RE: [Declude.Virus] W32.Neroma@mm virus in .jpg?
>> Now we have to worry about viruses in picture files? <<

Nope - it's a normal .EXE attachment (just disguised as 911.exe). It's an old trick - either using double extensions (e.g. .JPG.EXE) or using MIME headers that refer to it as a picture - but the system file type is .EXE. A good virus scanner would be detecting that style of virus preventively since at least March 2003.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
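The two disguises Andy describes (a second extension tacked onto the name, or a Content-Type header that says "image" while the bytes say "executable") can both be caught without trusting the file name at all. The following is an added example, not code from the post or from Declude; the function and constant names are this example's own, and the attachment bodies are constructed stand-ins (a bare MZ header, not real malware):

```python
"""Added example (not from the list post): flag attachments whose declared
name or MIME type says "picture" but whose leading bytes say "Windows
executable". Inputs are constructed in-line; nothing here touches a real
mailbox. Function names are this example's own, not Declude's."""
import os

# Leading bytes of common image formats; a Windows PE file starts with "MZ".
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def sniff_content(data: bytes) -> str:
    """Classify by leading bytes only, ignoring the file name entirely."""
    if data[:2] == b"MZ":
        return "executable"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def all_extensions(filename: str) -> list:
    """'photo.jpg.exe' -> ['.jpg', '.exe']; Windows acts on the last one."""
    base = os.path.basename(filename).lower()
    return ["." + part for part in base.split(".")[1:]]


def assess_attachment(filename: str, content_type: str, data: bytes) -> list:
    """Return the reasons this attachment is suspicious (empty list = clean)."""
    reasons = []
    exts = all_extensions(filename)
    effective = exts[-1] if exts else ""
    sniffed = sniff_content(data)

    # The bytes are what will run, whatever the name says.
    if sniffed == "executable":
        reasons.append("content starts with MZ (Windows executable)")

    # Double extension whose effective (last) part is an executable type.
    if len(exts) >= 2 and effective in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension ending in executable type {effective}")

    # MIME header claims an image, but the content is an executable.
    if content_type.lower().startswith("image/") and sniffed == "executable":
        reasons.append(f"Content-Type {content_type} disagrees with MZ header")

    # Image extension on executable content (name/content mismatch).
    if effective in IMAGE_EXTENSIONS and sniffed == "executable":
        reasons.append(f"{effective} file name on executable content")

    return reasons


# Constructed samples: fake attachment bodies, not real malware.
SAMPLES = {
    "911.exe": ("application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60),
    "photo.jpg.exe": ("image/jpeg", b"MZ\x90\x00" + b"\x00" * 60),
    "photo.jpg": ("image/jpeg", b"MZ\x90\x00" + b"\x00" * 60),
    "real.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 60),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(name, "->", assess_attachment(name, ctype, body) or "clean")
```

The design point is that `sniff_content` never looks at the name: the file name and the Content-Type header are treated as claims to be checked against the bytes, which is what a scanner that catches "that style of virus" has to do.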
[Declude.Virus] W32.Neroma@mm virus in .jpg?
Now we have to worry about viruses in picture files?

http://www.eweek.com/article2/0%2C4149%2C1247120%2C00.asp?kc=EWMS102049TX1K0 100487
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Re: [Declude.Virus] Recipient's alert- Not sent..
> I was under the impression that if I put:
>
> SKIPIFVIRUSNAMEHAS Sobig
>
> In the recip.eml then the recipient of the virus will not be alerted if Sobig is the virus.

Correct.

> This works fine for Sobig but I noticed that I am not receiving a virus notification for other viruses as well. So I tested the Eicar virus with the above in the recip.eml and without it. With that line in the recip.eml I do not get a notification for Eicar and without it I get a notification. Is this a feature, bug, or a misunderstanding on my part... Or possibly all of the above? :)

That isn't the intended behavior. The debug mode should help here. To use it, change the "LOGLEVEL LOW" line in \IMail\Declude\virus.cfg to "LOGLEVEL DEBUG". Then, send the test eicar.com file through (using our Test Virus Sender at http://www.declude.com/tools ), and then switch back to "LOGLEVEL LOW" (the debug mode adds huge amounts of information to the log file). You can then send me the \IMail\spool\vir.log file (as an attachment, NOT sent from web messaging), and I can take a look at it to see what is happening.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.Virus] Blocking senders of Vulnerabilities
At 09:51 AM 9/6/2003, you wrote:

> Question, what do others do to block repeat offenders who send SPAM with vulnerabilities? I know to add the from IP address to the SMTP control access file, but I guess my question is more of do we see the same IP addresses? Would it be a good idea to share the IP addresses of the repeat offenders with others, or is it like viruses where everyone's experience is different?

Generally it's some putz with a mis-configured or ancient e-mail program, or some spammer routing through a proxy or open relay. If I can confirm the open relay I'll add them to the IP filter in Imail, or my banned IP filter in Junkmail. Otherwise I just let the virus filter take them out. We're only doing about 35k in e-mail a day, so the load isn't too bad.

The problem with global blocking by IP address would be just because one person using that mail server could be the problem. I've got a customer that insists on using some third party mail program written in the 90's on Windows 95. Half of her mail comes back as undeliverable because of it, and she just doesn't get the reason why. It worked in 1998, it should work now :)

> Maybe a shared file would be in order.
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com

--
Rich Griebel
[EMAIL PROTECTED]
http://www.kendra.com
Scanned for Viruses using Declude and F-Prot
Re: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
Is this BS really necessary? If you don't like someone, can't you keep it to yourself? A simple philosophy, don't be annoying and don't be easily annoyed.

John may have a big ego...so what?! I haven't met a computer engineer yet worth a darn that doesn't have a big ego. It takes a lot of moxie to be responsible for hundreds/thousands of users' computers/accounts when the crap is flying all around and you are the one getting yelled at.

I've been on/watching this list for a long time. I don't always like the answers I get, but the people here DO HELP ME. That is the bottom line, isn't it? Or is it about hurting egos? Personally, I don't think there is room for ego in the business world. I don't think any of us are here for the fun of it, but to make money, right? If I have to suppress my ego to get the answers I need and to get the job done, SO BE IT.

Come to think of it, we are usually guilty of what we accuse others of.

> In my experience it's people with bloated egos who attempt to publicly ridicule and chastise.
> Mike Tindor

I think it would be helpful to remember that John and others like him are NOT GETTING PAID to help with your issues or mine. This IS THE SPIRIT of the Internet, all of us helping each other, the best we can. That's my 2 cents worth. And I've been in this business a long time, 16 years, 8 of it running ISP's and being responsible for corporate networks. I don't have to like John's approach to *respect* him and his efforts on this list.

Now, can we all be nice to each other in this sand box...PLEASE?!

Andrew
Thumpernet

- Original Message -
From: "FIRST Internet Declude Virus Account" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 06, 2003 12:25 PM
Subject: RE: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS

> I'd have to agree.
>
> I guess all of the letters after John's name have gone to his head.
>
> In my experience it's people with bloated egos who attempt to publicly ridicule and chastise. Seems to me a friendly note directly to the admin would have been more appropriate.
>
> Mike Tindor
>
> -- Original Message --
> From: "Tim Collins" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Sat, 30 Aug 2003 07:55:41 -0500
>
> >John Tolmachoff,
> >
> >Personally, I have 2 months experience with my new ISP company and Declude.
> >Not everyone is as smart as you.
> >Maybe you should leave the List and start your own discussion group.
> >
> >The only stupid question is the one that is not asked. Often, there is more than one way to do something.
> >
> >Please keep your personal comments to yourself.
> >
> >Tim Collins
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> >Sent: Saturday, August 30, 2003 12:19 AM
> >To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> >Cc: [EMAIL PROTECTED]
> >Subject: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
> >Importance: High
> >
> >After all this has been talked about, that Sobig forges the sender, this pisses me off.
> >
> >Do you not know how to add FORGINGVIRUS and SKIPIFVIRUSNAMEHAS to the config and e-mail files?
> >
> >Get your bleeping act together or forfeit your Declude software to someone who knows how to use it.
> >
> >John Tolmachoff MCSE CSSA
> >Engineer/Consultant
> >eServices For You
> >www.eservicesforyou.com
> >
> >> -Original Message-
> >> From: Postmaster [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, August 29, 2003 7:58 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: WARNING: YOU MAY HAVE A VIRUS
> >>
> >> The Declude Virus software on lcs.net has reported that you sent an E-mail to [EMAIL PROTECTED], containing the Unknown Virus virus in the Unknown File attachment. The subject of the E-mail was "Your details". The E-mail containing the virus has been quarantined to prevent further damage.
> >>
> >> Headers Follow:
> >> Received: from ARNOLDS_ROOM [160.36.73.149] by lcs.net with ESMTP (SMTPD32-7.07) id A2A72C08013C; Fri, 29 Aug 2003 22:57:43 -0400
> >> From: <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Subject: Your details
> >> Date: Fri, 29 Aug 2003 22:59:36 --0400
> >> X-MailScanner: Found to be clean
> >> Importance: Normal
> >> X-Mailer: Microsoft Outlook Express 6.00.2600.
> >> X-MSMail-Priority: Normal
> >> X-Priority: 3 (Normal)
> >> MIME-Version: 1.0
> >> Content-Type: multipart/mixed; boundary="_NextPart_000_7E49D478"
> >> Message-Id: <[EMAIL PROTECTED]>
[Declude.Virus] Blocking senders of Vulnerabilities
Question, what do others do to block repeat offenders who send SPAM with vulnerabilities? I know to add the from IP address to the SMTP control access file, but I guess my question is more of do we see the same IP addresses? Would it be a good idea to share the IP addresses of the repeat offenders with others, or is it like viruses where everyone's experience is different?

Maybe a shared file would be in order.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
[Declude.Virus] Recipient's alert- Not sent..
Hi Scott:

I was under the impression that if I put:

SKIPIFVIRUSNAMEHAS Sobig

In the recip.eml then the recipient of the virus will not be alerted if Sobig is the virus. This works fine for Sobig but I noticed that I am not receiving a virus notification for other viruses as well. So I tested the Eicar virus with the above in the recip.eml and without it. With that line in the recip.eml I do not get a notification for Eicar and without it I get a notification. Is this a feature, bug, or a misunderstanding on my part... Or possibly all of the above? :)

Regards,
Kami

-Original Message-
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 06, 2003 12:33 PM
To: [EMAIL PROTECTED]
Subject: WARNING: YOU WERE SENT A VIRUS

The Declude Virus software [Ver: 1.75i4] on durability.com has reported that you were sent an E-mail from [EMAIL PROTECTED], containing the : EICAR test file NOT a virus. virus in the eicar.com attachment. The subject of the E-mail was "Test eicar.com file [eicarplain]". The E-mail containing the virus has been quarantined to prevent further damage.

Headers Follow:
Received: from www.declude.com [216.58.174.203] by foroosh.com (SMTPD32-8.02) id AC4015021C; Sat, 06 Sep 2003 12:33:04 -0400
X-Web-Originating-IP: 12.5.16.247
Message-Id: <[EMAIL PROTECTED]>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 02 Nov 2000 20:23:17 -0500
From: "WebMaster" <[EMAIL PROTECTED]>
To: "User" <[EMAIL PROTECTED]>
Subject: Test eicar.com file [eicarplain]
Mime-Version: 1.0
Content-Type: multipart/mixed; BounDary="=_307115168==_"
[Declude.Virus] Batch file from auto e-mail of virus from.
Some of us out here are not command line savvy. I am one. Thanks to Scott's posting of creating a file to find the from address of virus infected files, I have created a batch to run scheduled. Amazingly, it works. For those like me, here is the batch file for others to use. Please remember to change the paths to those relevant to your setup.

This creates and e-mails the sorted file, then moves the existing .smd files to the hold subfolder of virus and clears all files out of the virus folder.

NOTE: If you do not have a hold folder under virus, I would suggest creating it first, or move it where ever.

The virusfrombody.txt has a single line: Yesterday's virus from report.

@echo off
cd f:\spool\virus
f:
find "Received:" D*.SMD > file1.txt
sort < file1.txt > file2.txt
xcopy *.smd f:\spool\virus\hold
del *.smd
c:\imail\imail1.exe -f c:\batchfiles\virusfrombody.txt -s "Virus From Report" -t [EMAIL PROTECTED] -u [EMAIL PROTECTED] -a f:\spool\virus\file2.txt
del file1.txt
del file2.txt

Now, you could also do this hourly or every 4 hours or what ever. Question, if done hourly or so, how would you include the time and or date either in the subject line or in the body?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
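John's batch file grabs every Received: line from the quarantined .SMD files and sorts them; the earlier "Blocking senders of Vulnerabilities" thread asks whether the same connecting IPs keep turning up. The following is an added example, not code from either post or from Declude, that does both in Python: it takes the first Received: header of each quarantined message (the one the receiving server added, in the SMTPD32 layout quoted on the list), counts messages per connecting IP, and builds a report whose subject carries the date and time. The spool path, the message bodies and the IP addresses are constructed for the demo; only the header layout comes from the list posts.

```python
"""Added example (not from the list posts): a Python version of the
"virus from" report that also counts repeat-offender connecting IPs.
Sample messages below are constructed; only the Received: header
layout ("Received: from NAME [1.2.3.4] by host with ESMTP ...") is
taken from the notifications quoted on the list."""
import re
from collections import Counter
from datetime import datetime
from pathlib import Path

# Connecting IP as the receiving server recorded it in its own Received: header.
RECEIVED_RE = re.compile(r"^Received: from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def first_received_ip(message_text: str):
    """Return the IP in the first (topmost) Received: header, or None."""
    m = RECEIVED_RE.search(message_text)
    return m.group(1) if m else None


def count_sources(messages):
    """messages: iterable of (name, text). Returns a Counter of connecting IPs."""
    counts = Counter()
    for _name, text in messages:
        ip = first_received_ip(text)
        if ip:
            counts[ip] += 1
    return counts


def repeat_offenders(counts: Counter, threshold: int):
    """IPs seen at least `threshold` times, most frequent first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def build_report(counts: Counter, threshold: int, when: datetime):
    """Date-stamped subject plus a sorted body, in place of the batch file's
    fixed "Virus From Report" subject and file2.txt attachment."""
    stamp = f"{when:%Y-%m-%d %H:%M}"
    subject = f"Virus From Report {stamp}"
    lines = [f"Messages per connecting IP as of {stamp}", ""]
    for ip, n in counts.most_common():
        flag = "  <-- repeat offender" if n >= threshold else ""
        lines.append(f"{n:5d}  {ip}{flag}")
    return subject, "\n".join(lines)


def load_spool(spool_dir: Path, pattern: str = "D*.SMD"):
    """Read quarantined messages from a real spool directory
    (the batch file's f:\\spool\\virus); not used by the demo below."""
    return [(p.name, p.read_text(errors="replace")) for p in spool_dir.glob(pattern)]


# Constructed sample spool: three messages, two from the same connecting host.
SAMPLE_SPOOL = [
    ("D0001.SMD", "Received: from ARNOLDS_ROOM [192.0.2.10] by lcs.net with ESMTP (SMTPD32-7.07) id A1; Fri, 29 Aug 2003 22:57:43 -0400\nFrom: <a@example.test>\n"),
    ("D0002.SMD", "Received: from ARNOLDS_ROOM [192.0.2.10] by lcs.net with ESMTP (SMTPD32-7.07) id A2; Fri, 29 Aug 2003 23:01:10 -0400\nFrom: <b@example.test>\n"),
    ("D0003.SMD", "Received: from OTHERBOX [198.51.100.7] by lcs.net with ESMTP (SMTPD32-7.07) id A3; Sat, 30 Aug 2003 00:12:05 -0400\nFrom: <c@example.test>\n"),
]

if __name__ == "__main__":
    counts = count_sources(SAMPLE_SPOOL)
    subject, body = build_report(counts, threshold=2, when=datetime.now())
    print(subject)
    print(body)
    print("repeat offenders:", repeat_offenders(counts, 2))
```

Only the receiving server's own Received: header is trusted for the IP; any Received: lines further down were written by the sender and, as the Sobig discussion on this list shows, everything the sender supplies can be forged. The threshold is deliberately a parameter: as Rich points out, one user behind a shared mail server can account for all the hits from that IP, so a count is evidence for a closer look, not an automatic block.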
RE: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
I'd have to agree.

I guess all of the letters after John's name have gone to his head.

In my experience it's people with bloated egos who attempt to publicly ridicule and chastise. Seems to me a friendly note directly to the admin would have been more appropriate.

Mike Tindor

-- Original Message --
From: "Tim Collins" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Sat, 30 Aug 2003 07:55:41 -0500

>John Tolmachoff,
>
>Personally, I have 2 months experience with my new ISP company and Declude.
>Not everyone is as smart as you.
>Maybe you should leave the List and start your own discussion group.
>
>The only stupid question is the one that is not asked. Often, there is more than one way to do something.
>
>Please keep your personal comments to yourself.
>
>Tim Collins
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
>Sent: Saturday, August 30, 2003 12:19 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: [Declude.Virus] FW: WARNING: YOU MAY HAVE A VIRUS
>Importance: High
>
>After all this has been talked about, that Sobig forges the sender, this pisses me off.
>
>Do you not know how to add FORGINGVIRUS and SKIPIFVIRUSNAMEHAS to the config and e-mail files?
>
>Get your bleeping act together or forfeit your Declude software to someone who knows how to use it.
>
>John Tolmachoff MCSE CSSA
>Engineer/Consultant
>eServices For You
>www.eservicesforyou.com
>
>> -Original Message-
>> From: Postmaster [mailto:[EMAIL PROTECTED]
>> Sent: Friday, August 29, 2003 7:58 PM
>> To: [EMAIL PROTECTED]
>> Subject: WARNING: YOU MAY HAVE A VIRUS
>>
>> The Declude Virus software on lcs.net has reported that you sent an E-mail to [EMAIL PROTECTED], containing the Unknown Virus virus in the Unknown File attachment. The subject of the E-mail was "Your details". The E-mail containing the virus has been quarantined to prevent further damage.
>>
>> Headers Follow:
>> Received: from ARNOLDS_ROOM [160.36.73.149] by lcs.net with ESMTP (SMTPD32-7.07) id A2A72C08013C; Fri, 29 Aug 2003 22:57:43 -0400
>> From: <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Subject: Your details
>> Date: Fri, 29 Aug 2003 22:59:36 --0400
>> X-MailScanner: Found to be clean
>> Importance: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2600.
>> X-MSMail-Priority: Normal
>> X-Priority: 3 (Normal)
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary="_NextPart_000_7E49D478"
>> Message-Id: <[EMAIL PROTECTED]>
>>

Sent via the WebMail system at 1st.net
RE: [Declude.Virus] SoBig more prolific now?
"There ain't no cure for stupidity."
[Declude.Virus] SoBig more prolific now?
Last night I got hammered with about 3,000 "sobigs" in the course of about 2 hours from one infected computer - it seems this particular computer had almost every address from my domain on it.

This morning I got about 100 from another computer - the strange thing was that all 100 were sent to a single address on my domain at the rate of about 1 per minute.

Does anyone know how fast it sends? Does it have anything to do with the speed of the infected computer? I'm just curious. When will people stop opening this attachment?