RE: [Declude.Virus] Feature Request: Deletion of banned files
John,

Does this script delete just the files with the banned attachments or anything over 5 days old? Are you willing to share the script?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, April 30, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

I have a script that runs just after midnight each day that in effect deletes those held after 5 days.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, April 30, 2004 6:21 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Feature Request: Deletion of banned files

Hi Scott,

We seem to be spending more and more time deleting from the virus hold queue files that have .PIF and .SCR extensions. We'd like to request a little more granular control over banning of extensions...specifically, a setting to go ahead and delete some of them.

For example, instead of

BANEXT PIF

perhaps we could use

DELEXT PIF

Obviously there are a number of other extensions we would continue to ban, and check for legitimacy, but this would be helpful.

Thoughts?

Darin.
[Declude.Virus] Unknown Viruses?
Hi,

I am using F-Prot and it is working but I keep getting these unidentified viruses.

Unknown Virus virus in the Unknown File attachment

Can anyone shed any light on this?

Thanx

Goran Jovanovic
The LAN Shoppe

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] blocking auto reply messages
on 5/6/04 10:10 AM, Douglas Cohn wrote:

> Why are we looking for the beginning of an IP address?

Our users were receiving a lot of messages like this ...

>> Unknown user: [EMAIL PROTECTED]
>>
>>
>> Original message follows.
>>
>> Received: from 0016190464.com [67.96.70.122] by mx2.acsworld.net
>> (SMTPD32-8.05) id AC92E01A0136; Sat, 01 May 2004 17:54:26 -0400
>> Date: Sat, 01 May 2004 16:52:51 -0600
>> To: [EMAIL PROTECTED]

which indicates that [EMAIL PROTECTED] sent a message to [EMAIL PROTECTED]. However, that really didn't happen. The message contains "Unknown user", has headers but does not have the IP or name of our outgoing mail server in those original headers, so the message wasn't actually sent by an ACSWorld user.

If they didn't send the original message, they don't want this message and constantly explaining forging viruses, how they work, why the return message gets returned, etc, was getting tiresome.

Later,
Greg
Re: [Declude.Virus] blocking auto reply messages
Greg,

I like your thinking very much here. Unfortunately this requires knowing all the possible outgoing servers for all of your clients, and because I'm gatewaying a bunch of E-mail, that is near impossible to keep up with. I'm not about to give up on the idea though.

My BOUNCER filter that I described is very effective at handling NDR's when they contain original content, even if it is just the headers often times, but yesterday some child porn spammer used a real E-mail address of a customer and generated about 500 bounces, and I estimate that about 50 got through because they contained no content in the bounce such as NDR's sent by AOL.

Your filter might be a good way to manage the situation for individual domains that are having problems with real addresses being used, and implemented per-domain when a problem arises. I'm wondering if you are aware of any NDR's that are getting through your setup, i.e. ones that don't contain the headers.

Thanks,
Matt

System Administrator wrote:

on 5/6/04 10:10 AM, Douglas Cohn wrote:

Why are we looking for the beginning of an IP address?

Our users were receiving a lot of messages like this ...

Unknown user: [EMAIL PROTECTED]

Original message follows.

Received: from 0016190464.com [67.96.70.122] by mx2.acsworld.net
(SMTPD32-8.05) id AC92E01A0136; Sat, 01 May 2004 17:54:26 -0400
Date: Sat, 01 May 2004 16:52:51 -0600
To: [EMAIL PROTECTED]
Subject: Hidden message
From: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;

which indicates that [EMAIL PROTECTED] sent a message to [EMAIL PROTECTED]. However, that really didn't happen. The message contains "Unknown user", has headers but does not have the IP or name of our outgoing mail server in those original headers, so the message wasn't actually sent by an ACSWorld user.

If they didn't send the original message, they don't want this message and constantly explaining forging viruses, how they work, why the return message gets returned, etc, was getting tiresome.

Later,
Greg

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] blocking auto reply messages
on 5/6/04 10:10 AM, Douglas Cohn wrote:

> Why are we looking for the beginning of an IP address?

Our users were receiving a lot of messages like this ...

