RE: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

2004-03-08 Thread Peter Lowish
I have added 

BANEXT  EZIP
BANEZIPEXT  ON

To my virus.cfg file and tested it. No doubt that the passworded .zip files
are not getting through, but also normal .zip files are not either.

I am getting a little confused (but hey, that's easy for me) about it all now.

Is there something else I should or not be doing?

Peter  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Monday, 8 March 2004 9:21 p.m.
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Bagle.J / news.com article on AV software
opening zipped files.

BANEXT  EZIP
BANEZIPEXT  ON

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
> [EMAIL PROTECTED] On Behalf Of Bennie
> Sent: Sunday, March 07, 2004 4:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software 
> opening zipped files.
> 
> how would you ban encrypted zips...
> 
> signed
> Confused (aka Bennie)
> 
> 
> - Original Message -
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 04, 2004 6:22 PM
> Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software 
> opening zipped files.
> 
> 
> >
> > >that is going to be a challenge for Scott to incorporate in Declude
> > >:)
> >
> > It's unlikely that we will do this.  It makes for a great marketing 
> > gimmick, but won't work in the long term.  All it will take is for a
> virus
> > to say "The password is  1 2 3 4 5" or "The password is 12344 plus 
> > 1",
> and
> > those AV programs will quickly leave the spotlight.
> >
> > >We are an isp, and for us blocking zips is out of the question.
> >
> > Remember that all AV programs can catch viruses in standard .ZIP 
> > files.  It's only the encrypted .ZIP files that pose a problem, and 
> > it
> is
> > recommended that people block all encrypted .ZIP files (but allow
> standard
> > .ZIP files through).  That way, extremely few people are 
> > inconvenienced, but it would be very hard for a virus to get through.
> >
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail 
> > mailservers since 2000.
> > Declude Virus: Catches known viruses and is the leader in mailserver 
> > vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To 
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> > ---
> > [This E-mail scanned for viruses by Declude Virus]
> >
> >
> 
> 

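Scott's recommendation quoted above turns on telling an encrypted .ZIP from a plain one. As an added example, not Declude's code, here is how a gateway can make that distinction: the central directory of a ZIP is never encrypted, so the encryption bit and the name of every entry are readable without the password, which also means an extension ban list can still be applied to the contents of an encrypted archive. The ban list, the archive names and the build_zip() fixture are constructed for the demo.

```python
"""Added example, not Declude's code: tell an encrypted .ZIP from a plain one.

The ZIP central directory is never encrypted, so bit 0 of each entry's
general-purpose flag (the "encrypted" bit) and every entry name can be read
without the password. Ban list, names and build_zip() are demo constructs.
"""
import io
import struct
import zipfile

# Constructed ban list for the demo; not Declude's own BANEXT list.
BANNED_EXTENSIONS = {"exe", "pif", "scr", "com", "bat"}
ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose bit flag


def inspect_zip(data: bytes) -> dict:
    """List encrypted entries and entries whose names carry banned extensions.

    A malformed archive is reported, not raised: a gateway should treat an
    unparseable ZIP as suspicious rather than as clean.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except (zipfile.BadZipFile, struct.error, ValueError):
        return {"malformed": True, "encrypted": [], "banned": []}
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    banned = [i.filename for i in infos
              if "." in i.filename
              and i.filename.rsplit(".", 1)[1].lower() in BANNED_EXTENSIONS]
    return {"malformed": False, "encrypted": encrypted, "banned": banned}


def decide(data: bytes, ban_all_encrypted: bool = True) -> str:
    """Policy for one ZIP attachment.

    ban_all_encrypted=True blocks every encrypted ZIP (the list's advice).
    False blocks an encrypted ZIP only when an entry name has a banned
    extension, the one thing still visible when the content cannot be scanned.
    """
    report = inspect_zip(data)
    if report["malformed"]:
        return "BAN: malformed archive"
    if not report["encrypted"]:
        return "ALLOW: plain ZIP, contents can be scanned by AV"
    if ban_all_encrypted:
        return "BAN: encrypted entries " + ", ".join(report["encrypted"])
    hidden = sorted(set(report["encrypted"]) & set(report["banned"]))
    if hidden:
        return "BAN: encrypted entries with banned extension " + ", ".join(hidden)
    return "ALLOW: encrypted ZIP, no banned extensions among entry names"


def _set_flag(data: bytearray, offset: int) -> None:
    flags = struct.unpack_from("<H", data, offset)[0]
    struct.pack_into("<H", data, offset, flags | ENCRYPTED_FLAG)


def build_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Test fixture: a one-entry stored ZIP, optionally flagged as encrypted.

    zipfile cannot write encrypted archives, so the fixture writes a plain one
    and flips flag bit 0 in the local file header (flags at offset 6) and in
    the central directory header (flags at offset 8). The payload stays in the
    clear; only the flag changes, which is what the detector keys on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if not mark_encrypted:
        return bytes(data)
    if data[:4] != b"PK\x03\x04":
        raise ValueError("unexpected local file header")
    _set_flag(data, 6)
    # The end-of-central-directory record is the last 22 bytes (no comment);
    # the central directory offset is the 4-byte field at EOCD + 16.
    eocd = len(data) - 22
    if data[eocd:eocd + 4] != b"PK\x05\x06":
        raise ValueError("unexpected end-of-central-directory record")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if data[cd_offset:cd_offset + 4] != b"PK\x01\x02":
        raise ValueError("unexpected central directory header")
    _set_flag(data, cd_offset + 8)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "plain report.doc": build_zip("report.doc", b"quarterly figures", False),
        "encrypted photos.exe": build_zip("photos.exe", b"stand-in payload", True),
        "encrypted notes.txt": build_zip("notes.txt", b"stand-in payload", True),
        "not a zip": b"PK but not really an archive",
    }
    for label, blob in samples.items():
        print(f"{label:22} ban all encrypted: {decide(blob, True)}")
        print(f"{'':22} by entry name:     {decide(blob, False)}")
```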


RE: [Declude.Virus] Netsky.K is out

2004-03-08 Thread John Tolmachoff (Lists)
This is too funny: (From the Sophos report)

On 10 March 2004 W32/Netsky-K plays random sounds between 10 a.m. and 11
a.m.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Monday, March 08, 2004 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Netsky.K is out
> 
> At this rate, they are going to run out of version letters by the end of
> next week.
> 
> As it is, these new versions are merely the manifestation of the Netsky,
> MyDoom and Bagle authors fighting each other.
> 
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> 
> 
> 



RE: [Declude.Virus] CSonline Virus Log analyser

2004-03-08 Thread smb
John,

My apologies as I completely missed your first message.

Yes, this is something we will look into adding.


Stu




>Any comments?
>
>John Tolmachoff
>Engineer/Consultant/Owner
>eServices For You
>
>
>> -Original Message-
>> 
>> Feature request:
>> 
>> List number by extension messages held for banned extension.
>> 
>> John Tolmachoff
>> Engineer/Consultant/Owner
>> eServices For You
-
CSOnline Technical Support Normal hours - Monday thru Saturday 7am - 1am 
CSOnline Technical Support Summer hours - Monday thru Saturday 8am - 12pm 
 (June - July - August) 
CSOnline Technical Support Numbers 
Seneca814-677-2447   Clarion   814-227-3638   Cochranton   814-425-1696
Parker724-399-1158   GremLan   814-337-7060 
http://www.csonline.net  http://www.cshowcase.com  http://www.learncenter.com
http://www.gremlan.org  
-

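The feature request in this thread, a count of held messages per banned extension, can be produced from the Declude log itself. As an added example, not CSOnline's or Declude's code, the following Python groups log lines by queue id and counts each extension once per message; the line shape follows the log excerpt in Matt's Swen posting elsewhere on this page, while the sample lines (queue ids, addresses, the "incoming from" variant and the W32/Example.A name) are constructed.

```python
"""Added example, not CSOnline's or Declude's code: messages held per banned
extension, computed from Declude-style virus log lines.

Line shape follows the excerpt posted on the list:
"<date> <time> <queue id> <message>". The log below is constructed for the
demo; queue ids, addresses, the "incoming" variant and W32/Example.A are
placeholders.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<qid>\S+) (?P<msg>.*)$"
)
BAN_RE = re.compile(r"^Banning file with (?P<ext>\S+) extension(?: \[(?P<mime>[^\]]*)\])?\.?$")
VIRUS_RE = re.compile(r"^Scanner (?P<scanner>\d+): Virus=(?P<name>\S+) Attachment=(?P<att>\S+)")
DIRECTION_RE = re.compile(r"\[(?P<dir>incoming|outgoing)(?: from (?P<ip>[\d.]+))?\]")

CONSTRUCTED_LOG = """\
03/08/2004 09:12:01 Q000000000000a01 MIME file: invoice.exe [base64; Length=106496 Checksum=1]
03/08/2004 09:12:01 Q000000000000a01 Banning file with EXE extension [application/octet-stream].
03/08/2004 09:12:01 Q000000000000a01 Scanner 1: Virus=I-Worm/Swen.A Attachment=invoice.exe [1] O
03/08/2004 09:12:01 Q000000000000a01 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 106748]
03/08/2004 09:12:01 Q000000000000a01 From: sender@example.test To: user@example.test [incoming from 192.0.2.10]
03/08/2004 09:13:44 Q000000000000a02 Banning file with PIF extension [application/octet-stream].
03/08/2004 09:13:44 Q000000000000a02 Banning file with PIF extension [application/octet-stream].
03/08/2004 09:13:44 Q000000000000a02 From: a@example.test To: b@example.test [outgoing from 192.0.2.20]
03/08/2004 09:15:02 Q000000000000a03 Banning file with EXE extension [audio/x-wav].
03/08/2004 09:15:02 Q000000000000a03 Banning file with SCR extension [audio/x-wav].
03/08/2004 09:16:30 Q000000000000a04 Scanner 2: Virus=W32/Example.A Attachment=readme.zip [1] O
03/08/2004 09:16:30 Q000000000000a04 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 4096]
a stray non-log line that the parser must skip
"""


def parse_declude_log(text: str) -> dict:
    """Group log lines by queue id into one record per scanned message."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Declude log line; ignore rather than fail
        rec = records.setdefault(m["qid"], {
            "first_seen": f"{m['date']} {m['time']}",
            "banned_exts": set(), "viruses": set(), "direction": None,
        })
        msg = m["msg"]
        if ban := BAN_RE.match(msg):
            rec["banned_exts"].add(ban["ext"].upper())
        elif virus := VIRUS_RE.match(msg):
            rec["viruses"].add(virus["name"])
        elif msg.startswith("From:") and (d := DIRECTION_RE.search(msg)):
            rec["direction"] = d["dir"]
    return records


def held_by_extension(records: dict, only_uninfected: bool = False) -> Counter:
    """Number of distinct messages held per banned extension.

    A message with two .PIF attachments counts once for PIF; a message with an
    .EXE and an .SCR counts once under each. With only_uninfected=True, messages
    the scanners also flagged as infected are left out, which shows how many
    holds the extension ban contributed on its own.
    """
    counts = Counter()
    for rec in records.values():
        if only_uninfected and rec["viruses"]:
            continue
        for ext in rec["banned_exts"]:
            counts[ext] += 1
    return counts


def report(text: str) -> str:
    """Plain-text table: extension, messages held, held without a virus hit."""
    records = parse_declude_log(text)
    total = held_by_extension(records)
    ext_only = held_by_extension(records, only_uninfected=True)
    lines = ["ext   held  held-without-virus"]
    for ext, n in sorted(total.items()):
        lines.append(f"{ext:<5} {n:>4}  {ext_only[ext]:>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CONSTRUCTED_LOG))
```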


[Declude.Virus] Netsky.K is out

2004-03-08 Thread John Tolmachoff (Lists)
At this rate, they are going to run out of version letters by the end of
next week.

As it is, these new versions are merely the manifestation of the Netsky,
MyDoom and Bagle authors fighting each other.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.Virus] CSonline Virus Log analyser

2004-03-08 Thread Rodney Bertsch
I'll kick in my two cents, I'd love to see that option.  I always like to
know more info about how well Declude is protecting us.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Monday, March 08, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] CSonline Virus Log analyser


Any comments?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Tuesday, March 02, 2004 3:05 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] CSonline Virus Log analyser
>
> Feature request:
>
> List number by extension messages held for banned extension.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
>
>



Re: [Declude.Virus] Unknown Virus

2004-03-08 Thread R. Scott Perry

I'm getting LOTS of unknown viruses with Subject lines that look like 
W32/[EMAIL PROTECTED]
http://vil.nai.com/vil/content/v_101083.htm

McAfee does not yet have DAT 4335 released. Netsky.J likes to use *.pif files.
The "Unknown virus" will occur when a virus is detected, but the AV program 
doesn't know the name of it.  This normally happens either if the scanner 
doesn't report the name in a way that Declude Virus can find it (in which 
case it will affect all viruses that are detected), or if heuristics are 
used to detect the virus (in which case it will just catch one specific new 
virus, or several new viruses).

Question:
The new vulnerability tests for *.pif files, how do we expect them to appear?
If an invalid .PIF file arrives, it should appear as "[Invalid PIF 
Vulnerability]".

   -Scott


[Declude.Virus] Unknown Virus

2004-03-08 Thread Greg Little




I'm getting LOTS of unknown viruses with Subject lines that look like W32/[EMAIL PROTECTED]
http://vil.nai.com/vil/content/v_101083.htm

McAfee does not yet have DAT 4335 released. Netsky.J likes to use *.pif files.

Question:
The new vulnerability tests for *.pif files, how do we expect them to appear?


Declude Virus Ver. 1.78i11 caught the
Unknown Virus virus in Unknown File
  from [EMAIL PROTECTED].
to: [EMAIL PROTECTED].
  
Date: 03/08/2004 14:39:19
Subject: Re: Word file
Spool File: Dcbc1003201a89dfa.SMD
Remote IP: 63.251.31.9
  
In or Out: incoming
recipient host: thecourier.com
Sender Host: .dc.
  
Headers:
Received: from thecourier.com [63.251.31.9] by aristotle.thecourier.com
with ESMTP
(SMTPD32-8.05) id ABC13201A8; Mon, 08 Mar 2004 14:38:41 -0500
From: [EMAIL PROTECTED].
To: [EMAIL PROTECTED]
Subject: Re: Word file
Date: Mon, 8 Mar 2004 14:39:15 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0007_4DE0.4424"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <[EMAIL PROTECTED]>
X-IMAIL-SPAM-DNSBL:
(fiveten,3277224,internap.com.spam-support.blackholes.five-ten-sg.com)
  


or Similar to this

  Declude Virus Ver. 1.78i11 caught the [Outlook 'CR' Vulnerability] virus in [No attachment]
from [EMAIL PROTECTED] to:  [EMAIL PROTECTED].

Date:   03/08/2004 14:44:16
Subject:you could be john holmes
Spool File: Dcd0614ef022c9307.SMD
Remote IP:  4.60.6.94


-- 

	Greg Little




---
[This E-mail scanned for viruses by Findlay Internet]



RE: [Declude.Virus] CSonline Virus Log analyser

2004-03-08 Thread John Tolmachoff (Lists)
Any comments?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Tuesday, March 02, 2004 3:05 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] CSonline Virus Log analyser
> 
> Feature request:
> 
> List number by extension messages held for banned extension.
> 
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> 
> 
> 



Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread R. Scott Perry

I'm not seeing both a "From" and a "Mail from" listed in the headers that 
come back from Declude.
So, it must be in some detail that is not in %headers%.

I take it that Declude will send it to the "Mail from". Looks like I'll be 
testing with Swen Not  forging.
You'll see the return address in the X-Declude-Sender: header.  That's the 
only one that Declude Virus will use (for notifications, for example), and 
is not forged.  As others have pointed out, the From: header may be forged 
(but Declude Virus does not use that header).

   -Scott


Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Greg Little
I'm not seeing both a "From" and a "Mail from" listed in the headers 
that come back from Declude.
So, it must be in some detail that is not in %headers%.

I take it that Declude will send it to the "Mail from". Looks like I'll 
be testing with Swen Not  forging.

Greg  Little

Declude Virus Ver. 1.78i11 caught the  the W32/[EMAIL PROTECTED] virus !!! virus in 
installer87.exe
from [Forged] to:  [EMAIL PROTECTED]
Date:   03/06/2004 04:26:40
Subject:New Upgrade
Spool File: D994a044a012c7b3e.SMD
Remote IP:  211.1.69.194
In or Out:  incoming
recipient host: thecourier.com
Sender Host:watv.ne.jp
Headers:
Received: from mail.watv.ne.jp [211.1.69.194] by aristotle.thecourier.com with ESMTP
 (SMTPD32-8.05) id A94A44A012C; Sat, 06 Mar 2004 04:26:34 -0500
Received: from vdtpw (watv061215118115.watv.ne.jp [61.215.118.115])
by mail.watv.ne.jp (3.7Wpl21.0) with SMTP id SAA29658;
Sat, 6 Mar 2004 18:23:36 +0900 (JST)
Date: Sat, 6 Mar 2004 18:23:36 +0900 (JST)
Message-Id: <[EMAIL PROTECTED]>
FROM: "MS Technical Support" <[EMAIL PROTECTED]>
TO: "Microsoft Corporation Partner" <[EMAIL PROTECTED]>
SUBJECT: New Upgrade
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ereflgesxiszas"

Declude Virus Ver. 1.78i11 caught the  the W32/[EMAIL PROTECTED] virus !!! virus in 
aibogwws.exe
from [Forged] to:  [EMAIL PROTECTED]
Date:   03/06/2004 04:39:22
Subject:Error Announcement
Spool File: D9c44046401481b33.SMD
Remote IP:  211.1.69.194
In or Out:  incoming
recipient host: thecourier.com
Sender Host:watv.ne.jp
Headers:
Received: from mail.watv.ne.jp [211.1.69.194] by aristotle.thecourier.com with ESMTP
 (SMTPD32-8.05) id AC444640148; Sat, 06 Mar 2004 04:39:16 -0500
Received: from vdfuwqjk (watv061215118115.watv.ne.jp [61.215.118.115])
by mail.watv.ne.jp (3.7Wpl21.0) with SMTP id SAA29776;
Sat, 6 Mar 2004 18:24:15 +0900 (JST)
Date: Sat, 6 Mar 2004 18:24:15 +0900 (JST)
Message-Id: <[EMAIL PROTECTED]>
FROM: "MS Inet Storage Service" <[EMAIL PROTECTED]>
TO: "Inet Recipient" <[EMAIL PROTECTED]>
SUBJECT: Error Announcement
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="kmjwmzz"


Matt wrote:

Just to clarify.  Swen forges the From address, but not the Mail From 
address.

I'm reevaluating my choice to only send recipient notices.  I may just 
change to sender notifications only with SKIPIFFORGING.

Matt



R. Scott Perry wrote:


Yes, Swen forges.


FWIW, we haven't yet seen a single copy of Swen that forges.

   -Scott





Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Matt
Just to clarify.  Swen forges the From address, but not the Mail From 
address.

I'm reevaluating my choice to only send recipient notices.  I may just 
change to sender notifications only with SKIPIFFORGING.

Matt



R. Scott Perry wrote:


Yes, Swen forges.


FWIW, we haven't yet seen a single copy of Swen that forges.

   -Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread R. Scott Perry

Yes, Swen forges.
FWIW, we haven't yet seen a single copy of Swen that forges.

   -Scott


Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Greg Little




Yes, Swen forges.

I don't send any auto-notice to sender or recipient on forging viruses.
You don't know who the "real" sender is and it does nothing useful for
the recipient to hear "an unknown PC Sent you a virus, but it was
blocked by the server".

For most of the Macro viruses (and some of the other non-forging) you
do want both to get a notice.

Greg Little


This is from F-Secure's site
http://www.f-secure.com/v-descs/swen.shtml

The attachment name, subject and part of the infected message are randomly composed from text strings hardcoded in the worm's body.

The fake sender's address is selected from the following parts:

  MS
  Microsoft
  Corporation
  Program
  Internet
  Network
  Security
  Division
  Section
  Department
  Center
  Technical
  Public
  Customer
  Bulletin
  Services
  Assistance
  Support

The domain name for these e-mails is selected from the following parts:

  news
  bulletin
  confidence
  advisor
  updates
  technet
  support
  newsletters

The domain suffix for these e-mails is selected from the following parts:

  ms
  msn
  msdn
  microsoft

followed by one of the following:

  .com
  .net



John Tolmachoff (Lists) wrote:

SWEN is not known to be forging. Every one that I have seen came from the sender that was indeed infected.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You







CBL:Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Matt




Swen does forge.  Sometimes it sends a fake bounce message to spread
which is different from the primary payload.  The message also will
forge the From address while using the Mail From of the infected
computer.

I'm thinking this is more so the difference between what we consider
forging, and why we individually use SKIPIFFORGING.  My only reason for
sending virus notifications to my own clients right now is to show them
when something like an infected document was intercepted from a real
sender, and anything that forges whatsoever would be considered
something to skip.  For instance, I used to have a form for one client
where people could upload resumes, and my server would forward these
resumes to them in E-mail, but they were regularly infected with macro
viruses and it would be nice to drop them a note in that case instead
of just making the message and attachment totally disappear.

Seems like SKIPIFFORGING was really intended to handle bounces to the
sender and not to the receiver by the way it is being applied.

Matt



John Tolmachoff (Lists) wrote:

SWEN is not known to be forging. Every one that I have seen came from the sender that was indeed infected.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Sunday, March 07, 2004 6:27 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Swen not tagged as forging?

I just had a client ask me to turn off all virus notifications, and the message that they sent back was for Swen.A.

   Date: 03/07/2004 17:37:53
   Subject: Abort Notice
   Host: cybermatsa.com.mx [148.233.93.6]
   Attachment: enqofe.exe
   Virus: W32/[EMAIL PROTECTED]

Is it possible that this isn't in the forging database, or could this have been a failed lookup, or is it possible that this is a bug in the version of Declude Virus that I am running.  I'm on 1.78i14 currently.  I'm thinking that maybe the combination of the 'MIME Header' vulnerability along with the virus being detected might have caused the SKIPIFFORGING to be bypassed:

03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: [text/html][quoted-printable; Length=228 Checksum=17379]
03/07/2004 17:37:53 Qa43c661500982fd2 Outlook 'MIME Header' Vulnerability: type=audio/x-wav, name=enqofe.exe.
03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: enqofe.exe [base64; Length=106496 Checksum=9384207]
03/07/2004 17:37:53 Qa43c661500982fd2 Banning file with EXE extension [audio/x-wav].
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 1: Virus=W32/[EMAIL PROTECTED] Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 2: Virus=I-Worm/Swen.A Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 6]
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting file with virus
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting E-mail with virus!
03/07/2004 17:37:53 Qa43c661500982fd2 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 106748]
03/07/2004 17:37:53 Qa43c661500982fd2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 148.233.93.6]
03/07/2004 17:37:53 Qa43c661500982fd2 Subject: Abort Notice

Thanks,

Matt
  
  




RE: [Declude.Virus] BANEXT question

2004-03-08 Thread John Tolmachoff (Lists)
Tis what I get for trying to think at such an hour. :S

Rereading your posts, yes, I meant BANEZIP ON does not exist.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Monday, March 08, 2004 6:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] BANEXT question
> 
> 
> >No such thing as BANEXT EZIP??
> 
> I believe he meant "There is no such thing as BANEZIP ON" (because there
> isn't one of those).  But Don re-posted the summary that I had sent out
> last week, which has all the details in it.
> 
> -Scott



Re: [Declude.Virus] BANEXT question

2004-03-08 Thread R. Scott Perry

No such thing as BANEXT EZIP??
I believe he meant "There is no such thing as BANEZIP ON" (because there 
isn't one of those).  But Don re-posted the summary that I had sent out 
last week, which has all the details in it.

   -Scott


Re: [Declude.Virus] BANEXT question

2004-03-08 Thread [EMAIL PROTECTED]
No such thing as BANEXT EZIP??
 Taken from one of Scott's posts:

Gary

From: R. Scott Perry
Subject: RE: [Declude.Virus] Scan Password Protected Zip's
Date: Tue, 02 Mar 2004 12:44:39 -0800




Do you think moving to 1.78i7 will help with this issue?

  I would recommend doing that, and using the BANEZIPEXTS ON option
instead of the old BANEXT EZIP option. The new one should work much better.

  -Scott


- Original Message - 
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 08, 2004 2:22 AM
Subject: RE: [Declude.Virus] BANEXT question


As Don said, there is no such thing as BANEXT EZIP.

Try reading the archives again.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, March 07, 2004 5:23 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] BANEXT question
>
> I'm currently using: BANEXT  EZIP, because BANEZIP ON does not work for
> me.
> I'm running the latest interim version of Declude w/ F-Prot. I have a
> Standard Declude license. Does BANEZIP ON only work for the Pro version of
> Declude? If yes, I guess I should just continue to use BANEXT EZIP ?
>
> (Such a wonderful product!)
>



RE: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread John Tolmachoff (Lists)









SWEN is not known to be forging. Every one
that I have seen came from the sender that was indeed infected.

 



John Tolmachoff

Engineer/Consultant/Owner

eServices For You



 



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, March 07, 2004 6:27 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Swen not
tagged as forging?

 

I just had a client ask me to turn off all virus
notifications, and the message that they sent back was for Swen.A.



   Date: 03/07/2004 17:37:53   Subject: Abort Notice   Host: cybermatsa.com.mx [148.233.93.6]   Attachment: enqofe.exe   Virus: W32/[EMAIL PROTECTED]

Is it possible that this isn't in the forging
database, or could this have been a failed lookup, or is it possible that this
is a bug in the version of Declude Virus that I am running.  I'm on
1.78i14 currently.  I'm thinking that maybe the combination of the 'MIME
Header' vulnerability along with the virus being detected might have caused the
SKIPIFFORGING to be bypassed:

03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: [text/html][quoted-printable; Length=228 Checksum=17379]
03/07/2004 17:37:53 Qa43c661500982fd2 Outlook 'MIME Header' Vulnerability: type=audio/x-wav, name=enqofe.exe.
03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: enqofe.exe [base64; Length=106496 Checksum=9384207]
03/07/2004 17:37:53 Qa43c661500982fd2 Banning file with EXE extension [audio/x-wav].
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 1: Virus=W32/[EMAIL PROTECTED] Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 2: Virus=I-Worm/Swen.A Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 6]
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting file with virus
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting E-mail with virus!
03/07/2004 17:37:53 Qa43c661500982fd2 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 106748]
03/07/2004 17:37:53 Qa43c661500982fd2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 148.233.93.6]
03/07/2004 17:37:53 Qa43c661500982fd2 Subject: Abort Notice

Thanks,

Matt


--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/



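The log Matt posted shows two separate checks firing on one part: the Outlook 'MIME Header' pattern (a part declared as audio/x-wav whose name parameter ends in .exe) and the banned EXE extension. The following is an added illustration written for this archive, not Declude's own code, of those checks plus a third that a practitioner would want: looking at the decoded bytes for an executable header under a non-executable type. The extension lists, the list of abused content types, and the sample message (which reuses the enqofe.exe name from the log but is constructed here) are assumptions.

```python
"""Flag attachments that hide an executable behind a benign Content-Type.

Added example for the Declude.Virus archive; not Declude's implementation.
The lists below are assumptions, not Declude defaults."""

import email
import os
from email import policy

# Assumption: what an administrator might list under BANEXT.
BANNED_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}

# Extensions Windows treats as executable regardless of the declared type.
EXECUTABLE_EXTENSIONS = BANNED_EXTENSIONS | {"js", "jse", "vbe", "wsf", "hta"}

# Assumption: media types that older Outlook builds would open inline,
# which is what the 'MIME Header' trick relies on.
INLINE_MEDIA_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg", "text/plain"}

MZ_MAGIC = b"MZ"  # DOS/PE executable header bytes


def classify_part(part):
    """Return findings for one leaf MIME part, phrased like the Declude log lines above."""
    findings = []
    name = part.get_filename() or ""  # Content-Disposition filename, else Content-Type name
    if not name:
        return findings
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ctype = part.get_content_type()
    if ext in BANNED_EXTENSIONS:
        findings.append(f"Banning file with {ext.upper()} extension [{ctype}].")
    if ctype in INLINE_MEDIA_TYPES and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"Outlook 'MIME Header' Vulnerability: type={ctype}, name={name}.")
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(MZ_MAGIC) and not ctype.startswith("application/"):
        findings.append(f"Executable content under non-executable type: type={ctype}, name={name}.")
    return findings


def scan_message(raw_bytes):
    """Walk every leaf part of a raw message and collect the findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if not part.is_multipart():
            findings.extend(classify_part(part))
    return findings


# Constructed sample, not a captured Swen message: an HTML body, an EXE
# declared as audio/x-wav (payload decodes to b"MZ\x90\x00"), and a genuine
# WAV attachment (payload decodes to b"RIFF") that must not be flagged.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: recipient@example.com
Subject: Abort Notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body>See attached.</body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="enqofe.exe"
Content-Transfer-Encoding: base64

TVqQAA==
--BOUNDARY
Content-Type: audio/x-wav; name="ringtone.wav"
Content-Transfer-Encoding: base64

UklGRg==
--BOUNDARY--
"""

if __name__ == "__main__":
    for line in scan_message(SAMPLE_MESSAGE):
        print(line)
```

The magic-byte check is the one that survives renaming: an attacker controls both the declared type and the filename, but a Windows executable still has to start with MZ to run.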
RE: [Declude.Virus] BANEXT question

2004-03-08 Thread John Tolmachoff \(Lists\)
As Don said, there is no such thing as BANEXT EZIP.

Try reading the archives again.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, March 07, 2004 5:23 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] BANEXT question
> 
> I'm currently using: BANEXT  EZIP, because BANEZIP ON does not work for
> me.
> I'm running the latest interim version of Declude w/ F-Prot. I have a
> Standard Declude license. Does BANEZIP ON only work for the Pro version of
> Declude? If yes, I guess I should just continue to use BANEXT EZIP ?
> 
> (Such a wonderful product!)
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]



RE: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

2004-03-08 Thread John Tolmachoff \(Lists\)
BANEXT  EZIP
BANEZIPEXT  ON

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Bennie
> Sent: Sunday, March 07, 2004 4:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software
> opening zipped files.
> 
> how would you ban encrypted zips...
> 
> signed
> Confused (aka Bennie)
> 
> 
> - Original Message -
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 04, 2004 6:22 PM
> Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software
> opening zipped files.
> 
> 
> >
> > >that is going to be a challenge for scott to incorporate in declude :)
> >
> > It's unlikely that we will do this.  It makes for a great marketing
> > gimmick, but won't work in the long term.  All it will take is for a
> > virus to say "The password is  1 2 3 4 5" or "The password is 12344 plus
> > 1", and those AV programs will quickly leave the spotlight.
> >
> > >We are an isp, and for us blocking zips is out of the question.
> >
> > Remember that all AV programs can catch viruses in standard .ZIP
> > files.  It's only the encrypted .ZIP files that pose a problem, and it
> > is recommended that people block all encrypted .ZIP files (but allow
> > standard .ZIP files through).  That way, extremely few people are
> > inconvenienced, but it would be very hard for a virus to get through.
> >
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> > since 2000.
> > Declude Virus: Catches known viruses and is the leader in mailserver
> > vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >
> 
> 

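Scott's recommendation above, and the BANEXT EZIP / BANEZIPEXT ON answers in this thread and in the "BANEXT question" thread, come down to a single question about the attachment: does any entry in the ZIP have its encryption flag set? Below is an added example, written for this archive and not taken from Declude, that reads general-purpose flag bit 0 from both the central directory and the local file header of every entry, and descends into nested plain ZIPs so an encrypted archive cannot be smuggled inside a clean one. The ZIP fixtures are built in memory by the code itself and the entry names (invoice.txt, payload.exe, inner.zip) are invented.

```python
"""Detect encrypted ZIP attachments (ban them) while letting plain ZIPs through.

Added example for the Declude.Virus archive; not Declude's BANEZIPEXT code.
The archives are built in memory as constructed fixtures; names are invented."""

import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = 0x04034B50
CENTRAL_DIR_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 (PKWARE APPNOTE): entry is encrypted


def build_zip(entries):
    """Build a minimal STORED ZIP from (name, data, encrypted) tuples.

    Fixture builder only: when `encrypted` is True the flag bit is set but the
    bytes are left as they are, which is all a flag-based detector looks at."""
    local, central = bytearray(), bytearray()
    for name, data, encrypted in entries:
        name_b = name.encode("utf-8")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                             crc, len(data), len(data), len(name_b), 0)
        local += name_b + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_DIR_SIG, 20, 20, flags,
                               0, 0, 0, crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def parse_entries(zip_bytes):
    """Walk the central directory; return (name, central_flags, local_flags) per entry.

    Both headers carry the flag word, so both are read: a scanner that trusts
    only one can be fed an archive in which the other one disagrees."""
    eocd = zip_bytes.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _, cd_offset = struct.unpack_from("<IHHHHIIH", zip_bytes, eocd)[4:7]
    entries, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", zip_bytes, pos)
        if f[0] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len, local_off = f[3], f[10], f[11], f[12], f[16]
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        sig, _, local_flags = struct.unpack_from("<IHH", zip_bytes, local_off)
        if sig != LOCAL_HEADER_SIG:
            raise ValueError(f"bad local header for {name}")
        entries.append((name, flags, local_flags))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def encrypted_entries(zip_bytes, depth=0, max_depth=3):
    """Return names of encrypted entries, descending into plain nested .zip files."""
    found = []
    for name, cflags, lflags in parse_entries(zip_bytes):
        if (cflags | lflags) & FLAG_ENCRYPTED:
            found.append(name)
        elif name.lower().endswith(".zip") and depth < max_depth:
            inner = zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name)
            found.extend(f"{name}/{n}" for n in encrypted_entries(inner, depth + 1, max_depth))
    return found


def verdict(zip_bytes):
    """'BAN' if anything inside is encrypted, else 'ALLOW' (the policy Scott describes)."""
    return "BAN" if encrypted_entries(zip_bytes) else "ALLOW"


# Constructed fixtures: a plain archive, one carrying an encrypted entry, and a
# plain archive wrapping the encrypted one.
PLAIN_ZIP = build_zip([("invoice.txt", b"plain text, scannable", False)])
ENCRYPTED_ZIP = build_zip([("readme.txt", b"The password is 12345", False),
                           ("payload.exe", b"MZ\x90\x00", True)])
NESTED_ZIP = build_zip([("inner.zip", ENCRYPTED_ZIP, False)])

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_ZIP), ("encrypted", ENCRYPTED_ZIP), ("nested", NESTED_ZIP)):
        print(label, verdict(blob), encrypted_entries(blob))
```

Because the decision keys on the archive's own encryption flag rather than on fishing a password out of the message body, it is unaffected by how the virus phrases the password, which is exactly the weakness Scott points out in the "try the password from the body" approach; the cost is the one he also names, that legitimately password-protected archives are refused along with the malicious ones.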