RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Andy Schmidt
FWIW - I have turned off the notifications for Sobig.F and it has been
working fine since this afternoon.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, August 20, 2003 11:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Skipping Sobig.F virus notifications


I'm experiencing the same issue...it is only happening with sobig.  I did
check the file and it appears to be formatted correctly.

Andy

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 7:27 PM
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


> >
> >The first thing to do is make sure that there is only one space (or 
> >tab) anywhere on the line.
> >
> >The second thing to do is make sure that there aren't any blank lines 
> >before that line (that the first blank line in the file is after the 
> >SKIPIF... lines and the To:/From:/Subject: lines).
> >
> >-Scott
>
> Yes, I understand, and I checked both of those first. As I said, this
"SKIPIF..." line has been working fine throughout the earlier versions of
Sobig, as have all the other lines in those notification files, it was just
today that these phantom notifications went out for sobig.f specifically.
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>



Re: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread andyb
I'm experiencing the same issue...it is only happening with sobig.  I did
check the file and it appears to be formatted correctly.

Andy

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 7:27 PM
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


> >
> >The first thing to do is make sure that there is only one space (or tab)
> >anywhere on the line.
> >
> >The second thing to do is make sure that there aren't any blank lines
> >before that line (that the first blank line in the file is after the
> >SKIPIF... lines and the To:/From:/Subject: lines).
> >
> >-Scott
>
> Yes, I understand, and I checked both of those first. As I said, this
"SKIPIF..." line has been working fine throughout the earlier versions of
Sobig, as have all the other lines in those notification files, it was just
today that these phantom notifications went out for sobig.f specifically.


RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread Matthew Lohr
That's funny I know someone who works there and they were not allowed to
use their computer at all today because of the virus

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 7:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses


>The Pentagon?  REALLY???  That's friggin scary as hell

Yup.  They got infected about 1PM yesterday, we found out and notified
them 
about 8PM, and they responded quickly saying that they were aware of 
it.  As of a couple hours ago, though, they were still sending them out.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Karen D. Oland
Using the logic that all servers on DSL are spammers, then, sure, all linux
servers with mailscanners are guilty by association.

> -Original Message-
> From: Fritz Squib
>
>
> So you're saying if I send you an email from my Linux servers... which IS
> running MailScanner, then I am guilty by association and it is
> assumed to be
> an infected message to be deleted?
>
> I manage 4 Linux mail servers for different companies and they all run
> SendMail/MailScanner/Spam Assassin.
>
> Oh Yeah, I also manage mail services for a large ISP, running
> Imail/Declude
> JM & Virus.
>
> See http://www.mailscanner.info
>
> Fritz
>
> Frederick P. Squib, Jr.
> Network Operations
> Citizens Telephone Company of Kecksburg
> Citizens Internet Services
> http://www.wpa.net
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of i360 Support
> Sent: Wednesday, August 20, 2003 5:36 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] X-MailScanner line
>
>
> It is put there by the Sobig.F virus.
>
> So if you see it, that means it is an infected mail.
>
>
> - Original Message -
> From: Bonno Bloksma
> To: [EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 4:16 PM
> Subject: [Declude.Virus] X-MailScanner line
>
>
> Hi,
>
> I've found this line in some mails but can not determine which
> program put
> it there.
>
> X-MailScanner: Found to be clean
>
> The reason I really want to know is because this line was in several
> virus-infected e-mails. So, which program decided the e-mail was clean, and
> in what sense was it clean?
> Greetings,
>
> Bonno Bloksma
>  Back up my hard drive? How do I put it in reverse?
>
> ---
> [This E-mail scanned by Citizens Internet Services with Declude Virus.]


RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread jssubs
>
>The first thing to do is make sure that there is only one space (or tab) 
>anywhere on the line.
>
>The second thing to do is make sure that there aren't any blank lines 
>before that line (that the first blank line in the file is after the 
>SKIPIF... lines and the To:/From:/Subject: lines).
>
>-Scott

Yes, I understand, and I checked both of those first. As I said, this "SKIPIF..." line 
has been working fine throughout the earlier versions of Sobig, as have all the other 
lines in those notification files, it was just today that these phantom notifications 
went out for sobig.f specifically.


RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread R. Scott Perry

>The Pentagon?  REALLY???  That's friggin scary as hell

Yup.  They got infected about 1PM yesterday, we found out and notified them 
about 8PM, and they responded quickly saying that they were aware of 
it.  As of a couple hours ago, though, they were still sending them out.

   -Scott


Re: [Declude.Virus] Delete or Hold for Viruses?

2003-08-20 Thread Rich
At 02:26 PM 8/20/2003, you wrote:
>With this latest Sobig variant, I have been starting to wonder whether it
>is still the best idea to be wasting storage space for the 2,000+ viruses
>that have been intercepted in the last couple days.  What is everyone else
>doing?  Are you holding viruses intercepted or just setting Declude to
>delete them?

We have a hold directory that is purged every 7 days.  The customers know
that if they get a message telling them the e-mail was intercepted, that
they have 7 days to claim it.  Some have actually requested the mail, and
ended up infecting their machine...

>Jim Matuska Jr.
>Computer Tech II
>CCNA
>Nez Perce Tribe
>Information Systems
>[EMAIL PROTECTED]
--
Rich Griebel
[EMAIL PROTECTED]
http://www.kendra.com
Scanned for Viruses using Declude and F-Prot 



RE: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread Marc Catuogno
The Pentagon?  REALLY???  That's friggin scary as hell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 06:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses



>Does anyone else bother to look at the header, do a who is on the IP and
>notify the responsible party of the possible problem on their IP?

We occasionally do so (that's how we found out that Disney and the Pentagon
were infected by Sobig).

>I see the IPs in the e-mail headers so if someone was notified do you
>think they can
>find the actually infected user?  Would they bother?

They should be able to find the user, and many (but not all) would bother.

-Scott


[Declude.Virus] McAfee Enterprise 7.0 not picking up Sobig.F

2003-08-20 Thread Bill Newberg
I use two scanners, F-Prot and McAfee Enterprise 7.0. F-Prot is picking up
Sobig.F, but McAfee is not. I have the latest definitions, 4288, and the
latest engine 4.2.60. When I send the test eicar file as a zip, both
scanners detect it, so I know both scanners are functioning. Does anyone
have any ideas as to why my McAfee is not detecting Sobig.F? 

Bill



Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread i360 Support
Nah, you did fine..

I jumped the gun by far.

But my second statement should be right :)


- Original Message -
From: "Fritz Squib" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 5:17 PM
Subject: RE: [Declude.Virus] X-MailScanner line


Sorry if I came off sounding a little harsh, just didn't want anyone jumping
the gun and getting bitten in the...

I contacted MailScanner's author today...

>Julian,
>  Just FYI, Did you know that the latest variant of the Sobig virus
>Adds "X-MailScanner: Found to be clean" to the headers of all
>infected messages in the attempt to bypass Virus scanning?

>Yes, I did. Thanks for letting me know anyway.

>As far as I can see, it is the first time a virus has actively attempted to
>discredit a virus-scanning package. However, please do note that the
>presence of this header has no effect whatsoever on whether MailScanner
>actually scans a message or not.

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net



Re: [Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread R. Scott Perry

>Does anyone else bother to look at the header, do a who is on the IP and
>notify the responsible party of the possible problem on their IP?

We occasionally do so (that's how we found out that Disney and the Pentagon
were infected by Sobig).

>I see the IPs in the e-mail headers so if someone was notified do you
>think they can
>find the actually infected user?  Would they bother?

They should be able to find the user, and many (but not all) would bother.

   -Scott


RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Fritz Squib
Sorry if I came off sounding a little harsh, just didn't want anyone jumping
the gun and getting bitten in the...

I contacted MailScanner's author today...

>Julian,
>  Just FYI, Did you know that the latest variant of the Sobig virus 
>Adds "X-MailScanner: Found to be clean" to the headers of all
>infected messages in the attempt to bypass Virus scanning?

>Yes, I did. Thanks for letting me know anyway.

>As far as I can see, it is the first time a virus has actively attempted to
>discredit a virus-scanning package. However, please do note that the
>presence of this header has no effect whatsoever on whether MailScanner 
>actually scans a message or not.

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net



[Declude.Virus] Notifying Postmasters/ISPs etc of viruses

2003-08-20 Thread Marc Catuogno
Does anyone else bother to look at the header, do a who is on the IP and
notify the responsible party of the possible problem on their IP?  I see the
IPs in the e-mail headers so if someone was notified do you think they can
find the actually infected user?  Would they bother?
I checked some of my border appliances and saw repeated scans on port 135 -
when I tried to tell some of the ISPs who owned the IP block that I thought
they might have the blaster worm, I met with hostile "abuse bots" telling me
that I didn't send them enough info or I got no reply at all.  I know I'd
appreciate it if someone found that one of the systems in my network was
compromised.  Is anyone doing this at all?  I mean could we find some of
these computers with sobig and alert the cable company and they can call the
user to get it stopped?  I know this would be very time consuming, but even
if we got a few

Marc



RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Andy Schmidt
Uh - thanks. I was afraid that there was some legitimate use for that line.
Darn.

Of course, you COULD change the header to use a different header name and/or
a slightly different message to distinguish your legitimate mails from the
virus generated ones.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fritz Squib
Sent: Wednesday, August 20, 2003 05:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] X-MailScanner line


So you're saying if I send you an email from my Linux servers... which IS
running MailScanner, then I am guilty by association and it is assumed to be
an infected message to be deleted?

I manage 4 Linux mail servers for different companies and they all run
SendMail/MailScanner/Spam Assassin.

Oh Yeah, I also manage mail services for a large ISP, running Imail/Declude
JM & Virus. 

See http://www.mailscanner.info

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of i360 Support
Sent: Wednesday, August 20, 2003 5:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] X-MailScanner line


It is put there by the Sobig.F virus.

So if you see it, that means it is an infected mail.


- Original Message - 
From: Bonno Bloksma 
To: [EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2003 4:16 PM
Subject: [Declude.Virus] X-MailScanner line


Hi,

I've found this line in some mails but can not determine which program put
it there.

X-MailScanner: Found to be clean

The reason I really want to know is because this line was in several
virus-infected e-mails. So, which program decided the e-mail was clean, and
in what sense was it clean?
Greetings,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?



Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread i360 Support
I guess I jumped the gun on this one but:

If you have the line, an attachment and one of the following subjects:
Subject:
  a.. Re: Details
  b.. Re: Approved
  c.. Re: Re: My details
  d.. Re: Thank you!
  e.. Re: That movie
  f.. Re: Wicked screensaver
  g.. Re: Your application
  h.. Thank you!
  i.. Your details
Then it just might be a virus :)




- Original Message -
From: "Fritz Squib" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 4:39 PM
Subject: RE: [Declude.Virus] X-MailScanner line


So you're saying if I send you an email from my Linux servers... which IS
running MailScanner, then I am guilty by association and it is assumed to be
an infected message to be deleted?

I manage 4 Linux mail servers for different companies and they all run
SendMail/MailScanner/Spam Assassin.

Oh Yeah, I also manage mail services for a large ISP, running Imail/Declude
JM & Virus.

See http://www.mailscanner.info

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of i360 Support
Sent: Wednesday, August 20, 2003 5:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] X-MailScanner line


It is put there by the Sobig.F virus.

So if you see it, that means it is an infected mail.


- Original Message -
From: Bonno Bloksma
To: [EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 4:16 PM
Subject: [Declude.Virus] X-MailScanner line


Hi,

I've found this line in some mails but can not determine which program put
it there.

X-MailScanner: Found to be clean

The reason I really want to know is because this line was in several
virus-infected e-mails. So, which program decided the e-mail was clean, and
in what sense was it clean?
Greetings,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?

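The combination check described in this message, as an added Python example that is not part of the original post and is not Declude or MailScanner code: it flags a message only when the header, an attachment and a listed subject occur together, and treats the header on its own as inconclusive because legitimate MailScanner installations add it too. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage, Message

# Subjects listed in the post above, lower-cased for comparison.
LISTED_SUBJECTS = {
    "re: details", "re: approved", "re: re: my details", "re: thank you!",
    "re: that movie", "re: wicked screensaver", "re: your application",
    "thank you!", "your details",
}
HEADER_NAME = "X-MailScanner"
HEADER_VALUE = "found to be clean"


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is marked as an attachment or carries a filename."""
    return any(
        part.get_content_disposition() == "attachment" or part.get_filename()
        for part in msg.walk()
    )


def signals(msg: Message) -> dict:
    """Evaluate the three indicators from the post independently."""
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    values = [str(v).strip().lower() for v in msg.get_all(HEADER_NAME, [])]
    return {
        "header": HEADER_VALUE in values,
        "attachment": has_attachment(msg),
        "subject": subject in LISTED_SUBJECTS,
    }


def triage(raw: str) -> str:
    """'suspect' needs all three indicators; the header alone is 'inconclusive'."""
    found = signals(message_from_string(raw))
    if all(found.values()):
        return "suspect"
    if found["header"]:
        return "inconclusive"
    return "no-match"


def build_sample(subject: str, with_header: bool, with_attachment: bool) -> str:
    """Construct a sample message (addresses, body and attachment are made up)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    if with_header:
        m[HEADER_NAME] = "Found to be clean"
    m.set_content("Constructed body text.")
    if with_attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_string()


if __name__ == "__main__":
    samples = [
        ("Re: Wicked screensaver", True, True),   # all three indicators
        ("Weekly report", True, False),           # header only, e.g. a MailScanner site
        ("Thank you!", False, True),              # listed subject but no header
    ]
    for args in samples:
        print(args, "->", triage(build_sample(*args)))
```

Every result, including "inconclusive" and "no-match", still goes through the normal virus scanner; the header is never a reason to skip scanning.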


RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread John Tolmachoff \(Lists\)
True Fritz, his reply was too general and broad.

Scott explained it best.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Fritz Squib
> Sent: Wednesday, August 20, 2003 2:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] X-MailScanner line
> 
> So you're saying if I send you an email from my Linux servers... which IS
> running MailScanner, then I am guilty by association and it is assumed to
> be
> an infected message to be deleted?
> 
> I manage 4 Linux mail servers for different companies and they all run
> SendMail/MailScanner/Spam Assassin.
> 
> Oh Yeah, I also manage mail services for a large ISP, running
> Imail/Declude
> JM & Virus.
> 
> See http://www.mailscanner.info
> 
> Fritz
> 
> Frederick P. Squib, Jr.
> Network Operations
> Citizens Telephone Company of Kecksburg
> Citizens Internet Services
> http://www.wpa.net
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of i360 Support
> Sent: Wednesday, August 20, 2003 5:36 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] X-MailScanner line
> 
> 
> It is put there by the Sobig.F virus.
> 
> So if you see it, that means it is an infected mail.
> 
> 
> - Original Message -
> From: Bonno Bloksma
> To: [EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 4:16 PM
> Subject: [Declude.Virus] X-MailScanner line
> 
> 
> Hi,
> 
> I've found this line in some mails but can not determine which program
> put it there.
> 
> X-MailScanner: Found to be clean
> 
> The reason I really want to know is because this line was in several
> virus-infected e-mails. So, which program decided the e-mail was clean, and
> in what sense was it clean?
> Greetings,
> 
> Bonno Bloksma
>  Back up my hard drive? How do I put it in reverse?
> 


Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread i360 Support



It is put there by the Sobig.F virus.

So if you see it, that means it is an infected mail.


- Original Message -
From: Bonno Bloksma
To: [EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 4:16 PM
Subject: [Declude.Virus] X-MailScanner line


Hi,

I've found this line in some mails but can not determine which program put
it there.

X-MailScanner: Found to be clean

The reason I really want to know is because this line was in several
virus-infected e-mails. So, which program decided the e-mail was clean, and
in what sense was it clean?
Greetings,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?


RE: [Declude.Virus] X-MailScanner line

2003-08-20 Thread Fritz Squib
So you're saying if I send you an email from my Linux servers... which IS
running MailScanner, then I am guilty by association and it is assumed to be
an infected message to be deleted?

I manage 4 Linux mail servers for different companies and they all run
SendMail/MailScanner/Spam Assassin.

Oh Yeah, I also manage mail services for a large ISP, running Imail/Declude
JM & Virus. 

See http://www.mailscanner.info

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of i360 Support
Sent: Wednesday, August 20, 2003 5:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] X-MailScanner line


It is put there by the Sobig.F virus.

So if you see it, that means it is an infected mail.


- Original Message - 
From: Bonno Bloksma 
To: [EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2003 4:16 PM
Subject: [Declude.Virus] X-MailScanner line


Hi,

I've found this line in some mails but can not determine which program put
it there.

X-MailScanner: Found to be clean

The reason I really want to know is because this line was in several
virus-infected e-mails. So, which program decided the e-mail was clean, and
in what sense was it clean?
Greetings,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?



Re: [Declude.Virus] X-MailScanner line

2003-08-20 Thread R. Scott Perry

>I've found this line in some mails but can not determine which program
>put it there.
>
>X-MailScanner: Found to be clean
>
>The reason I really want to know is because this line was in several
>virus-infected e-mails. So, which program decided the e-mail was clean, and
>in what sense was it clean?

That line is normally added by a program called "MailScanner".  However,
Sobig.F adds that line as well (apparently, they think that some people
will see it and assume the virus is a safe one).

   -Scott


[Declude.Virus] Delete or Hold for Viruses?

2003-08-20 Thread Jim Matuska



With this latest Sobig variant, I have been starting to wonder whether it
is still the best idea to be wasting storage space for the 2,000+ viruses
that have been intercepted in the last couple days.  What is everyone else
doing?  Are you holding viruses intercepted or just setting Declude to
delete them?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


Re: [Declude.Virus] banext notification

2003-08-20 Thread R. Scott Perry

>I'm thinking of leaving the banext in place but want to alert the sender
>and/or recipient when a mail is being held. I've downloaded the
>BANnotify.eml file but don't see how Declude decides when to use it. Do I
>need to put any extra control lines at the beginning?

Declude knows by the name of the file, so you don't need to worry about
control lines in there.

   -Scott


RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread R. Scott Perry

> Twice today I have been sitting at local users machines for unrelated tasks,
> and in both cases I noticed notifications in their local email inboxes
> warning about inbound sobig messages. I didn't give it a lot of notice at
> the time, I knew we got a zillion of them already. The problem is that I
> have had "SKIPIFVIRUSNAMEHAS Sobig" in both recip.eml and sender.eml for a
> long time now, long enough that several other entries are in there now under
> the Sobig lines. Something's wacky, but I haven't had a spare moment to do
> any log investigation yet.

The first thing to do is make sure that there is only one space (or tab) 
anywhere on the line.

The second thing to do is make sure that there aren't any blank lines 
before that line (that the first blank line in the file is after the 
SKIPIF... lines and the To:/From:/Subject: lines).

   -Scott
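
The two checks in the reply above (exactly one space or tab on each SKIPIF... line, and no blank line before the SKIPIF... and To:/From:/Subject: lines) can be automated across notification templates. This is an added example, not part of the original message and not Declude's own tooling; the function name, problem codes and both sample templates are constructed for illustration.

```python
import re

# Control lines such as "SKIPIFVIRUSNAMEHAS Sobig". Leading whitespace is
# matched on purpose so that it is caught by the whitespace count below.
CONTROL_RE = re.compile(r"^[ \t]*SKIPIF", re.IGNORECASE)
HEADER_RE = re.compile(r"^(To|From|Subject):", re.IGNORECASE)


def lint_template(text):
    """Return sorted (line_number, problem_code) pairs for one template.

    Problem codes (hypothetical names used only by this example):
      whitespace-count      SKIPIF... line without exactly one space/tab
      control-after-blank   SKIPIF... line placed after the first blank line
      blank-before-headers  first blank line precedes To:/From:/Subject:
    """
    problems = []
    first_blank = None
    first_header = None
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            # Assumption: a whitespace-only line is treated like a blank line.
            if first_blank is None:
                first_blank = num
            continue
        if CONTROL_RE.match(line):
            if first_blank is not None:
                problems.append((num, "control-after-blank"))
            # Trailing spaces count too; they are invisible in most editors.
            whitespace = sum(1 for ch in line if ch in " \t")
            if whitespace != 1:
                problems.append((num, "whitespace-count"))
        elif first_header is None and HEADER_RE.match(line):
            first_header = num
    if first_blank is not None and (
        first_header is None or first_header > first_blank
    ):
        problems.append((first_blank, "blank-before-headers"))
    return sorted(problems)


# Constructed sample: control lines first, then headers, then the first blank.
GOOD_TEMPLATE = (
    "SKIPIFVIRUSNAMEHAS Sobig\n"
    "SKIPIFVIRUSNAMEHAS Hybris\n"
    "From: postmaster@example.com\n"
    "To: user@example.com\n"
    "Subject: Virus found\n"
    "\n"
    "%VIRUSNAME% was found in a message addressed to you.\n"
)

# Constructed sample with three defects: a trailing space on line 2, a blank
# line at line 3 ahead of the headers, and a control line after that blank.
BAD_TEMPLATE = (
    "SKIPIFVIRUSNAMEHAS Sobig\n"
    "SKIPIFVIRUSNAMEHAS Hybris \n"
    "\n"
    "SKIPIFVIRUSNAMEHAS\tDumaro\n"
    "From: postmaster@example.com\n"
    "Subject: Virus found\n"
    "\n"
    "%VIRUSNAME% was found in your message.\n"
)

if __name__ == "__main__":
    for name, template in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        findings = lint_template(template)
        print(name, "->", findings if findings else "no problems")
```
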


[Declude.Virus] X-MailScanner line

2003-08-20 Thread Bonno Bloksma



Hi,

I've found this line in some mails but can not determine which program put
it there.

X-MailScanner: Found to be clean

The reason I really want to know is because this line was in several
virus-infected e-mails. So, which program decided the e-mail was clean, and
in what sense was it clean?

Greetings,

Bonno Bloksma
Back up my hard drive? How do I put it in reverse?


[Declude.Virus] banext notification

2003-08-20 Thread Bonno Bloksma



Hi,

I'm thinking of leaving the banext in place but want to alert the sender
and/or recipient when a mail is being held. I've downloaded the
BANnotify.eml file but don't see how Declude decides when to use it. Do I
need to put any extra control lines at the beginning?

Greetings,

Bonno Bloksma
Back up my hard drive? How do I put it in reverse?


RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread John Shacklett
I'm running late catching up on my Declude lists today, so forgive me for
jumping in here - not only late but in the middle of the thread.

Twice today I have been sitting at local users machines for unrelated tasks,
and in both cases I noticed notifications in their local email inboxes
warning about inbound sobig messages. I didn't give it a lot of notice at
the time, I knew we got a zillion of them already. The problem is that I
have had "SKIPIFVIRUSNAMEHAS Sobig" in both recip.eml and sender.eml for a
long time now, long enough that several other entries are in there now under
the Sobig lines. Something's wacky, but I haven't had a spare moment to do
any log investigation yet.

The only thing that's unusual here is I was also seeing something that
others have mentioned: my f-prot is catching this and my mcafee was not, so
I was only getting hits using my Scanner2, and not my Scanner1. I can't
imagine what that might matter, but I do know that the "SKIPIF..." lines
ordinarily work without fail.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Wednesday, 20 August 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


Ah, but that is why in the virus.cfg file, you put a line in like this:

FORGINGVIRUSsobig

This way, the sender e-mail address is replaced with [Forged].

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
> Sent: Wednesday, August 20, 2003 6:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
>
> Yes, but it's not good marketing when the receiver then phones the sender,
> who is an innocent victim, and threatens him with some less
> nice things
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: 20. august 2003 15:44
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
>
>
> I put it in the sender.eml and otherpostmaster.eml. I still want the
> recipient to get it. Good marketing. We are doing our job. Of course, I want
> to see it.
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
> > Sent: Wednesday, August 20, 2003 6:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> > you put it in every .eml file in the declude folder
> >
> > as the first line
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of Tim Collins
> > Sent: 20. august 2003 15:08
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> >
> > What configuration file do you put 'SKIPIFVIRUSNAMEHAS Sobig' in and
> > what exactly does it do with the message.
> >
> > New ISP owner,
> >
> > Tim Collins
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
> > Sent: Wednesday, August 20, 2003 7:00 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> >
> > just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook
> > Sent: 20. august 2003 14:45
> > To: Declude Virus Mailing list (E-mail)
> > Subject: [Declude.Virus] Skipping Sobig.F virus notifications
> >
> >
> > I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
> > success:
> >
> > SKIPIFVIRUSNAMEHAS W32/Sobig.F
> > SKIPIFVIRUSNAMEHAS Sobig.F
> >
> > There is just one space between the SKIPVIRUSNAMEHAS and vulnerability.
> > What is everyone else using?  Also, for the next time, will the
> > vulnerability name be what is reported by the %VIRUSNAME% variable or
> > something else?
> >
> > Thanks,
> > Steve

RE: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread R. Scott Perry

> I thought BANEXT worked before the scanner?

Both are done on all E-mail, and if a virus is found, it takes priority 
over the banned file extension.

   -Scott


RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Fritz Squib
Hmmm...

I'm only seeing one flavor of Sobig as of 4:30PM Eastern


Count   Inbound/Outbound   Name
2,504   2,504 / 0          W32/Sobig.F
97      14 / 83            W32/[EMAIL PROTECTED]
57      57 / 0             W32/[EMAIL PROTECTED]
33      2 / 31             W32/Hybris.worm.B
31      31 / 0             W32/Dumaro.A
6       6 / 0              W32/[EMAIL PROTECTED]
4       4 / 0              W32/[EMAIL PROTECTED] (corrupted)
2       0 / 2              W32/[EMAIL PROTECTED]
1       1 / 0              W32/[EMAIL PROTECTED]
1       1 / 0              W32/[EMAIL PROTECTED]
1       1 / 0              W32/[EMAIL PROTECTED]

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net 



RE: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread Marc Catuogno
I just ran a manual scan on the spool virus directory with F-protect and it
identified all the held viruses as [EMAIL PROTECTED] - BUT I did run an update
immediately before that even though I ran it this morning.

Marc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 04:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANEXT to delete all .pif?



>Just like everyone else, we are getting hammered by Sobig.F.  Declude seems
>to be catching and holding the virus e-mails with the attachments because of
>the BANEXT option.  The potential exists to overload our hard drive. There
>were over 3,000 held messages today (that is about 2x what we would normally
>do in a day) and I'm worried that with some minor modification some idiot
>could make this send out a larger file. Is anyone else setting to
>Deletevirus to "on" to address this and will that cause the held messages to
>be deleted for BANEXT?

No, there isn't.

However, if the E-mail is caught due to a banned file extension, that means
that the virus scanner is not catching it, which is normally a serious
problem.

-Scott


RE: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread Marc Catuogno
I thought BANEXT worked before the scanner?  DAMN... maybe my f-protect.exe
is old and not catching viruses?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, August 20, 2003 04:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANEXT to delete all .pif?



>Just like everyone else, we are getting hammered by Sobig.F.  Declude seems
>to be catching and holding the virus e-mails with the attachments because of
>the BANEXT option.  The potential exists to overload our hard drive. There
>were over 3,000 held messages today (that is about 2x what we would normally
>do in a day) and I'm worried that with some minor modification some idiot
>could make this send out a larger file. Is anyone else setting to
>Deletevirus to "on" to address this and will that cause the held messages to
>be deleted for BANEXT?

No, there isn't.

However, if the E-mail is caught due to a banned file extension, that means
that the virus scanner is not catching it, which is normally a serious
problem.

-Scott


Re: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread i360 Support
Oh please...
We don't need no stenkin program, we kick it old school and count them
manually :)

This is a nice program: http://www.csonline.net/imailstuff/viruslog.htm


- Original Message -
From: "Keith Johnson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 2:27 PM
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


What are you using (program wise) for your virus counts...thanks

Keith

-Original Message-
From: Jeff Kratka [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications

Yep I'm getting there here also.

Count   Inbound/Outbound   Name
330     330 / 0            W32/Sobig.F
40      40 / 0             W32/[EMAIL PROTECTED]
3       3 / 0              W32/[EMAIL PROTECTED]
2       2 / 0              W32/[EMAIL PROTECTED]
2       0 / 2              W32/Hybris.worm.B
1       1 / 0              W32/[EMAIL PROTECTED] (corrupted)


Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of paul
Sent: Wednesday, August 20, 2003 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Skipping Sobig.F virus notifications


Anybody else notice 2 different Sobig.F catches, Sobig.f, and
[EMAIL PROTECTED]
here's our virus log file as of 2:50PM:

Virus Summary by Count ---

Count   Inbound/Outbound   Name
4,099   4,099 / 0          W32/Sobig.F
257     257 / 0            W32/[EMAIL PROTECTED]
32      27 / 5             W32/[EMAIL PROTECTED]
3       3 / 0              W32/[EMAIL PROTECTED] (corrupted)
3       3 / 0              W32/[EMAIL PROTECTED]
3       3 / 0              W32/[EMAIL PROTECTED]
1       1 / 0              W32/Hybris.worm.B


Paul




Re: [Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread R. Scott Perry

> Just like everyone else, we are getting hammered by Sobig.F.  Declude seems
> to be catching and holding the virus e-mails with the attachments because of
> the BANEXT option.  The potential exists to overload our hard drive. There
> were over 3,000 held messages today (that is about 2x what we would normally
> do in a day) and I'm worried that with some minor modification some idiot
> could make this send out a larger file. Is anyone else setting to
> Deletevirus to "on" to address this and will that cause the held messages to
> be deleted for BANEXT?

No, there isn't.

However, if the E-mail is caught due to a banned file extension, that means 
that the virus scanner is not catching it, which is normally a serious problem.

   -Scott


Re: [Declude.Virus] Virus name in Log File

2003-08-20 Thread R. Scott Perry

> I am running Fprot and I am wanting to know how I can put the virus name in
> the Declude LogFile when it reports in the log file.

If you use LOGLEVEL MID, it should get recorded in the log file.

   -Scott


[Declude.Virus] BANEXT to delete all .pif?

2003-08-20 Thread Marc Catuogno
Please excuse this if it has already been answered-

Just like everyone else, we are getting hammered by Sobig.F.  Declude seems
to be catching and holding the virus e-mails with the attachments because of
the BANEXT option.  The potential exists to overload our hard drive. There
were over 3,000 held messages today (that is about 2x what we would normally
do in a day) and I'm worried that with some minor modification some idiot
could make this send out a larger file. Is anyone else setting to
Deletevirus to "on" to address this and will that cause the held messages to
be deleted for BANEXT?

Thanks - Marc



RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Jeff Kratka
Virus Log Analyzer http://www.csonline.net/imailstuff/viruslog.htm
 Works very well.

Jeff

*
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Keith Johnson
Sent: Wednesday, August 20, 2003 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


What are you using (program wise) for your virus counts...thanks

Keith

-Original Message-
From: Jeff Kratka [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications

Yep I'm getting there here also.

Count   Inbound/Outbound   Name
330     330 / 0            W32/Sobig.F
40      40 / 0             W32/[EMAIL PROTECTED]
3       3 / 0              W32/[EMAIL PROTECTED]
2       2 / 0              W32/[EMAIL PROTECTED]
2       0 / 2              W32/Hybris.worm.B
1       1 / 0              W32/[EMAIL PROTECTED] (corrupted)


Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of paul
Sent: Wednesday, August 20, 2003 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Skipping Sobig.F virus notifications


Anybody else notice 2 different Sobig.F catches, Sobig.f, and
[EMAIL PROTECTED]
here's our virus log file as of 2:50PM:

Virus Summary by Count ---

Count   Inbound/Outbound   Name
4,099   4,099 / 0          W32/Sobig.F
257     257 / 0            W32/[EMAIL PROTECTED]
32      27 / 5             W32/[EMAIL PROTECTED]
3       3 / 0              W32/[EMAIL PROTECTED] (corrupted)
3       3 / 0              W32/[EMAIL PROTECTED]
3       3 / 0              W32/[EMAIL PROTECTED]
1       1 / 0              W32/Hybris.worm.B


Paul




RE: [Declude.Virus] SoBig.f email coming through

2003-08-20 Thread John Tolmachoff \(Lists\)
While everyone was reporting catching them starting yesterday morning, I did
not see the first one until mid afternoon. Go figure.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Rodney Bertsch
> Sent: Wednesday, August 20, 2003 6:27 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] SoBig.f email coming through
> 
> I understand that SoBig comes with a .pif attachment.  I have .pif files
> among my banned extensions but haven't seen a single incident of this virus
> coming in.  It hasn't been caught as a virus or a banned extension.  Are we
> just extremely lucky or should I be worried I'm missing something?  No
> reports from any users that their desktop scanners have detected it yet
> either.  As far as I can tell we're safe here.
> 
> Rodney Bertsch
> IS Coordinator
> Kirk NationaLease Co.
> 
> 


RE: [Declude.Virus] SoBig.f email coming through

2003-08-20 Thread Rodney Bertsch
I understand that SoBig comes with a .pif attachment.  I have .pif files
among my banned extensions but haven't seen a single incident of this virus
coming in.  It hasn't been caught as a virus or a banned extension.  Are we
just extremely lucky or should I be worried I'm missing something?  No
reports from any users that their desktop scanners have detected it yet
either.  As far as I can tell we're safe here.

Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.




RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread ISPhuset Nordic AS
you put it in every .eml file in the declude folder

as the first line

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Collins
Sent: 20. august 2003 15:08
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


What configuration file do you put 'SKIPIFVIRUSNAMEHAS Sobig' in and
what exactly does it do with the message.

New ISP owner,

Tim Collins

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
Sent: Wednesday, August 20, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook
Sent: 20. august 2003 14:45
To: Declude Virus Mailing list (E-mail)
Subject: [Declude.Virus] Skipping Sobig.F virus notifications


I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
success:

SKIPIFVIRUSNAMEHAS W32/Sobig.F
SKIPIFVIRUSNAMEHAS Sobig.F

There is just one space between the SKIPVIRUSNAMEHAS and vulnerability.
What is everyone else using?  Also, for the next time, will the
vulnerability name be what is reported by the %VIRUSNAME% variable or
something else?

Thanks,
Steve


RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Tim Collins
What configuration file do you put 'SKIPIFVIRUSNAMEHAS Sobig' in and
what exactly does it do with the message.

New ISP owner,

Tim Collins

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ISPhuset Nordic AS
Sent: Wednesday, August 20, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Skipping Sobig.F virus notifications


just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook
Sent: 20. august 2003 14:45
To: Declude Virus Mailing list (E-mail)
Subject: [Declude.Virus] Skipping Sobig.F virus notifications


I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
success:

SKIPIFVIRUSNAMEHAS W32/Sobig.F
SKIPIFVIRUSNAMEHAS Sobig.F

There is just one space between the SKIPVIRUSNAMEHAS and vulnerability.
What is everyone else using?  Also, for the next time, will the
vulnerability name be what is reported by the %VIRUSNAME% variable or
something else?

Thanks,
Steve


RE: [Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread ISPhuset Nordic AS
just using SKIPIFVIRUSNAMEHAS Sobig and that seems to work

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Flook
Sent: 20. august 2003 14:45
To: Declude Virus Mailing list (E-mail)
Subject: [Declude.Virus] Skipping Sobig.F virus notifications


I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
success:

SKIPIFVIRUSNAMEHAS W32/Sobig.F
SKIPIFVIRUSNAMEHAS Sobig.F

There is just one space between the SKIPVIRUSNAMEHAS and vulnerability.
What is everyone else using?  Also, for the next time, will the
vulnerability name be what is reported by the %VIRUSNAME% variable or
something else?

Thanks,
Steve


[Declude.Virus] Skipping Sobig.F virus notifications

2003-08-20 Thread Steve Flook
I have tried a couple of different SKIPIFVIRUSNAMEHAS variations without
success:

SKIPIFVIRUSNAMEHAS W32/Sobig.F
SKIPIFVIRUSNAMEHAS Sobig.F

There is just one space between the SKIPVIRUSNAMEHAS and vulnerability.
What is everyone else using?  Also, for the next time, will the
vulnerability name be what is reported by the %VIRUSNAME% variable or
something else?

Thanks,
Steve


Re: [Declude.Virus] SoBig.f email coming through

2003-08-20 Thread Paul Ingram
Hello,

  It seems I am getting the Sobig email coming through to my users
  but without a payload.  In other words they are getting the message
  with all characteristics of SoBig.f but no attachment.

  Anyone know why this may be?  I can not filter on some of the subject
  such as  'd e t a i l s ... or... A p p r o v e d" So filtering in
  junkmail is out.

  I do strip all attachments that could carry a payload so I am good
  there.  Users are just worried they are infected which they should
  not since all attachments are stripped.  And as far as shares on the
  LAN I am very careful with those so but I do have to have open
  shares for the last of our Win95 systems.

  I have been slammed with an AS/400 down the last three days so if
  this is a dumb question please let it pass till I have more sleep.

-- 
Best regards,
 ~Paul~  mailto:[EMAIL PROTECTED]

---
{This E-mail scanned for viruses by Declude Virus/McAfee}



RE: [Declude.Virus] Sobig - Easy to Detect?

2003-08-20 Thread Fritz Squib
I have informed the fine folks at MailScanner of this.

For those of you supporting MailScanner on a Linux box, MailScanner has a
couple of options in the config file for the headers:

Append the new data to the existing header
Add a new header
Replace the existing header

I have set mine to replace the existing headers, this *should* remove any
forged X-MailScanner headers

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, August 19, 2003 11:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig - Easy to Detect?


Hi,

Is it just me, or is Sobig.F always adding the fake header:

X-MailScanner: Found to be clean

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]
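
The three header-handling options listed in the message above, modelled on a message that arrives already carrying the forged `X-MailScanner: Found to be clean` header. This is an added example, not MailScanner's code and not part of the original post; the policy names, the local verdict string, the sample message and the separator used for "append" are assumptions made for illustration.

```python
from email import message_from_string

HEADER = "X-MailScanner"
FORGED = "Found to be clean"          # value quoted in the thread
OUR_VERDICT = "Found to be infected"  # constructed verdict from the local scanner

# Constructed sample message: inbound mail that already carries the forged header.
RAW = (
    "From: sender@example.com\n"
    "To: user@example.net\n"
    "Subject: Re: Details\n"
    "X-MailScanner: Found to be clean\n"
    "\n"
    "See the attached file for details\n"
)

def stamp(raw, policy, verdict=OUR_VERDICT):
    """Apply one header policy and return every X-MailScanner value left on the message."""
    msg = message_from_string(raw)
    existing = msg.get_all(HEADER, [])
    if policy == "append" and existing:
        # Keep the inbound text and add the local verdict to the same header
        # (the ", " separator is an assumption).
        msg.replace_header(HEADER, existing[0] + ", " + verdict)
    elif policy == "replace":
        del msg[HEADER]        # removes every inbound copy, forged or not
        msg[HEADER] = verdict
    else:
        # "add": a second header next to the inbound one
        # (also used for "append" when there is nothing to append to).
        msg[HEADER] = verdict
    return msg.get_all(HEADER)

def forged_survives(values):
    """True if a recipient could still read the forged 'clean' claim."""
    return any(FORGED in value for value in values)

def policies_leaving_forgery(raw):
    """List the policies under which the forged value is still visible."""
    return [p for p in ("append", "add", "replace") if forged_survives(stamp(raw, p))]

if __name__ == "__main__":
    for policy in ("append", "add", "replace"):
        print(policy, stamp(RAW, policy))
    print("forged value still visible under:", policies_leaving_forgery(RAW))
```
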