>> Unknown user: [EMAIL PROTECTED]
>>
>>
>> Original message follows.
>>
>> Received: from 0016190464.com [67.96.70.122] by mx2.acsworld.net
>> (SMTPD32-8.05) id AC92E01A0136; Sat, 01 May 2004 17:54:26 -0400
>> Date: Sat, 01 May 2004 16:52:51 -0600
>> To: [EMAIL PROTECTED]
>> Subject: Hidden message
>> From: [EMAIL PROTECTED]
>> Message-ID: <[EMAIL PROTECTED]>
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;

which indicates that [EMAIL PROTECTED] sent a message to [EMAIL PROTECTED]. However, that really didn't happen. The message contains "Unknown user", has headers but does not have the IP or name of our outgoing mail server in those original headers, so the message wasn't actually sent by an ACSWorld user.

If they didn't send the original message, they don't want this message and constantly explaining forging viruses, how they work, why the return message gets returned, etc, was getting tiresome.

Later,
Greg
RE: [Declude.Virus] blocking auto reply messages
Here's what works for me:

Matt's (Mailpure) ANTI-AV filter works pretty well for me.

Then this was discussed last weekend on the list. It involved punishing those that fail the anti-av filter and have a null mail.

I have a postmaster-mail filter:

MAILFROM 0 IS <>
MAILFROM 0 CONTAINS administrator@
MAILFROM 0 CONTAINS Antigen@
MAILFROM 0 CONTAINS Antigen_
MAILFROM 0 CONTAINS DLWC-virus-scanner@
MAILFROM 0 CONTAINS e500admin@
MAILFROM 0 STARTSWITH NAV@
MAILFROM 0 CONTAINS NAVMSE-
MAILFROM 0 CONTAINS NAVMSE_
MAILFROM 0 CONTAINS NAVMSE@
MAILFROM 0 CONTAINS POSTMASTER@
MAILFROM 0 STARTSWITH root@
MAILFROM 0 CONTAINS Symantec_AntiVirus_for_SMTP_Gateways@
MAILFROM 0 CONTAINS Virus_Alert@
MAILFROM 0 CONTAINS Virus-Alert@
MAILFROM 0 CONTAINS Virus-Alert.
MAILFROM 0 CONTAINS viruschecker@
MAILFROM 0 CONTAINS virus-scanner@
MAILFROM 0 CONTAINS virusmanager@
MAILFROM 0 CONTAINS Virus-Monitor@
MAILFROM 0 CONTAINS virusscan@

Then I have a combo filter for the anti-av (called MP-ANTI-AV) and the Postmaster-mail, giving 10 more points.

TESTSFAILED 10 CONTAINS MP-ANTI-AV POSTMASTER-MAIL

Note, I'm lazy and have the postmaster-mail filter immediately after the mp-anti-av filter in my cfg file. This way I can avoid a couple of other Testfailed filters. If you move the postmaster-mail filter to a different location, you'll need to add testfailed to look for each individual filter and then combo testfailed on those.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/06/04 09:10AM >>>

Help me out please.

Why are we looking for the beginning of an IP address?

Also my understanding of these filters is to eliminate sending emails to users that were not the original senders because of a forged virus. Is that correct???

If so wouldn't adding the Virus name to the declude forged tag solve that??

I am asking here so please do not assume I know much ...

>>bracketfl - returned messages should have the original headers so I'm looking for the
>>beginning of an IP address

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: Thursday, May 06, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] blocking auto reply messages

on 4/30/04 12:41 PM, Jeffrey Di Gregorio wrote:

> Does anyone have a suggestion on what to do about the growing number
> of auto reply messages being received by clients because of the
> current amount of forging viruses. I am getting daily complaints from
> clients who say they never sent anything to someone but are receiving
> multiple auto response messages (user unknown, mailbox full, virus
> warnings, etc.) I am at a loss on what to do about this.

I was having the same problem as you and I came up with these filters that seem to work for me.

UNKNOWNUSERF filter e:\imail\declude\unknownuserf.txt x 0 0
BRACKETFL    filter e:\imail\declude\bracketfl.txt x 0 0
BRACKETFR    filter e:\imail\declude\bracketfr.txt x 0 0
ACSMAILF     filter e:\imail\declude\acsmailf.txt x 0 0
NEVERSENTF   filter e:\imail\declude\neversentf.txt x 0 0

unknownuserf -

SKIPIFWEIGHT 50
BODY 0 CONTAINS unknown user
BODY 0 CONTAINS user unknown

bracketfl - returned messages should have the original headers so I'm looking for the beginning of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS [1
BODY 0 CONTAINS [2
BODY 0 CONTAINS [3
BODY 0 CONTAINS [4
BODY 0 CONTAINS [5
BODY 0 CONTAINS [6
BODY 0 CONTAINS [7
BODY 0 CONTAINS [8
BODY 0 CONTAINS [9

bracketfr - looking for the end of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS 0]
BODY 0 CONTAINS 1]
BODY 0 CONTAINS 2]
BODY 0 CONTAINS 3]
BODY 0 CONTAINS 4]
BODY 0 CONTAINS 5]
BODY 0 CONTAINS 6]
BODY 0 CONTAINS 7]
BODY 0 CONTAINS 8]
BODY 0 CONTAINS 9]

acsmailf - contains the IP and name of my outgoing mail server (obviously substitute yours), if the message contains one of these values it is possible the message did originate here.

