[Declude.Virus] Unknown virus warnings
Hi all,

Today I can see a large number of non-delivery reports coming back to our server containing the original virus warning (recip.eml).

This is the beginning of our recip.eml file:

===
SKIPIFSENDER [Forged]
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS MyDoom
SKIPIFVIRUSNAMEHAS Netsky
SKIPIFVIRUSNAMEHAS Bagle
SKIPIFVIRUSNAMEHAS Unknown Virus
ONLYSENDIFREMOTESENDER
To: %ALLRECIPS%
From: [EMAIL PROTECTED]
...
===

All returning NDRs are warnings about an Unknown Virus, so I can't understand why they are sent out, because the corresponding SKIPIFVIRUSNAMEHAS line is there, as we haven't changed any content of this file in the last 3 weeks.

NDRs are coming back from all around the world.

Any ideas?

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unknown virus warnings
Hi Markus,

I have no idea, but our server is registering a peak of incoming messages, with above-normal banned cpl extension attachments in virus folder.

---
Franco Celli
[EMAIL PROTECTED]

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 10:32 AM
Subject: [Declude.Virus] Unknown virus warnings

---
[Quipo ISP - This E-mail was scanned for viruses by Declude Virus]
Re[2]: [Declude.Virus] strange sending problem to the same domain
Hi John,

this is the actual forwarding of one eMail of my customer. I guess I have to make a reverse DNS entry, don't you think?

Uwe

Received: from lasthope [217.235.73.14] by irgendwas.de with ESMTP (SMTPD32-6.06) id AF231070262; Fri, 29 Oct 2004 11:36:35 +0200
From: info_irgendwas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: WG: Spezialanfrage
Date: Fri, 29 Oct 2004 11:36:33 +0200
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C4BDAB.8FEFC810
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-RBL-Warning: MAILFROM: Domain irgendwas.de has no MX or A records [0001].
X-Declude-Sender: [EMAIL PROTECTED] [217.235.73.14]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Spam-Tests-Failed: CMDSPACE, MAILFROM, WEIGHT10, WEIGHT20 [20]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Note: This E-mail was sent from pD9EB490E.dip0.t-ipconnect.de ([217.235.73.14]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 373489920
Status: U

JTL> 1. Is the sender authenticating during the SMTP send to the server?
JTL> 2. Log lines for the messages sent please.
JTL> 3. Is the sender using Outlook 2003?
JTL> 4. Headers of the message that came through after changing from DELETE at 20 to WARN.

JTL> John Tolmachoff
JTL> Engineer/Consultant/Owner
JTL> eServices For You

JTL> -----Original Message-----
JTL> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Declude
JTL> Sent: Thursday, October 28, 2004 8:20 AM
JTL> To: [EMAIL PROTECTED]
JTL> Subject: [Declude.Virus] strange sending problem to the same domain
JTL>
JTL> Hi list,
JTL>
JTL> a customer of ours complained today that he couldn't send any eMail from [EMAIL PROTECTED] to [EMAIL PROTECTED]. But he receives eMails to both of the above postboxes from externally.
JTL>
JTL> Today I bypassed Declude. (I deleted eMails over weight 20 I guess, now I only do a WARN) Since then it is working fine for him again.
JTL>
JTL> I tested his domain remotely with no problems. Although he takes Outlook. It seems as if Outlook as a Mailer-SW is causing problems here.
JTL>
JTL> Any ideas?
JTL>
JTL> Uwe

--
Best regards,
Declude mailto:[EMAIL PROTECTED]
Re: [Declude.Virus] Unknown virus warnings
Franco Celli wrote:

> Hi Markus,
>
> I have no idea, but our server is registering a peak of incoming messages, with above-normal banned cpl extension attachments in virus folder.

According to F-secure it's the new Bagle virus:

New Bagle variant, Bagle.AT, has been spotted in several locations. It sends emails with a smiley :) as the message body. Attachment filename starts with Price or Joke and extension is COM, EXE, SCR or CPL.

Erminio

--
Erminio Ballerini
[EMAIL PROTECTED]
http://www.scp.nl
Social and Cultural Planning Office (SCP)
Department of Data Services and Information Technology (IA)
P.O. Box 16164 2500 BD Den Haag
Parnassusplein 5 Den Haag

---
[This E-mail has been scanned for viruses by Declude Virus]
[Declude.Virus] HEADS UP there is something strange out
My F-prot/Mcafee scanners are detecting a huge number of Unknown Viruses this morning.

Looking at the original message headers there are always HELO strings like

Beatrix.net
Arianna.net
Margareth1.org
Margareth1.com

This moment I've received a warning from my own server that I have sent a virus to another local recipient. Looking at the SMTP logfile, the sending IP was not mine.

Even if all eml files (recip, sender_local, sender_remote) contain a line

SKIPIFVIRUSNAMEHAS Unknown Virus

these warnings are still sent out.

I've also tried to add

FORGINGVIRUS Unknown Virus

but the warnings are still sent out.

The same thing is happening also on another Imail/declude server.

What the hell is going on here?

Markus
RE: [Declude.Virus] Unknown virus warnings
Here is one of the messages causing such Unknown virus warnings

==
Received: from CAD22.com [217.199.28.13] by mail.zcom.it (SMTPD32-8.13) id A261113D008C; Fri, 29 Oct 2004 11:50:25 +0200
Date: Fri, 29 Oct 2004 11:53:40 +0100
To: Watschinger [EMAIL PROTECTED]
From: R.p.rustikal [EMAIL PROTECTED]
Subject: Re:
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=gstnxjmuytvkywgecqkl
X-Declude-Sender: [EMAIL PROTECTED] [217.199.28.13]
X-Spam-Tests-Failed: None [0]
X-Country-Chain:
X-Note: Sent from [EMAIL PROTECTED] - ([217.199.28.13]) incoming.
X-Note: Sent to [EMAIL PROTECTED]
X-Declude-Virus: Detected .

--gstnxjmuytvkywgecqkl
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body> :)) <br> </body></html>

--gstnxjmuytvkywgecqkl
Content-Type: application/octet-stream; name=Price.exe
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Price.exe
==

Seems to be a new Bagle variant but this is all very strange.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Franco Celli
Sent: Friday, October 29, 2004 11:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Unknown virus warnings

> Hi Markus,
>
> I have no idea, but our server is registering a peak of incoming messages, with above-normal banned cpl extension attachments in virus folder.
>
> ---
> Franco Celli
> [EMAIL PROTECTED]
RE: [Declude.Virus] Unknown virus warnings
It seems that Declude is not handling this Unknown Virus with this string, even if it is shown in the %VIRUSNAME% variable.

In the mail header for other known viruses I can see

X-Declude-Virus: Detected W32/[EMAIL PROTECTED]

For this new virus coming in with price/joke.com/exe/cpl/scr attachments the same line shows up as

X-Declude-Virus: Detected .

in the message header.

So should we use

SKIPIFVIRUSNAMEHAS

and

FORGINGVIRUS

?

In the meantime I've renamed recip, sender_local and sender_remote.eml to .offline extensions to prevent wrong warnings.

I've also added

BANNAME price.com
BANNAME price.scr
BANNAME price.cpl
BANNAME price.exe
BANNAME joke.com
BANNAME joke.scr
BANNAME joke.cpl
BANNAME joke.exe

to the virus.cfg file, but I'm not sure if this will prevent scanning and warnings of all these messages.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E. Ballerini
Sent: Friday, October 29, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Unknown virus warnings

> According to F-secure it's the new Bagle virus:
>
> New Bagle variant, Bagle.AT, has been spotted in several locations. It sends emails with a smiley :) as the message body. Attachment filename starts with Price or Joke and extension is COM, EXE, SCR or CPL.
>
> Erminio
Re: [Declude.Virus] Unknown virus warnings
F-PROT updated (29/10) definitions detects them as Bagle.AP.

---
Franco Celli
[EMAIL PROTECTED]
Re: [Declude.Virus] Unknown virus warnings
A new update (the second as of 29/10) is available for F-PROT. With the first one, some samples remain undetected, blocked only by BANEXT.

---
Franco Celli
[EMAIL PROTECTED]
RE: [Declude.Virus] Unknown virus warnings
Now the F-prot update has also arrived here. Catching it as Bagle.AP from 12:30 GMT+1 on.

Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on.

But I still can't understand what happened with the Unknown virus string...?

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Franco Celli
Sent: Friday, October 29, 2004 12:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Unknown virus warnings

> F-PROT updated (29/10) definitions detects them as Bagle.AP.
>
> ---
> Franco Celli
> [EMAIL PROTECTED]
RE: [Declude.Virus] Unknown virus warnings
> Now the F-prot update has also arrived here. Catching it as Bagle.AP from 12:30 GMT+1 on.
>
> Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on.
>
> But I still can't understand what happened with the Unknown virus string...?

The problem is that F-Prot was detecting it as a suspicious file (VIRUSCODE 8), but not reporting the virus name in the report.txt file (since it did not detect a virus, it can't know the name of it). As a result, the name of the virus was left blank, but Declude Virus would show Unknown Virus wherever you wanted to display the virus name (such as in virus notifications). But for the SKIPIFVIRUSNAMEHAS option, it was just seeing a blank string, so it was not seeing Unknown Virus.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
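The mismatch Scott describes above, as an added example that is not part of the thread and is not Declude's code: a small model in which the notification shows a placeholder name while the skip rule is compared against the scanner's raw, blank name. The function names and the case-insensitive substring matching are assumptions made for illustration; the directive lines are the ones quoted from recip.eml earlier in the thread.

```python
# Hypothetical model of the behaviour described in the thread. It is not
# Declude's implementation; matching semantics are assumed to be a
# case-insensitive substring test.

PLACEHOLDER = "Unknown Virus"  # shown when the scanner reports no name

# Constructed sample: directive lines as quoted from recip.eml in this thread.
RECIP_EML = """\
SKIPIFSENDER [Forged]
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS MyDoom
SKIPIFVIRUSNAMEHAS Netsky
SKIPIFVIRUSNAMEHAS Bagle
SKIPIFVIRUSNAMEHAS Unknown Virus
ONLYSENDIFREMOTESENDER
To: %ALLRECIPS%
"""

# Constructed scanner results: one named detection, and one "suspicious file"
# hit (the VIRUSCODE 8 case) where the report carries no virus name.
SAMPLE_RAW_NAMES = ["Bagle.AP", ""]


def skip_patterns(template):
    """Collect the arguments of every SKIPIFVIRUSNAMEHAS line."""
    patterns = []
    for line in template.splitlines():
        keyword, _, arg = line.strip().partition(" ")
        if keyword.upper() == "SKIPIFVIRUSNAMEHAS" and arg.strip():
            patterns.append(arg.strip().lower())
    return patterns


def display_name(raw_name):
    """Name used in notifications: blank becomes the placeholder."""
    return raw_name.strip() or PLACEHOLDER


def should_skip_raw(raw_name, patterns):
    """Behaviour described in the thread: the rule sees the raw name,
    so a blank name can never match 'Unknown Virus'."""
    name = raw_name.lower()
    return any(p in name for p in patterns)


def should_skip_normalized(raw_name, patterns):
    """Alternative: match against the same value that gets displayed."""
    name = display_name(raw_name).lower()
    return any(p in name for p in patterns)


def notify_decisions(raw_names, matcher, template=RECIP_EML):
    """Return (name shown to the recipient, notification sent?) per result."""
    patterns = skip_patterns(template)
    return [(display_name(n), not matcher(n, patterns)) for n in raw_names]


if __name__ == "__main__":
    for label, matcher in (("raw", should_skip_raw),
                           ("normalized", should_skip_normalized)):
        for shown, sent in notify_decisions(SAMPLE_RAW_NAMES, matcher):
            print(f"{label:10} name shown={shown!r:16} notification sent={sent}")
```

With raw matching, the unnamed detection still produces a notification labelled "Unknown Virus" even though the template lists that exact string; matching on the displayed value suppresses it.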
Re: [Declude.Virus] HEADS UP there is something strange out
Symantec has 3 new Bagle variants listed at www.sarc.com this morning...

Thanks for the Heads Up

Don

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 4:30 AM
Subject: [Declude.Virus] HEADS UP there is something strange out

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] Unknown virus warnings
Just a couple of thoughts... Maybe there is a limitation with strings that involve a space? Alternatively, maybe there was no name reported by the scanner, and this was just simply the value that Declude logged.

Matt

Markus Gufler wrote:

> Now the F-prot update has also arrived here. Catching it as Bagle.AP from 12:30 GMT+1 on.
>
> Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on.
>
> But I still can't understand what happened with the "Unknown virus" string...?
>
> Markus

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] Unknown virus warnings
Just a note, the second update of F-PROT still does not detect all joke.* and price.*

sign.def and sign2.def both with 10/29/2004 9.59 timestamp

waiting for another update next few hours!?

---
Franco Celli
[EMAIL PROTECTED]
Re: [Declude.Virus] strange sending problem to the same domain
I took note that you are using IMail 6.06. Unless you can whitelist your users by way of their IP addresses you should disable the CMDSPACE test, or at least reduce its weight. I see this one came from T-Online and probably can't be whitelisted. Microsoft Outlook clients will fail CMDSPACE unless they are whitelisted. With IMail 8.x, you can configure Declude for WHITELIST AUTH which will automatically whitelist clients that authenticate. There are no such options in IMail 6.x.

The MAILFROM test suggests, and my own DNS query confirms, that your sender's domain has neither an MX nor an A record. Adding one of these will keep that test from failing.

Matt
RE: [Declude.Virus] Unknown virus warnings
> Thanks for the clarification. Is there anything we can do against this or would it be possible to have some fix for future releases? Something like SKIPIF... ISBLANK

I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe.

-Scott
RE: [Declude.Virus] Unknown virus warnings
> I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe.

I believe it would be useful for all users of F-Prot with returncode 8 enabled, to avoid future unnecessary warnings being sent out if F-Prot is fast at catching but not exact at naming new virus variants.

Now after renaming all .offline files back to .eml there are again some NDRs. As Franco already reported, it seems that F-Prot up to now is not catching 100% of Bagle.AP. So I've not removed the BANNAMEs from my config file and kept the bannotify.eml file .offline.

Comparing scan results in the vir logfile I can see that F-Prot up to now is catching only around 50% of what Mcafee is catching regarding Bagle.AP (or in Mcafee terms Bagle.bb). I'm not sure if Mcafee is catching all Bagle.bb's.

Markus
Re: [Declude.Virus] Unknown virus warnings
Markus, a third update now seems to detect ALL bagle variants.

---
Franco Celli
[EMAIL PROTECTED]

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 2:34 PM
Subject: RE: [Declude.Virus] Unknown virus warnings

> Now after renaming all .offline files back to .eml there are again some NDRs. As Franco already reported, it seems that F-Prot up to now is not catching 100% of Bagle.AP. So I've not removed the BANNAMEs from my config file and kept the bannotify.eml file .offline.
Re: [Declude.Virus] Unknown virus warnings
Hi,

> > I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe.
>
> I believe it would be useful for all users of F-Prot with returncode 8 enabled, to avoid future unnecessary warnings being sent out if F-Prot is fast at catching but not exact at naming new virus variants.

I have not activated returncode 8 for F-prot in Declude yet because I wasn't sure if we would get too many false positives. Has anyone, or maybe f-prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many?

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
[Declude.Virus] Feature request
Different actions for different attached file extensions

So I can delete PIF, SCR, CPL without review. (I have to review EXEs)

Or is this possible now?

Cris

---
[This E-mail scanned for viruses courtesy of Netslyder, Inc.(http://www.netslyder.net)]
Re: [Declude.Virus] Feature request
> Different actions for different attached file extensions
>
> So I can delete PIF, SCR, CPL without review. (I have to review EXEs)
>
> Or is this possible now?

There isn't any way to do that now, but that is something that we will look into.

-Scott
RE: [Declude.Virus] Unknown virus warnings
> I have not activated returncode 8 for F-Prot in Declude yet because I wasn't sure if we would get too many false positives. Has anyone, or maybe F-Prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many?

Bonno,

I don't know how many false positives it would produce, but I have never heard any customer complaining about it. Until this morning there were not more than 2 or 3 Unknown Virus warnings per day with 13000 processed messages/day.

But in this case - if I have understood it right - it was very useful to have viruscode 8 enabled. I saw the first Unknown virus message this morning at 09:30 AM. F-Prot had updates ready 3 hours later. In the meantime there was an average of 10 Bagle.AP infected messages per minute - caught only with viruscode 8.

Until I discovered what was going on here (the unknown virus story) and adapted the virus.cfg file with appropriate BANNAMEs, there was a large number of messages that would have been delivered without this setting.

Imagine that the breakout happened at 09:30 GMT+1, so I was already at work. People in American time zones were at work when the AV companies had updates, but mail servers also deliver messages overnight...

Markus
RE: [Declude.Virus] Unknown virus warnings
I have been using Viruscode 8 for more than 6 months and have not received even 1 false positive, but my users are not a very large group and they most likely do not send a lot of attachments via email. I have taught them how to transfer files actually via ftp.

DC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, October 29, 2004 11:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Unknown virus warnings

> I have not activated returncode 8 for F-Prot in Declude yet because I wasn't sure if we would get too many false positives. Has anyone, or maybe F-Prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many?

Bonno,

I don't know how many false positives it would produce, but I have never heard any customer complaining about it. Until this morning there were not more than 2 or 3 Unknown Virus warnings per day with 13000 processed messages/day.

But in this case - if I have understood it right - it was very useful to have viruscode 8 enabled. I saw the first Unknown virus message this morning at 09:30 AM. F-Prot had updates ready 3 hours later. In the meantime there was an average of 10 Bagle.AP infected messages per minute - caught only with viruscode 8.

Until I discovered what was going on here (the unknown virus story) and adapted the virus.cfg file with appropriate BANNAMEs, there was a large number of messages that would have been delivered without this setting.

Imagine that the breakout happened at 09:30 GMT+1, so I was already at work. People in American time zones were at work when the AV companies had updates, but mail servers also deliver messages overnight...

Markus
[Declude.Virus] Possibly a new variant of JS/ virus in [HTML segment]
In addition to what others have been reporting here, I am also seeing F-Prot reporting these today:

Declude Antivirus v1.81 caught the Possibly a new variant of JS/ virus in [HTML segment]

They are coming in with subjects like:

Subject:DM Direct Newsletter: October 29, 2004
Subject:Weekly Challenge: Comp Time
Subject:Amazing deals on Jewelry, Diamonds and more - Bid Now

However, ClamAV, McAfee, and TrendMicro are not tagging any of these messages. Anyone else seeing any of these today?

Bill
Re: [Declude.Virus] Possibly a new variant of JS/ virus in [HTML segment]
Yep...we started seeing these this morning.

Darin.

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 12:04 PM
Subject: [Declude.Virus] Possibly a new variant of JS/ virus in [HTML segment]

In addition to what others have been reporting here, I am also seeing F-Prot reporting these today:

Declude Antivirus v1.81 caught the Possibly a new variant of JS/ virus in [HTML segment]

They are coming in with subjects like:

Subject:DM Direct Newsletter: October 29, 2004
Subject:Weekly Challenge: Comp Time
Subject:Amazing deals on Jewelry, Diamonds and more - Bid Now

However, ClamAV, McAfee, and TrendMicro are not tagging any of these messages. Anyone else seeing any of these today?

Bill
[Declude.Virus] MAILBOX spam
When using the MAILBOX action for test failures, we have noticed that forward or alias addresses do not get sent to the spam folder but actually get delivered to the main inbox. Do we have something configured wrong, or is there a way to fix this, or are we stuck with it?

Sheldon
Re: [Declude.Virus] Unknown virus warnings
> I have not activated returncode 8 for F-Prot in Declude yet because I wasn't sure if we would get too many false positives. Has anyone, or maybe F-Prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many?

I have had virus code 8 enabled for quite a while, I don't recall any false positives and I didn't have a problem with the latest Bagle garbage. Better safe than sorry if you ask me.

Rick Davidson
National Systems Manager
North American Title Group
Re: [Declude.Virus] MAILBOX spam
> When using the MAILBOX action for test failures, we have noticed that forward or alias addresses do not get sent to the spam folder but actually get delivered to the main inbox. Do we have something configured wrong, or is there a way to fix this, or are we stuck with it?

That's just how IMail works. If an E-mail is sent to a user account, the action is taken for that user account. If the E-mail is received by the account (meaning that the HOLD, DELETE, ROUTETO, etc. actions aren't used), then the E-mail will be forwarded as-is. IMail will not re-scan the E-mail if the forwarded account is on the IMail server.

For an alias, though, the E-mail address that it points to will use the MAILBOX action (unless the E-mail address isn't on the IMail server, since the MAILBOX action is IMail-specific).

-Scott
[Declude.Virus] Declude for Exchange?
I seem to recall someone on this list mentioning something about an upcoming Declude version for Exchange? Any truth to this rumor?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re: [Declude.Virus] Declude for Exchange?
It's Friday afternoon and I've cleared out my 1000 messages from the Imail Forum, so I can't resist...

Isn't Declude for Exchange part of the soon-to-be-announced Declude Collaboration Suite (DCS)? ;) or is it :( ?

----- Original Message -----
From: Jim Matuska
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 3:30 PM
Subject: [Declude.Virus] Declude for Exchange?

I seem to recall someone on this list mentioning something about an upcoming Declude version for Exchange? Any truth to this rumor?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re: [Declude.Virus] Declude for Exchange?
I like the ring of Declude Collaboration Suite. Sounds like a winner to me.

----- Original Message -----
From: Scott Fisher
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 1:57 PM
Subject: Re: [Declude.Virus] Declude for Exchange?

It's Friday afternoon and I've cleared out my 1000 messages from the Imail Forum, so I can't resist...

Isn't Declude for Exchange part of the soon-to-be-announced Declude Collaboration Suite (DCS)? ;) or is it :( ?
RE: [Declude.Virus] Declude for Exchange?
Yeah, yeah. Bundle it with Sniffer and quintuple the cost.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Friday, October 29, 2004 5:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Declude for Exchange?

I like the ring of Declude Collaboration Suite. Sounds like a winner to me.