RE: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill 

The very last line shows the total message count including messages that
did not fail any tests.  My program, as it is now, does not look at any
of the declude actions, just the tests failed.  I primarily use it is to
determine if any of the tests that I am using have quit working or how
effective a new test or filter file is.

Why don't you send me a .txt file of what you think that the output
should be and I will consider it.

Thanks,
Bill



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Tuesday, April 13, 2004 3:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Scott, what do you use to 
> generate this report
> 
> 
> Bill, would you consider adding the "OK" count so that we 
> could also see the counts and percentages of what was 
> delivered successfully, as well.
> 
> Thanks again,
> 
> Bill
> - Original Message - 
> From: "Bill" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 13, 2004 12:33 PM
> Subject: RE: [Declude.Virus] Scott, what do you use to 
> generate this report
> 
> 
> > Hi,
> >
> > I have a utility to do a quick analysis of my decMMDD.log file to 
> > discover test effectiveness.  If anyone would like to use 
> it, I have 
> > it available for free from my website:  
> http://www.wamusa.com/wamtools
> >
> > The program is designed for LOGLEVEL MID but it may work for other 
> > levels.  My system analyzed this 120Mb decMMDD.log in less than one 
> > minute.  This is a sample output:
> >
> >
> >Message   Recipient
> > Test Name Fail Count % Fail Count %
> >
> >  WEIGHT10 116362   96 169684   96
> >  SNIFFER2 114790   94 167322   95
> >  WEIGHT15 112700   93 165299   94
> >  WEIGHT20 108443   89 159758   91
> > WEIGHTDEL 108443   89 159758   91
> >   SPAMCOP   84740   70 129602   73
> >   SBL   52552   43   53879   30
> >  AHBL   48506   40   57094   32
> >   CBL   46445   38   89827   51
> >  DSBL   39527   32   77743   44
> >SORBS-DUHL   29673   24   58427   33
> >REVDNS   28996   23   41544   23
> >BADHEADERS   27493   22   34922   19
> >SORBS-SPAM   25119   20   27995   15
> >  NOPOSTMASTER   22488   18   46530   26
> >   NOABUSE   21746   17   42732   24
> >   SPAMHEADERS   19613   16   20587   11
> >  SPAM-DOMAINS   15263   12   33776   19
> >   ROUTING   120419   25060   14
> >   FOREIGN   100988   163309
> > GIBBERISH9072799325
> >   DSN84847   137557
> >SORBS-HTTP65845   124597
> >   SORBS-SOCKS65085   126977
> >   SPFFAIL4954465273
> >BLITZEDALL3350259913
> >BASE642252129561
> >  MAILFROM1684128411
> >  COMMENTS1328120561
> >  MYFILTERFAIL1159017230
> >  WAMO 5850 6090
> >  MYFILTERPASS 512012390
> >SORBS-MISC 5040 9230
> >SORBS-SMTP 445011320
> >   OBFUSCATION 3600 4570
> >  ORDB 3160 6540
> > SORBS-WEB 3160 5140
> >  SORBS-ZOMBIE 2800 2800
> >   SPFPASS 2080 2340
> >  BONDEDSENDER  620  620
> >   @LINKED  100  140
> >HABEAS   40   40
> >  WAMCHECK   10   20
> >
> > Message Count 120934 175163
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Paul 
> > > Fuhrmeister
> > > Sent: Monday, April 12, 2004 5:11 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Declude.Virus] Scott, what do you use to generate
> > > this report
> > >
> > >
> > > Thanks Scott,
> > >
> > > While I have your attention, what do you use to generate 
> this report 
> > > from your log files?
> > >
> > > > Each month, we go through our spamtraps (E-mail 
> addresses designed 
> > > > to collect spam), to find out which spam tests  were most 
> > > > effective at catching spam. 
> > > >
> > > >
> > > > WEIGHT1099.48%
> > > > WEIGHT2095.45%
> > > > NOLEGITCONTENT  95.43%
> > > > SNIFFER 94.06%
> > > > SPAMCHK 93.20%
> > > > IPNOTINMX   90.76%
> > > > SPAMCOP 79.83%
> > >

RE: [Declude.Virus] getting this in my logfile

2004-04-13 Thread R. Scott Perry 

If you are using Fprot and have configured it exactly as you recommend on
the WEBSITE will an Excel file with a dangerous Macro be detected?
It will not.  But this recent development shows that the latest version of 
F-Prot may return an exit code of 8, whether or not you have requested it 
to.  If that is the case, you can decide whether or not to block them by 
using VIRUSCODE 8 (block them) or OKCODE 8 (do not block them).