SKIPIFWEIGHT 50
BODY 0 CONTAINS 12.4.184.4
BODY 0 CONTAINS mail.acsworld.com

neversentf - if the message was about an "unknown user" and had header records, but they were not from my mail server, then it didn't come from my mail server so we add 40 to the weight. We delete on 40 weight.

SKIPIFWEIGHT 50
TESTSFAILED END CONTAINS acsmailf
TESTSFAILED 40 CONTAINS unknownuserf bracketfl bracketfr

If anyone is interested, our newest nigerian filter is available for download at http://www.acsworld.net/declude/nigerianf.zip . It's a work i
RE: [Declude.Virus] blocking auto reply messages
Help me out please.

Why are we looking for the beginning of an IP address?

Also my understanding of these filters is to eliminate sending emails to users that were not the original senders because of a forged virus. Is that correct???

If so wouldn't adding the Virus name to the declude forged tag solve that??

I am asking here so please do not assume I know much ...

>>bracketfl - returned messages should have the original headers so I'm looking for the
>>beginning of an IP address

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: Thursday, May 06, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] blocking auto reply messages

on 4/30/04 12:41 PM, Jeffrey Di Gregorio wrote:

> Does anyone have a suggestion on what to do about the growing number
> of auto reply messages being received by clients because of the
> current amount of forging viruses. I am getting daily complaints from
> clients who say they never sent anything to someone but are receiving
> multiple auto response messages (user unknown, mailbox full, virus
> warnings, etc.) I am at a loss on what to do about this.

I was having the same problem as you and I came up with these filters that seem to work for me.

UNKNOWNUSERF filter e:\imail\declude\unknownuserf.txt x 0 0
BRACKETFL    filter e:\imail\declude\bracketfl.txt x 0 0
BRACKETFR    filter e:\imail\declude\bracketfr.txt x 0 0
ACSMAILF     filter e:\imail\declude\acsmailf.txt x 0 0
NEVERSENTF   filter e:\imail\declude\neversentf.txt x 0 0

unknownuserf -

SKIPIFWEIGHT 50
BODY 0 CONTAINS unknown user
BODY 0 CONTAINS user unknown

bracketfl - returned messages should have the original headers so I'm looking for the beginning of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS [1
BODY 0 CONTAINS [2
BODY 0 CONTAINS [3
BODY 0 CONTAINS [4
BODY 0 CONTAINS [5
BODY 0 CONTAINS [6
BODY 0 CONTAINS [7
BODY 0 CONTAINS [8
BODY 0 CONTAINS [9

bracketfr - looking for the end of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS 0]
BODY 0 CONTAINS 1]
BODY 0 CONTAINS 2]
BODY 0 CONTAINS 3]
BODY 0 CONTAINS 4]
BODY 0 CONTAINS 5]
BODY 0 CONTAINS 6]
BODY 0 CONTAINS 7]
BODY 0 CONTAINS 8]
BODY 0 CONTAINS 9]

acsmailf - contains the IP and name of my outgoing mail server (obviously substitute yours), if the message contains one of these values it is possible the message did originate here.

SKIPIFWEIGHT 50
BODY 0 CONTAINS 12.4.184.4
BODY 0 CONTAINS mail.acsworld.com

neversentf - if the message was about an "unknown user" and had header records, but they were not from my mail server, then it didn't come from my mail server so we add 40 to the weight. We delete on 40 weight.

SKIPIFWEIGHT 50
TESTSFAILED END CONTAINS acsmailf
TESTSFAILED 40 CONTAINS unknownuserf bracketfl bracketfr

If anyone is interested, our newest nigerian filter is available for download at http://www.acsworld.net/declude/nigerianf.zip . It's a work in progress but it seems to catch some scam messages every day.

Later,
Greg
RE: [Declude.Virus] problems with the F-Prot updater
I have seen this as well. You could write a batch file that tests for the website first and if it resolves correctly runs the updater. If not it loops through and delays 10 minutes and then tries again.

