Re: [Declude.Virus] Current Forging Virus list

2003-11-26 Thread Djerr C. de Meijer
Hy,

To go OT a bit, what the hell is forging dns?

I know dns but forging.. Probably something simple though. :P

D.C.

- Original Message - 
From: Bonno Bloksma [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: R. Scott Perry [EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:09 PM
Subject: Re: [Declude.Virus] Current Forging Virus list


 Hi,

 My list is a bit longer and isn't it Dumaru instead of Dumar?

 FORGINGVIRUS Avril
 FORGINGVIRUS Braid
 FORGINGVIRUS Bridex
 FORGINGVIRUS Bugbear
 FORGINGVIRUS Dumaru
 FORGINGVIRUS Fizzer
 FORGINGVIRUS Gibe
 FORGINGVIRUS Hybris
 FORGINGVIRUS Klez
 FORGINGVIRUS Lentin
 FORGINGVIRUS Magistr
 FORGINGVIRUS Mimail
 FORGINGVIRUS Palyh
 FORGINGVIRUS Sefex
 FORGINGVIRUS Sober
 FORGINGVIRUS Sobig
 FORGINGVIRUS Swen
 FORGINGVIRUS Yaha

 Scott, my list is also longer than the list in the sender.eml file. You are
 missing Avril, Gibe, Hybris, Sefex and Swen. Are those not forging viruses?
 I only add them to my list after receiving delivery errors which state
 unknown mailbox or something like it.

 Also you have Dumar instead of Dumaru. Sophos does not know a Dumar virus
 but does know of a Dumaru virus. Same for F-prot.

 Maybe a good idea to have these standard in the virus.cfg file and adapt
 the *.eml files into using the line SKIPIFSENDER [Forged], that way all
 maintenance is done at one place, no need to update multiple eml files, no
 confusing the user with invalid e-mail addresses. Of course your forging
 dns server is even better but this is a good starting place for those that
 don't want that for whatever reason.

 Regards,

 Bonno Bloksma
  Back up my hard drive? How do I put it in reverse?

 - Original Message -
 From: Karen D. Oland [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, November 25, 2003 7:46 PM
 Subject: RE: [Declude.Virus] Current Forging Virus list


  I've also seen these identified with forged addresses:
 
  FORGINGVIRUS Mimail
  FORGINGVIRUS Dumar
  FORGINGVIRUS Sober
  FORGINGVIRUS Holar
 
   Is this a good current list?
  
   FORGINGVIRUS Braid
   FORGINGVIRUS Bridex
   FORGINGVIRUS Bugbear
   FORGINGVIRUS Hybris
   FORGINGVIRUS Lentin
   FORGINGVIRUS Klez
   FORGINGVIRUS Magistr
   FORGINGVIRUS Sobig
   FORGINGVIRUS Vulnerability
   FORGINGVIRUS Yaha
   FORGINGVIRUS Fizzer
   FORGINGVIRUS Palyh


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
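
The list comparison done by hand in the message above can be scripted. This is an added example, not part of the original posts and not Declude code; the helper names (`parse_forging`, `audit`, `as_cfg`) are hypothetical, and the parser assumes one `FORGINGVIRUS <name>` directive per line. The thread does not say how Declude matches these names against scanner output, so the script only reports differences and likely truncations.

```python
def parse_forging(cfg_text):
    """Return the names on FORGINGVIRUS lines; any other line is ignored."""
    names = []
    for line in cfg_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].upper() == "FORGINGVIRUS":
            names.append(parts[1])
    return names


def audit(mine, theirs):
    """Compare two name lists case-insensitively.

    Returns (only_mine, only_theirs, suspects). A suspect is a pair
    (shorter, longer) found on opposite sides where one name is a prefix
    of the other, the pattern a truncated entry leaves behind.
    """
    a = {n.lower(): n for n in mine}
    b = {n.lower(): n for n in theirs}
    only_a, only_b = set(a) - set(b), set(b) - set(a)
    suspects = []
    for x in sorted(only_a):
        for y in sorted(only_b):
            if x.startswith(y) or y.startswith(x):
                short, long_ = sorted((a[x], b[y]), key=len)
                suspects.append((short, long_))
    paired = {n.lower() for pair in suspects for n in pair}
    only_mine = sorted(a[k] for k in only_a - paired)
    only_theirs = sorted(b[k] for k in only_b - paired)
    return only_mine, only_theirs, suspects


def as_cfg(names):
    """Build virus.cfg-style text from a space-separated name string."""
    return "\n".join("FORGINGVIRUS " + n for n in names.split())


# Names copied from the two lists quoted in the thread above.
BONNO = as_cfg("Avril Braid Bridex Bugbear Dumaru Fizzer Gibe Hybris Klez "
               "Lentin Magistr Mimail Palyh Sefex Sober Sobig Swen Yaha")
EARLIER = as_cfg("Braid Bridex Bugbear Hybris Lentin Klez Magistr Sobig "
                 "Vulnerability Yaha Fizzer Palyh Mimail Dumar Sober Holar")

if __name__ == "__main__":
    mine, theirs, typos = audit(parse_forging(BONNO), parse_forging(EARLIER))
    print("only in first list: ", mine)
    print("only in second list:", theirs)
    print("possible typos:     ", typos)
```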


Re: [Declude.Virus] Current Forging Virus list

2003-11-26 Thread Bonno Bloksma
Hi,

 To go OT a bit, what the hell is forging dns?

You know what a forging virus is?

 I know dns

And you know what dns is. Now of course you have heard of spammers and
probably also of dns blacklists? Well, the forging dns is a dns-alike
server that keeps a list of virus names which are forging viruses and is
maintained by/for Declude.

 but forging..

Yeah. :) It's not the dns which is being forged which kinda gets you on the
wrong track.

 Probably something simple though. :P

Yup. ;-)

Regards,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?

---
[This E-mail scanned for viruses by Declude Virus using f-prot and Sophos]



Re: [Declude.Virus] Current Forging Virus list

2003-11-26 Thread Djerr C. de Meijer
Tnx,

That explained a lot. Silly names. _

I shall lookup more info on it once, when I have time. (lol.. that's gonna be
a while) Sounds interesting to find out how it works. :)

Tnx again,

D.C.

- Original Message - 
From: Bonno Bloksma [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 8:54 AM
Subject: Re: [Declude.Virus] Current Forging Virus list


 Hi,

  To go OT a bit, what the hell is forging dns?

 You know what a forging virus is?

  I know dns

 And you know what dns is. Now of course you have heard of spammers and
 probably also of dns blacklists? Well, the forging dns is a dns-alike
 server that keeps a list of virus names which are forging viruses and is
 maintained by/for Declude.

  but forging..

 Yeah. :) It's not the dns which is being forged which kinda gets you on
 the wrong track.

  Probably something simple though. :P

 Yup. ;-)

 Regards,

 Bonno Bloksma
  Back up my hard drive? How do I put it in reverse?



[Declude.Virus] f-prot question

2003-11-26 Thread Keith Johnson
Does anyone know what the command line string is for scanning your sig file to see if 
it is catching a certain named virus file?  I saw it posted over 6 months ago, 
however, I guess my search isn't picking it up.  Thanks,
 
Keith

Re: [Declude.Virus] f-prot question

2003-11-26 Thread Djerr C. de Meijer
I honestly have no clue. I force all my messages in textmode.
(makes this Nfyu  u dj)jgnr[yX XX:m fyu *{nyu  rzj j) 
in your sig a lot more interesting lol)

But I wonder, shouldn't it be somewhere in the f-prot manual? Or their site?

D.C.

- Original Message - 
From: Keith Johnson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 2:40 PM
Subject: [Declude.Virus] f-prot question


 Does anyone know what the command line string is for scanning your sig
 file to see if it is catching a certain named virus file?  I saw it posted
 over 6 months ago, however, I guess my search isn't picking it up.  Thanks,

 Keith


[Declude.Virus] Install for first time message repeats

2003-11-26 Thread Greg



I have declude running on my company's primary mail server and have
no problems whatsoever with that install and config.
However one of my colo customers purchased IMAIL and declude lite virus
version.
I set the server up just like mine but I keep getting an error when it
fires up.
declude.exe continues to say;
INSTALLING DECLUDE FOR THE FIRST TIME
INSTALLATION COMPLETE!
The above is written to the dec log file and NO vir log file is even
created.
What have I missed here?
Isn't the declude.exe file the same for all versions?
As I understand it the serial key is what determines what mode it runs
in, i.e. pro, standard or lite, virus spam and or hijack.
Please help me out as these folks have been getting virus scanned
emails from my server and now today they have no scanning taking
place.

Greg Hedgepath
[EMAIL PROTECTED]
http://www.CFHosting.net/

ICQ#: 290276 | AIM: colFu
Yahoo: cfhosting
msn:
[EMAIL PROTECTED]




[Declude.Virus] SysBug

2003-11-26 Thread Gufler Markus
I've received an alert about a new virus (not a worm) intended to gain remote access
over a backdoor. The virus has no replication functionality but is sent out like a
spam message directly to many many recipients.

In the meantime I recommend to add a line

BANNAME private.zip

to your virus.cfg file.



---
Gufler Markus 
 


Re: [Declude.Virus] Install for first time message repeats

2003-11-26 Thread R. Scott Perry

 However one of my colo customers purchased IMAIL and declude lite virus
 version.
 I set the server up just like mine but I keep getting an error when it
 fires up.
 declude.exe continues to say;
 INSTALLING DECLUDE FOR THE FIRST TIME
 INSTALLATION COMPLETE!
 The above is written to the dec log file and NO vir log file is even created.
 What have I missed here?

What I would recommend is following the Emergency Uninstall procedure in
the manual, and then re-installing it.  It looks like there may have been a
problem writing to the registry the first time it was installed.

 Isn't the declude.exe file the same for all versions?
 As I understand it the serial key is what determines what mode it runs in,
 i.e. pro, standard or lite, virus spam and or hijack.

That is correct.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.Virus] Install for first time message repeats

2003-11-26 Thread Djerr C. de Meijer



perhaps you should include the virus.cfg (code blanked out unless it's
directed to scott alone)
A nice thing to check is if the SMTP service sees "Declude.exe" as its
executable.
If not put it up manually, check the registry (read the manual at
http://www.declude.com/virus/manual.htm for more details) and reload the
SMTP service.
And to make it real easy:
the key to check is HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName
yet if you can change it in IMail it's probably ok.

I am guessing here but I think it fails to setup declude.exe as the SMTP
.exe.

D.C.

  - Original Message -
  From: Greg
  To: [EMAIL PROTECTED]
  Sent: Wednesday, November 26, 2003 2:53 PM
  Subject: [Declude.Virus] Install for first time message repeats

  I have declude running on my company's primary mail server and
  have no problems whatsoever with that install and config.
  However one of my colo customers purchased IMAIL and declude lite virus
  version.
  I set the server up just like mine but I keep getting an error when it
  fires up.
  declude.exe continues to say;
  INSTALLING DECLUDE FOR THE FIRST TIME
  INSTALLATION COMPLETE!
  The above is written to the dec log file and NO vir log file is even
  created.
  What have I missed here?
  Isn't the declude.exe file the same for all versions?
  As I understand it the serial key is what determines what mode it runs
  in, i.e. pro, standard or lite, virus spam and or hijack.
  Please help me out as these folks have been getting virus scanned emails
  from my server and now today they have no scanning taking place.

  Greg Hedgepath
  [EMAIL PROTECTED]
  http://www.CFHosting.net/
  ICQ#: 290276 | AIM: colFu
  Yahoo: cfhosting
  msn: [EMAIL PROTECTED]


RE: [Declude.Virus] New virus in town..

2003-11-26 Thread Rick Klinge
Yes.. I think another poster recommended adding Private.zip into the declude
virus.cfg file to block that attachment

~Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
Sent: Wednesday, November 26, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] New virus in town..


Hi;
I think this is the one that was reported by Matt earlier..

Here is some release..

http://www.eweek.com/article2/0,4149,1396835,00.asp?kc=EWNWS112603DTX1K599

The Trojan arrives in an e-mail with an attachment that is zipped and
contains an executable. The e-mail begins:
Hello my dear Mary,
I have been thinking about you all night. I would like to apologize for the
other night when .
The message then goes into more explicit detail.
The e-mail comes from [EMAIL PROTECTED] and the subject line says
Re[2]: Mary.
===
Perhaps a block on:  [EMAIL PROTECTED]  is in order just in case.
Regards,
Kami

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