IE is there a middle ground with FPROT?  I currently have /SERVER in my
commandline and Viruscode 8 in my config (see below) because I did not want
infected Excel files passing.  But I do not want to block every Excel/Word
file just because it has a macro.
You do *not* need to use VIRUSCODE 8 to detect infected Excel/Word 
documents -- they will be caught as viruses.  The VIRUSCODE 8 refers to 
suspicious files (where no virus was detected).

Alternatively if an Excel file that is NOT infected but contains a macro is
enclosed within a ZIP file with these same settings (that I am using) will
it also block it?
It may or may not, depending on whether F-Prot returns an exit code of 8 
(it should not, but it now seems that it may!)

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] getting this in my logfile

2004-04-13 Thread Douglas Cohn 
On this same subject.

If you are using Fprot and have configured it exactly as you recommend on
the WEBSITE will an Excel file with a dangerous Macro be detected?

IE is there a middle ground with FPROT?  I currently have /SERVER in my
commandline and Viruscode 8 in my config (see below) because I did not want
infected Excel files passing.  But I do not want to block every Excel/Word
file just because it has a macro.  

Alternatively if an Excel file that is NOT infected but contains a macro is
enclosed within a ZIP file with these same settings (that I am using) will
it also block it?

TIA

Doug

Snippet of my Virus.cfg--

SCANFILEC:\Program Files\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM
/ARCHIVE /NOBOOT /DUMB /SERVER /REPORT=report.txt

VIRUSCODE   3
VIRUSCODE   6
VIRUSCODE   8
REPORTInfection

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, April 13, 2004 8:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] getting this in my logfile



>04/13/2004 11:21:23 Qb1072b82012a066d Could not find parse string
>Infection in report.txt
>04/13/2004 11:21:23 Qb1072b82012a066d Error 8 in virus scanner 1.
>04/13/2004 11:21:23 Qb1072b82012a066d Scanned: Error in virus scanner. 
>[MIME: 2 270831]
>
>the mail with attachment are being hold
>
>Its a mail with an excel document with macro's but no virus
>
>Running the latest f-prot, and a the latest interim relase, anyone 
>having
>any idea why or what happens

It sounds like you set up F-Prot to detect "suspicious files" -- which will 
block most files with macros in them.  You need to switch back to the 
default settings (unless you are OK blocking files with macros in them).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] log entry and banned file extension question

2004-04-13 Thread R. Scott Perry 

Will someone explain what this log entry from my vir log 
means.  Particularly the [MIME: 11 271688] part.

The client is claiming the attachment is a .doc which I do not block.
Most likely, it is using malformed headers (so it appears as both a .doc 
and other file extension), in which case Declude Virus will treat it as an 
.exe file.  If you send me the D*.SMD file (off-list), I can examine it to 
see why it was blocked.

04/13/2004 09:08:56 Q10890f9a01084f3b Scanned: Banned file extension. 
[MIME: 11 271688]
This means that there were 11 MIME segments, with a total of 271,688 bytes.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] log entry and banned file extension question

2004-04-13 Thread Jeffrey Di Gregorio 








Will someone explain what this log entry from my vir log means. 
Particularly the [MIME: 11 271688] part.  

The client is claiming the attachment is a .doc which I do
not block.

 

04/13/2004 09:08:56
Q10890f9a01084f3b Scanned: Banned file extension. [MIME: 11 271688]

04/13/2004 09:08:56
Q10890f9a01084f3b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

04/13/2004 09:08:56
Q10890f9a01084f3b Subject: Agenda and Reports for Wednesday

 

Thanks for all of your help as always,

 

Jeffrey

 

Jeffrey Di Gregorio    CCNP MCSE

Systems Administrator

Pacific School of Religion

[EMAIL PROTECTED]

510-849-8283

 

Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill Landry 
Bill, would you consider adding the "OK" count so that we could also see the
counts and percentages of what was delivered successfully, as well.