I have been planning to do just that myself. I run the updates every hour so I am more likely to see this issue than someone that runs it daily at 3AM.

Good luck

DC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hermann Strassner
Sent: Thursday, May 06, 2004 4:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] problems with the F-Prot updater

> Is any one else having problems getting updates from the f-prot site?
> I get a runtime error from the updater program, and when I go to the website
> to download the updates, I get a page can not be found.

I can't reach the website and I got a runtime error 1 time. Half an hour later everything worked fine again. I think the website was down or there was too much traffic.

Hermann
Re[5]: [Declude.Virus] Missed virus reports
Hello Patrick,

Monday, May 3, 2004, 6:44:52 PM, you wrote:

PC> Hello David,

>> BANEZIPEXTS ON

PC> Sorry to jump in but just a couple of thoughts.

PC> Are you running the "Pro" version of Declude? I don't think BANEZIPEXTS
PC> works on the "Standard" version. Secondly, I believe, in special
PC> circumstances, some admins configure "Declude Junkmail" to run before
PC> "Declude AV". I think this configuration could cause this behavior.

Good thoughts on both of them there. Unfortunately, yes... we are running Pro and no, we haven't switched the JM/AV scanning order.

--
Best regards,
David
mailto:[EMAIL PROTECTED]
Re: [Declude.Virus] blocking auto reply messages
on 4/30/04 12:41 PM, Jeffrey Di Gregorio wrote:

> Does anyone have a suggestion on what to do about the growing number of auto
> reply messages being received by clients because of the current amount of
> forging viruses. I am getting daily complaints from clients who say they
> never sent anything to someone but are receiving multiple auto response
> messages (user unknown, mailbox full, virus warnings, etc.) I am at a loss on
> what to do about this.

I was having the same problem as you and I came up with these filters that seem to work for me.

UNKNOWNUSERF filter e:\imail\declude\unknownuserf.txt x 0 0
BRACKETFL    filter e:\imail\declude\bracketfl.txt x 0 0
BRACKETFR    filter e:\imail\declude\bracketfr.txt x 0 0
ACSMAILF     filter e:\imail\declude\acsmailf.txt x 0 0
NEVERSENTF   filter e:\imail\declude\neversentf.txt x 0 0

unknownuserf -

SKIPIFWEIGHT 50
BODY 0 CONTAINS unknown user
BODY 0 CONTAINS user unknown

bracketfl - returned messages should have the original headers so I'm looking for the beginning of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS [1
BODY 0 CONTAINS [2
BODY 0 CONTAINS [3
BODY 0 CONTAINS [4
BODY 0 CONTAINS [5
BODY 0 CONTAINS [6
BODY 0 CONTAINS [7
BODY 0 CONTAINS [8
BODY 0 CONTAINS [9

bracketfr - looking for the end of an IP address

SKIPIFWEIGHT 50
BODY 0 CONTAINS 0]
BODY 0 CONTAINS 1]
BODY 0 CONTAINS 2]
BODY 0 CONTAINS 3]
BODY 0 CONTAINS 4]
BODY 0 CONTAINS 5]
BODY 0 CONTAINS 6]
BODY 0 CONTAINS 7]
BODY 0 CONTAINS 8]
BODY 0 CONTAINS 9]

acsmailf - contains the IP and name of my outgoing mail server (obviously substitute yours), if the message contains one of these values it is possible the message did originate here.

SKIPIFWEIGHT 50
BODY 0 CONTAINS 12.4.184.4
BODY 0 CONTAINS mail.acsworld.com

neversentf - if the message was about an "unknown user" and had header records, but they were not from my mail server, then it didn't come from my mail server so we add 40 to the weight. We delete on 40 weight.

SKIPIFWEIGHT 50
TESTSFAILED END CONTAINS acsmailf
TESTSFAILED 40 CONTAINS unknownuserf bracketfl bracketfr

If anyone is interested, our newest nigerian filter is available for download at http://www.acsworld.net/declude/nigerianf.zip . It's a work in progress but it seems to catch some scam messages every day.

Later,
Greg
RE: [Declude.Virus] problems with the F-Prot updater
Leave it. Sometimes the check goes as fast as hell (part of a second). Sometimes it took a few minutes to finish (not the update, just the check). The 1 time it ended with an error message.

Hermann

> I see this all the time. It works fine for a while and then
> all of a sudden
> in one update it goes 1/2 way and then stops.
>
> Cancel does not work and it just hangs.. The way I have found
> out of it is
> to launch Updater manually then end task it.
>
> I think at times their server gets overloaded.
>
> Kami