[Declude.Virus] New Errors under Imail 8.03

2003-10-02 Thread Mike Nice

Since upgrading to IMail 8.03, I began getting this error  several times
each day -

Error 183 creating temp directory D:\IMAIL\spool\Dfce20c8602461764.vir\.


   (The error is something like already exists).

  Have been running 1.69i7 since May and never saw that error.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


[Declude.Virus] Swen

2003-10-02 Thread Mike Wiegers
Is Swen a forged virus? I tried to get to the .eml links on the manual page
but it didn't go. Need to see if I need to update my notification templates.

Thanks,
Mike



Re: [Declude.Virus] Swen

2003-10-02 Thread R. Scott Perry

> Is Swen a forged virus?

No (as far as Declude is concerned).  The From: header is forged, but the 
return address (the one that Declude uses) is not forged.  It will normally 
come from an address that the recipient does not recognize, however (since 
it mostly seems to get addresses from web pages and Usenet newsgroups).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.Virus] New Errors under Imail 8.03

2003-10-02 Thread R. Scott Perry

> Since upgrading to IMail 8.03, I began getting this error several times
> each day -
> Error 183 creating temp directory D:\IMAIL\spool\Dfce20c8602461764.vir\.
>
>    (The error is something like already exists).
>
>   Have been running 1.69i7 since May and never saw that error.

This is something that we are looking into.  Right now, it seems that there 
is a problem with IMail v8 either locking files that it should not, or 
possibly calling Declude multiple times for the same E-mail.

   -Scott


[Declude.Virus] F-Prot - OT

2003-10-02 Thread Mark Smith
Does anyone know if the F-Prot real time scanner relies on the NTFS Change
notification kernel driver?

Here's my problem... I use Microsoft Index Server for web indexing. Index
Server and ANY Antivirus software that uses the NTFS Change notification
journal do not work together.
You get index corruptions, race conditions, etc.

I'm trying to find a working solution.



[Declude.Virus] IE Vulnerability

2003-10-02 Thread Stephan Fix
This is a bit off topic, but for anyone who doesn't monitor the NTBugTraq
list, check out the following post.  I've already had one user get nailed.

Steve

Yesterday NTBugtraq was informed of an active attack against users of
Internet Explorer. I'd like to thank Steve Shockley for informing me.

The attack comprised of a banner, hosted by FortuneCity.com, which in turn
used JavaScript to redirect the self-closing pop-under banner to a site
hosted by EV1.NET (Everyone's Internet.) An EV1.NET site then delivered
executable code which in turn invoked the HTA vulnerability.  

The HTA vulnerability is a known and as yet unpatched vulnerability in IE.

Interestingly, the vulnerability was described thoroughly by Thor Larholm on
Monday at the 5th annual NTBugtraq Retreat, prior to notification of the
active attack. He explains it much better than I, but my short version is;

When the Object Data vulnerability is exercised, IE renders and executes the
ActiveX object referenced in the JavaScript code. During the check to
determine whether the content is safe, IE mistakenly believes the ActiveX
object code to be simple HTML/Jscript. Therefore, it does not prompt to save
to disk. Subsequently, it remembers it is HTA content, and invokes MSHTA.EXE
to drop and execute the object code. That code is x[1].hta, which in turn
creates and executes AOLFIX.exe.

AOLFIX.EXE is downloaded into the \temp directory and executed, and deleted.

It caused a variety of actions;

1. It created empty directories called;

%systemdrive%:\bdtemp
%systemdrive%:\bdtemp\temp

2. It deleted AOLFIX.EXE

3. It created the following file, which contains the letter A;

%systemdrive%:\%systemroot%\winlog

4. It created a hosts file in the \%systemroot%\help directory which
contains numerous static IP address to search engine website mappings.

5. It created the following registry entries;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
r0x=your s0x
NameServer=69.57.146.14

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
NameServer=69.57.146.14

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DataBasePath=%SystemRoot%\help

At last check (8:15pm EDT 10/1/2003) the banner page at FortuneCity.com was
still serving up the banner which leads to the malcode.

We have received reports from many locations around the world indicating
they have had the effects of this. NAI is calling this QHOSTS-1, see
http://vil.nai.com/vil/content/v_100719.htm for more details.

Thus far there isn't much you can do beyond disabling Active Scripting
(Georgi's old mantra.)

If you apply default deny, the concept that your perimeter only allows out
that which you have permitted, then outbound DNS by clients will fail,
making them unable to browse or do anything involving DNS (including
internal DNS resolution.) If you don't use default deny, consider doing
so, or block outbound DNS (port 53) to thwart the replaced DNS entries.

Personal Firewalls which understand and can block specific applications from
accessing the network (such as Zone Labs, Symantec Personal Firewall, see
what you get if you come to the Retreat!), should be configured not to allow
MSHTA.EXE. The use of MSHTA in this attack doesn't prevent everything, but
it should prevent the redirected DNS from occurring.

Thor Larholm explained to me why disabling the HTA MIME type works. I really
should've been paying closer attention to his talk rather than trying to
talk over him...;-] Anyway, although IE is failing to properly handle the
content type application/hta when it checks if it should do a save-as
dialog, it does use it when it comes to render. Hence, it doesn't pop up,
but it does use the MIME type to determine what to invoke when it renders.
If you lose the key, even if only temporarily, it won't find MSHTA.EXE.

It is worth noting that disabling ActiveX (any of the number IE entries
which relate to ActiveX) will do nothing to prevent exploitation of this
vulnerability. The problem lies in the way IE perceives the content, and
while it should recognize it as ActiveX, it does not. Hence disabling
ActiveX will not provide a mitigator.

More tomorrow.

Cheers,
Russ - NTBugtraq Editor
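
A triage check built from the registry indicators listed in the post above, as an added example that is not part of the original message or of the NTBugtraq post. It assumes the input is the saved text of `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /s` from the host under review and that the set of approved resolvers is site-specific; the sample below is constructed, reusing the values quoted in the post.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Windows default directory for the hosts file; the post reports it moved to %SystemRoot%\help.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# A value line is indented: name, type, data separated by a tab or 2+ spaces.
VALUE_RE = re.compile(r"^\s+(\S.*?)(?:\t|\s{2,})(REG_\w+)(?:(?:\t|\s{2,})(.*))?$")


def parse_reg_query(text):
    """Return {key_path: {value_name_lowercased: data}} from `reg query /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = (m.group(3) or "").strip()
    return keys


def _norm(path):
    return path.strip().rstrip("\\").lower()


def audit(text, approved_resolvers):
    """Return a list of (finding, key, detail) tuples for the Tcpip\\Parameters subtree."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.upper().startswith(TCPIP.upper()):
            continue
        rel = key[len(TCPIP):]
        if rel and not rel.startswith("\\"):
            continue  # a sibling key that merely shares the prefix
        parts = [p for p in rel.split("\\") if p]

        # 1. Hosts-file directory moved away from the default location.
        if not parts and "databasepath" in values:
            if _norm(values["databasepath"]) != _norm(DEFAULT_DB_PATH):
                findings.append(("hosts-dir-redirected", key, values["databasepath"]))

        # 2. Interface subkeys are normally adapter GUIDs; the post shows one named "windows".
        if len(parts) == 2 and parts[0].lower() == "interfaces" and not GUID_RE.match(parts[1]):
            findings.append(("non-guid-interface-key", key, parts[1]))

        # 3. Statically configured resolvers that are not on the approved list.
        for ip in re.split(r"[,\s]+", values.get("nameserver", "")):
            if ip and ip not in approved_resolvers:
                findings.append(("unapproved-nameserver", key, ip))
    return findings


# Constructed sample: the first three keys mirror the entries quoted in the post,
# the last is an untouched adapter using an approved (documentation-range) resolver.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\help
    Hostname    REG_SZ    ws-example

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows
    r0x    REG_SZ    your s0x
    NameServer    REG_SZ    69.57.146.14

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}
    NameServer    REG_SZ    69.57.146.14

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    NameServer    REG_SZ    192.0.2.53
"""

if __name__ == "__main__":
    for finding, key, detail in audit(SAMPLE, {"192.0.2.53"}):
        print(f"{finding}: {detail}  [{key}]")
```

A host that reports any of these findings should also have the hosts file in the redirected directory reviewed, since the post says it carries the static search-engine mappings.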



RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Chad Killion
Well, I have upgraded to 3.14, but still see TONS of these viruses getting
through.  Please help if you can...

Chad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Wednesday, October 01, 2003 5:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MS Security Patch Emails

> No wonder I'm still getting slammed with systems trying to send this virus
> to my users.

This was a big thread back in July. F-Prot was only catching the Blaster
worm if it tried to run (Desktop Real Time). But it was not detected in the
scanning of email even after the definition file updates. F-Prot released
3.14a to fix this in the actual engine. I was blocking it by banned file
extensions! So this was another valid reason to block certain extensions.


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Darrell LaRock
Chad,

Is there any reason why you can't filter on common virus extensions?  This
will cut down on many viruses.  It is common practice not to accept exe, com,
bat, pif, scr, and the list goes on...

Darrell


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

Well, I have upgraded to 3.14, but still see TONS of these viruses getting
through.  Please help if you can...

Chad



[Declude.Virus] F-Prot vs Other brands

2003-10-02 Thread Greg Foulks
With the problems I've seen with F-Prot, like the one mentioned below, why
did you F-Prot users choose F-Prot over other brands like McAfee?

Greg

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails


Well, I have upgraded to 3.14, but still see TONS of these viruses getting
through.  Please help if you can...

Chad



RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Chad Killion
We have never filtered EXE before, so it would just cause too many problems
to do this now.  We have well over 25 thousand customers using this server,
and I hate to spring something like that on them.  The others, sure, we can
exclude those, but just don't want to do EXE.  Thanks.

Chad


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
Sent: Thursday, October 02, 2003 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

Chad,

Is there any reason why you can't filter on common virus extensions?  This
will cut down on many viruses.  It is common practice not to accept exe, com,
bat, pif, scr, and the list goes on...

Darrell




RE: [Declude.Virus] F-Prot vs Other brands

2003-10-02 Thread Kami Razvan
Hi;
We have never had any problem with F-Prot.  It has always been working
perfectly.. In all these years the Message.zip was the only incident that
they were late in releasing the signature but that was because of the nature
of the virus that required them to fix something in their code.

F-Prot:  $50
McAfee:  cost per mailbox.. 

At what it will cost you to add McAfee you can add:

F-Prot, AVG, and F-Secure and still have money left in the bank.

We have multiple scanners (3) and even if F-Prot fails the other two pick it
up.  I highly recommend that you consider having at least 2 scanners...
Declude virus pro allows you to do this and it is a much safer path to
travel.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks
Sent: Thursday, October 02, 2003 11:19 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot vs Other brands


With the problems I've seen with F-Prot like the one mentioned below. Why
did you F-Prot users choose F-Prot over other brands like McAfee?

Greg

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails


Well, I have upgraded to 3.14, but still see TONS of these viruses getting
through.  Please help if you can...

Chad




RE: [Declude.Virus] F-Prot vs Other brands

2003-10-02 Thread Paul Navarre
> With the problems I've seen with F-Prot like the one mentioned below. Why
> did you F-Prot users choose F-Prot over other brands like McAfee?

Something is probably not right in his configuration, as this problem has
not been reported on machines running the latest f-prot version. We
certainly stop everything that is thrown at us, at least as I write this!

F-Prot had a 100% record for us in terms of timely releases until they
messed up with one of the latest viruses and did not get a satisfactory
release out until 3 days later. This has prompted many of us to add a 2nd
scanner, but nevertheless their history has been very, very good.

The biggest reason I think F-Prot is so popular is that their license is
very straight-forward. With the bigger players, they really want you to buy
one license for each of your mailboxes. There are often legal or at least
plausibly legal ways around this in some cases, but I know I feel better
about having a license with F-Prot that seems about as clear as you can make
it. Additionally it is cheap and I have had good luck with support from them.

Paul Navarre



Re: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Jason Newland
I would suggest a notification to users telling them that as of X date, the
e-mail system will no longer accept/transmit e-mails that have .exe/.bat/or
whatever extensions attached.  Then give them a brief, and honest
explanation of the risks that it poses them and you.  You can even include
information on how to continue to send these files, but in a faster way
(zip)

Keeping up front and honest with your customers will always result in better
satisfaction.  You are perceived as looking out for them.


Jason

- Original Message -
From: Chad Killion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:36 AM
Subject: RE: [Declude.Virus] MS Security Patch Emails


> We have never filtered EXE before, so it would just cause too many problems
> to do this now.  We have well over 25 thousand customers using this server,
> and I hate to spring something like that on them.  The others, sure, we can
> exclude those, but just don't want to do EXE.  Thanks.

 Chad




RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Jeff Maze - Hostmaster
Hmm, I'd just send out an e-mail stating that due to recent influx of
viruses and viruses contained within EXE files, you're updating the mail
server security policy.  Then state that beginning %on this date% the
following file extensions will be blocked:  yadda-yadda-yadda.

Most will be angry that you're doing this, but ask them to zip the files if
they wish for them to be sent.  I know about the customer support aspect of
it, but if you explain that you're watching out for their well-being from a
possible virus infection stand-point, a lot will see your point and that'll
be the end of it.

Sometimes it's good to be the administrator..  Hahaha


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails


We have never filtered EXE before, so it would just cause too many problems
to do this now.  We have well over 25 thousand customers using this server,
and I hate to spring something like that on them.  The others, sure, we can
exclude those, but just don't want to do EXE.  Thanks.

Chad




RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Greg Foulks
If you don't start to block these dangerous extensions it's just going to
continue to cause you problems in the future.

My users were not happy at first, but after I explained why, they were all
more than happy to help fight the spread of viruses.

Greg



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jason Newland
Sent: Thursday, October 02, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MS Security Patch Emails


I would suggest a notification to users telling them that as of X date, the
e-mail system will no longer accept/transmit e-mails that have .exe/.bat/or
whatever extensions attached.  Then give them a brief, and honest
explanation of the risks that it poses them and you.  You can even include
information on how to continue to send these files, but in a faster way
(zip)

Keeping up front and honest with your customers will always result in better
satisfaction.  You are perceived as looking out for them.


Jason

- Original Message -
From: Chad Killion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:36 AM
Subject: RE: [Declude.Virus] MS Security Patch Emails


 We have never filtered EXE before, so it would just cause too many
problems
 to do this now.  We have well over 25 thousand customers using this
server,
 and I hate to spring something like that on them.  The others, sure, we
can
 exclude those, but just don't want to do EXE.  Thanks.

 Chad


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
 Sent: Thursday, October 02, 2003 10:14 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MS Security Patch Emails

 Chad,

 Is there any reason why you can't filter on common virus extensions.  This
 will cutdown on many viruses.  It is common practice not to accept exe,
com,
 bat, pif, scr, and the list goes on...

 Darrell


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion
 Sent: Thursday, October 02, 2003 11:03 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MS Security Patch Emails

 Well, I have upgraded to 3.14, but still see TONS of these viruses getting
 through.  Please help if you can...

 Chad

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
 Sent: Wednesday, October 01, 2003 5:38 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] MS Security Patch Emails

  No wonder I'm still getting slammed with systems trying to send this virus
  to my users.

 This was a big thread back in July. F-Prot was only catching the Blaster
 worm if it tried to run (Desktop Real Time). But it was not detected in the
 scanning of email even after the definition file updates. F-Prot released
 3.14a to fix this in the actual engine. I was blocking it by banned file
 extensions! So this was another valid reason to block certain extensions.


 Sheldon


 Sheldon Koehler, Owner/Partner    http://www.tenforward.com
 Ten Forward Communications   360-457-9023
 Nationwide access, neighborhood support!

 Whenever you find yourself on the side of the majority, it's time
 to pause and reflect. Mark Twain





RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread R. Scott Perry

Well, I have upgraded to 3.14, but still see TONS of these viruses getting
through.  Please help if you can...

Have you checked to see that:

[1] They actually have an .exe (or similar) attachment?
[2] The attachment is not 0 bytes?
[3] The attachment is complete, and not truncated?

Any E-mails that don't meet those three requirements will normally not get 
caught (as they are safe, just annoying).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



[Declude.Virus] Forging Swen

2003-10-02 Thread Russ Uhte (Lists)
Maybe I'm mistaken, but this appears to be a Swen that was forged...  First 
one I've seen.



Declude Virus v1.75 caught the W32/[EMAIL PROTECTED] virus !!! in cgzkcu.exe
from [EMAIL PROTECTED] to:  [EMAIL PROTECTED]
***
Date:   10/02/2003 12:12:02
Subject:Error Advice
Spool File: D5c59512801169399.SMD
Remote IP:  212.216.176.221
Headers:
Received: from vsmtp1.tin.it [212.216.176.221] by mail.parallax.ws with ESMTP
  (SMTPD32-7.15) id AC5951280116; Thu, 02 Oct 2003 12:11:53 -0500
Received: from pldozduz (80.180.60.160) by vsmtp1.tin.it (7.0.019)
id 3F7A7F5E000EFB46; Thu, 2 Oct 2003 18:59:10 +0200
Date: Thu, 2 Oct 2003 18:59:10 +0200 (added by [EMAIL PROTECTED])
Message-ID: [EMAIL PROTECTED] (added by [EMAIL PROTECTED])
FROM: Admin [EMAIL PROTECTED]
TO: Inet Recipient [EMAIL PROTECTED]
SUBJECT: Error Advice
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary=fievnuwaehso
***
-Russ 



RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Chad Killion
What is the best way to exclude these in your opinion???  Can Declude do it,
or Imail?

Chad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, October 02, 2003 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

Chad, exe is the absolute first extension that should be banned.

In the three years I have been doing this, I have had a handful of
complaints about this. Once I explained the reason, they agreed.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread John Tolmachoff (Lists)
With Declude Virus.

In the Virus.cfg file, for each banned extension, you have a line like so:

BANEXT  exe
BANEXT  pif

And so forth.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus-
 [EMAIL PROTECTED] On Behalf Of Chad Killion
 Sent: Thursday, October 02, 2003 1:31 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MS Security Patch Emails
 
 What is the best way to exclude these in your opinion???  Can Declude do it,
 or Imail?
 
 Chad
 

RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Chad Killion
So with that done, what does the user sending the executable get?  Do they
get a returned email with an error, and if so, would you be so kind as to
show me what message you show people.  I just hate to jump in blind, if
someone already has it figured out.

Chad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, October 02, 2003 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

With Declude Virus.

In the Virus.cfg file, for each banned extension, you have a line like so:

BANEXT  exe
BANEXT  pif

And so forth.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com



RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Kami Razvan
 
Chad:

This is what we have in our virus.cfg file.  No regrets and no apologies for
blocking them.  We think of this as a fact of life... 

BANEXT  asp
BANEXT  bas
BANEXT  bat
BANEXT  CEO
BANEXT  chm
BANEXT  cmd
BANEXT  com
BANEXT  exe
BANEXT  hlp
BANEXT  hta
BANEXT  inf
BANEXT  isp
BANEXT  js
BANEXT  jse
BANEXT  lnk
BANEXT  msi
BANEXT  mst
BANEXT  pcd
BANEXT  pif
BANEXT  reg
BANEXT  scr
BANEXT  url
BANEXT  vbe
BANEXT  vbs
BANEXT  ws
BANEXT  wsh

BANEXT  ad
BANEXT  adp 
BANEXT  crt 
BANEXT  ins 
BANEXT  mdb 
BANEXT  mde 
BANEXT  msc 
BANEXT  msp 
BANEXT  sct 
BANEXT  shb 
BANEXT  vb
BANEXT  wsc 
BANEXT  wsf 
BANEXT  cpl 
BANEXT  shs 
BANEXT  vsd 
BANEXT  vst
BANEXT  vss 
BANEXT  vsw

This has been discussed in the list a while back and there are links on
the Microsoft web site that explain most of these.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 4:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

What is the best way to exclude these in your opinion???  Can Declude do it,
or Imail?

Chad
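
The BANEXT list above and the three checks given earlier in the thread (an executable attachment is present, it is not 0 bytes, it is not truncated) can be tried offline against a saved message. The Python below is an added example, not Declude's code and not part of the original thread; matching on the last extension without regard to case, the helper names, and the sample messages are assumptions constructed for illustration.

```python
import base64
import binascii
import email
import os

# Constructed virus.cfg fragment in the BANEXT syntax shown in the thread.
SAMPLE_CFG = "BANEXT  exe\nBANEXT  pif\nBANEXT  scr\n"

# Constructed placeholder bytes standing in for an attachment body.
PAYLOAD = b"constructed placeholder bytes, not a program"
FULL_B64 = base64.b64encode(PAYLOAD).decode("ascii")


def load_banned_extensions(cfg_text):
    """Collect lower-cased extensions from BANEXT lines; other lines are ignored."""
    banned = set()
    for line in cfg_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].upper() == "BANEXT":
            banned.add(fields[1].lstrip(".").lower())
    return banned


def build_sample(filename, body_b64, closed=True):
    """Build a constructed message with one base64 attachment (test input only)."""
    lines = [
        "From: sender@example.test",
        "To: rcpt@example.test",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "see attachment",
        "--b1",
        f'Content-Type: application/octet-stream; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{filename}"',
        "",
        body_b64,
    ]
    # Leaving out the closing boundary imitates a transfer that was cut off.
    if closed:
        lines.append("--b1--")
    return "\n".join(lines) + "\n"


def base64_body_complete(part):
    """True when the base64 text is whole 4-character groups that decode cleanly."""
    text = "".join((part.get_payload(decode=False) or "").split())
    if len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
    except binascii.Error:
        return False
    return True


def triage(raw_message, banned):
    """Report, per named attachment, the BANEXT match and the size/truncation checks.

    An empty list means the message carries no named attachment (check [1]).
    """
    msg = email.message_from_string(raw_message)
    # A multipart body that never reaches its "--boundary--" line was cut off.
    cut_off = any(
        part.is_multipart() and f"--{part.get_boundary()}--" not in raw_message
        for part in msg.walk()
    )
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        # Assumption: only the last extension counts, compared case-insensitively.
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        truncated = cut_off or (cte == "base64" and not base64_body_complete(part))
        size = None if truncated else len(part.get_payload(decode=True) or b"")
        status = "truncated" if truncated else ("empty" if size == 0 else "complete")
        findings.append(
            {"name": name, "banned": ext in banned, "size": size, "status": status}
        )
    return findings


if __name__ == "__main__":
    rules = load_banned_extensions(SAMPLE_CFG)
    for body, closed in ((FULL_B64, True), ("", True), (FULL_B64[:-5], False)):
        print(triage(build_sample("update.EXE", body, closed), rules))
```

A name that matches the ban list is flagged in all three cases, while only the "complete" case carries a payload that a signature scanner could match.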



RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Chad Killion
Ok thanks, but what does a user who sends this type of ext get from our
server?  Is there some sort of eml file I need to add?

Chad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, October 02, 2003 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

 
Chad:

This is what we have in our virus.cfg file.  No regrets and no apologies for
blocking them.  We think of this as a fact of life... 

BANEXT  asp
BANEXT  bas
BANEXT  bat
BANEXT  CEO
BANEXT  chm
BANEXT  cmd
BANEXT  com
BANEXT  exe
BANEXT  hlp
BANEXT  hta
BANEXT  inf
BANEXT  isp
BANEXT  js
BANEXT  jse
BANEXT  lnk
BANEXT  msi
BANEXT  mst
BANEXT  pcd
BANEXT  pif
BANEXT  reg
BANEXT  scr
BANEXT  url
BANEXT  vbe
BANEXT  vbs
BANEXT  ws
BANEXT  wsh

BANEXT  ad
BANEXT  adp 
BANEXT  crt 
BANEXT  ins 
BANEXT  mdb 
BANEXT  mde 
BANEXT  msc 
BANEXT  msp 
BANEXT  sct 
BANEXT  shb 
BANEXT  vb
BANEXT  wsc 
BANEXT  wsf 
BANEXT  cpl 
BANEXT  shs 
BANEXT  vsd 
BANEXT  vst
BANEXT  vss 
BANEXT  vsw

This has been discussed in the list a while back and there are links on
the Microsoft web site that explain most of these.

Regards,
Kami



[Declude.Virus] Spoofed Addresses

2003-10-02 Thread Chad Killion
I am sure this has been discussed many times in the past, but I have been
out of the loop, so forgive me for asking again.  How do you notify your
customers who send viruses without notifying the ones with spoofed return
addresses?  When we had the SoBig virus going around, we had to literally
shut off our notifications because people were blacklisting us because we
were sending them Virus messages even though they didn't send the virus.
Thanks in advance.

Chad




RE: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Kami Razvan
 
If you look at the manual site you will see the email called:  Bannotify.eml

That is what is sent when a banned extension is sent.  I will send you a
copy off list of what we have.

Regards,
Kami




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MS Security Patch Emails

Ok thanks, but what does a user who sends this type of ext get from our
server?  Is there some sort of eml file I need to add?

Chad



Re: [Declude.Virus] Spoofed Addresses

2003-10-02 Thread R. Scott Perry

I am sure this has been discussed many times in the past, but I have been
out of the loop, so forgive me for asking again.  How do you notify your
customers who send viruses without notifying the ones with spoofed return
addresses?  When we had the SoBig virus going around, we had to literally
shut off our notifications because people were blacklisting us because we
were sending them Virus messages even though they didn't send the virus.

There are two ways to handle this.

Originally, the SKIPIFVIRUSNAMEHAS option was used to handle this.  If you 
do that, you need to keep your \IMail\Declude\sender.eml and 
\IMail\Declude\otherpostmaster.eml files up-to-date as new forging viruses 
appear.

However, starting with v1.76, Declude Virus will automatically check with 
our server to see if a virus is a forging virus, and automatically suppress 
the appropriate notifications if it is.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.Virus] Spoofed Addresses

2003-10-02 Thread Panda Consulting S.A. Luis Alberto Arango








Use the SKIPIFVIRUSNAMEHAS command in your sender.eml, that way a
notification will not be sent to sender if a specific virus is caught

For example.. here is what we have in sender.eml at the beginning of
the file

SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Hybris
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFSENDER @boss.com

Make sure there is only one space between the command and the name of
the virus or vulnerability.

I am also sending you a table with the available commands. They are very
useful, you may want to take a look at them.

The following table is from the manual

Each command needs to be on a line by itself. You need to make
sure that these options (and any To:, From:, or Subject: lines) appear before
the first blank line in the E-mail template file.


 
  
Command:     ONLYSENDIFLOCALSENDER
Restriction: Will only send the notification if the sender of the virus is a local user.
Usage:       ONLYSENDIFLOCALSENDER

Command:     ONLYSENDIFREMOTESENDER
Restriction: Will only send the notification if the sender of the virus is a remote user.
Usage:       ONLYSENDIFREMOTESENDER

Command:     ONLYSENDIFSENDER
Restriction: Will only send the notification if the sender of the virus is one you specify.
Usage:       ONLYSENDIFSENDER [EMAIL PROTECTED]
             ONLYSENDIFSENDER @example.com

Command:     ONLYSENDIFLOCALRECIPIENT
Restriction: Will only send the notification if the recipient of the virus is a local user.
Usage:       ONLYSENDIFLOCALRECIPIENT

Command:     ONLYSENDIFREMOTERECIPIENT
Restriction: Will only send the notification if the recipient of the virus is a remote user.
Usage:       ONLYSENDIFREMOTERECIPIENT

Command:     SKIPIFSENDER
Restriction: Will not send the notification if the sender of the virus is one that you specify.
Usage:       SKIPIFSENDER [EMAIL PROTECTED]
             SKIPIFSENDER @example.com

Command:     SKIPIFRECIP
Restriction: Will not send the notification if the recipient of the virus is one that you specify.
Usage:       SKIPIFRECIP [EMAIL PROTECTED]
             SKIPIFRECIP @example.com

Command:     SKIPIFVIRUSNAMEHAS
Restriction: Will not send the notification if the virus name has the text that you specify.
Usage:       SKIPIFVIRUSNAMEHAS Klez

Command:     SKIPIFVIRUSNAMEDOESNOTHAVE
Restriction: Will not send the notification if the virus name does not have the text that you specify.
Usage:       SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
  
 






I hope it helps.. regards



Luis



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Chad Killion
Sent: Thursday, October 02, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Spoofed Addresses



I am sure this has been discussed many times in the past, but I have been
out of the loop, so forgive me for asking again.  How do you notify your
customers who send viruses without notifying the ones with spoofed return
addresses?  When we had the SoBig virus going around, we had to literally
shut off our notifications because people were blacklisting us because we
were sending them Virus messages even though they didn't send the virus.
Thanks in advance.



Chad






__

[Email scanned for viruses by Panda Consulting -www.pandacons.com-]
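
How the directives in the table combine to allow or suppress a notification can be checked before a template goes live. The Python below is an added illustration, not Declude's implementation and not part of the original thread; case-insensitive substring matching, treating a leading "@" as a domain match, and refusing to rely on lines with extra spaces or lines placed after the first blank line are assumptions, and the addresses and virus names are constructed.

```python
# Directive names are taken from the table quoted in the thread.
NO_ARG = {"ONLYSENDIFLOCALSENDER", "ONLYSENDIFREMOTESENDER",
          "ONLYSENDIFLOCALRECIPIENT", "ONLYSENDIFREMOTERECIPIENT"}
WITH_ARG = {"ONLYSENDIFSENDER", "SKIPIFSENDER", "SKIPIFRECIP",
            "SKIPIFVIRUSNAMEHAS", "SKIPIFVIRUSNAMEDOESNOTHAVE"}

# Constructed template: the directive lines are the ones posted in the thread,
# the From/Subject lines and the body are invented for the example.
SENDER_EML = """\
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Hybris
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFSENDER @boss.com
From: postmaster@mail.example.test
Subject: Virus found in your message

A message you sent was stopped by the virus scanner.
"""

# Constructed template with the two mistakes the thread warns about:
# two spaces after the command, and a directive below the first blank line.
BROKEN_EML = """\
SKIPIFVIRUSNAMEHAS  Sobig
Subject: Virus found in your message

SKIPIFVIRUSNAMEHAS Klez
Body text.
"""


def parse_template(text):
    """Return (rules, warnings); rules is a list of (command, argument)."""
    rules, warnings = [], []
    in_header = True
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            in_header = False  # the first blank line ends the option block
            continue
        command, _, rest = line.partition(" ")
        if command not in NO_ARG | WITH_ARG:
            continue  # To:/From:/Subject: lines or body text
        if not in_header:
            warnings.append(f"line {number}: {command} is below the first blank line")
            continue
        if command in WITH_ARG and (not rest or rest != rest.strip()):
            warnings.append(
                f"line {number}: {command} needs exactly one space, then its argument")
            continue
        rules.append((command, rest.strip()))
    return rules, warnings


def address_matches(address, pattern):
    """Assumption: '@domain' matches by domain, anything else by exact address."""
    address, pattern = address.lower(), pattern.lower()
    return address.endswith(pattern) if pattern.startswith("@") else address == pattern


def is_local(address, local_domains):
    return address.rpartition("@")[2].lower() in local_domains


def should_send(rules, sender, recipient, virus_name, local_domains):
    """Decide whether the notification would go out under the parsed rules."""
    allowed = [arg for cmd, arg in rules if cmd == "ONLYSENDIFSENDER"]
    # Assumption: several ONLYSENDIFSENDER lines act as an allow-list.
    if allowed and not any(address_matches(sender, arg) for arg in allowed):
        return False
    name = virus_name.lower()
    sender_local = is_local(sender, local_domains)
    recipient_local = is_local(recipient, local_domains)
    for cmd, arg in rules:
        blocked = (
            (cmd == "ONLYSENDIFLOCALSENDER" and not sender_local)
            or (cmd == "ONLYSENDIFREMOTESENDER" and sender_local)
            or (cmd == "ONLYSENDIFLOCALRECIPIENT" and not recipient_local)
            or (cmd == "ONLYSENDIFREMOTERECIPIENT" and recipient_local)
            or (cmd == "SKIPIFSENDER" and address_matches(sender, arg))
            or (cmd == "SKIPIFRECIP" and address_matches(recipient, arg))
            or (cmd == "SKIPIFVIRUSNAMEHAS" and arg.lower() in name)
            or (cmd == "SKIPIFVIRUSNAMEDOESNOTHAVE" and arg.lower() not in name)
        )
        if blocked:
            return False
    return True
```

With the broken template no rule survives parsing, so a notification for a forging virus would still be sent to the spoofed address; the warnings point at the lines to fix.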