Thanks again,

Bill
- Original Message - 
From: "Bill" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report


> Hi,
>
> I have a utility to do a quick analysis of my decMMDD.log file to
> discover test effectiveness.  If anyone would like to use it, I have it
> available for free from my website:  http://www.wamusa.com/wamtools
>
> The program is designed for LOGLEVEL MID but it may work for other
> levels.  My system analyzed this 120Mb decMMDD.log in less than one
> minute.  This is a sample output:
>
>
>Message   Recipient
> Test Name Fail Count % Fail Count %
>
>  WEIGHT10 116362   96 169684   96
>  SNIFFER2 114790   94 167322   95
>  WEIGHT15 112700   93 165299   94
>  WEIGHT20 108443   89 159758   91
> WEIGHTDEL 108443   89 159758   91
>   SPAMCOP   84740   70 129602   73
>   SBL   52552   43   53879   30
>  AHBL   48506   40   57094   32
>   CBL   46445   38   89827   51
>  DSBL   39527   32   77743   44
>SORBS-DUHL   29673   24   58427   33
>REVDNS   28996   23   41544   23
>BADHEADERS   27493   22   34922   19
>SORBS-SPAM   25119   20   27995   15
>  NOPOSTMASTER   22488   18   46530   26
>   NOABUSE   21746   17   42732   24
>   SPAMHEADERS   19613   16   20587   11
>  SPAM-DOMAINS   15263   12   33776   19
>   ROUTING   120419   25060   14
>   FOREIGN   100988   163309
> GIBBERISH9072799325
>   DSN84847   137557
>SORBS-HTTP65845   124597
>   SORBS-SOCKS65085   126977
>   SPFFAIL4954465273
>BLITZEDALL3350259913
>BASE642252129561
>  MAILFROM1684128411
>  COMMENTS1328120561
>  MYFILTERFAIL1159017230
>  WAMO 5850 6090
>  MYFILTERPASS 512012390
>SORBS-MISC 5040 9230
>SORBS-SMTP 445011320
>   OBFUSCATION 3600 4570
>  ORDB 3160 6540
> SORBS-WEB 3160 5140
>  SORBS-ZOMBIE 2800 2800
>   SPFPASS 2080 2340
>  BONDEDSENDER  620  620
>   @LINKED  100  140
>HABEAS   40   40
>  WAMCHECK   10   20
>
> Message Count 120934 175163
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
> > Sent: Monday, April 12, 2004 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.Virus] Scott, what do you use to generate
> > this report
> >
> >
> > Thanks Scott,
> >
> > While I have your attention, what do you use to generate this
> > report from your log files?
> >
> > > Each month, we go through our spamtraps (E-mail addresses
> > > designed to collect spam), to find out which spam tests
> > >  were most effective at catching spam. 
> > >
> > >
> > > WEIGHT1099.48%
> > > WEIGHT2095.45%
> > > NOLEGITCONTENT  95.43%
> > > SNIFFER 94.06%
> > > SPAMCHK 93.20%
> > > IPNOTINMX   90.76%
> > > SPAMCOP 79.83%
> > > CMDSPACE77.37%
> >
> > 
> >
> > [EMAIL PROTECTED]
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus"

Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill Landry 
Very nice!  Thanks for sharing this, Bill!

Bill
- Original Message - 
From: "Bill" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report


