Hi,

We're running Declude Virus Pro paired with McAfee NetShield v4.5 (the full
version, so we can have the Command Line Scanner) with the latest signature
files.  We're also running Symantec Corporate Edition v8.0 on the desktop
with the latest signature files.

Lately we've experienced several infections where the [EMAIL PROTECTED]
Virus has slipped past McAfee and landed in our Netscape v4.79 Inbox.  As
soon as somebody opens their Inbox, Symantec detects the virus and
quarantines the whole Inbox (obviously including all the other non-infected
emails)!

I realize this is more likely a failure of McAfee and not Declude, however
I'm wondering if Declude could possibly be not decoding the email properly
and presenting it to the McAfee Command Line Scanner in such a way as to
cause it to mis-detect the virus?  What's really strange is the email
appears to be one of those "friendly" informative bounces, attempting to
tell me I sent them a virus.  Firstly, I didn't and secondly - WTF would
somebody return a "you have a virus" message WITH THE ACTUAL VIRUS STILL
ATTACHED?!?

Here's a copy of one of the infected emails (sans the actual virus) as it
looks when viewed from the Inbox using NotePad:

>From - Fri May 28 09:10:15 2004
Received: from redwing.mail.pas.earthlink.net [207.217.120.246] by
roycemedical.com with ESMTP
  (SMTPD32-8.05) id AC33279B002A; Thu, 27 May 2004 20:04:19 -0700
Received: from exim by redwing.mail.pas.earthlink.net with local (Exim 3.36
#1)
        id 1BTXg8-0007cR-00
        for [EMAIL PROTECTED]; Thu, 27 May 2004 20:05:04 -0700
X-Failed-Recipients: [EMAIL PROTECTED]
From: Mail Delivery System <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[EMAIL PROTECTED]>
Date: Thu, 27 May 2004 20:05:04 -0700
X-RBL-Warning: CATCHALLMAILS:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.217.120.246
with no reverse DNS entry.
X-Declude-Sender: <> [207.217.120.246]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: CATCHALLMAILS, IPNOTINMX, NOLEGITCONTENT, REVDNS [4]
X-Note: This E-mail was sent from [No Reverse DNS] ([207.217.120.246]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-UIDL: 382853452

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [EMAIL PROTECTED]
    SMTP error from remote mailer after end of data:
    host mx3.earthlink.net [207.217.125.18]: 554 Message Rejected Due To
Virus Found In Attachment

------ This is a copy of the message, including all the headers. ------

Return-path: <[EMAIL PROTECTED]>
Received: from toucan-120.pocket ([10.4.120.212] helo=toucan)
        by redwing.mail.pas.earthlink.net with smtp (Exim 3.36 #1)
        id 1BTXg8-0007cK-00
        for [EMAIL PROTECTED]; Thu, 27 May 2004 20:05:04 -0700
X-MindSpring-Loop: [EMAIL PROTECTED]
Received: from r0r3.com ([68.189.33.3])
        by toucan (EarthLink Mail Service) with ESMTP id 1btxG538c3NZFmk0
        for <[EMAIL PROTECTED]>; Thu, 27 May 2004 20:05:01 -0700 (PDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Thu, 27 May 2004 20:05:02 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:[EMAIL PROTECTED] height=3D0
width=3D0>www.r0r3.com/inbox/ntdrivers/read.php?sessionid-20228</a>
<iframe
src=3Dcid:[EMAIL PROTECTED] height=3D0
width=3D0></iframe>
<DIV>&nbsp;</DIV></BODY></HTML>

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav;
        name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<[EMAIL PROTECTED]>

*******************************************************
**T H E   E N C O D E D   V I R U S   W A S   H E R E**
*******************************************************

------=_NextPart_000_001B_01C0CA80.6B015D10--


Here's another one of the infected emails from a different user's Inbox:

>From - Fri Jun 11 16:07:50 2004
Received: from amxbounce05.aptimus.net [206.169.235.140] by roycemedical.com
  (SMTPD32-8.05) id A7F94DB0112; Fri, 11 Jun 2004 12:28:57 -0700
Received: (qmail 5693 invoked for bounce); 11 Jun 2004 19:27:58 -0000
Date: 11 Jun 2004 19:27:58 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: CATCHALLMAILS:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.169.235.140
with no reverse DNS entry.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[4000020e].
X-Declude-Sender: <> [206.169.235.140]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: CATCHALLMAILS, IPNOTINMX, NOLEGITCONTENT, REVDNS,
SPAMHEADERS [7]
X-Note: This E-mail was sent from [No Reverse DNS] ([206.169.235.140]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-UIDL: 385416631

Hi. This is the qmail-send program at aptimus.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 25142 invoked from network); 11 Jun 2004 19:26:32 -0000
Received: from adsl-64-173-105-42.dsl.lsan03.pacbell.net (HELO
aptimail.giftplace.com) (64.173.105.42)
  by 0 with SMTP; 11 Jun 2004 19:26:32 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: website
Date: Fri, 11 Jun 2004 12:28:46 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Your details.


------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
        name="website_2725.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="website_2725.zip"

*******************************************************
**T H E   E N C O D E D   V I R U S   W A S   H E R E**
*******************************************************

------=_NextPart_000_0016----=_NextPart_000_0016--


I've tried blocking these by both attachment name in Declude and
Content-Type in our Firewall, but they just keep morphing into something
else and slipping by.  Any useful advice greatly appreciated...

Alan Walters
Director of I.T.
Royce Medical


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
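Both messages quoted in the post share a pattern that blocking by attachment name or by Content-Type alone will miss: the first declares the payload as audio/x-wav but names it message.scr and auto-loads it through a hidden iframe pointing at its Content-ID; the second hides the program inside a ZIP. The script below is an added example (not Declude, McAfee or the poster's code) that looks at those structural contradictions instead of at names: executable extension versus declared type, an MZ (Windows PE) header in a part declared as media, an iframe that references such a part by cid:, and executables inside a ZIP attachment. The two sample messages are constructed to mirror the structure shown above; the addresses, boundaries, Content-IDs and payload bytes are placeholders, not the real virus.

```python
"""Flag the MIME tricks used by bounce-shaped virus lures (added example)."""
import base64
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Types a mail client happily renders inline; a program hidden under one of them
# is the trick the first sample uses (audio/x-wav carrying message.scr).
INNOCUOUS_TYPES = ("audio/", "image/", "text/", "video/")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}
CID_IFRAME_RE = re.compile(r'<iframe[^>]*src\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE)

# Constructed sample 1: multipart/related, hidden iframe -> cid: -> "audio" part.
_FAKE_PE = b"MZ" + b"\x00" * 62          # placeholder, only the MZ magic matters
SAMPLE_BOUNCE_LURE = """\
From: Mail Delivery System <mailer-daemon@example.invalid>
To: user@example.invalid
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
        boundary="outer"

--outer
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<HTML><BODY>Received message is available at:<br>
<iframe src=cid:payload@example.invalid height=0 width=0></iframe>
</BODY></HTML>

--outer
Content-Type: audio/x-wav;
        name="message.scr"
Content-Transfer-Encoding: base64
Content-ID: <payload@example.invalid>

{payload}
--outer--
""".format(payload=base64.b64encode(_FAKE_PE).decode()).encode()


def _build_zip_lure() -> bytes:
    """Constructed sample 2: plain 'Your details.' body plus a ZIP holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("website.exe", _FAKE_PE)
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: website"
    msg.set_content("Your details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="website_2725.zip")
    return msg.as_bytes()


SAMPLE_ZIP_LURE = _build_zip_lure()

_clean = EmailMessage()
_clean.set_content("Meeting moved to 3pm.")
CLEAN_MESSAGE = _clean.as_bytes()       # constructed control case


def _extension(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[1].lower() if filename and "." in filename else ""


def _zip_executables(payload: bytes) -> list:
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if _extension(n) in EXECUTABLE_EXTS]
    except (zipfile.BadZipFile, OSError, ValueError):
        return []


def scan_message(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 822 message (empty = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, html_parts, program_cids = [], [], set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""   # Content-Disposition, then Content-Type name=
        ext = _extension(filename)
        payload = part.get_payload(decode=True) or b""
        cid = (part.get("Content-ID") or "").strip("<> ")
        if ctype == "text/html":
            html_parts.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
            continue
        label = filename or cid
        program = False
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment {filename!r} declared as {ctype}")
            program = True
        if payload[:2] == b"MZ":
            findings.append(f"part {label!r} declared {ctype} starts with an MZ (PE) header")
            program = True
        if program and ctype.startswith(INNOCUOUS_TYPES):
            findings.append(f"Content-Type {ctype} contradicts executable content of {label!r}")
        if program and cid:
            program_cids.add(cid)
        if ext == ".zip" or ctype in ZIP_TYPES:
            inner = _zip_executables(payload)
            if inner:
                findings.append(f"ZIP attachment {filename!r} contains executables: {inner}")
    for html in html_parts:            # resolve hidden iframes against the parts seen above
        for cid in CID_IFRAME_RE.findall(html):
            kind = "executable" if cid in program_cids else "Content-ID"
            findings.append(f"HTML <iframe> auto-loads {kind} part cid:{cid}")
    return findings


if __name__ == "__main__":
    for name, raw in [("bounce lure", SAMPLE_BOUNCE_LURE), ("zip lure", SAMPLE_ZIP_LURE)]:
        print(name, "->", scan_message(raw) or "clean")
```

Running the script prints the findings for both constructed samples; a gateway filter would quarantine on any finding rather than on the name or Content-Type, so a renamed attachment or a re-labelled part does not slip through. The MZ check only catches uncompressed Windows executables; for ZIPs the script lists members by extension and does not recurse into nested or encrypted archives.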
