Re: [Declude.Virus] BANEZIPEXTS and BANZIPEXTS question and suggestion

2004-04-06 Thread R. Scott Perry

> How does BANEZIPEXTS work if 2 or more files are included in the encrypted
> ZIP and at least one of them is not in the BANEXT list?

With the original interim release that added the BANEZIPEXTS option, it 
would only look at the first file.  That was due to the speed needed to add 
the feature (Declude Virus already had access to the information needed to 
check the first file, but not subsequent files).

With the latest beta, though, this was expanded so that if you use 
BANEZIPEXTS ON and any file in the encrypted .ZIP file has a banned file 
extension, the E-mail should be blocked.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.
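
The difference between the two behaviours described in the reply above, as an added example (not Declude's code and not part of the original thread). It assumes a demo ban list and a constructed ZIP. In standard ZIP encryption the entry names stay readable in the central directory, so every entry can be checked without the password.

```python
import io
import os
import zipfile

BANNED_EXTS = {".com", ".pif", ".exe", ".scr"}  # assumed ban list for this demo


def build_sample_zip(names):
    """Constructed sample: a ZIP whose entries are all flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted entries, so set general-purpose flag
    # bit 0 ("encrypted") in each central directory header by hand.
    pos = raw.find(b"PK\x01\x02")
    while pos != -1:
        raw[pos + 8] |= 0x01
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


def banned_encrypted_entries(zip_bytes, first_only=False, banned=BANNED_EXTS):
    """Return names of encrypted entries that carry a banned extension.

    first_only=True mimics a check that inspects only the first entry;
    first_only=False walks the whole central directory.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
    if first_only:
        entries = entries[:1]
    hits = []
    for info in entries:
        ext = os.path.splitext(info.filename)[1].lower()
        if info.flag_bits & 0x1 and ext in banned:
            hits.append(info.filename)
    return hits


# Constructed archive: the banned file is not the first entry.
MIXED = build_sample_zip(["notes.log", "payload.com", "readme.txt"])

if __name__ == "__main__":
    print("first entry only:", banned_encrypted_entries(MIXED, first_only=True))
    print("all entries:     ", banned_encrypted_entries(MIXED))
```
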


[Declude.Virus] BANEZIPEXTS and BANZIPEXTS question and suggestion

2004-04-06 Thread Panda Consulting S.A. Luis Alberto Arango
Scott:
My first suggestion thinking of those new Declude users that are not yet in
the list and will become new Declude customers as well as old ones, I
suggest to add an explanation in the demo config file and the Manual about
how BANEZIPEXTS and BANZIPEXTS work. Explaining that the setting should be
ON and the effect it causes. The release notes are clear about the banning
feature but not that clear about using the ON switch. I believe that now the
only way to find that out is through the file archives. It would be very
useful then to add it to the config file and the Manual.

Now my question:
I tested the BANEZIPEXTS ON encrypting 1 file. A .COM extension file that I
ban via Banext. Declude stopped it right away.

Then I tested the same option encrypting 2 files: A .com extension and .log
one. I don't ban .log. My objective was to see if the zip was going to be
banned by Declude since it had a .COM extension.

Declude didn't stop it. 

I tried it with 3 files. .COM and 2 txt files (txt is not banned in my
configuration), and Declude didn't stop it.

As far as I understand then, the BANEZIPEXTS considers that only one file is
in the encrypted zip and that is the one it checks, or perhaps if there is
more than one file and one of them is not in the Banext then it doesn't stop
it.

Let me know your thoughts. I am afraid that new viruses come in a way that 2
files come within an encrypted zip, one being a .COM, PIF, or any dangerous
extension and the other one a simple txt file, so at the end Declude lets it
pass.

How does BANEZIPEXTS work if 2 or more files are included in the encrypted
ZIP and at least one of them is not in the BANEXT list?

-Luis Arango





Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

2004-04-06 Thread Dan Geiser
Hi, Scott,
Sorry about that.  I included the wrong message.  I had 2 issues confused
with each other.  Here is the one I was referring to where Declude blocks
the message...

---
-Original Message- 
From: Postmaster
Sent: Fri 4/2/2004 1:29 AM
To: [EMAIL PROTECTED]
Cc:
Subject: WARNING: YOU WERE SENT A VIRUS


The virus scanner software at Nexus Technology Group on NexusTechGroup.com
has reported someone sent you an E-mail from [EMAIL PROTECTED],
containing the [Outlook 'Blank Folding' Vulnerability] virus in the [No
attachment] attachment.  The subject of the E-mail was "Backup Exec Alert:
Job Failed (Server: "BHFSERVER") (Job: "Backup 0001") ".

The E-mail containing the virus has been deleted to prevent any damage.

Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
  (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
From: <[EMAIL PROTECTED]>
To:  < [EMAIL PROTECTED]>
Date: Fri, 02 Apr 2004 01:29:56 -0400
Subject: Backup Exec Alert: Job Failed (Server: "BHFSERVER") (Job: "Backup
0001")

X-Mailer: VERITAS SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: [EMAIL PROTECTED]

---

Any ideas?

Thanks, Again,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 05, 2004 6:54 PM
Subject: Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in
Backup Exec 9.1 Notifications


>
> >We have a customer who is running Veritas Backup Exec.  When their backup
> >runs a notification is triggered by Backup Exec and we bounce that
> >notification through our IMail server and then on to the appropriate
> >parties.  This notification system has been running fine for months now
> >using our IMail server as a relay.
> >
> >In the past week or so IMail has had trouble routing these messages.  Here
> >is an example message...
> >
> >-
> >From: "Postmaster"
> ><[EMAIL PROTECTED]>
> >
> >undeliverable to [EMAIL PROTECTED]
>
> This one indicates that IMail can't deliver the E-mail to
> [EMAIL PROTECTED]  However:
>
> >Original message follows.
> >
> >Subject: Backup Exec Alert: Job Success
> ...
>
> There is no indication that Declude blocked this E-mail.
>
> >For those of you with a trained eye...
> >
> >1)  Why does Declude flag the original notification message as having the
> >blank folding vulnerability?  I'm OK with that I'm just curious to know why.
>
> I don't see any indication that it did.
>
> >2)  Secondly and actually more importantly.  Why is my IMail system unable
> >to deliver the notification to
> >[EMAIL PROTECTED]  There appears to be a space
> >right before [EMAIL PROTECTED] in the to line of the
> >original notification.  I believe that space is being added by Backup
> >Exec.  Would that cause the message to be undeliverable?
>
> That would likely cause the message to be undeliverable.
>
> -Scott

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



Re: [Declude.Virus] Sort of OT: Blank Folding Vulnerability in Backup Exec 9.1 Notifications

2004-04-06 Thread R. Scott Perry

> Sorry about that.  I included the wrong message.  I had 2 issues confused
> with each other.  Here is the one I was referring to where Declude blocks
> the message...
>
> Headers Follow:
> Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
>   (SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004 01:29:56 -0500
> From: <[EMAIL PROTECTED]>
> To:  < [EMAIL PROTECTED]>
> Date: Fri, 02 Apr 2004 01:29:56 -0400
> Subject: Backup Exec Alert: Job Failed (Server: "BHFSERVER") (Job: "Backup
> 0001")
>
> X-Mailer: VERITAS SMTP Mail Component
> MIME-Version: 1.0
> Content-Type: text/plain; charset=utf-8
> Message-Id: [EMAIL PROTECTED]

The problem here is the blank line after the "Subject:" header.  That line 
presumably originally contained a single space or tab character, which 
introduces the "Blank Folding" vulnerability (which violates RFC2822).

   -Scott
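
A check for the whitespace-only header line described in the reply above, as an added example (not Declude's code and not part of the original thread). The sample message is constructed from the headers quoted in the thread with placeholder addresses, and the function names are hypothetical. The second function shows why the line matters to a scanner: a parser that treats the line as folding and one that treats it as the end of the headers see different header sets.

```python
WS = b" \t"


def find_blank_folds(raw: bytes):
    """Return (line_number, preceding_header) for each whitespace-only
    line that appears before the truly empty line ending the headers."""
    findings, last_header = [], None
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if line == b"":
            break  # genuine end of the header block
        if line.strip(WS) == b"":
            findings.append((lineno, last_header))
        elif line[:1] not in (b" ", b"\t"):
            last_header = line.split(b":", 1)[0].decode("ascii", "replace")
    return findings


def header_names(raw: bytes, blank_fold_ends_headers: bool):
    """List header names as seen by a parser that either treats a
    whitespace-only line as folding (False) or as end of headers (True)."""
    names = []
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line == b"" or (blank_fold_ends_headers and not line.strip(WS)):
            break
        if line[:1] not in (b" ", b"\t"):
            names.append(line.split(b":", 1)[0].decode("ascii", "replace"))
    return names


# Constructed sample: a single space on the line after "Subject:".
SAMPLE = (
    b"From: <sender@example.invalid>\r\n"
    b"To: <rcpt@example.invalid>\r\n"
    b'Subject: Backup Exec Alert: Job Failed (Server: "BHFSERVER")\r\n'
    b" \r\n"
    b"X-Mailer: VERITAS SMTP Mail Component\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Job log follows.\r\n"
)

if __name__ == "__main__":
    print(find_blank_folds(SAMPLE))
    print(header_names(SAMPLE, False))
    print(header_names(SAMPLE, True))
```
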