> Hi,
>
> I have a utility to do a quick analysis of my decMMDD.log file to
> discover test effectiveness.  If anyone would like to use it, I have it
> available for free from my website:  http://www.wamusa.com/wamtools
>
> The program is designed for LOGLEVEL MID but it may work for other
> levels.  My system analyzed this 120Mb decMMDD.log in less than one
> minute.  This is a sample output:
>
>
>Message   Recipient
> Test Name Fail Count % Fail Count %
>
>  WEIGHT10 116362   96 169684   96
>  SNIFFER2 114790   94 167322   95
>  WEIGHT15 112700   93 165299   94
>  WEIGHT20 108443   89 159758   91
> WEIGHTDEL 108443   89 159758   91
>   SPAMCOP   84740   70 129602   73
>   SBL   52552   43   53879   30
>  AHBL   48506   40   57094   32
>   CBL   46445   38   89827   51
>  DSBL   39527   32   77743   44
>SORBS-DUHL   29673   24   58427   33
>REVDNS   28996   23   41544   23
>BADHEADERS   27493   22   34922   19
>SORBS-SPAM   25119   20   27995   15
>  NOPOSTMASTER   22488   18   46530   26
>   NOABUSE   21746   17   42732   24
>   SPAMHEADERS   19613   16   20587   11
>  SPAM-DOMAINS   15263   12   33776   19
>   ROUTING   120419   25060   14
>   FOREIGN   100988   163309
> GIBBERISH9072799325
>   DSN84847   137557
>SORBS-HTTP65845   124597
>   SORBS-SOCKS65085   126977
>   SPFFAIL4954465273
>BLITZEDALL3350259913
>BASE642252129561
>  MAILFROM1684128411
>  COMMENTS1328120561
>  MYFILTERFAIL1159017230
>  WAMO 5850 6090
>  MYFILTERPASS 512012390
>SORBS-MISC 5040 9230
>SORBS-SMTP 445011320
>   OBFUSCATION 3600 4570
>  ORDB 3160 6540
> SORBS-WEB 3160 5140
>  SORBS-ZOMBIE 2800 2800
>   SPFPASS 2080 2340
>  BONDEDSENDER  620  620
>   @LINKED  100  140
>HABEAS   40   40
>  WAMCHECK   10   20
>
> Message Count 120934 175163
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
> > Sent: Monday, April 12, 2004 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.Virus] Scott, what do you use to generate
> > this report
> >
> >
> > Thanks Scott,
> >
> > While I have your attention, what do you use to generate this
> > report from your log files?
> >
> > > Each month, we go through our spamtraps (E-mail addresses
> > > designed to collect spam), to find out which spam tests
> > >  were most effective at catching spam. 
> > >
> > >
> > > WEIGHT1099.48%
> > > WEIGHT2095.45%
> > > NOLEGITCONTENT  95.43%
> > > SNIFFER 94.06%
> > > SPAMCHK 93.20%
> > > IPNOTINMX   90.76%
> > > SPAMCOP 79.83%
> > > CMDSPACE77.37%
> >
> > 
> >
> > [EMAIL PROTECTED]
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill 
Hi,

I have a utility to do a quick analysis of my decMMDD.log file to
discover test effectiveness.  If anyone would like to use it, I have it
available for free from my website:  http://www.wamusa.com/wamtools   

The program is designed for LOGLEVEL MID but it may work for other
levels.  My system analyzed this 120Mb decMMDD.log in less than one
minute.  This is a sample output:


  Message Recipient
Test Name   Fail Count %Fail Count %

 WEIGHT10116362   96 169684   96
 SNIFFER2114790   94 167322   95
 WEIGHT15112700   93 165299   94
 WEIGHT20108443   89 159758   91
WEIGHTDEL108443   89 159758   91
  SPAMCOP 84740   70 129602   73
  SBL 52552   43  53879   30
 AHBL 48506   40  57094   32
  CBL 46445   38  89827   51
 DSBL 39527   32  77743   44
   SORBS-DUHL 29673   24  58427   33
   REVDNS 28996   23  41544   23
   BADHEADERS 27493   22  34922   19
   SORBS-SPAM 25119   20  27995   15
 NOPOSTMASTER 22488   18  46530   26
  NOABUSE 21746   17  42732   24
  SPAMHEADERS 19613   16  20587   11
 SPAM-DOMAINS 15263   12  33776   19
  ROUTING 120419  25060   14
  FOREIGN 100988  163309
GIBBERISH  90727   99325
  DSN  84847  137557
   SORBS-HTTP  65845  124597
  SORBS-SOCKS  65085  126977
  SPFFAIL  49544   65273
   BLITZEDALL  33502   59913
   BASE64  22521   29561
 MAILFROM  16841   28411
 COMMENTS  13281   20561
 MYFILTERFAIL  11590   17230
 WAMO   58506090
 MYFILTERPASS   5120   12390
   SORBS-MISC   50409230
   SORBS-SMTP   4450   11320
  OBFUSCATION   36004570
 ORDB   31606540
SORBS-WEB   31605140
 SORBS-ZOMBIE   28002800
  SPFPASS   20802340
 BONDEDSENDER620 620
  @LINKED100 140
   HABEAS 40  40
 WAMCHECK 10  20

