[Declude.Virus] I do not think this should of failed.

2004-07-14 Thread Chuck Schick
A soccer club sent an email regarding the location of soccer practice.
Declude appeared to catch it because of a yahoo map link to the soccer
fields.  It would seem to be a common practice for someone to use a map link
for directions.  Copy of logfile below.

How do we prevent this from happening in the future?   I do not have any
clout with Yahoo so I doubt I could get them to change their nomenclature.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com





07/13/2004 11:22:49 Q1a685ae Scanned: Virus Free [MIME: 1 878]
07/13/2004 11:22:50 Q1a6a5ae MIME file: [text/html][quoted-printable;
Length=7413 Checksum=565729]
07/13/2004 11:22:50 Q1a6a5ae MIME file: mp16_a.gif [base64; Length=195
Checksum=19772]
07/13/2004 11:22:50 Q1a6a5ae MIME file: mp16_b.gif [base64; Length=146
Checksum=17348]
07/13/2004 11:22:50 Q1a6a5ae MIME file: mp22_r.gif [base64; Length=442
Checksum=36673]
07/13/2004 11:22:50 Q1a6a5ae MIME file: mp22_l.gif [base64; Length=408
Checksum=31308]
07/13/2004 11:22:50 Q1a6a5ae Outlook 'Long Filename' Vulnerability
07/13/2004 11:22:50 Q1a6a5ae MIME file:
overviewmap_OVMAPDATA=Ypg91eR32XWTWSco9NwX6snk0KVRpsRh.tpax9mLk [base64;
Length=21737 Checksum=2421076]
07/13/2004 11:22:50 Q1a6a5ae MIME file:
overviewmap_OVMAPData=Ypg91eR32XWTWSco9NwX6snk0KVRpsRh.tpax9mLk [base64;
Length=9059 Checksum=925358]
07/13/2004 11:22:51 Q1a6a5ae File(s) are INFECTED [[Outlook 'Long Filename'
Vulnerability]: 0]
07/13/2004 11:22:51 Q1a6a5ae Scanned: CONTAINS A VIRUS [MIME: 8 42955]
07/13/2004 11:22:51 Q1a6a5ae From: [Email Protected] To: [Email Protected]
[incoming from 208.158.64.2]
07/13/2004 11:22:51 Q1a6a5ae Subject: FW: Training Week of July 12th
07/13/2004 11:22:52 Q1a6b5ae Warning: EOF in middle of MIME segment [] [--=
Multipart Boundary 93821.2]
07/13/2004 11:22:52 Q1a6b5ae WARNING: EOF in multipart processing.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] I do not think this should of failed.

2004-07-14 Thread R. Scott Perry

> A soccer club sent an email regarding the location of soccer practice.
> Declude appeared to catch it because of a yahoo map link to the soccer
> fields.  It would seem to be a common practice for someone to use a map link
> for directions.  Copy of logfile below.
>
> How do we prevent this from happening in the future?   I do not have any
> clout with Yahoo so I doubt I could get them to change their nomenclature.

Unfortunately, filenames longer than 256 characters are very unsafe.  If 
Yahoo chooses to use filenames greater than 256 characters, they need to 
understand that their E-mails are going to be blocked.  It sounds like 
Yahoo just changed their file naming system.

Note that it is fine for them to have a *link* that is longer than 256 
characters, it is only the filename that has the problem.  In this case, 
the filename was 
overviewmap_OVMAPDATA=Ypg91eR32XWTWSco9NwX6snk0KVRpsRh.tpax9mLk followed 
by at least
158 more characters.

In general, if the average person isn't going to be able to type a filename 
without making a typo after a few tries, it shouldn't be used as a filename.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
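
The distinction drawn in the reply above (a long link is fine, a long attachment filename is not), as an added example that is not part of the thread and is not Declude's code: Python's standard `email` package walks the MIME parts and reports declared filenames over the 256-character threshold. The message, addresses, URL and the padded filename are constructed.

```python
from email import message_from_bytes

MAX_FILENAME = 256  # threshold quoted in the reply above

# Constructed sample values; the thread only shows the start of the real name.
SAMPLE_NAME = "overviewmap_OVMAPDATA=" + "A" * 300
SAMPLE_URL = "http://maps.example.invalid/map?q=" + "x" * 300

def build_sample() -> bytes:
    """Constructed message: long link in the body, one long and one short filename."""
    lines = [
        "From: club@example.invalid",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/html",
        "",
        f'<a href="{SAMPLE_URL}">map</a>',
        "--b1",
        "Content-Type: image/gif",
        f'Content-Disposition: inline; filename="{SAMPLE_NAME}"',
        "",
        "R0lGODlh",
        "--b1",
        'Content-Type: image/gif; name="mp16_a.gif"',
        "",
        "R0lGODlh",
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

def long_filename_parts(raw: bytes, limit: int = MAX_FILENAME):
    """Return (content_type, filename_length) for parts whose declared name exceeds limit."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = part.get_filename()
        if name and len(name) > limit:
            hits.append((part.get_content_type(), len(name)))
    return hits
```

The long URL in the HTML part is never reported because only the declared part names are measured, not the body text.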



[Declude.Virus] PIF Not Blocked With Whitelist

2004-07-14 Thread R. Lee Heath
I just had a user on my system send me a PIF file even though
I have

BANEXT  PIF

in my config? He authenticated on whitelist and the file went
right through. This has got to be a bug, right?

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com





Re: [Declude.Virus] I do not think this should of failed.

2004-07-14 Thread Doug Anderson
We have the same problem.

DO NOT USE the email map link on the page

Copy and paste the link/url into an email or email link directly from the
browser to the user. The url contains all the info for creating the map.

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 4:13 PM
Subject: Re: [Declude.Virus] I do not think this should of failed.



> > A soccer club sent an email regarding the location of soccer practice.
> > Declude appeared to catch it because of a yahoo map link to the soccer
> > fields.  It would seem to be a common practice for someone to use a map link
> > for directions.  Copy of logfile below.
> >
> > How do we prevent this from happening in the future?   I do not have any
> > clout with Yahoo so I doubt I could get them to change their nomenclature.
>
> Unfortunately, filenames longer than 256 characters are very unsafe.  If
> Yahoo chooses to use filenames greater than 256 characters, they need to
> understand that their E-mails are going to be blocked.  It sounds like
> Yahoo just changed their file naming system.
>
> Note that it is fine for them to have a *link* that is longer than 256
> characters, it is only the filename that has the problem.  In this case,
> the filename was
> overviewmap_OVMAPDATA=Ypg91eR32XWTWSco9NwX6snk0KVRpsRh.tpax9mLk followed
> by at least
> 158 more characters.
>
> In general, if the average person isn't going to be able to type a filename
> without making a typo after a few tries, it shouldn't be used as a filename.
>
> -Scott


Re: [Declude.Virus] PIF Not Blocked With Whitelist

2004-07-14 Thread R. Scott Perry

> I just had a user on my system send me a PIF file even though
> I have
>
> BANEXT  PIF
>
> in my config? He authenticated on whitelist and the file went
> right through. This has got to be a bug, right?

What does your Declude Virus log file say?  How was the message sent (real 
E-mail, or via web messaging)?  Note that Declude JunkMail code isn't 
called if Declude Virus blocks an E-mail, so a Declude JunkMail whitelist 
won't whitelist the E-mail.

   -Scott


Re[2]: [Declude.Virus] PIF Not Blocked With Whitelist

2004-07-14 Thread R. Lee Heath
Reply to: R. Scott Perry
  Re: [Declude.Virus] PIF Not Blocked With Whitelist on Wednesday 5:45:50 PM

Was sent with web messaging and was infected with Netsky.
Doesn't show up on the virus log.

Here is header:

Received: from rleeheath.com [24.154.165.94] by rleeheath.com with ESMTP
  (SMTPD32-8.12) id ABF0187B02F8; Wed, 14 Jul 2004 15:47:44 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Your software
Date: Wed, 14 Jul 2004 16:36:58 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0010_6C6D.49DD
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: TESTS-FAILED:(weight 0) Whitelisted
X-RBL-Warning: RDNS-ROUTE: 24.154.165.94 - acs-24-154-165-94.zoominternet.net - UNITED 
STATES-destination
X-RBL-Warning: REAL-MAILFROM: [EMAIL PROTECTED]
X-RBL-Warning: REAL-MAILTO: (1) [EMAIL PROTECTED]
X-ActivatorMail: Spam-Weight: 0 - D9bef187b02f87748.SMD arrival: 15:47:51

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -


I just had a user on my system send me a PIF file even though
I have

BANEXT  PIF

in my config? He authenticated on whitelist and the file went
right through. This has got to be a bug, right?

RSP What does your Declude Virus log file say?  How was the message sent (real
RSP E-mail, or via web messaging)?  Note that Declude JunkMail code isn't
RSP called if Declude Virus blocks an E-mail, so a Declude JunkMail whitelist
RSP won't whitelist the E-mail.

RSP -Scott


Re[2]: [Declude.Virus] PIF Not Blocked With Whitelist

2004-07-14 Thread R. Scott Perry

> Was sent with web messaging and was infected with Netsky.
> Doesn't show up on the virus log.

Are you positive there are no Declude Virus log file entries for it 
(searching for 9bef187b02f87748, not including the D or Q at the 
beginning of the spool file name)?  If there are Declude JunkMail headers, 
Declude definitely processed the E-mail -- but there should also definitely 
be at least one Declude Virus log file entry for it.

   -Scott