] virus that appears to have come from your mail server. It was sent in an attachment your_details.pif, from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject Re: Thank you!. The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus.

This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

The part that set me off was them telling people that if their mail server had better protection it would cause theirs less work!!! Arg...My response was...

If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

#1 Our mail server does have better virus protection (in fact the same yours does), and it does prevent our users from infection.

#2 If you had better administration you would turn off notifications to postmasters and senders as it is well known the Sobig Virus and all variants of this virus forge email addresses. I am sure I am one of many that has received this in the wrong.

#3 Your auto response comes off unnecessarily rude, and makes your technical staff look ignorant. I would hope this is not a reflection of how your company does business.

If you would like to cause your mail server less work take our suggestion in #2

Received: from DTS-ORL02 ([66.35.177.66])

Not my IP

Thank you for your time, the intention of this email is only to educate. I am sure your technical staff is competent.

---
[This E-mail was scanned for viruses by QuestNet.net (http://www.QuestNet.net)]
Re: [Declude.Virus] Fw: Your mail server sent us a virus
Hi Scott,

I did that, but I'm still getting the notifications.

Thanks,
Andy

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:34 PM
Subject: Re: [Declude.Virus] Fw: Your mail server sent us a virus

That's due to the Mimail virus -- if you add a line SKIPIFVIRUSNAMEHAS Mimail to the top of the \IMail\Declude\sender.eml and \IMail\Declude\otherpostmaster.eml files, you won't get those anymore.

-Scott

At 01:28 PM 8/13/2003, andyb wrote:

Hi,

I keep getting these...any ideas?

Thanks,
Andy

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 10:33 AM
Subject: Your mail server sent us a virus

The Declude software on our mail server detected a virus that appears to have come from your mail server. It was sent from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject your account oamoshgs. The Message-ID was: [EMAIL PROTECTED].

If your mail server had virus protection, it would have caused less work for our server and would have likely prevented one of your users from getting a virus in the first place!

Virus name: : W32/[EMAIL PROTECTED]
File name: message.zip

This is an automated message sent by Declude Virus ( http://www.declude.com ).