Message Count120934  175163

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
> Sent: Monday, April 12, 2004 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Scott, what do you use to generate 
> this report
> 
> 
> Thanks Scott,
> 
> While I have your attention, what do you use to generate this 
> report from your log files?
> 
> > Each month, we go through our spamtraps (E-mail addresses
> > designed to collect spam), to find out which spam tests
> >  were most effective at catching spam. 
> >
> >
> > WEIGHT1099.48%
> > WEIGHT2095.45%
> > NOLEGITCONTENT  95.43%
> > SNIFFER 94.06%
> > SPAMCHK 93.20%
> > IPNOTINMX   90.76%
> > SPAMCOP 79.83%
> > CMDSPACE77.37%
> 
>  
> 
> [EMAIL PROTECTED]
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] links on declude site

2004-04-13 Thread R. Scott Perry 

I had a link in my messages about blocking vulnerabilities.
[.]
If you need more info about these
vulnerabilities take a look at the the declude
site 
http://www.declude.com/virus/vulnerability.htm
I'll pass this on to the person who is working on the web site -- I expect 
that the old URL will work again later today.
It is working now.  :)

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] Mime headers question

2004-04-13 Thread R. Scott Perry 

I have a customer who is trying to send out Midi files as an attachment and
his email is getting held because of the mime headers vulnerability.  He is
using Entourage as his mail client.  Is it something about the way he is
attaching the Midi file that is causing the issue? Or is it just because it
is a midi file.
The problem is most likely that the version of Entourage the customer is 
running is not RFC-compliant.  If you send me the full headers of the 
E-mail that was caught, I can let you know exactly what the problem is.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Mime headers question

2004-04-13 Thread Chuck Schick 
I have a customer who is trying to send out Midi files as an attachment and
his email is getting held because of the mime headers vulnerability.  He is
using Entourage as his mail client.  Is it something about the way he is
attaching the Midi file that is causing the issue? Or is it just because it
is a midi file.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] getting this in my logfile

2004-04-13 Thread ISPhuset Nordic AS 
well done that now

the rest of teh file is like this

# VIRDIR is the directory to move E-mails with viruses; by default,
# it is set to 'virus' (\IMail\spool\virus).

VIRDIR  E:\virus

# The MAXATONCE option limits the number of AV processes.  For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing
# purposes).  A value of 0 (or commenting it out) allows unlimited processes
# to run at the same time.
#MAXATONCE 1

## The following options allow you to limit scanning to only incoming or outgoing
# E-mail, with v1.13 and higher.  If they are commented out ("#" in front of them),
# Declude will scan all E-mail.

#INCOMING   ON
#OUTGOING   ON

BANEXT COM
BANEXT PIF
BANEXT EXE
BANEXT SCR
BANEXT EZIP

BANNAME message.zip
BANNAME photos.zip

BANCRVIRUSES OFF

AUTOFORGE OFF 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: 13. april 2004 14:34
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] getting this in my logfile
> 
> 
> >SCANFILEC:\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM 
> /ARCHIVE /NOBOOT 
> >/DUMB /REPORT=report.txt
> 
> This is indeed the standard F-Prot configuration.  I can't 
> explain why it 
> is returning the exit code of 8, unless F-Prot switched to 
> have that on by 
> default (which could be the case).
> 
> Since you have no "VIRUSCODE 8" line (it is commented out), 
> Declude Virus 
> will not block the E-mail (unless you use "DELIVERERRORS OFF" in your 
> virus.cfg file).
> 
> In this case, I would recommend adding a line "OKCODE 8" to the 
> \IMail\Declude\virus.cfg file, which will let Declude Virus 
> know that if 
> F-Prot returns an exit code of 8, Declude Virus should not 
> block the E-mail.
> 
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail 
> mailservers 
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader 
> in mailserver 
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] getting this in my logfile

2004-04-13 Thread R. Scott Perry 

SCANFILEC:\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT 
/DUMB /REPORT=report.txt
This is indeed the standard F-Prot configuration.  I can't explain why it 
is returning the exit code of 8, unless F-Prot switched to have that on by 
default (which could be the case).

Since you have no "VIRUSCODE 8" line (it is commented out), Declude Virus 
will not block the E-mail (unless you use "DELIVERERRORS OFF" in your 
virus.cfg file).

