Re: [Declude.Virus] Blocking PIF Files

2005-11-23 Thread Dan Geiser
Thanks, Uwe.  Do you know if both of the below techniques work in with 
Declude Virus Standard?


Thanks,
Dan

- Original Message - 
From: Info Wind [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 9:47 AM
Subject: Re: [Declude.Virus] Blocking PIF Files



virus.cfg:

BANEXT PIF

If you also want to block them in zips and encrypted zip:
BANZIPEXTS ON
BANEZIPEXTS ON

Uwe

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 3:26 PM
Subject: [Declude.Virus] Blocking PIF Files



Hello, All,
I don't know whether this would be more appropriate for the virus list or 
the junkmail list so please point me towards junkmail if appropriate.


What is the proper technique for blocking messages that have an 
attachment that ends in a pif extension like your_letter.pif?


We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser
[EMAIL PROTECTED]
---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.





Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-23 Thread Dan Geiser

Darin,
Would you add these to virus.cfg?  Similar to BANEXT?

Thanks,
Dan

- Original Message - 
From: Darin Cox [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


For those of us poor saps who don't have Pro, here's a compiled list from a
couple of sources of zip filenames to ban.

Due to the variation in filenames, it would be useful to have BANNAME allow
some minimal pattern matching.  That would have made this list a bit
shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip

BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip

BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip

BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip

BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip

BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip

BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip



Darin.


- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems


If you have Pro version you should be always blocking using BANZIPEXTS ON
and BANEZIPEXTS ON.

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I
blocked all zip files and submitted samples

I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


 McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
 missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
 missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
 McAfee seems to have had this one tagged prior to the outbreak starting
 since none have slipped through yet.

 Matt



 Rick Davidson wrote:

 heads up folks, I am stopping a new zip virus with the following junkmail
 rules, this is all I have seen so far. Contains an executable payload
 called File-packed_dataInfo.exe

 Rick Davidson
 National Systems Manager
 North American Title Group
 440-639-0607 - Office
 951-233-6342 - Mobile
 [EMAIL PROTECTED]

Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Dan Geiser
I opened the zip file and it contained one file called 1.cpl (without the 
quotes).  Some sort of malicious Control Panel applet?


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload inside the zip?

John T
eServices For You



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word price.
Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary=
BODY END NOTCONTAINS attachment; filename=
BODY END NOTCONTAINS .zip Content-Transfer-Encoding
BODY 15 CONTAINS price

Matt


Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

2005-06-29 Thread Dan Geiser
Thanks for the info, Darrell.  I'm sure that'll be enough to get me pointed 
in the right direction.


I had another quick question for anyone willing to answer.  Typically I get 
most of my questions answered through these Declude discussion lists. 
Yesterday afternoon I submitted a request to [EMAIL PROTECTED] regarding 
this issue (and a few tertiary issues) and I have yet to get any sort of 
response whatsoever.  I checked their web site and they said that e-mail is 
the best way to get support.  Is this typical of Declude's support to be 
unresponsive like this?


TIA,
Dan

- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, June 28, 2005 5:35 PM
Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability



Dan,
I have been running 2.0.6 with no major issues that plague me on a daily 
basis.  The only issue I have encountered is when the server is under high 
load and Declude spawns processes until the server starts generating 
errors. Since I upgraded the server it doesn't happen very often.
For the install you can grab the package from your account on the 
declude site.  The manual install was pretty easy - just install and 
select manual along with a directory.  The upgrade for 2.0.6.16 the last 
beta is just an exe download.

Hope this helps,
Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, 
MRTG Integration, and Log Parsers.



Dan Geiser writes:

Hi, Again,
I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release 
Notes, http://www.declude.com/Articles.asp?ID=122.  It looks like this 
feature was added in Declude 2.0.  But it appears the current version of 
Declude 2.0.6.  Since we are running 1.82 I assume that I'll have to 
upgrade to 2.0 at least.  Is 2.0.6 a safe version to upgrade to in light 
of the issues people have added with bugs and the like?  If so, is there 
a special place where I can go to get instructions on doing a Manual 
Upgrade to 2.0.6?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: DECLUDE.VIRUS@DECLUDE.COM
Sent: Tuesday, June 28, 2005 3:52 PM
Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by our
virus protection with the Outlook 'Boundary Space Gap' Vulnerability.

Is there anyway that I can turn off checking for the Outlook 'Boundary
Space Gap' Vulnerability on either a specific incoming e-mail address or a
specific incoming e-mail domain?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

2005-06-29 Thread Dan Geiser

Hi, All,
OK, then.  Well since it may be some time before I hear anything from 
Declude perhaps someone on here can help answer my question.


We are currently running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

Our Service Agreement expired on June 15th.

Since our Service Agreement ended on June 15th I assume this means we can 
legally upgrade to any version which was released before that date?


During the conversations I had with Scott in the past that was the case but 
I just wanted to make sure before I upgraded to 2.0.6.


TIA,
Dan

- Original Message - 
From: Darin Cox [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, June 29, 2005 10:02 AM
Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability



Yep... I find that typically only a few questions or comments on the list
get formal response by Declude nowadays, so email to their support address
is the only way to get a response.  There's just not the same level of
service or customer attention.

Darin.


- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, June 29, 2005 9:28 AM
Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability


Thanks for the info, Darrell.  I'm sure that'll be enough to get me pointed
in the right direction.

I had another quick question for anyone willing to answer.  Typically I get
most of my questions answered through these Declude discussion lists.
Yesterday afternoon I submitted a request to [EMAIL PROTECTED] regarding
this issue (and a few tertiary issues) and I have yet to get any sort of
response whatsoever.  I checked their web site and they said that e-mail is
the best way to get support.  Is this typical of Declude's support to be
unresponsive like this?

TIA,
Dan

- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, June 28, 2005 5:35 PM
Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability



Dan,
I have been running 2.0.6 with no major issues that plague me on a daily
basis.  The only issue I have encountered is when the server is under high
load and Declude spawns processes until the server starts generating
errors. Since I upgraded the server it doesn't happen very often.
For the install you can grab the package from your account on the
declude site.  The manual install was pretty easy - just install and
select manual along with a directory.  The upgrade for 2.0.6.16 the last
beta is just an exe download.
Hope this helps,
Darrell

Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
MRTG Integration, and Log Parsers.


Dan Geiser writes:

Hi, Again,
I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release
Notes, http://www.declude.com/Articles.asp?ID=122.  It looks like this
feature was added in Declude 2.0.  But it appears the current version of
Declude 2.0.6.  Since we are running 1.82 I assume that I'll have to
upgrade to 2.0 at least.  Is 2.0.6 a safe version to upgrade to in light
of the issues people have added with bugs and the like?  If so, is there
a special place where I can go to get instructions on doing a Manual
Upgrade to 2.0.6?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: DECLUDE.VIRUS@DECLUDE.COM
Sent: Tuesday, June 28, 2005 3:52 PM
Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by our
virus protection with the Outlook 'Boundary Space Gap' Vulnerability.

Is there anyway that I can turn off checking for the Outlook 'Boundary
Space Gap' Vulnerability on either a specific incoming e-mail address or a
specific incoming e-mail domain?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

2005-06-29 Thread Dan Geiser

Hello, All,
I just upgraded to Declude 2.0.6 using the manual method.  I had 2 
questions...


---
#1)  I added the following test to my virus.cfg file...

#
# The ALLOWVULNERABILITIESFROM option will...
#

ALLOWVULNERABILITIESFROM @domain.com

It wasn't clear where to put this in virus.cfg so I just dropped it at the 
end.  Will that get the job done?

---

---
#2)  Now that I've upgraded is there a specific file I should watch closely 
to make sure that I'm not experiencing any of the bugs I've read about in 
the newer versions?  I'd rather not hear it from the customer but instead 
would like to monitor things closely myself.  Perhaps evidence of any issues 
will show up in the log file?

---

Thanks, Much!
Dan

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, June 28, 2005 4:05 PM
Subject: Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability



Hi, Again,
I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release 
Notes, http://www.declude.com/Articles.asp?ID=122.  It looks like this 
feature was added in Declude 2.0.  But it appears the current version of 
Declude 2.0.6.  Since we are running 1.82 I assume that I'll have to 
upgrade to 2.0 at least.  Is 2.0.6 a safe version to upgrade to in light 
of the issues people have added with bugs and the like?  If so, is there a 
special place where I can go to get instructions on doing a Manual Upgrade 
to 2.0.6?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]

To: DECLUDE.VIRUS@DECLUDE.COM
Sent: Tuesday, June 28, 2005 3:52 PM
Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability



Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by our
virus protection with the Outlook 'Boundary Space Gap' Vulnerability.

Is there anyway that I can turn off checking for the Outlook 'Boundary
Space Gap' Vulnerability on either a specific incoming e-mail address or a
specific incoming e-mail domain?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



[Declude.Virus] Ignoring Boundary Space Gap Vulnerability

2005-06-28 Thread Dan Geiser

Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by our
virus protection with the Outlook 'Boundary Space Gap' Vulnerability.

Is there anyway that I can turn off checking for the Outlook 'Boundary
Space Gap' Vulnerability on either a specific incoming e-mail address or a
specific incoming e-mail domain?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 





Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

2005-06-28 Thread Dan Geiser

Hi, Again,
I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release 
Notes, http://www.declude.com/Articles.asp?ID=122.  It looks like this 
feature was added in Declude 2.0.  But it appears the current version of 
Declude 2.0.6.  Since we are running 1.82 I assume that I'll have to upgrade 
to 2.0 at least.  Is 2.0.6 a safe version to upgrade to in light of the 
issues people have added with bugs and the like?  If so, is there a special 
place where I can go to get instructions on doing a Manual Upgrade to 2.0.6?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]

To: DECLUDE.VIRUS@DECLUDE.COM
Sent: Tuesday, June 28, 2005 3:52 PM
Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability



Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by our
virus protection with the Outlook 'Boundary Space Gap' Vulnerability.

Is there anyway that I can turn off checking for the Outlook 'Boundary
Space Gap' Vulnerability on either a specific incoming e-mail address or a
specific incoming e-mail domain?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



Re: [Declude.Virus] BANCRVIRUSES OFF for 1 Domain

2005-03-24 Thread Dan Geiser
Thanks, David!  So what's the first safe version of Declude 2.x that I can
upgrade to without going through all of the grief that the current beta
testers are going through yet gain this functionality?

- Original Message - 
From: David Barker [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, March 24, 2005 3:20 PM
Subject: RE: [Declude.Virus] BANCRVIRUSES OFF for 1 Domain


 In version 2.0+

 ALLOWVULNERABILITIESFROM option instructs Declude Virus to allow
 vulnerabilities from a specific E-mail address or domain.

 Details: A line such as ALLOWVULNERABILITIESFROM @ual.com will force Declude
 Virus to bypass vulnerability detection if an E-mail is sent from @ual.com.
 This works with a partial match on the return address, so just ual.com
 would also match [EMAIL PROTECTED].

 Allowing a user to send vulnerabilities

 Occasionally, legitimate mailers will send out E-mails with vulnerabilities.
 Usually, they stop doing so quickly, as any up-to-date mailserver virus
 scanner should block their E-mail. The best thing to do if this happens is
 to contact the sender, and get them to fix the problem. However, in the rare
 cases where this is not possible, you can instruct Declude Virus to allow
 the user to send vulnerabilities. To do so, you can add a line such as
 ALLOWVULNERABILITIESFROM [EMAIL PROTECTED] to your Imail Declude
 virus.cfg file. In this case, it would allow any vulnerabilities from
 [EMAIL PROTECTED], while not allowing detected viruses from
 [EMAIL PROTECTED]

 That means that a virus not using any mailserver AV vulnerabilities would
 get caught, but a virus that does use a mailserver AV vulnerability might
 not be caught. This is a big risk, but there is no risk-free way to allow
 someone to send potentially dangerous E-mail.

 David B
 www.declude.com


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
 Sent: Thursday, March 24, 2005 3:13 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] BANCRVIRUSES OFF for 1 Domain

 Hello, All,
 An e-mail hosting customer is complaining because some e-mails were blocked
 by Declude AV with the Outlook 'Boundary Space Gap' Vulnerability.

 I know we can use BANCRVIRUSES OFF in \IMail\Declude\virus.cfg to turn
 this off but I also assume that this will turn it off for all domains.  Is
 there a way to turn these off for one domain or set of domains?

 We are currently running Declude 1.82.

 Thanks In Advance,
 Dan Geiser
 [EMAIL PROTECTED]
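
Added example (not part of the thread and not Declude's code): David Barker's reply says ALLOWVULNERABILITIESFROM works with a partial match on the return address. The Python sketch below assumes that means a case-insensitive substring test, and audits a constructed virus.cfg fragment against constructed return addresses to list the senders each entry exempts beyond the one the administrator meant.

```python
# Assumption: "partial match" is modelled as a case-insensitive substring test.
# The config fragment and the return addresses are constructed samples that
# use reserved example domains only.
SAMPLE_CFG = """\
#
# Constructed virus.cfg fragment
#
ALLOWVULNERABILITIESFROM @example.com
ALLOWVULNERABILITIESFROM example.com
ALLOWVULNERABILITIESFROM alerts@example.org
"""

SAMPLE_RETURN_ADDRESSES = [
    "billing@example.com",
    "billing@example.com.invalid",
    "news@shop-example.com.invalid",
    "alerts@example.org",
    "noalerts@example.org",
]


def parse_allow_entries(cfg_text):
    """Collect the value of every ALLOWVULNERABILITIESFROM line, skipping # comments."""
    entries = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "ALLOWVULNERABILITIESFROM":
            entries.append(parts[1].strip())
    return entries


def partial_match(entry, return_address):
    """Assumed model of the partial match: substring anywhere in the address."""
    return entry.lower() in return_address.lower()


def intended_match(entry, return_address):
    """What the administrator most likely meant: one exact address or one exact domain."""
    entry = entry.lower()
    address = return_address.lower()
    domain = address.rpartition("@")[2]
    if entry.startswith("@"):
        return domain == entry[1:]
    if "@" in entry:
        return address == entry
    return domain == entry


def audit_allow_entries(cfg_text, return_addresses):
    """Map each entry to the addresses it exempts only because the match is partial."""
    report = {}
    for entry in parse_allow_entries(cfg_text):
        report[entry] = [
            address for address in return_addresses
            if partial_match(entry, address) and not intended_match(entry, address)
        ]
    return report


if __name__ == "__main__":
    for entry, extra in audit_allow_entries(SAMPLE_CFG, SAMPLE_RETURN_ADDRESSES).items():
        print(f"{entry!r} also exempts: {extra or 'nothing unexpected'}")
```

Running the audit over the return addresses seen in the mail log before adding an entry shows how much wider than one sender the exemption really is.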




[Declude.Virus] Suppress Universal Footer for 1 Domain

2004-12-13 Thread Dan Geiser
Hello, All,
 First some details about the version of Declude that we are using...
 
 Declude 1.81 (C) Copyright 2000-2004 Computerized Horizons.
Declude JunkMail:  Config file found (D:\iMail\Declude\global.CFG).
Declude Virus: Config file found (D:\iMail\Declude\Virus.CFG).
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.
 
Given this information is it possible to suppress the Universal Footer which
is attached to all e-mails which are scanned by Declude Virus for just one
domain or set of domains?  Including incoming and outgoing e-mail?
 
 Thanks,
Dan Geiser
[EMAIL PROTECTED] 
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



[Declude.Virus] Regular Zip Blocked by Declude as EZIP

2004-10-28 Thread Dan Geiser
Hello, All,
I sent an e-mail from a customer site to myself with a regular ZIP file
attached.  I received the following message back...


Microsoft Mail Internet Headers Version 2.0
Received: from mail.maildesk.net ([199.218.9.5]) by mail.jhb.com with
Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 28 Oct 2004 16:23:36 -0400
Date: Thu, 28 Oct 2004 16:23:35 -0400
Message-Id: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: Postmaster [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Undeliverable Mail
X-Mailer: IMail v6.05
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 28 Oct 2004 20:23:36.0785 (UTC)
FILETIME=[01191C10:01C4BD2C]
Delivery Failed: [EMAIL PROTECTED]
The mail server for mail.maildesk.net does not accept E-mail with
attachments that contain the EZIP extension.
Original message follows:
Received: from mail.jhb.com [66.162.117.226] by mail.maildesk.net with ESMTP
(SMTPD32-6.06) id A52D2A9900DC; Thu, 28 Oct 2004 16:23:09 -0400
MIME-Version: 1.0
Content-Type: application/x-zip-compressed;
name=NexusHelpDesk.zip
Content-Transfer-Encoding: base64
Content-Description: NexusHelpDesk.zip
Content-Disposition: attachment;
filename=NexusHelpDesk.zip
Subject: Nexus Help Desk
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
Date: Thu, 28 Oct 2004 16:22:29 -0400
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Nexus Help Desk
Thread-Index: AcS9K9dYbM1yZh4zQ5qUfOlVVt7wdQ==
From: Network Administrator [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


The thing is the file I sent to myself is NOT an encrypted zip file.  Any
idea why a non-encrypted zip file would be interpreted as an EZIP file?  I
believe this rejection was generated by Declude.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.Virus] Post-Declude 1.75 Password Zipped Virus Detection

2004-07-21 Thread Dan Geiser
When messages with Encrypted Zip Attachments are caught where do the
messages end up?  Is it in the SPAM directory, the VIRUS directory or
somewhere else?

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 9:10 AM
Subject: Re: [Declude.Virus] Post-Declude 1.75 Password Zipped Virus Detection



 Over the last day or so one of my users has been inundated with viruses
 archived in password protected zip files.  I know that this technique has
 been around for many months now but unfortunately when it was discussed on
 this list I did not have a current service agreement so I didn't pay close
 attention to the discussion regarding any new features which were added to
 Declude to combat this situation.
 
 Are there any new features in Declude which will help mitigate this issue
 or is it just a matter of the user being vigilant?  We are currently using
 Declude v1.75.

 100% of them will get caught if you upgrade to the latest beta (1.79) and
 use a line BANEXT EZIP in your \IMail\Declude\virus.cfg file.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Ultra reliable virus detection and the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.



[Declude.Virus] Post-Declude 1.75 Password Zipped Virus Detection

2004-07-20 Thread Dan Geiser



Hello, All,
Over the last day or so one of my users has been 
inundated with viruses archived in password protected zip files. I know 
that this technique has been around for many months now but unfortunately when 
it was discussed on this list I did not have a current service agreement so I 
didn't pay close attention to the discussion regarding any new features which 
were added to Declude to combat this situation.

Are there any new features in Declude which will 
help mitigate this issue or is it just a matter of the user being 
vigilant? We are currently using Declude v1.75.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


[Declude.Virus] OT: Animal Messages with Viruses?

2004-07-20 Thread Dan Geiser



Hello, All,
Has anyone seen an influx of messages with subjects, 
bodies and attachments related to animals that might contain a 
virus?

I've seen such things as "the snake" and "horse" 
with attachment like "fish.com" but I can't find anything about this on Symantec 
or the usual virus discussion arenas.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.Virus] Spamlist scam?

2004-07-20 Thread Dan Geiser



I feel that Blars is free to put whomever he wants 
on his blacklist. He basically says that he uses the list to block spam 
being sent to him. He makes the blacklist publicly available for others 
that want to use it. No one is forced to use his 
blacklist.

As far as getting removed from the list he is 
basically saying that he will help you figure out why the reputation of your IP 
has become tarnished but to do this he is going to charge you his normal 
consulting rates. We would do the same for any of our customers if they 
came to us and asked us to figure out why they were being blacklisted on any 
blacklist on the Internet. We bill for our time, always.

  - Original Message - 
  From: Mark 
  To: [EMAIL PROTECTED] 
  Sent: Tuesday, July 20, 2004 11:04 AM
  Subject: [Declude.Virus] Spamlist scam?

  Our IP or block got listed on this guy's list. He doesn't 
  provide any information as to how the IP or block got listed and seems more 
  interested in taking money to have an IP de-listed. Wonder how long it 
  will take for him to tick off the wrong company.

  It would be nice if Declude would remove BlarsBL off their list of 
  available lists to prevent him from being used by someone that really 
  shouldn't be managing an email server.

  "If you would like a site be added or removed from BlarsBL, you 
  may hire Blars at his normal consulting rates (currently $250/hour, 2 hour 
  minimum, $1000 deposit due in advance for non-established customers) to 
  investigate your evidence about the site. If it is found that the entry was a 
  mistake, no charge will be made and the entire deposit will be refunded. Send Blars email from a non-listed 
  account to verify current rates and arrange payment."



[Declude.Virus] SKIPIFRECIP SKIPIFVIRUSNAMEHAS

2004-07-16 Thread Dan Geiser



Hello, All,
I know that I can use SKIPIFRECIP to skip Virus 
Warnings for specific Domain Names and I can use SKIPIFVIRUSNAMEHAS to skip 
Virus Warnings for specific Virus Names. But is there any way I can 
suppress Virus for a specific Virus Name for just one domain name? 
Specifically I have one customer who doesn't want to receive the "Vulnerability" 
warnings any longer.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


Fw: [Declude.Virus] Has McAfee fixed Virus Definition Corruptions Yet?

2004-07-09 Thread Dan Geiser
Hello, All,
I have a follow-up to the McAfee issues that we were having in late June.

Since we upgraded from 4.1.5.0 to 4.3.2.0 the Automatic DAT Update in
NetShield Console has quit working.  I've been updating them manually since
then.  I was hoping to create a Scheduled Task to do them and I thought that
the MCUPDATE.EXE program is what would do that but it doesn't appear to have
that functionality.

Does anyone know if there's a command line virus definition updater that I
can use in the above scenario?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 11:28 AM
Subject: Re: [Declude.Virus] Has McAfee fixed Virus Definition Corruptions
Yet?


 Hello, All,
 Just an update to our McAfee issues of last week.  We updated from version
 4.1.5.0 of SCAN.EXE to 4.3.2.0 of SCAN.EXE over the weekend and everything
 appears to be working swimmingly now.

 Has everyone else had luck with the engine upgrade?

 Thanks, Much!
 Dan Geiser
 [EMAIL PROTECTED]

 - Original Message - 
 From: Dan Geiser [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, June 17, 2004 12:33 PM
 Subject: [Declude.Virus] Has McAfee fixed Virus Definition Corruptions
Yet?


  Hello, All,
  Yesterday at 1:04pm our McAfee got new virus definitions, updating from
  version 4366 to 4367, and immediately the command line scanner started
  spazzing out, generating tons of Dr. Watson errors.  It took us a long time
  to diagnose the issue and after trial and error we finally got the server
  acting normally by disabling Declude Virus Scanning.  We then analyzed a
  manual virus scan and saw that it was actually McAfee that was generating
  the Dr. Watson so we reverted to the old 4366 virus definitions and then
  everything started working normally.  Currently we have disabled
  auto-updates on McAfee.
 
  I see from this e-mail that some others maybe have experienced this issue.
  Does anyone know if McAfee has released a new upgrade post-4367 which
  doesn't cause McAfee to flake out?
 
  Thanks In Advance,
  Dan Geiser
 
 


Re: [Declude.Virus] Deactivation

2004-04-07 Thread Dan Geiser
I'm confused.  Why is it a worse situation?

- Original Message - 
From: Mitch Hegstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 1:01 PM
Subject: RE: [Declude.Virus] Deactivation


 I can't argue with that.  I just wish I wasn't left in a worse situation
 than I was prior to setting up declude when it deactivated.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
 Sent: Wednesday, April 07, 2004 11:46 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Deactivation

 One would think that prior to the 30 day trial one would purchase declude
 and it would run forever!


 At 12:20 PM 4/7/2004 -0400, you wrote:
 
  What happens when the 30 days is up and declude deactivates?
 
  At that point, mail will be handled almost exactly the same as it was
  before Declude was installed (the core Declude code will still run, but
  E-mail will be delivered exactly as it had before).
 
 Are the viruses passed on to the users?
 
 Correct.  The Declude Virus code will not run, so viruses will not be
 detected, and will be delivered to users exactly as they would be before
 the Declude Virus evaluation was installed.
 
 -Scott


Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

2004-04-06 Thread Dan Geiser
Hi, Scott,
Sorry about that.  I included the wrong message.  I had 2 issues confused
with each other.  Here is the one I was referring to where Declude blocks
the message...

---
-Original Message- 
From: Postmaster
Sent: Fri 4/2/2004 1:29 AM
To: [EMAIL PROTECTED]
Cc:
Subject: WARNING: YOU WERE SENT A VIRUS


The virus scanner software at Nexus Technology Group on NexusTechGroup.com
has reported someone sent you an E-mail from [EMAIL PROTECTED],
containing the [Outlook 'Blank Folding' Vulnerability] virus in the [No
attachment] attachment.  The subject of the E-mail was Backup Exec Alert:
Job Failed (Server: BHFSERVER) (Job: Backup 0001) .

The E-mail containing the virus has been deleted to prevent any damage.

Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
  (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
From: [EMAIL PROTECTED]
To:   [EMAIL PROTECTED]
Date: Fri, 02 Apr 2004 01:29:56 -0400
Subject: Backup Exec Alert: Job Failed (Server: BHFSERVER) (Job: Backup
0001)

X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: [EMAIL PROTECTED]

---

Any ideas?

Thanks, Again,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 05, 2004 6:54 PM
Subject: Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in
Backup Exec 9.1 Notifications



 We have a customer who is running Veritas Backup Exec.  When their backup
 runs a notification is triggered by Backup Exec and we bounce that
 notification through our IMail server and then on to the appropriate
 parties.  This notification system has been running fine for months now
 using our IMail server as a relay.
 
 In the past week or so IMail has had trouble routing these messages.  Here
 is an example message...
 
 -
 From: Postmaster
 mailto:[EMAIL PROTECTED][EMAIL PROTECTED]
 
 undeliverable to mailto:[EMAIL PROTECTED][EMAIL PROTECTED]

 This one indicates that IMail can't deliver the E-mail to
 mailto:[EMAIL PROTECTED][EMAIL PROTECTED]  However:

 Original message follows.
 
 Subject: Backup Exec Alert: Job Success
 ...

 There is no indication that Declude blocked this E-mail.

 For those of you with a trained eye...
 
 1)  Why does Declude flag the original notification message as having the
 blank folding vulnerability?  I'm OK with that I'm just curious to know why.

 I don't see any indication that it did.

 2)  Secondly and actually more importantly.  Why is my IMail system unable
 to deliver the notification to
 mailto:[EMAIL PROTECTED][EMAIL PROTECTED]  There appears to be a space
 right before mailto:[EMAIL PROTECTED][EMAIL PROTECTED] in the to line of the
 original notification.  I believe that space is being added by Backup
 Exec.  Would that cause the message to be undeliverable?

 That would likely cause the message to be undeliverable.

 -Scott


[Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

2004-04-05 Thread Dan Geiser



Hello, All,
We have a customer who is running Veritas Backup 
Exec. When their backup runs a notification is triggered by Backup 
Exec and we bounce that notification through our IMail server and then on to the 
appropriate parties. This notification system has been running fine for 
months now using our IMail server as a relay.

In the past week or so IMail has had trouble 
routing these messages. Here is an example message...

-
Date: Fri, 2 Apr 2004 09:27:16 -0500
Message-Id: [EMAIL PROTECTED]
From: "Postmaster" [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Undeliverable Mail
X-Mailer: SMTP32 v20010131
X-UIDL: 354778710
Status: U

undeliverable to [EMAIL PROTECTED]

Original message follows.

Received: from jacob_file01 [66.166.116.226] by maildesk.net
 (SMTPD32-6.06) id A4723E800F6; Fri, 02 Apr 2004 09:10:58 -0500
From: [EMAIL PROTECTED]
To:  [EMAIL PROTECTED]
Date: Fri, 02 Apr 2004 09:10:58 -0400
Subject: Backup Exec Alert: Job Success
X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=unique-boundary-1
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-Declude-Sender: [EMAIL PROTECTED] [66.166.116.226]
X-Note: Sent from: [EMAIL PROTECTED] ([66.166.116.226])
X-Note: Sent from Reverse DNS: h-66-166-116-226.sfldmidn.covad.net
X-Note: This E-mail was scanned by Declude [1.75] for viruses.

--unique-boundary-1
Content-Type: text/plain; charset=utf-8

(Server: "JACOB_FILE01") (Job: "Weeknight Full Backup") Completed Successfully.
--unique-boundary-1
Content-Type: application/octet-stream
name="BEX01319.htm"
Content-Transfer-Encoding: Base64
Content-Disposition: attachment;filename="BEX01319.htm"

//48AEgAVABNAEwAPgANAAoAPABIAEUAQQBEAD4ADQAKADwATQBFAFQAQQAgAGgAdAB0AHAALQBlAHEAdQBpAHYAPQAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAIABjAG8AbgB0AGUA
[message truncated]
-

For those of you with a trained eye...

1) Why does Declude flag the original 
notification message as having the blank folding vulnerability? I'm OK 
with that I'm just curious to know why.

2) Secondly and actually more 
importantly. Why is my IMail system unable to deliver the notification to 
[EMAIL PROTECTED]? There appears to be 
a space right before [EMAIL PROTECTED] in the 
to line of the original notification. I believe that space is being added 
by Backup Exec. Would that cause the message to be undeliverable? 


I think this client just upgraded from Backup Exec 
9.0 to Backup Exec 9.1 and I'm thinking that maybe Veritas has unintentionally 
introduced the Blank Folding Vulnerability from one version to the 
next.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications

2004-01-30 Thread Dan Geiser
Scott,
Am I correct that if we don't have a current service agreement then we can't
upgrade to any version above 1.75?

Thanks,
Dan

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 10:39 AM
Subject: Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications



 Is there a quick way that I can suppress the notifications being sent to the
 sender... and the sender's postmaster

 The options are:

 [1] Upgrade to v1.77, which automatically suppresses them, or
 [2] Delete the \IMail\Declude\sender.eml and
 \IMail\Declude\otherpostmaster.eml files, or
 [3] Manually update those two files by adding a line SKIPIFVIRUSNAMEHAS
 Mydoom (exactly like that, with no extra spaces/tabs) to the top of those
 files.

 ... the recipient ... from our postmaster that
 the MyDoom virus has been blocked by our mail system?

 This is handled in exactly the same way (but a bit less important, as they
 are accurate notifications).

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications

2004-01-30 Thread Dan Geiser
Scott,
The current version number that we are running is 1.75.  Our service
agreement expired on 12/31/03.  What is the highest version number we can
upgrade to?

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 12:12 PM
Subject: Re: [Declude.Virus] Suppressing MYDoom Postmaster Notifications



 Am I correct that if we don't have a current service agreement then we can't
 upgrade to any version above 1.75?

 It depends on when the Service Agreement expired.  You are entitled to run
 any version that is released while your Service Agreement is
 active.  Although we prefer that people run the release versions, it's OK
 to run a beta or interim release that was released while still under your
 Service Agreement.

 -Scott



Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Dan Geiser
Can anyone share the McAfee definition files for this?  Ours is currently
at 4286 and I can't get in manually or automatically to download the current
definition files.

Thanks,
Dan

- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 1:42 PM
Subject: Re: [Declude.Virus] Sobig.F


 McAfee is catching it fine here.  Make sure your virus definitions are at
 least at 4.0.4287.

 Bill
 - Original Message - 
 From: Bill Newberg [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 19, 2003 10:29 AM
 Subject: [Declude.Virus] Sobig.F


 F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks
 like a reversal of last week's problem with F-Prot not catching the virus and
 McAfee catching it. I'm glad I'm running dual scanners.


This E-mail is scanned and free from viruses. www.nexustechgroup.com



Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Dan Geiser
Forget it.  I finally got through to McAfee's web site.

Sorry for bothering y'all!!!

- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 5:12 PM
Subject: Re: [Declude.Virus] Sobig.F


 Can anyone share the McAfee definition files for this?  Ours is currently
 at 4286 and I can't get in manually or automatically to download the current
 definition files.

 Thanks,
 Dan

 - Original Message - 
 From: Bill Landry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 19, 2003 1:42 PM
 Subject: Re: [Declude.Virus] Sobig.F


  McAfee is catching it fine here.  Make sure your virus definitions are at
  least at 4.0.4287.
 
  Bill
  - Original Message - 
  From: Bill Newberg [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Tuesday, August 19, 2003 10:29 AM
  Subject: [Declude.Virus] Sobig.F
 
 
  F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks
  like a reversal of last week's problem with F-Prot not catching the virus and
  McAfee catching it. I'm glad I'm running dual scanners.
 


Re: [Declude.Virus] Stopping WARNING: YOU WERE SENT A VIRUS Messages For One Domain

2003-06-25 Thread Dan Geiser
Scott,
I've read through the archives and release notes concerning the SKIPIFRECIP
option.

If the domain name which we want to skip notifications for was sample.com
then I think the correct syntax for SKIPIFRECIP is...

SKIPIFRECIP @sample.com

...and I want to add that line to the top of recip.eml?

Is that correct?

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]

   I think we're thinking about two different things here:  Blocking all
   notifications versus blocking the vulnerability notifications.  I'm
   suggesting the latter.
 
 That's just it.  The customer doesn't want to receive any notifications
 whatsoever that viruses have been blocked by Declude Virus.  It's not just
 limited to vulnerability notifications.  They don't want any
 notifications.

 In that case, the SKIPIFRECIP option would be needed.

 Given that they don't want any notifications, is my only option to use
 SKIPIFRECIP then?

 Correct.  :)




Re: [Declude.Virus] Stopping WARNING: YOU WERE SENT A VIRUS Messages For One Domain

2003-06-24 Thread Dan Geiser
Hi, Scott,

   The best (in my opinion) would be to add a line SKIPIFVIRUSNAMEHAS
   Vulnerability to the top of the \IMail\Declude\*.eml files, which will
   prevent the notifications from getting sent out when spam gets caught
   (since spam seems to be the main source of vulnerabilities).
 
 If I use this option, wouldn't that affect all domains which are currently
 receiving e-mail through us?  I think 99% of customers like receiving those
 notifications.

 I think we're thinking about two different things here:  Blocking all
 notifications versus blocking the vulnerability notifications.  I'm
 suggesting the latter.

That's just it.  The customer doesn't want to receive any notifications
whatsoever that viruses have been blocked by Declude Virus.  It's not just
limited to vulnerability notifications.  They don't want any
notifications.

 Since virtually all of the vulnerabilities that are caught are spam, few
 people want to receive the notifications of them.  The SKIPIFVIRUSNAMEHAS
 Vulnerability option will prevent the notifications from getting sent when
 vulnerabilities are detected, but will allow the virus notifications through.

   If that doesn't work, you can use SKIPIFRECIP to prevent the E-mail
   notification from getting sent out for specific recipient(s), but that
   probably won't be necessary with the SKIPIFVIRUSNAMEHAS Vulnerability
   option.
 
 And this would allow me to isolate specific recipients?

 Correct.  This option (in the latest beta) will allow you to prevent the
 notifications from getting sent out for specific users or domains.

Given that they don't want any notifications, is my only option to use
SKIPIFRECIP then?

Thanks for your feedback!

Take Care,
Dan Geiser [EMAIL PROTECTED]




[Declude.Virus] Stopping WARNING: YOU WERE SENT A VIRUS Messages For One Domain

2003-06-23 Thread Dan Geiser
Hello, All,
First let me preface my message by saying I don't have a lot of experience
with Declude Virus.  I have used Declude JunkMail extensively but Declude
Virus, not so much.  It was set up by someone else and has worked exactly as
expected so there hasn't been any real need to touch it.

Our installation of Declude Virus was configured so that if one of the
recipients on our e-mail system is sent a virus they get a message from
postmaster@domain.com saying something to the effect...

Date: Fri, 13 Jun 2003 04:23:37 -0400
From: Postmaster [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: WARNING: YOU WERE SENT A VIRUS
X-Mailer: IMail v6.05

The virus scanner software at Nexus Technology Group on american-apex.com
has reported someone sent you an E-mail from [EMAIL PROTECTED]
RHome Loans!... Debt Consolidation... Refinance

The E-mail containing the virus has been deleted to prevent any damage.

Headers Follow:
[Deleted due to dangerous content]

One of our customers does not want to receive these messages any more.
Obviously they still want the viruses to be caught but I guess they don't
care to see the notifications.  I was wondering if there is a way that I can
isolate their domain name and stop Declude Virus from sending these
WARNING: YOU WERE SENT A VIRUS messages to just the one domain.

Thanks In Advance For Any and All Feedback

Take Care,
Dan Geiser [EMAIL PROTECTED]




Re: [Declude.Virus] Stopping WARNING: YOU WERE SENT A VIRUS Messages For One Domain

2003-06-23 Thread Dan Geiser
Hi, Scott,

>>  RHome Loans!... Debt Consolidation... Refinance
>>
>> One of our customers does not want to receive these messages any more.
>> Obviously they still want the viruses to be caught but I guess they don't
>> care to see the notifications.  I was wondering if there is a way that I can
>> isolate their domain name and stop Declude Virus from sending these
>> WARNING: YOU WERE SENT A VIRUS messages to just the one domain.
>
> There are a couple options here.
>
> The best (in my opinion) would be to add a line SKIPIFVIRUSNAMEHAS
> Vulnerability to the top of the \IMail\Declude\*.eml files, which will
> prevent the notifications from getting sent out when spam gets caught
> (since spam seems to be the main source of vulnerabilities).

If I use this option, wouldn't that affect all domains which are currently
receiving e-mail through us?  I think 99% of customers like receiving those
notifications.

> If that doesn't work, you can use SKIPIFRECIP to prevent the E-mail
> notification from getting sent out for specific recipient(s), but that
> probably won't be necessary with the SKIPIFVIRUSNAMEHAS Vulnerability
> option.

And this would allow me to isolate specific recipients?

Thanks,
Dan Geiser [EMAIL PROTECTED]




[Declude.Virus] [Outlook 'MIME segment in MIME Preamble' Vulnerability]

2003-03-12 Thread Dan Geiser
Hello, All,
We have a client that had an e-mail caught by Declude Virus because of what
it refers to as the [Outlook 'MIME segment in MIME Preamble' Vulnerability]
 virus.

Can someone tell me more about this virus?  Am I correct in assuming that
this is not specifically a virus as much as it is a vulnerability which
could indicate a virus?  Is it common practice to block for these or is this
something that can be safely passed through?  Is there any way to fix this
from the sender's side?  Any tips on how to persuade the sender to actually
fix the issue?

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]




[Declude.Virus] A Couple of Declude Questions

2003-02-07 Thread Dan Geiser
Hello, All,
I have a couple of questions about Declude; one regarding their Virus
product and another regarding their Spam product.

#1) Regarding Declude Virus

I have inherited a server running IMail 6.06.  I have been told that the
server is running Declude Virus and I can find traces of Declude around the
server but I'm having a hard time figuring out how Declude interfaces with
IMail.  Underneath my IMail directory there is a directory called Declude
which contains the files:

installed.bin
postmaster.eml
otherpostmaster.eml
recip.eml
sender.eml
virus.cfg
virus_domains.txt

In the IMail folder itself is a file called Declude.exe.

I am trying to figure out how IMail calls Declude to help it scan for
viruses.  Is this some sort of setting in IMail?  Where is it located in the
IMail administration screens?  Is there any documentation which comes with
Declude Virus?

I am trying to understand how Declude Virus works because we are also
thinking about adding Declude Spam into the mix.  Which brings me to my next
set of questions.

#2) Regarding Declude Spam

How do I get a trial copy of Declude Spam to try out?  Is its installation
affected by having Declude Virus already on the server?

All comments are appreciated.

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]

