RE: [Declude.Virus] BSOD and IMail-Server reboot

2004-06-13 Thread Douglas Cohn
I was simply replying to a gentleman's post John.

Read the thread.

HE asked if I found out whether Declude was the CAUSE of the problem or I
switched to another AV product.

  Did you (or someone else) find a solution in the meantime, or did you
  just switch to another AV?

I said it was NOT Declude.  Hence my post.

He specifically mentioned Peter Verzoni.  I worked on that specific system.
Again my reply.

There was no need for further banter.  He wanted to know if it was resolved.


I agree Imail does not cooperate well with Intel NICs at extreme traffic.
Your answer was GET A SERVER NIC.  That is not the solution.  The solution
is Imail should fix their bug or use a NON intel NIC.  Better yet you must
use 3Com Nics to be sure since that seems to be all Imail tests.  A NIC that
we have found is prone to many other issues and is no longer the market
leader.  Back in 98-99 when Imail started it was and we all used them. No
longer true today as Dell, HP and most white box servers use Intel NICs.

But all that is irrelevant.  The only issue I complained about was you were
rude.  Don't accept it, fine.  But enjoy the world you create with responses
like that.  You must live with it, we must only read your posts.  Deny Deny
Deny .. Be like Bush...

To everyone else  Again I apologize and promise I stop here no matter what
the response (snappy or otherwise G)...  Except Declude related...

Regards


Doug


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Saturday, June 12, 2004 6:05 PM
To: [EMAIL PROTECTED]
Subject: FW: [Declude.Virus] BSOD and IMail-Server reboot

Just realized this was originally posted on the Declude virus list, even
though it has nothing to do with Declude Virus, and the person should have
posted on the Imail list, since it is an Imail issue and a search of the
Imail list archives shows this has been discussed many times.

 The imail forum has not one post regarding an INTEL SERVER Board and 
 on board NICs.  I recall some conversations about desktop boards but 
 none regarding SERVER BOARDs.

 I do not remember whether the board was a Server board or workstation board
being part of the discussion on past problems. It was the Intel OB NIC that
was discussed, and a search of the Imail archives shows 269 hits for Intel
OB NIC.

 Furthermore what logic would you as a Networking Professional give to 
 an SMTP server running on the same platform and pushing sustained 
 traffic of three times that of the IMAIL server yet never causing any 
 issues and certainly not creating a BSOD.  This is something I am very 
 interested in hearing.

I am not an Ipswitch technician, so I have no idea of why this occurs, I
just know from many others posting such that it does!

 I have been building systems and maintaining data centers now for 16 years.

Goody for you. Now back to the issue at hand.

 I have brought this exact issue to Intel's and Microsoft's attention 
 and neither see any reason for the NIC to be the root cause of the issue.
 
 Microsoft has read the BSOD dumps and reports IMAIL as the culprit.

Then take the next step and share that information with Ipswitch. From all
the posts about Intel OB NICs and Imail over the years, it is my opinion
there is a real problem with Imail and Intel OB NICs. To date, most have
fixed the problem by using a server grade 3Com NIC and disabling the Intel
OB NIC. If you have the time and resources to further pursue this issue with
Ipswitch, many Imail admins will thank you.

 This type of comment from you has little to no value.  You act like you are
 participating in a forum but clearly you are using the forum simply for your
 own end.

Sure it does. Just because you do not like the work around, and would rather
spend time on finding the cause of the problem in hopes that Ipswitch will
finally fix it, does not mean that my advice has no value. 

BTW, how does my posting advice on a subject that comes up again and again
over time equal my using the forum for my own end?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, June 11, 2004 3:11 PM
 Subject: RE: [Declude.Virus] BSOD and IMail-Server reboot
 
 
 There has been much discussion concerning Intel OB NICs and Imail.
 
 Search the archives.
 
 Bottom line, get a solid Server designated NIC.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Douglas Cohn
  Sent: Friday, June 11, 2004 11:32 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] BSOD and IMail-Server reboot
 
  This problem has not gone away.  It occurs with very high traffic only and
  is not related to declude.  That is we tested it without declude and it
  still Blue Screens when there is extremely

Re[2]: [Declude.Virus] BSOD and IMail-Server reboot

2004-06-13 Thread Uwe Degenhardt
Thanks Doug and John
and all the others for your input.
As far as I know, we don't have an Intel NIC at all.
I think we use a Real-Tek NIC for our IMail-Server.
But I will find this out.

Uwe


RE: [Declude.Virus] Getting hammered by W32.Netsky.P@mm!enc

2004-06-13 Thread Alan Walters
Jeff and Matt,

Thanks for the advice, however I'm already blocking certain attachments (via
BANEXT).  Also, these particular attachments aren't encrypted archives (I'm
blocking those too via BANEXT EZIP / BANEZIPEXTS ON).  In this case the
virus itself appears to be Base64 encrypted.

I was kinda hoping this was something that can be addressed in Declude,
otherwise my faith in McAfee has been greatly shaken.  Symantec has been
detecting [EMAIL PROTECTED] since May 5th, and does so once the infected
email makes it onto the desktop.  However the McAfee Command Line Scanner lets
it slip right past.

Since Symantec obviously catches it, it's too bad they won't allow their
Command Line Scanner to work with Declude!

Alan Walters
Director of I.T.
Royce Medical


 From: Jeff Maze [EMAIL PROTECTED]
 Begin using the banned extension option with Declude (see virus.cfg).
 Then any attachment with a .SCR or whatever is blocked at the server level
 and the user doesn't see it.

 From: Matt [EMAIL PROTECTED]
 It's important to specify in this instance that in order to detect
 encrypted archives (ZIP's or RAR's) one needs to be using the most
 recent interim release, 1.79i9 and you can't be running Declude Virus
 Lite (Scott would also mention having a current support contract).


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Getting hammered by W32.Netsky.P@mm!enc

2004-06-13 Thread R. Scott Perry

 Thanks for the advice, however I'm already blocking certain attachments (via
 BANEXT).  Also, these particular attachments aren't encrypted archives (I'm
 blocking those too via BANEXT EZIP / BANEZIPEXTS ON).  In this case the
 virus itself appears to be Base64 encrypted.

The virus is listed as [EMAIL PROTECTED], where the enc does not mean 
that it was an encrypted file, but instead means that Symantec thinks that 
it detected E-mail headers that were generated by the virus (don't ask me 
why they use enc to mean this, right at the time when viruses started 
using encrypted files to spread, so people assume that the enc means 
encrypted).

In the cases you included, it appears that the virus is getting sent from 
Person A to Person B, and bouncing to Person C (the only one that is a 
customer of yours).  The bounce message either doesn't include the virus, 
or perhaps includes part of it, but not enough to be useable.  However, 
Symantec sees the headers from the original E-mail with the virus, and says 
that it has detected the virus (even though the virus isn't there).

So this is a case where Symantec is detecting corrupt, non-viable variants 
of viruses, which most virus scanners do not detect (since they are harmless).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] Getting hammered by W32.Netsky.P@mm!enc

2004-06-13 Thread Alan Walters
Hi Scott,

Thanks for that clarification.  That gives me some slight relief that McAfee
isn't completely falling down.

However, that brings to mind a different question.  If Symantec thinks that
it's detecting E-mail headers generated by the virus and triggering on them,
then how come when I extract just the attachment from the email and rename
it website_2725.uue (so WinZip can understand it), then attempt to open
the file with WinZip, Symantec still insists the Netsky virus is hiding
inside - even though there are no email headers present?

IOW, I'm not totally convinced the virus is non-viable.  My non-expert guess
would be the virus is hiding inside the Base64 encoded zip archive?  In
fact, if I go ahead and extract the Unknown.001 file (from
website_2725.uue) using WinZip and rename it website_2725.zip, then
McAfee finally claims it sees Netsky present too.

I've sent the Inbox, the .uue file, and the .zip file to the virus trap for
your perusal...

Alan Walters
Director of I.T.
Royce Medical
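
Added example, not part of the original thread: a triage sketch for the question raised in the two messages above, namely whether a bounce still carries a complete archive or only a fragment of one. It walks every MIME part (including an original message nested as message/rfc822), undoes the Base64 transfer encoding, and judges the decoded bytes by content. The sample bounce, the file name `sample.dat` and all function names are constructed for illustration, and it assumes the bounce keeps the original's MIME structure intact.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def classify(data: bytes) -> str:
    """Judge a decoded attachment by content, not by its file name."""
    if not data.startswith(b"PK\x03\x04"):      # ZIP local-file-header magic
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "complete-zip" if zf.testzip() is None else "corrupt-zip"
    except zipfile.BadZipFile:                   # no end-of-central-directory record
        return "truncated-zip"

def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every non-text leaf part, including
    parts of an original message nested inside a bounce (message/rfc822)."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():                      # walk() descends into message/rfc822
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        data = part.get_payload(decode=True) or b""   # undoes Base64 transfer encoding
        found.append((part.get_filename(), classify(data)))
    return found

def make_bounce(attachment: bytes) -> bytes:
    """Constructed sample: a bounce that carries the original message."""
    original = EmailMessage()
    original["Subject"] = "constructed original"
    original.set_content("see attachment")
    original.add_attachment(attachment, maintype="application",
                            subtype="octet-stream", filename="sample.dat")
    bounce = EmailMessage()
    bounce["Subject"] = "Undeliverable: constructed original"
    bounce.set_content("Delivery to the recipient failed.")
    bounce.add_attachment(original)              # becomes a message/rfc822 part
    return bounce.as_bytes()

def harmless_zip() -> bytes:
    """Constructed, harmless archive used as the sample attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed harmless payload\n" * 20)
    return buf.getvalue()

if __name__ == "__main__":
    whole = harmless_zip()
    print(scan_message(make_bounce(whole)))
    print(scan_message(make_bounce(whole[: len(whole) // 2])))
```

A "truncated-zip" verdict means the part begins like an archive but cannot be opened as one; a "complete-zip" verdict means the bounce delivered a whole archive and should be treated like any other attachment.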

