Re: [Declude.Virus] SMTP AUTH - Imail v6.06

2002-05-16 Thread Jack Taugher


- Original Message -
> >(IMail v6.06 - SMTP AUTH)
> >
> >We need to enable SMTP AUTH for all of our clients -- we've found some
> >device/person (IP) on the outside of our network spoofing emails to lists by
> >the few users who are authorized list posters.
> >
> >In order to do this, is it best that we just check "No Mail Relay" on the
> >server and make all of our users go through the few steps to do SMTP AUTH?
>
> However, I don't believe that will prevent people from sending mail to the
> list using forged return addresses, since SMTP AUTH only applies to
> outgoing (relayed) E-mail.
> -Scott

In reply, doesn't IMail (SMTP AUTH) not allow email to be relayed unless a
password is supplied during login?   If that is true -- then how could
someone forge a return address without having a password to send mail?

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .



Re: [Declude.Virus] SMTP AUTH - Imail v6.06

2002-05-16 Thread R. Scott Perry


> > >We need to enable SMTP AUTH for all of our clients -- we've found some
> > >device/person (IP) on the outside of our network spoofing emails to lists
> > >by the few users who are authorized list posters.
> >
> > However, I don't believe that will prevent people from sending mail to the
> > list using forged return addresses, since SMTP AUTH only applies to
> > outgoing (relayed) E-mail.
>
>In reply, doesn't IMail (SMTP AUTH) not allow email to be relayed unless a
>password is supplied during login?   If that is true -- then how could
>someone forge a return address without having a password to send mail?

If you require SMTP AUTH, then users have to supply a valid E-mail address 
and password.  However, that only applies to *relayed* mail (outgoing 
mail).  For incoming mail (such as to a mailing list), SMTP AUTH is not 
required (or else you wouldn't be able to receive any mail from anyone who 
didn't have an account on the server).
 -Scott
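
The relay-only scope of SMTP AUTH described in this exchange, modelled as an added example (not part of the original thread and not IMail's code). The domains, addresses and the `match_sender` option are constructed for illustration; the option sketches a comparison of the envelope sender with the authenticated identity and is not a documented IMail setting.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: not taken from the thread.
LOCAL_DOMAINS = {"example.com"}        # domains this server hosts
LIST_POSTERS = {"alice@example.com"}   # envelope senders allowed to post


@dataclass
class Session:
    mail_from: str                     # envelope sender, chosen by the client
    auth_user: Optional[str] = None    # identity proven by SMTP AUTH, if any


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rcpt_decision(s: Session, rcpt_to: str, match_sender: bool = False) -> str:
    """Decide one RCPT TO; returns 'accept' or a rejection reason.

    match_sender=False: AUTH is demanded only for relaying.
    match_sender=True: hypothetical stricter rule, a MAIL FROM in a local
    domain must equal the authenticated identity. This also rejects
    legitimate outside mail that carries a local sender address
    (forwarders, remote lists), so it is a trade-off.
    """
    if match_sender and domain_of(s.mail_from) in LOCAL_DOMAINS:
        if s.auth_user is None:
            return "reject: local sender address requires AUTH"
        if s.auth_user.lower() != s.mail_from.lower():
            return "reject: MAIL FROM does not match AUTH identity"
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "accept"                # incoming mail: no account needed
    if s.auth_user is None:
        return "reject: relay requires AUTH"
    return "accept"


def list_accepts_post(s: Session) -> bool:
    """A list that authorizes posters by envelope sender alone."""
    return s.mail_from.lower() in LIST_POSTERS


def demo() -> dict:
    list_addr = "staff-list@example.com"
    forged = Session(mail_from="alice@example.com")   # outside host, no AUTH
    genuine = Session("alice@example.com", auth_user="alice@example.com")
    stranger = Session(mail_from="bob@elsewhere.example")
    return {
        "forged, relay-only AUTH": rcpt_decision(forged, list_addr),
        "forged passes list check": list_accepts_post(forged),
        "forged, relaying out": rcpt_decision(forged, "x@remote.example"),
        "forged, match_sender": rcpt_decision(forged, list_addr, True),
        "genuine, match_sender": rcpt_decision(genuine, list_addr, True),
        "stranger, match_sender": rcpt_decision(stranger, list_addr, True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With relay-only AUTH the forged post is accepted for local delivery and satisfies the list's sender check; only the stricter rule turns it away at RCPT time.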




Re: [Declude.Virus] SMTP AUTH - Imail v6.06

2002-05-16 Thread Serge

>If you require SMTP AUTH, then users have to supply a valid E-mail address
> and password

Does IMail compare this address to the From address you use?






[Declude.Virus] klez

2002-05-16 Thread Kenneth Bird

Is anyone else being driven to insanity by Klez?
We are catching the virus, but that doesn't stop everyone else on different
ISPs thinking we are sending them because of the spoofed from address.
blblblbl

Ken Bird




Re: [Declude.Virus] SMTP AUTH - Imail v6.06

2002-05-16 Thread R. Scott Perry


> >If you require SMTP AUTH, then users have to supply a valid E-mail address
> > and password
>
>Does IMail compare this address to the From address you use?

I do not know for sure, but most likely it does not.
   -Scott




Re: [Declude.Virus] klez

2002-05-16 Thread R. Scott Perry


>Is anyone else being driven to insanity by Klez?

Klez is nasty.  Very nasty.

>We are catching the virus, but that doesn't stop everyone else on different
>ISPs thinking we are sending them because of the spoofed from address.

And that's the problem.  Although Declude Virus now has the ability not to 
send out the notifications to the sender for the Klez virus, most other AV 
software does.  So it may look like a user of yours sent it.  However, 
(most) admins should know that Klez forges the return address, and that the 
virus didn't come from your mailserver.

Making it worse is that quite a few people have the Klez virus and don't 
realize it, and it is difficult to find out who (on a remote mailserver) 
has it.
  -Scott




RE: [Declude.Virus] klez

2002-05-16 Thread Harry Vanderzand

It is insane!

And the spoofing is a pain in the butt also.

The volume of them is just incredible.

Harry Vanderzand




KITHRUP:RE: [Declude.Virus] klez

2002-05-16 Thread Bill Naber

The worst part was about two weeks ago when the first big slug of infected
"outgoing" messages hit.  I was scrambling trying to disinfect the sender's
computers before realizing the FROM: address was being faked.

Since then we implemented the SKIPIFVIRUSNAMEHAS feature on the
notifications we normally send to the sender and intended recipients of an
infected message.

We also changed relay from using the sender's name to IP address (all our
senders are at fixed locations).

The Email admins set up Outlook rules to route the KLEZ notifications to a
special folder and just keep an eye out for any outgoing (none so far,
thanks to Declude).

The steps above cut out the main two problems we were having of:

1) Mail server having to process a bunch of infected mail as far as the
virus trap
2) Calls from concerned users about floods of "someone tried to send you a
virus" or "you tried to send a virus" messages.

Good luck,
-Bill




RE: [Declude.Virus] klez

2002-05-16 Thread Harry Vanderzand

A further point on this.

We have had incidents of our postmaster account being the spoofed address that is used.

Does anyone have any ideas how Klez is doing this?

Harry




KITHRUP:RE: [Declude.Virus] klez

2002-05-16 Thread Bill Naber

I'm guessing that it is making some guesses at generic names associated with
domains.  I've seen an unnatural amount of traffic to/from "webmaster@" our
various domains.  Our webmaster is not very chatty, so I'm thinking that
KLEZ tries a few common names to see if the relay will let them slip
through.

-Bill




RE: [Declude.Virus] klez

2002-05-16 Thread R. Scott Perry


>We have had incidents of our postmaster account being the spoofed address 
>that is used.
>
>Does anyone have any ideas how Klez is doing this?

Klez sometimes makes up addresses, by combining a known username with a 
known hostname.  So if you have "[EMAIL PROTECTED]" and 
"[EMAIL PROTECTED]" in your address book, it could send to 
"[EMAIL PROTECTED]".

It also gets addresses from the web cache, so if someone was recently at a 
page with "[EMAIL PROTECTED]", you could see Klez sending E-mail from 
"[EMAIL PROTECTED]".
 -Scott




[Declude.Virus] W32/Yaha-C

2002-05-16 Thread R. Scott Perry

FYI, there is a new virus "W32/Yaha-C" that looks like it has a chance of 
spreading rapidly.
-Scott




RE: KITHRUP:RE: [Declude.Virus] klez

2002-05-16 Thread Harry Vanderzand

I just searched the manual for SKIPIFVIRUSNAMEHAS and could not find anything on it.

Can anyone give me the method by which one uses it?

Looks like it would be worthwhile




Re: [Declude.Virus] virus scan question

2002-05-16 Thread R. Scott Perry


>I also work for a school and we've been hit hard lately by viruses.  I tell
>them. :)  we run postfix and just can not afford imail at the school.  I
>know declude will not work with any other program but do you have any
>suggestions for something like declude that would?  Do you have something
>else that might?

Although we may end up adding support for other platforms, it will be a 
while before it does happen.

For Unix, you might want to check out Amavis, which I believe is low cost.

-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com




RE: [Declude.Virus] Default eml files - Klez

2002-05-16 Thread R. Scott Perry


>How about an option that globally prevents any notifies to the forged
>sender or remote postmaster & sets the %MAILFROM% var to a specific
>value (ie. ) for certain viruses? (As not to incriminate the
>forged sender to the recipient).

Now that is an interesting idea.  That would definitely help cut down on 
all those angry E-mails that people send to innocent victims of Klez, that 
don't have the virus.

It's been added to the suggestion database (and may be a likely candidate 
for that next beta...).
   -Scott




Re: [Declude.Virus] Default eml files - Klez

2002-05-16 Thread Serge

> sets the %MAILFROM% var to a specific
> value (ie. ) for certain viruses? (As not to incriminate the
> forged sender to the recipient).

Very interesting, as this is causing much confusion in our user base.
We have users who take it upon themselves to notify the "forged" sender.

Also, the ONLYSENDIFVIRUSHAS can resolve this issue, as we can have 2
different types of recipient.eml, one with no sender address and
onlysendifvirushas klez,magistr, ...
the other with skipifvirushas klez,magistr,...


- Original Message -
From: "Terrence Koeman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 17, 2002 2:59 AM
Subject: RE: [Declude.Virus] Default eml files - Klez


> How about an option that globally prevents any notifies to the forged
> sender or remote postmaster & sets the %MAILFROM% var to a specific
> value (ie. ) for certain viruses? (As not to incriminate the
> forged sender to the recipient).
>
> --
> Regards,
>
> Terrence Koeman
>
> Technical Director/Administrator
> MediaMonks B.V. (www.mediamonks.nl)
>
> Please quote all replies in correspondence.
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> > Sent: Friday, May 17, 2002 00:03
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.Virus] Default eml files - Klez
> >
> >
> >
> > >If I use the default "sender.eml" file will it send the e-mail to the
> > >correct person if it catches the Klez virus?
> >
> > No -- there is no way of knowing who the real sender was.  Using the latest
> > default sender.eml file, no notification will be sent out to the sender of
> > the virus (since it is forged).
> >   -Scott