Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
This isn't the place for this debate, but if you accept a message you own it and 
are compelled to deliver it. If you reject it before the final protocol ". [cr] 
you can do anything you want with it forensically, but you can't deliver it. The 
sender still owns it. If people don't accept this then messaging as we know it 
is doomed to mail loops and lawsuits.


dp

On 2/18/16 5:52 PM, Noel Jones wrote:

On 2/18/2016 7:25 PM, Gene Heskett wrote:

On Thursday 18 February 2016 12:48:42 Michael Grant wrote:


Then let me be more clear...

I want to reject the message.  I do not want the message arriving at
the recipient.  However, the message that is passed to clamd, if this
is discovered to contain a virus, I want to save that into a file in a
directory so that I can come back later and look at it.

Ignore anything about delivering it.  That is not pertinent.  For all
intents and purposes, the message with a virus is rejected at the SMTP
level before the SMTP connection goes away.

You simply can not do both.

Of course you can reject and quarantine for inspection, but it must
happen at the internet-facing MTA during the initial SMTP, not later.

The only change required is the infected message is saved to
quarantine for inspection rather than discarded.  The sender still
receives a 5xx reject notice.  Other software can do this already,
but clamav-milter doesn't offer this feature yet, other than the
option to save (all) temporary files.


What you can do is quarantine it for later
inspection so here, I use a procmail recipe to run it thru clamscand,

Right, it's not possible to reject & quarantine with procmail since
the message has already been received and it's too late to reject
it.  Reject & quarantine can only be done at the internet facing MTA
during the initial SMTP, where it's trivial.



   -- Noel Jones
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Noel Jones
On 2/18/2016 7:25 PM, Gene Heskett wrote:
> On Thursday 18 February 2016 12:48:42 Michael Grant wrote:
> 
>> Then let me be more clear...
>>
>> I want to reject the message.  I do not want the message arriving at
>> the recipient.  However, the message that is passed to clamd, if this
>> is discovered to contain a virus, I want to save that into a file in a
>> directory so that I can come back later and look at it.
>>
>> Ignore anything about delivering it.  That is not pertinent.  For all
>> intents and purposes, the message with a virus is rejected at the SMTP
>> level before the SMTP connection goes away.
> 
> You simply can not do both. 

Of course you can reject and quarantine for inspection, but it must
happen at the internet-facing MTA during the initial SMTP, not later.

The only change required is the infected message is saved to
quarantine for inspection rather than discarded.  The sender still
receives a 5xx reject notice.  Other software can do this already,
but clamav-milter doesn't offer this feature yet, other than the
option to save (all) temporary files.

> What you can do is quarantine it for later 
> inspection so here, I use a procmail recipe to run it thru clamscand, 

Right, it's not possible to reject & quarantine with procmail since
the message has already been received and it's too late to reject
it.  Reject & quarantine can only be done at the internet facing MTA
during the initial SMTP, where it's trivial.



  -- Noel Jones
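The reject-and-quarantine step Noel Jones describes in the message above, as an added example that is not part of the thread and is not clamav-milter code. The function names, queue id, quarantine directory, signature name and clamd reply line are all constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classify one clamd reply line ("stream: OK", "stream: <name> FOUND").
 * Returns 0 = clean, 1 = infected (name copied to sig), -1 = error/unknown. */
int clamd_verdict(const char *reply, char *sig, size_t siglen)
{
    const char *p = strstr(reply, ": ");
    if (p == NULL || siglen == 0)
        return -1;
    p += 2;
    size_t n = strcspn(p, "\r\n");            /* ignore the line ending */
    if (n == 2 && strncmp(p, "OK", 2) == 0)
        return 0;
    if (n > 6 && strncmp(p + n - 6, " FOUND", 6) == 0) {
        size_t len = n - 6;
        if (len >= siglen)
            len = siglen - 1;
        memcpy(sig, p, len);
        sig[len] = '\0';
        return 1;
    }
    return -1;                                 /* e.g. "... ERROR" */
}

/* Save the raw message as <dir>/<queue_id>.eml, readable by the owner only.
 * O_EXCL and O_NOFOLLOW refuse an existing name or a planted symlink. */
int save_quarantine(const char *dir, const char *queue_id,
                    const void *msg, size_t len)
{
    char path[512];
    if (queue_id[0] == '\0' || queue_id[0] == '.' || strchr(queue_id, '/'))
        return -1;                             /* no path tricks in the id */
    int n = snprintf(path, sizeof path, "%s/%s.eml", dir, queue_id);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    const char *p = msg;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w <= 0)
            break;
        p += w;
        len -= (size_t)w;
    }
    int ok = (len == 0) && fsync(fd) == 0;     /* copy must be on disk */
    if (close(fd) != 0)
        ok = 0;
    if (!ok) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Called once the whole message has arrived, before the final SMTP reply.
 * Returns the reply code and writes the reply line into reply. */
int end_of_data(const char *dir, const char *queue_id, const void *msg,
                size_t len, const char *clamd_reply, char *reply, size_t rlen)
{
    char sig[128];
    switch (clamd_verdict(clamd_reply, sig, sizeof sig)) {
    case 0:
        snprintf(reply, rlen, "250 2.0.0 Ok: queued as %s", queue_id);
        return 250;
    case 1:
        /* Keep the copy, then refuse in the same transaction: the sender
         * gets a 5xx and nothing is queued for the recipient. */
        if (save_quarantine(dir, queue_id, msg, len) != 0)
            fprintf(stderr, "quarantine failed for %s\n", queue_id);
        snprintf(reply, rlen, "550 5.7.1 Message rejected: %s", sig);
        return 550;
    default:
        snprintf(reply, rlen, "451 4.7.1 Scanner error, try again later");
        return 451;
    }
}

int main(void)
{
    /* Constructed sample: message, queue id, directory and clamd reply. */
    const char msg[] = "From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n";
    char dir[] = "/tmp/quarantine-XXXXXX", reply[256];
    if (mkdtemp(dir) == NULL)
        return 1;
    end_of_data(dir, "4A1B2C", msg, sizeof msg - 1,
                "stream: Example.Test.Signature FOUND\n", reply, sizeof reply);
    printf("%s (copy under %s)\n", reply, dir);
    return 0;
}
```

In a milter the 550 branch corresponds to calling smfi_setreply() and returning SMFIS_REJECT from the end-of-message callback; a scanner error is answered with a 4xx so the sending MTA retries instead of the message passing unscanned.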


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Gene Heskett
On Thursday 18 February 2016 12:48:42 Michael Grant wrote:

> Then let me be more clear...
>
> I want to reject the message.  I do not want the message arriving at
> the recipient.  However, the message that is passed to clamd, if this
> is discovered to contain a virus, I want to save that into a file in a
> directory so that I can come back later and look at it.
>
> Ignore anything about delivering it.  That is not pertinent.  For all
> intents and purposes, the message with a virus is rejected at the SMTP
> level before the SMTP connection goes away.

You simply can not do both.  What you can do is quarantine it for later 
inspection so here, I use a procmail recipe to run it thru clamscand, 
and if clamav has a tummy ache, procmail puts it in a mailfile 
on /var/spool/mail named virii. That triggers inotifywait which is 
watching that directory, and if the filename inotifywait reports is 
virii, then the bash script that called inotifywait in the first place 
ignores it.  If it's valid email however, it sends kmail a msg over dbus 
to go get the mail so I can read the rest of it.  Getting the mail does 
not include a user named virii.

All fed by fetchmail of course. I am lazy, so a lot of the email activity 
here is automated, reducing my job to reading what comes in, replying if 
I need to. Otherwise I just tap the + key until I am out of mail to be 
read.

> On 18 February 2016 at 18:25, Dennis Peterson wrote:
> > On 2/18/16 9:21 AM, Michael Grant wrote:
> >> The reason I want to do this is that I want to reject virus
> >> messages while the smtp connection is still alive, but after the
> >> fact, if there was a false positive, I'd like to be able to send the
> >> message on through anyway after the fact.
> >
> > You say here you would "want to reject virus messages... like to be
> > able to send the message on through anyway after the fact". You
> > can't have it both ways. Reject it or send it through or rephrase
> > what you wish to do.
> >
> > dp
> >


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Filename Regex

2016-02-18 Thread Noel Jones
You may have more luck with the POSIX character class [[:space:]]
rather than shorthand \s.


  -- Noel Jones


On 2/18/2016 5:22 PM, Dennis Peterson wrote:
> ^New\ Doc.* (<- that is from the below example but is actually a
> poorly constructed regex because it will search to end of
> line/string) should work to escape the space char but that is one of
> the oddities of regex - knowing which implementation is being used.
> 
> dp
> 
> On 2/18/16 3:13 PM, Steven Morgan wrote:
>>
>> Looks like ClamAV uses what is called the "old library." I don't
>> think this
>> is POSIX compliant with regard to regular expressions.
>>
>> Hope this helps,
>> Steve
>>
>> On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu wrote:
>>
>>>> On Feb 18, 2016, at 8:14 PM, Steven Morgan wrote:
>>>> cdb signatures use a regex library known as "Henry Spencer's
>>>> regular expressions." Googling documentation for that should give
>>>> what you want.
>>> Thank you for the information. I searched out for that and found
>>> documentation, but am not able to get the desired outcome. Henry
>>> Spencer’s regular expressions are supposed to be POSIX compliant
>>> and "\s" is valid for space but I cannot get it to work.
>>>
>>> For example I am able to use "^New.Doc.*" to match for "New
>>> Doc.xls" but "^New\sDoc.*" or "^New Doc.*" does not.
>>>
>>> Thanks
>>>
>>> -- 
>>> Mehmet Avcioglu
>>> meh...@activecom.net
>>>
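The patterns from this thread, run against a few constructed file names, as an added example that is not part of the thread. It uses the system's POSIX regcomp() with REG_EXTENDED, not the regex code bundled with ClamAV, so it shows what POSIX defines rather than what a .cdb signature will accept; the helper names and the file names are constructed.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed sample file names; bit i of a mask stands for NAMES[i]. */
static const char *NAMES[] = {
    "New Doc.xls",   /* bit 0: single space (the name from the thread) */
    "New\tDoc.xls",  /* bit 1: tab instead of space */
    "NewXDoc.xls",   /* bit 2: no whitespace at all */
    "NewsDoc.xls",   /* bit 3: a literal 's' where "\s" was written */
};
#define N_NAMES (sizeof NAMES / sizeof NAMES[0])

/* 1 if the POSIX ERE matches somewhere in name, 0 if not, -1 if the
 * pattern does not compile. regexec() searches; it does not require the
 * pattern to cover the whole string. */
int ere_match(const char *pattern, const char *name)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, name, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Bitmask of NAMES matched by pattern, or -1 if it does not compile. */
int matched_mask(const char *pattern)
{
    int mask = 0;
    for (size_t i = 0; i < N_NAMES; i++) {
        int m = ere_match(pattern, NAMES[i]);
        if (m < 0)
            return -1;
        mask |= m << i;
    }
    return mask;
}

int main(void)
{
    const char *patterns[] = {
        "^New.Doc.*",            /* workaround from the thread: '.' is any char */
        "^New[[:space:]]Doc",    /* POSIX character class: space, tab, ... */
        "^New[[:space:]]Doc.*",  /* same names matched: trailing .* adds nothing */
        "^New[ ]Doc",            /* bracket expression: space only */
        "^New\\sDoc.*",          /* "\s": POSIX leaves backslash + ordinary
                                    character undefined, so the result depends
                                    on the regex library in use */
    };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        int mask = matched_mask(patterns[i]);
        printf("%-22s", patterns[i]);
        for (size_t j = 0; mask >= 0 && j < N_NAMES; j++)
            printf(" %s", ((mask >> j) & 1) ? "match" : "-----");
        puts(mask < 0 ? " (does not compile)" : "");
    }
    return 0;
}
```

The `.` workaround also accepts `NewXDoc.xls` and `NewsDoc.xls`, which is the over-matching a filename signature should avoid; `[[:space:]]` and `[ ]` do not.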

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Whoops, I take that back. The code used in ClamAV appears more similar to
the "BSD library." Comments state:

 * This code is derived from OpenBSD's libc/regex, original license follows:
 *
 * Copyright (c) 1992, 1993, 1994 Henry Spencer.
 * Copyright (c) 1992, 1993, 1994
 *The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Henry Spencer.
 *

So, I can't say for sure what is the POSIX support without additional
research. Best bet is to follow Steve Basford's sanesecurity example to get
you going. I don't see any .cdb in the official ClamAV virus database.

Steve

On Thu, Feb 18, 2016 at 6:13 PM, Steven Morgan 
wrote:

> Please see https://garyhouston.github.io/regex/.
>
> Looks like ClamAV uses what is called the "old library." I don't think
> this is POSIX compliant with regard to regular expressions.
>
> Hope this helps,
> Steve
>
> On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu 
> wrote:
>
>>
>> > On Feb 18, 2016, at 8:14 PM, Steven Morgan 
>> wrote:
>> >
>> > cdb signatures use a regex library known as "Henry Spencer's regular
>> > expressions." Googling documentation for that should give what you want.
>>
>> Thank you for the information. I searched out for that and found
>> documentation, but am not able to get the desired outcome. Henry Spencer’s
>> regular expressions are supposed to be POSIX compliant and "\s" is valid
>> for space but I cannot get it to work.
>>
>> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
>> "^New\sDoc.*" or "^New Doc.*" does not.
>>
>> Thanks
>>
>> --
>> Mehmet Avcioglu
>> meh...@activecom.net
>>

Re: [clamav-users] Filename Regex

2016-02-18 Thread Dennis Peterson
^New\ Doc.* (<- that is from the below example but is actually a poorly 
constructed regex because it will search to end of line/string) should work to 
escape the space char but that is one of the oddities of regex - knowing which 
implementation is being used.


dp

On 2/18/16 3:13 PM, Steven Morgan wrote:


Looks like ClamAV uses what is called the "old library." I don't think this
is POSIX compliant with regard to regular expressions.

Hope this helps,
Steve

On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu 
wrote:


On Feb 18, 2016, at 8:14 PM, Steven Morgan 

wrote:

cdb signatures use a regex library known as "Henry Spencer's regular
expressions." Googling documentation for that should give what you want.

Thank you for the information. I searched out for that and found
documentation, but am not able to get the desired outcome. Henry Spencer’s
regular expressions are supposed to be POSIX compliant and "\s" is valid
for space but I cannot get it to work.

For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
"^New\sDoc.*" or "^New Doc.*" does not.

Thanks

--
Mehmet Avcioglu
meh...@activecom.net


Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Please see https://garyhouston.github.io/regex/.

Looks like ClamAV uses what is called the "old library." I don't think this
is POSIX compliant with regard to regular expressions.

Hope this helps,
Steve

On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu 
wrote:

>
> > On Feb 18, 2016, at 8:14 PM, Steven Morgan 
> wrote:
> >
> > cdb signatures use a regex library known as "Henry Spencer's regular
> > expressions." Googling documentation for that should give what you want.
>
> Thank you for the information. I searched out for that and found
> documentation, but am not able to get the desired outcome. Henry Spencer’s
> regular expressions are supposed to be POSIX compliant and "\s" is valid
> for space but I cannot get it to work.
>
> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
> "^New\sDoc.*" or "^New Doc.*" does not.
>
> Thanks
>
> --
> Mehmet Avcioglu
> meh...@activecom.net
>

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steve Basford

On 18 February 2016 20:14:14 Mehmet Avcioglu wrote:

> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
> "^New\sDoc.*" or "^New Doc.*" does not.




If you look at foxhole databases it should give you an idea, if you want to 
block macro malware try badmacro.ndb


Sorry this is brief, I'm on my mobile

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com




Re: [clamav-users] Filename Regex

2016-02-18 Thread Mehmet Avcioglu

> On Feb 18, 2016, at 8:14 PM, Steven Morgan  wrote:
> 
> cdb signatures use a regex library known as "Henry Spencer's regular
> expressions." Googling documentation for that should give what you want.

Thank you for the information. I searched out for that and found documentation, 
but am not able to get the desired outcome. Henry Spencer’s regular expressions 
are supposed to be POSIX compliant and "\s" is valid for space but I cannot 
get it to work.

For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but 
"^New\sDoc.*" or "^New Doc.*" does not.

Thanks

-- 
Mehmet Avcioglu
meh...@activecom.net


Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
cdb signatures use a regex library known as "Henry Spencer's regular
expressions." Googling documentation for that should give what you want.

Steve

On Thu, Feb 18, 2016 at 6:39 AM, Mehmet Avcioglu 
wrote:

>
> What is the format for Filename Regex pattern used in cdb signature files?
>
> I have not been able to find a documentation for this and some of the
> valid regex strings I use are not recognized. For example I cannot find a
> way to match for '@' character, or use '\s' for white space.
>
> Thanks
>
> --
> Mehmet Avcioglu
> meh...@activecom.net
>


Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Alain Zidouemba
Here are some I could quickly identify:

Win.Trojan.DropBear
Win.Trojan.BlackEnergy2Driver
Win.Trojan.BlackEnergy3

- Alain

On Thu, Feb 18, 2016 at 7:37 AM, Volcy, Georges 
wrote:

> Good Morning,
>
> Does ClamAV detect the Blackenergy malware and is there any way for me to
> verify it.
> Thanks,
>
> Georges Volcy
> SCADA Engineer - EMS
> PSEG Long Island
> CNI - EMS Provisioning  & Support
> (516) 949-7417(Desk)
> (516) 949-7400 (Office)
> (516) 492-9773 (Cell)
>
>
>


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson

You could try (man clamd.conf)

*LeaveTemporaryFiles BOOL*
   Do not remove temporary files (for debug purpose).
   Default: no 


dp

On 2/18/16 9:48 AM, Michael Grant wrote:

Then let me be more clear...

I want to reject the message.  I do not want the message arriving at the
recipient.  However, the message that is passed to clamd, if this is
discovered to contain a virus, I want to save that into a file in a
directory so that I can come back later and look at it.

Ignore anything about delivering it.  That is not pertinent.  For all
intents and purposes, the message with a virus is rejected at the SMTP
level before the SMTP connection goes away.

On 18 February 2016 at 18:25, Dennis Peterson  wrote:


On 2/18/16 9:21 AM, Michael Grant wrote:


The reason I want to do this is that I want to reject virus messages while
the smtp connection is still alive, but after the fact, if there was a
false positive, I'd like to be able to send the message on through
anyway after the fact.

You say here you would "want to reject virus messages... like to be able
to send the message on through anyway after the fact". You can't have it
both ways. Reject it or send it through or rephrase what you wish to do.

dp



Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
Nobody is questioning that - it is the desire to deliver it after rejecting it 
that is wrong on several levels. For example the sender will get a reject 
message and the recipient will not know that.


dp

On 2/18/16 9:48 AM, Noel Jones wrote:

It is not a violation of protocol to reject a message during SMTP,
and save a copy for forensic inspection.  Be aware it is likely to
cause confusion if you later deliver that message.

clamav-milter does not currently have a reject+inspect option, but
it probably wouldn't be much effort to add.  Open a bug/feature request.


   -- Noel Jones



On 2/18/2016 11:21 AM, Michael Grant wrote:

I don't want to deliver the message, I want to quarantine it (like put it
in a directory somewhere), and then refuse it at the milter/smtp level.
There is not a violation of the protocol here.

On 18 February 2016 at 17:59, Dennis Peterson  wrote:


What you want to do is best done using the local mailer and not SMTP.
Technically and literally you have accepted the message in your scheme and
are therefore responsible for delivery. You can't both send a reject and
deliver the mail - it violates the protocol and integrity of the messaging
system.

dp


On 2/18/16 5:14 AM, Michael Grant wrote:


Using clamav-milter, is there any way to reject virus infected messages AND
put them into a quarantine directory?

The reason I want to do this is that I want to reject virus messages while
the smtp connection is still alive, but after the fact, if there was a
false positive, I'd like to be able to send the message on through anyway
after the fact.


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Michael Grant
Then let me be more clear...

I want to reject the message.  I do not want the message arriving at the
recipient.  However, the message that is passed to clamd, if this is
discovered to contain a virus, I want to save that into a file in a
directory so that I can come back later and look at it.

Ignore anything about delivering it.  That is not pertinent.  For all
intents and purposes, the message with a virus is rejected at the SMTP
level before the SMTP connection goes away.

On 18 February 2016 at 18:25, Dennis Peterson  wrote:

> On 2/18/16 9:21 AM, Michael Grant wrote:
>
>> The reason I want to do this is that I want to reject virus messages while
>> the smtp connection is still alive, but after the fact, if there was a
>> false positive, I'd like to be able to send the message on through anyway
>> after the fact.
>>
> You say here you would "want to reject virus messages... like to be able
> to send the message on through anyway after the fact". You can't have it
> both ways. Reject it or send it through or rephrase what you wish to do.
>
> dp
>


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Noel Jones
It is not a violation of protocol to reject a message during SMTP,
and save a copy for forensic inspection.  Be aware it is likely to
cause confusion if you later deliver that message.

clamav-milter does not currently have a reject+inspect option, but
it probably wouldn't be much effort to add.  Open a bug/feature request.


  -- Noel Jones



On 2/18/2016 11:21 AM, Michael Grant wrote:
> I don't want to deliver the message, I want to quarantine it (like put it
> in a directory somewhere), and then refuse it at the milter/smtp level.
> There is not a violation of the protocol here.
> 
> On 18 February 2016 at 17:59, Dennis Peterson  wrote:
> 
>> What you want to do is best done using the local mailer and not SMTP.
>> Technically and literally you have accepted the message in your scheme and
>> are therefore responsible for delivery. You can't both send a reject and
>> deliver the mail - it violates the protocol and integrity of the messaging
>> system.
>>
>> dp
>>
>>
>> On 2/18/16 5:14 AM, Michael Grant wrote:
>>
>>> Using clamav-milter, is there any way to reject virus infected messages AND
>>> put them into a quarantine directory?
>>>
>>> The reason I want to do this is that I want to reject virus messages while
>>> the smtp connection is still alive, but after the fact, if there was a
>>> false positive, I'd like to be able to send the message on through anyway
>>> after the fact.


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson

On 2/18/16 9:21 AM, Michael Grant wrote:

> The reason I want to do this is that I want to reject virus messages while
> the smtp connection is still alive, but after the fact, if there was a
> false positive, I'd like to be able to send the message on through anyway
> after the fact.

You say here you would "want to reject virus messages... like to be able to send 
the message on through anyway after the fact". You can't have it both ways. 
Reject it or send it through or rephrase what you wish to do.


dp


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Michael Grant
I don't want to deliver the message, I want to quarantine it (like put it
in a directory somewhere), and then refuse it at the milter/smtp level.
There is not a violation of the protocol here.

On 18 February 2016 at 17:59, Dennis Peterson  wrote:

> What you want to do is best done using the local mailer and not SMTP.
> Technically and literally you have accepted the message in your scheme and
> are therefore responsible for delivery. You can't both send a reject and
> deliver the mail - it violates the protocol and integrity of the messaging
> system.
>
> dp
>
>
> On 2/18/16 5:14 AM, Michael Grant wrote:
>
>> Using clamav-milter, is there any way to reject virus infected messages AND
>> put them into a quarantine directory?
>>
>> The reason I want to do this is that I want to reject virus messages while
>> the smtp connection is still alive, but after the fact, if there was a
>> false positive, I'd like to be able to send the message on through anyway
>> after the fact.


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
What you want to do is best done using the local mailer and not SMTP. 
Technically and literally you have accepted the message in your scheme and are 
therefore responsible for delivery. You can't both send a reject and deliver the 
mail - it violates the protocol and integrity of the messaging system.


dp

On 2/18/16 5:14 AM, Michael Grant wrote:

Using clamav-milter, is there any way to reject virus infected messages AND
put them into a quarantine directory?

The reason I want to do this is that I want to reject virus messages while
the smtp connection is still alive, but after the fact, if there was a
false positive, I'd like to be able to send the message on through anyway
after the fact.


Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Steve Basford

On Thu, February 18, 2016 12:37 pm, Volcy, Georges wrote:
> Good Morning,
>
>
> Does ClamAV detect the Blackenergy malware and is there any way for me to
> verify it. Thanks,

Just added Sanesecurity_BlackEnergy.yara to the Sanesecurity mirrors,
if that's a help.

It hit on a sample I downloaded.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Groach

The original topic has been 'discussed' enough and reached its natural end.



On 18/02/2016 16:41, Joel Esler (jesler) wrote:

Yeah, I know, it unfortunately has nothing to do with how I read the email, it 
has to do with whatever changes they made to handling quoting in the newer 
versions.

Well, I think we’ve drifted far enough off topic now ;)

--
Joel Esler
Manager, Talos Group



Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Al Varnell
daily.cvd  Win.Trojan.Blackenergy
daily.cvd  PUA.Win32.Packer.BlackenergyDdos

But I have submitted a False Positive sample against the first one.

-Al-

On Feb 18, 2016, at 4:37 AM, Volcy, Georges  wrote:

> Does ClamAV detect the Blackenergy malware and is there any way for me to 
> verify it.
> Thanks,
> 
> Georges Volcy



Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Joel Esler (jesler)
Yeah, I know, it unfortunately has nothing to do with how I read the email, it 
has to do with whatever changes they made to handling quoting in the newer 
versions.

Well, I think we’ve drifted far enough off topic now ;)


--
Joel Esler
Manager, Talos Group




On Feb 18, 2016, at 10:37 AM, Mark Allan wrote:


On 18 Feb 2016, at 3:28 pm, Joel Esler (jesler) wrote:


Bottom posting with Mail.app now.

Yeah, it’s how I did it that was the problem.  I tried to make the email nice 
and neat, and Mail.app (prior to…  I’d say..  Yosemite?) dealt with how I did 
it fine.  But ever since they did the rewrite  of the three pane/conversation 
based layout, it doesn’t work correctly.

If you go to the Mail menu -> Preferences -> Viewing, there's an option to 
toggle between the new and classic layouts.  Sounds like maybe you prefer the 
Classic view.

Mark


Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Mark Allan

> On 18 Feb 2016, at 3:28 pm, Joel Esler (jesler)  wrote:
> 
> 
> Bottom posting with Mail.app now.
> 
> Yeah, it’s how I did it that was the problem.  I tried to make the email nice 
> and neat, and Mail.app (prior to…  I’d say..  Yosemite?) dealt with how I did 
> it fine.  But ever since they did the rewrite  of the three pane/conversation 
> based layout, it doesn’t work correctly.

If you go to the Mail menu -> Preferences -> Viewing, there's an option to 
toggle between the new and classic layouts.  Sounds like maybe you prefer the 
Classic view.

Mark


Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Joel Esler (jesler)
SEE.  Didn’t do it right!

Stupid mail.app.


--
Joel Esler
Manager, Talos Group




On Feb 18, 2016, at 10:28 AM, Joel Esler (jesler) wrote:



On Feb 18, 2016, at 4:01 AM, Mark Allan wrote:


On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) wrote:

For me, I use Mail.app the majority of the time.  Apparently if I delete lines 
and inline reply like I do in Thunderbird, Mail.app just tells me to eat dust 
and unthreads the whole thing.  Guess I should file a bug with Apple.

That's strange. I use Mail.app as well, and as far as I'm aware, there's never 
been a problem replying to emails and keeping the threading and quoted text.

If you change something and a chunk of text gets unquoted (or your reply gets 
quoted accidentally) you can hit cmd-' to increase or cmd-opt-' to decrease the 
quote level.

Mark

Bottom posting with Mail.app now.

Yeah, it’s how I did it that was the problem.  I tried to make the email nice 
and neat, and Mail.app (prior to…  I’d say..  Yosemite?) dealt with how I did 
it fine.  But ever since they did the rewrite  of the three pane/conversation 
based layout, it doesn’t work correctly.

Oh well.

J

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Joel Esler (jesler)


On Feb 18, 2016, at 4:01 AM, Mark Allan wrote:


On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) wrote:

For me, I use Mail.app the majority of the time.  Apparently if I delete lines 
and inline reply like I do in Thunderbird, Mail.app just tells me to eat dust 
and unthreads the whole thing.  Guess I should file a bug with Apple.

That's strange. I use Mail.app as well, and as far as I'm aware, there's never 
been a problem replying to emails and keeping the threading and quoted text.

If you change something and a chunk of text gets unquoted (or your reply gets 
quoted accidentally) you can hit cmd-' to increase or cmd-opt-' to decrease the 
quote level.

Mark

Bottom posting with Mail.app now.

Yeah, it’s how I did it that was the problem.  I tried to make the email nice 
and neat, and Mail.app (prior to…  I’d say..  Yosemite?) dealt with how I did 
it fine.  But ever since they did the rewrite  of the three pane/conversation 
based layout, it doesn’t work correctly.

Oh well.

J

[clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Michael Grant
Using clamav-milter, is there any way to reject virus infected messages AND
put them into a quarantine directory?

The reason I want to do this is that I want to reject virus messages while
the smtp connection is still alive, but after the fact, if there was a
false positive, I'd like to be able to send the message on through anyway
after the fact.


Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Yuri Voinov

BlackEnergy uses a cryptor and, therefore, can't have a stable signature.

18.02.16 18:37, Volcy, Georges wrote:




Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Yuri Voinov

BlackEnergy uses a cryptor and, therefore, can't have a stable signature.

18.02.16 18:37, Volcy, Georges wrote:
> Good Morning,
>
> Does ClamAV detect the BlackEnergy malware, and is there any way for me
> to verify it?
> Thanks,
>
> Georges Volcy
> SCADA Engineer - EMS
> PSEG Long Island
> CNI - EMS Provisioning  & Support
> (516) 949-7417(Desk)
> (516) 949-7400 (Office)
> (516) 492-9773 (Cell)
>
>
>
> -
> The information contained in this e-mail, including any attachment(s),
> is intended solely for use by the named addressee(s).  If you are not
> the intended recipient, or a person designated as responsible for
> delivering such messages to the intended recipient, you are not
> authorized to disclose, copy, distribute or retain this message, in
> whole or in part, without written authorization from PSEG.  This e-mail
> may contain proprietary, confidential or privileged information. If you
> have received this message in error, please notify the sender
> immediately. This notice is included in all e-mail messages leaving
> PSEG.  Thank you for your cooperation.



[clamav-users] BlackEnergy malware detection

2016-02-18 Thread Volcy, Georges
Good Morning,

Does ClamAV detect the BlackEnergy malware, and is there any way for me to 
verify it?
Thanks,

Georges Volcy
SCADA Engineer - EMS
PSEG Long Island
CNI - EMS Provisioning  & Support
(516) 949-7417(Desk)
(516) 949-7400 (Office)
(516) 492-9773 (Cell)



-
The information contained in this e-mail, including any attachment(s), is 
intended solely for use by the named addressee(s).  If you are not the intended 
recipient, or a person designated as responsible for delivering such messages 
to the intended recipient, you are not authorized to disclose, copy, distribute 
or retain this message, in whole or in part, without written authorization from 
PSEG.  This e-mail may contain proprietary, confidential or privileged 
information. If you have received this message in error, please notify the 
sender immediately. This notice is included in all e-mail messages leaving 
PSEG.  Thank you for your cooperation.


[clamav-users] Filename Regex

2016-02-18 Thread Mehmet Avcioglu

What is the format for Filename Regex pattern used in cdb signature files?

I have not been able to find documentation for this and some of the valid 
regex strings I use are not recognized. For example I cannot find a way to 
match for '@' character, or use '\s' for white space.

Thanks

-- 
Mehmet Avcioglu
meh...@activecom.net



Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Gene Heskett
On Thursday 18 February 2016 04:06:07 Groach wrote:

> Hi Gene, I will clarify my terminology for you, if it helps
>
> On 18/02/2016 09:48, Gene Heskett wrote:
> > I
> >
> >> Receive notification of someones reply, click REPLY, write
> >> answer...SEND.
> >
> > Notification? I have used t-bird in the past, but I am not familiar
> > with that term.  Here I am subscribed to the list, so I get
> > everything posted to the list. No notification involved.
>
> I am subscribed to the mail list.  Every time someone posts something
> to the list I receive an email (to which I 'REPLY' in Thunderbird with
> my own comments as I am doing now).  It is this email that I call
> 'Notification' (as in an email that notifies me that someone has
> posted something).
>
> >> My original question really was how to REPLY to a thread that's
> >> already started when you don't have a notification for it in the
> >> first place. (Maybe you were not subscribed at the time or you have
> >> since deleted email notifications).
> >
> > That could happen, but if the expire time set for that folder is a
> > month or more, that rarely happens.
>
> Consider my explanation of 'notification' above.  So now, how do I
> post a 'reply' to someone else's comment if I no longer have an "email
> notification" (to click 'REPLY' on)?

That should be the default behaviour when you click on "reply to list".  
Do not make major changes to the subject.  "Reply to list" automatically 
puts your reply into that message's thread.  Or should, if not I'd call 
it badly bent if not broken.  This should apply to the message and 
thread you are viewing, independently of having the OP thread starter 
still in the read-mail category and available on your machine.

I haven't used t-bird recently enough to remember all the details, and my 
memory is suffering from 81 years of bit-rot, but I have 3 reply icons 
on the top bar of this TDE version of kmail, one for Reply to:, one for 
Reply to all:, and one for Reply-to-mailing-list:.  They change the To: 
line, and you can even setup separate sigs, but I've not felt I needed 
to in 18 years of a linux only house.

Thanks Groach.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Threading (Was: How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?)

2016-02-18 Thread Simon Hobson
Mark Allan  wrote:

> 
>> For me, I use Mail.app the majority of the time.  Apparently if I delete 
>> lines and inline reply like I do in Thunderbird, Mail.app just tells me to 
>> eat dust and unthreads the whole thing.  Guess I should file a bug with 
>> Apple.
> 
> That's strange. I use Mail.app as well, and as far as I'm aware, there's 
> never been a problem replying to emails and keeping the threading and quoted 
> text.

Me too, never come across that. But then I'm still on 10.8 (Mountain Lion) so 
can't speak for later versions, I know Apple does have a history of taking 
something that works and "fixing" it - in the same way people talk of taking 
their dog to the vet to be "fixed" (by removing bits that worked).


Groach  wrote:

> Consider my explanation of 'notification' above.  So now, how do I post a 
> 'reply' to someone else's comment if I no longer have an "email notification" 
> (to click 'REPLY' on)?

What I usually do in that situation is to carefully copy the email subject as 
it appears in the archives and create a new email. The new email won't have any 
references headers to link it to the thread, but any half decent client and 
list archive should be capable of recognising the subject as being the same as 
the existing thread and link it in that way.
Your message won't appear in the right place in the threaded view in the 
archives, but it should appear in the same thread.

The same issue occurs for people getting a list digest.


In theory, if it's presented, you could copy the message header from the 
archive and add that as a custom header (In-Reply-To:) to your email. Looking 
at the Mailman archive for the list it doesn't seem to be presented, but I 
suspect some archives may keep and display it.
The key headers are:

Message-Id:
This should be a globally unique ID generated by your mail client.

In-Reply-To:
If you reply to an email, the In-Reply-To: header should be set to the 
Message-Id: of the message you reply to.

References:
This builds up as a message gets replied to over time. Each reply should be 
adding the Message-Id: to this so there ends up a chain of which messages led 
to this one.

In-Reply-To: should be sufficient to put your message in the right place in the 
thread.



What you must never ever do is select some random list message in an unrelated 
thread and hit reply - either to respond to an existing thread or to start a 
new one. Because this reply will include In-Reply-To: and probably References: 
headers, this will cause your unrelated message to get threaded into the wrong 
thread. If you are browsing an archive and find a seemingly unrelated thread 
intermingled with another one - this is probably the cause.
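
The threading rules described above, as an added example that is not part of the original post: it builds a reply with the three headers and then shows which parent a threader picks for a proper reply, a new mail with a copied subject, and a reply to an unrelated message. Addresses, Message-IDs and function names are constructed for illustration, and the subject fallback is an assumed simplification, not Mailman's or any mail client's actual algorithm.

```python
import re
from email.message import EmailMessage
from email.utils import make_msgid

def make_reply(parent, sender, body, domain="example.org"):
    """Build a reply that threads directly under `parent`."""
    reply = EmailMessage()
    subject = str(parent["Subject"] or "")
    reply["From"] = sender
    reply["Subject"] = subject if subject.lower().startswith("re:") else "Re: " + subject
    reply["Message-ID"] = make_msgid(domain=domain)      # new globally unique ID
    reply["In-Reply-To"] = str(parent["Message-ID"])     # the message being answered
    chain = str(parent["References"] or "").split()      # ancestors of the parent
    reply["References"] = " ".join(chain + [str(parent["Message-ID"])])
    reply.set_content(body)
    return reply

def normalize_subject(subject):
    """Drop leading Re:/Fwd: prefixes and [list] tags for subject matching."""
    prev, cur = None, subject.strip()
    while cur != prev:
        prev = cur
        cur = re.sub(r"^(?:(?:re|fwd?):|\[[^\]]*\])\s*", "", cur, flags=re.I)
    return cur.lower()

def find_parent(msg, archive):
    """Return (parent Message-ID, reason); `archive` maps Message-ID -> message."""
    irt = str(msg["In-Reply-To"] or "").strip()
    if irt in archive:
        return irt, "in-reply-to"
    for ref in reversed(str(msg["References"] or "").split()):
        if ref in archive:                               # nearest known ancestor
            return ref, "references"
    wanted = normalize_subject(str(msg["Subject"] or ""))
    for mid, other in archive.items():                   # assumed subject fallback
        if normalize_subject(str(other["Subject"] or "")) == wanted:
            return mid, "subject"
    return None, "new-thread"

def new_message(subject, sender, msgid=None):
    """Create a fresh message with no threading headers."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m["Message-ID"] = msgid or make_msgid(domain="example.org")
    m.set_content("constructed sample body")
    return m

def demo():
    # Constructed sample archive: two unrelated thread starters.
    root = new_message("[clamav-users] Filename Regex", "a@example.org", "<root@example.org>")
    other = new_message("[clamav-users] BlackEnergy malware detection",
                        "b@example.org", "<other@example.org>")
    archive = {str(m["Message-ID"]): m for m in (root, other)}
    proper = make_reply(root, "c@example.org", "normal reply")
    copied = new_message("Re: [clamav-users] Filename Regex", "d@example.org")
    hijack = make_reply(other, "e@example.org", "unrelated question")
    hijack.replace_header("Subject", "[clamav-users] Filename Regex")
    return {name: find_parent(m, archive) for name, m in
            (("proper", proper), ("copied", copied), ("hijack", hijack))}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "hijack" case lands under the BlackEnergy message even though its subject was changed, because In-Reply-To is checked before the subject.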



Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Mark Allan

> On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler)  wrote:
> 
> For me, I use Mail.app the majority of the time.  Apparently if I delete 
> lines and inline reply like I do in Thunderbird, Mail.app just tells me to 
> eat dust and unthreads the whole thing.  Guess I should file a bug with Apple.

That's strange. I use Mail.app as well, and as far as I'm aware, there's never 
been a problem replying to emails and keeping the threading and quoted text.

If you change something and a chunk of text gets unquoted (or your reply gets 
quoted accidentally) you can hit cmd-' to increase or cmd-opt-' to decrease the 
quote level.

Mark



Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Gene Heskett
On Thursday 18 February 2016 02:59:56 Groach wrote:

> Nope.
>
> I'm using thunderbird.  Only thunderbird, and nothing else but
> thunderbird.
>
I see that in the header, I must have missed it previously.  My bad.

> Receive notification of someones reply, click REPLY, write
> answer...SEND.

Notification? I have used t-bird in the past, but I am not familiar with 
that term.  Here I am subscribed to the list, so I get everything posted 
to the list. No notification involved.

> My original question really was how to REPLY to a thread that's already
> started when you don't have a notification for it in the first place.
> (Maybe you were not subscribed at the time or you have since deleted
> email notifications).

That could happen, but if the expire time set for that folder is a month 
or more, that rarely happens.
>
> Cheers.
>
> On 18/02/2016 02:53, Gene Heskett wrote:
> > On Wednesday 17 February 2016 14:54:02 Groach wrote:
> >> (How do people reply to keep threading? And can they if they don't
> >> have a recent reply by email?  Humph!!)
> >
> > Since you came in thru yahoo, you probably cannot without starting
> > your own thread.  IMO yahoo is somewhat busted, and google-groups
> > should be terminated, with prejudice.
> >
> > Does your ISP provide an email server?  Most do.  I can help you get
> > setup, but not on this list, it's off-topic.
> >
> >> On 17/02/2016 20:48, Joel Esler wrote:
> >>> On 2/17/16 1:34 PM, Gene Heskett wrote:
>  On Wednesday 17 February 2016 12:01:11 Noel Jones wrote:
> > On 2/17/2016 10:40 AM, Joel Esler (jesler) wrote:
> >> Okay, so this is a long email, let me respond inline:
> >>
> >>
> >> --
> >> Joel Esler
> >> Manager, Talos Group
> >
> > Unfortunately, due to lack of quoting it's impossible to tell
> > which parts are yours.
> >
> >
> > -- Noel Jones
> 
>  That is also one of my pet peeves Joel. PLEASE fix your quoting
>  so the rest of us CAN track who wrote what.
> 
>  Cheers, Gene Heskett
> >>>
> >>> Yes, sorry about that, for some reason my mail client, when I do
> >>> inline replies, breaks threads.  Stupid.
> >
> > There are other clients a plenty even for windoze users.  That
> > however I am guessing as the client you are using identifies itself
> > as something yahoo probably wrote.
> >
> > Thanks Groach.
> >
> > Cheers, Gene Heskett
>


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Groach

Nope.

I'm using thunderbird.  Only thunderbird, and nothing else but thunderbird.

Receive notification of someones reply, click REPLY, write answer...SEND.

My original question really was how to REPLY to a thread that's already 
started when you don't have a notification for it in the first place. 
(Maybe you were not subscribed at the time or you have since deleted 
email notifications).


Cheers.


On 18/02/2016 02:53, Gene Heskett wrote:

On Wednesday 17 February 2016 14:54:02 Groach wrote:


(How do people reply to keep threading? And can they if they don't have
a recent reply by email?  Humph!!)

Since you came in thru yahoo, you probably cannot without starting your
own thread.  IMO yahoo is somewhat busted, and google-groups should be
terminated, with prejudice.

Does your ISP provide an email server?  Most do.  I can help you get
setup, but not on this list, it's off-topic.


On 17/02/2016 20:48, Joel Esler wrote:

On 2/17/16 1:34 PM, Gene Heskett wrote:

On Wednesday 17 February 2016 12:01:11 Noel Jones wrote:

On 2/17/2016 10:40 AM, Joel Esler (jesler) wrote:

Okay, so this is a long email, let me respond inline:


--
Joel Esler
Manager, Talos Group

Unfortunately, due to lack of quoting it's impossible to tell
which parts are yours.


-- Noel Jones

That is also one of my pet peeves Joel. PLEASE fix your quoting so
the rest of us CAN track who wrote what.

Cheers, Gene Heskett

Yes, sorry about that, for some reason my mail client, when I do
inline replies, breaks threads.  Stupid.

There are other clients a plenty even for windoze users.  That however I
am guessing as the client you are using identifies itself as something
yahoo probably wrote.

Thanks Groach.

Cheers, Gene Heskett