In this case, I would recommend adding a line "OKCODE 8" to the 
\IMail\Declude\virus.cfg file, which will let Declude Virus know that if 
F-Prot returns an exit code of 8, Declude Virus should not block the E-mail.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] getting this in my logfile

2004-04-13 Thread ISPhuset Nordic AS 
?

# The "" in the LOGFILE option gets replaced with the month/date

LOGFILE E:\virus\vir.log
LOGLEVELMID
CONSOLE OFF


# SCANFILE is the location of the command-line virus scanner. Note that it 
# must include the full path.  VIRUSCODE is the code that scanner returns if
# it finds a virus.

SCANFILEC:\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB 
/REPORT=report.txt

VIRUSCODE   3
VIRUSCODE   6
#VIRUSCODE  8
REPORTInfection

PRESCAN ON

can't see that 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: 13. april 2004 14:00
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] getting this in my logfile
> 
> 
> >04/13/2004 11:21:23 Qb1072b82012a066d Could not find parse string 
> >Infection in report.txt
> >04/13/2004 11:21:23 Qb1072b82012a066d Error 8 in virus scanner 1.
> >04/13/2004 11:21:23 Qb1072b82012a066d Scanned: Error in 
> virus scanner. 
> >[MIME: 2 270831]
> >
> >the mail with attachment are being hold
> >
> >Its a mail with an excel document with macro's but no virus
> >
> >Running the latest f-prot, and a the latest interim relase, 
> anyone having 
> >any idea why or what happens
> 
> It sounds like you set up F-Prot to detect "suspicious files" 
-- which will 
> block most files with macros in them.  You need to switch back to the 
> default settings (unless you are OK blocking files with 
> macros in them).
> 
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail 
> mailservers 
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader 
> in mailserver 
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] getting this in my logfile

2004-04-13 Thread R. Scott Perry 

04/13/2004 11:21:23 Qb1072b82012a066d Could not find parse string 
Infection in report.txt
04/13/2004 11:21:23 Qb1072b82012a066d Error 8 in virus scanner 1.
04/13/2004 11:21:23 Qb1072b82012a066d Scanned: Error in virus scanner. 
[MIME: 2 270831]

the mail with attachment are being hold

Its a mail with an excel document with macro's but no virus

Running the latest f-prot, and a the latest interim relase, anyone having 
any idea why or what happens
It sounds like you set up F-Prot to detect "suspicious files" -- which will 
block most files with macros in them.  You need to switch back to the 
default settings (unless you are OK blocking files with macros in them).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] getting this in my logfile

2004-04-13 Thread ISPhuset Nordic AS 
04/13/2004 11:21:23 Qb1072b82012a066d Could not find parse string Infection in 
report.txt
04/13/2004 11:21:23 Qb1072b82012a066d Error 8 in virus scanner 1.
04/13/2004 11:21:23 Qb1072b82012a066d Scanned: Error in virus scanner. [MIME: 2 
270831] 

the mail with attachment are being hold 

Its a mail with an excel document with macro's but no virus

Running the latest f-prot, and a the latest interim relase, anyone having any idea why 
or what happens

Benny

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re: [Declude.Virus] links on declude site

2004-04-13 Thread R. Scott Perry 

I had a link in my messages about blocking vulnerabilities.
[.]
If you need more info about these
vulnerabilities take a look at the the declude
site 
http://www.declude.com/virus/vulnerability.htm

This link no longer seems to work. It's all messages now on your site. 
Will general stuff like this be available on a static link we can refer 
people to?
I'll pass this on to the person who is working on the web site -- I expect 
that the old URL will work again later today.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] BANEZIPEXTS and BANZIPEXTS question and suggestion

2004-04-13 Thread R. Scott Perry 

The new site looks good.
Thank you.  :)

But where can I find the interim releases now?
The new location is http://www.declude.com/version/interim .

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] links on declude site

2004-04-13 Thread Bonno Bloksma 



Hi Scott,
 
I had a link in my messages about blocking 
vulnerabilities.
[.]
If you need more info about thesevulnerabilities take a look at the the 
decludesite http://www.declude.com/virus/vulnerability.htm
 
This link no longer seems to work. It's all 
messages now on your site. Will general stuff like this be available on a static 
link we can refer people to?
Groetjes,
 
Bonno Bloksma Back up my hard drive? How do I put it in 
reverse?