Begin using the banned extension option with Declude (see virus.cfg). Then any attachment with a .SCR or whatever is blocked at the server level and the user doesn't see it. This is the way I have our server configured concerning banned file extensions and banned file names:
BANEXT scr
BANEXT pif
BANEXT exe
BANEXT com
BANEXT EZIP
BANEXT cpl
BANEXT ad
BANEXT adb
BANEXT adp
BANEXT asd
BANEXT asp
BANEXT BAS
BANEXT BAT
BANEXT cab
BANEXT ceo
BANEXT chm
BANEXT CMD
BANEXT COM
BANEXT crt
BANEXT data
BANEXT dbx
BANEXT dll
BANEXT hlp
BANEXT HTA
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT link
BANEXT mch
BANEXT mde
BANEXT mdx
BANEXT msc
BANEXT MSI
BANEXT MSP
BANEXT MST
BANEXT nch
BANEXT nws
BANEXT pcd
BANEXT php
BANEXT pl
BANEXT pi
BANEXT ocx
BANEXT ods
BANEXT REG
BANEXT SCT
BANEXT shb
BANEXT shs
BANEXT sht
BANEXT sys
BANEXT unk
BANEXT uue
BANEXT VB
BANEXT VBE
BANEXT VBS
BANEXT vbx
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEXT wab
BANEXT ws
BANEXT WSC
BANEXT WSF
BANEXT WSH
BANEXT xml
BANNAME photo.zip
BANNAME private.zip
BANNAME report.zip
BANNAME Wendy.zip
BANNAME p_usb.zip
BANNAME You_will_answer_to_me.zip
BANNAME Attach.rar
BANNAME Details.rar
BANNAME details.rar
BANNAME Document.rar
BANNAME Encrypted.rar
BANNAME first_part.rar
BANNAME Gift.rar
BANNAME Info.rar
BANNAME Information.rar
BANNAME Message.rar
BANNAME MoreInfo.rar
BANNAME pub_document.rar
BANNAME Readme.rar
BANNAME Text.rar
BANNAME text_document.rar
BANNAME TextDocument.rar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Walters
Sent: Saturday, June 12, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Getting hammered by [EMAIL PROTECTED]

Hi,

We're running Declude Virus Pro paired with McAfee NetShield v4.5 (the full version, so we can have the Command Line Scanner) with the latest signature files. We're also running Symantec Corporate Edition v8.0 on the desktop with the latest signature files. Lately we've experienced several infections where the [EMAIL PROTECTED] Virus has slipped past McAfee and landed in our Netscape v4.79 Inbox. As soon as somebody opens their Inbox, Symantec detects the virus and quarantines the whole Inbox (obviously including all the other non-infected emails)!
I realize this is more likely a failure of McAfee and not Declude, however I'm wondering if Declude could possibly be not decoding the email properly and presenting it to the McAfee Command Line Scanner in such a way as to cause it to mis-detect the virus? What's really strange is the email appears to be one of those "friendly" informative bounces, attempting to tell me I sent them a virus. Firstly, I didn't and secondly - WTF would somebody return a "you have a virus" message WITH THE ACTUAL VIRUS STILL ATTACHED?!?

Here's a copy of one of the infected emails (sans the actual virus) as it looks when viewed from the Inbox using NotePad:

>From - Fri May 28 09:10:15 2004
Received: from redwing.mail.pas.earthlink.net [207.217.120.246] by roycemedical.com with ESMTP (SMTPD32-8.05) id AC33279B002A; Thu, 27 May 2004 20:04:19 -0700
Received: from exim by redwing.mail.pas.earthlink.net with local (Exim 3.36 #1) id 1BTXg8-0007cR-00 for [EMAIL PROTECTED]; Thu, 27 May 2004 20:05:04 -0700
X-Failed-Recipients: [EMAIL PROTECTED]
From: Mail Delivery System <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[EMAIL PROTECTED]>
Date: Thu, 27 May 2004 20:05:04 -0700
X-RBL-Warning: CATCHALLMAILS:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.217.120.246 with no reverse DNS entry.
X-Declude-Sender: <> [207.217.120.246]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: CATCHALLMAILS, IPNOTINMX, NOLEGITCONTENT, REVDNS [4]
X-Note: This E-mail was sent from [No Reverse DNS] ([207.217.120.246]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-UIDL: 382853452

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error.
The following address(es) failed:

  [EMAIL PROTECTED]
    SMTP error from remote mailer after end of data:
    host mx3.earthlink.net [207.217.125.18]: 554 Message Rejected Due To Virus Found In Attachment

------ This is a copy of the message, including all the headers. ------

Return-path: <[EMAIL PROTECTED]>
Received: from toucan-120.pocket ([10.4.120.212] helo=toucan) by redwing.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1BTXg8-0007cK-00 for [EMAIL PROTECTED]; Thu, 27 May 2004 20:05:04 -0700
X-MindSpring-Loop: [EMAIL PROTECTED]
Received: from r0r3.com ([68.189.33.3]) by toucan (EarthLink Mail Service) with ESMTP id 1btxG538c3NZFmk0 for <[EMAIL PROTECTED]>; Thu, 27 May 2004 20:05:01 -0700 (PDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Thu, 27 May 2004 20:05:02 -0700
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.
------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative; boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0>www.r0r3.com/inbox/ntdrivers/read.php?sessionid-20228</a>
<iframe src=3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0></iframe>
<DIV> </DIV></BODY></HTML>

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav; name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<[EMAIL PROTECTED]>

*******************************************************
**T H E E N C O D E D V I R U S W A S H E R E**
*******************************************************

------=_NextPart_000_001B_01C0CA80.6B015D10--

Here's another one of the infected emails from a different user's Inbox:

>From - Fri Jun 11 16:07:50 2004
Received: from amxbounce05.aptimus.net [206.169.235.140] by roycemedical.com (SMTPD32-8.05) id A7F94DB0112; Fri, 11 Jun 2004 12:28:57 -0700
Received: (qmail 5693 invoked for bounce); 11 Jun 2004 19:27:58 -0000
Date: 11 Jun 2004 19:27:58 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: CATCHALLMAILS:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.169.235.140 with no reverse DNS entry.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000020e].
X-Declude-Sender: <> [206.169.235.140]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: CATCHALLMAILS, IPNOTINMX, NOLEGITCONTENT, REVDNS, SPAMHEADERS [7]
X-Note: This E-mail was sent from [No Reverse DNS] ([206.169.235.140]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-UIDL: 385416631

Hi. This is the qmail-send program at aptimus.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 25142 invoked from network); 11 Jun 2004 19:26:32 -0000
Received: from adsl-64-173-105-42.dsl.lsan03.pacbell.net (HELO aptimail.giftplace.com) (64.173.105.42) by 0 with SMTP; 11 Jun 2004 19:26:32 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: website
Date: Fri, 11 Jun 2004 12:28:46 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Your details.
------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream; name="website_2725.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="website_2725.zip"

*******************************************************
**T H E E N C O D E D V I R U S W A S H E R E**
*******************************************************

------=_NextPart_000_0016----=_NextPart_000_0016--

I've tried blocking these by both attachment name in Declude and Content-Type in our Firewall, but they just keep morphing into something else and slipping by. Any useful advice greatly appreciated...

Alan Walters
Director of I.T.
Royce Medical

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
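As an added illustration (not code from this thread or from Declude), the check below applies BANEXT/BANNAME-style rules to a constructed message shaped like the two bounces quoted above: it keys on the attachment filename rather than the declared Content-Type, which is what catches a message.scr labelled audio/x-wav, and it goes one step further than the config by also looking inside ZIP attachments, since the second bounce carries its payload as website_2725.zip. The rule subset, the case-insensitive matching and the sample message are assumptions of this example, not Declude's documented behaviour.

```python
import base64
import email
import io
import zipfile
from email import policy

# Subset of the BANEXT / BANNAME entries above; matched case-insensitively (an assumption).
BANEXT = {"scr", "pif", "exe", "com", "cpl", "bat", "cmd", "vbs", "js"}
BANNAME = {"photo.zip", "private.zip", "report.zip", "details.rar"}

def banned_reason(filename):
    """Return the rule a filename trips, or None if it is allowed."""
    name = filename.strip().lower()
    if name in BANNAME:
        return f"BANNAME {name}"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return f"BANEXT {ext}" if ext in BANEXT else None

def scan_message(raw):
    """Judge each MIME part by its filename, not its declared Content-Type (the bounce
    above labels a .scr as audio/x-wav), and look inside ZIP attachments as well."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() uses Content-Disposition filename=, else Content-Type name=
        fname = part.get_filename() or ""
        reason = banned_reason(fname)
        payload = part.get_payload(decode=True) or b""
        if reason:
            hits.append((fname, reason))
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [(f"{fname}:{m}", banned_reason(m)) for m in zf.namelist() if banned_reason(m)]
    return hits

def build_sample():
    """Constructed message shaped like the two bounces above; the payloads are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("website_2725.scr", "placeholder, not a real binary")
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        'Subject: Re: website\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
        '--B\r\nContent-Type: text/plain\r\n\r\nYour details.\r\n'
        f'--B\r\nContent-Type: audio/x-wav; name="message.scr"\r\nContent-Transfer-Encoding: base64\r\n\r\n{base64.b64encode(b"placeholder").decode()}\r\n'
        '--B\r\nContent-Type: application/octet-stream; name="website_2725.zip"\r\nContent-Disposition: attachment; filename="website_2725.zip"\r\n'
        f'Content-Transfer-Encoding: base64\r\n\r\n{zip_b64}\r\n--B--\r\n'
    ).encode()
```

Running scan_message(build_sample()) reports both the mislabelled message.scr and the .scr hidden inside the ZIP, while the plain-text part passes.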