RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus
>Strange, I have not had any problems with that interim release. What I have
>noticed is that all of the 1.76i* releases have a problem with creating
>Eicar files in the directory that you run declude -diag in, except the IMail
>directory. For example, if I run three times at the root "C" prompt:

If you don't have a gateway and don't use ipbypass in Declude JunkMail you probably wouldn't have the problem.

I don't have that problem with the Eicar files when I run declude -diag in any directory.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

---
[This E-mail was scanned for viruses by the Santa Cruz BBS anti-virus system]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.

RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus
>You are correct -- there is a new interim release v1.76i4 at the same URL
>that fixes this.

Thanks Scott, now it's working.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

RE: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus
>>The same thing is happening here.
>>I have the folder HOLD2 full of messages, most of them are actually infected
>>with Swen.A virus, few are legitimate (sent after the IP was blocked by
>>hijack).
>We've made a change to the code for interim release v1.76i3 (at
>http://www.declude.com/release/176i/declude.exe ) that should take care of
>this issue.

Scott,

That interim version is seriously broken, none of the Declude JunkMail tests are executed, all messages have 0 as weight, no logs are generated... I have to go back to 1.76i2.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

RE: [Declude.Virus] Is Declude Hijack run before Declude Virus
It shows that I'm running 1.76i1 but still I've found today messages on hold with suspicious double extension attachments like .xls.pif. Also pif is in my list of banned extensions.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, September 23, 2003 9:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Is Declude Hijack run before Declude Virus

>Is there anyway to invert the order, make Declude Virus to run before
>Hijack? I would like that to happen because of the banned extensions
>too.

If you are running the latest version (1.75 or later; you can type "\Imail\Declude -diag" from a command prompt to see which version you are running), Declude Virus will run before Declude Hijack.

-Scott

RE: [Declude.Virus] Is Declude Hijack run before Declude Virus
John,

I'm still using the default Hijack hold levels, they seem OK for our case. Since I started using it (5 days ago) I've seen 3-5 hold cases, usually from users sending chain letters, missioner's pray letters, e-mails to group of friends, relatives, etc. I'm whitelisting those that have a real need to send larger volumes of e-mails. If you have any tips to improve this please let me know.

In any case I strongly think that Declude Virus should handle the message before Hijack to avoid holding any messages with viruses or banned extensions. Don't you agree?

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, September 23, 2003 9:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Is Declude Hijack run before Declude Virus

First, I hope you are dealing with whatever situation that put the messages into the hold folders in the first place.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

[Declude.Virus] Is Declude Hijack run before Declude Virus
I've seen several messages in Hijack's hold directories that seem to be infected messages, some have attached files with double extensions like xls.pif.

I'm worried because sometimes I've to move back to the queue some false positives and as I've seen that once I do it Declude won't see those messages anymore, I could end releasing some messages with viruses.

Is there anyway to invert the order, make Declude Virus to run before Hijack? I would like that to happen because of the banned extensions too.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

RE: [Declude.Virus] SoBig.F
Hello Andy,

>I used McAfee and it started blocking it since 8:31 EDT (I pull in their
>daily updates hourly).

How do you pull the updates hourly? I use the Instant Updater but it looks that it does the updates just once per day.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

RE: [Declude.Virus] Vulnerabilities explained
Hello Markus,

Thank you for your contribution.

I'm releasing the hold messages using a program alias in IMail, so the recipients could just send an email to the alias address to unblock the email. Following is the little cmd script, as you can see it uses some of the GNU tools for Win32 that you could find at http://unxutils.sourceforge.net/

I found it very useful in cases that the end user has access to email but not the web.

I know that it should have been better to write it in VB script, Perl or other language, but I don't have skills in those and besides it's working quite well as a batch file. :-)

As you have discovered when multiple recipients are in place, if one of them sends the request, the message is released for all of them. In my opinion I consider it as a minor glitch.

From now on all my vulnerabilities hold notifications will have both options, send an email to our program alias and the link to your asp code.

Where are you from? I'm in Bolivia - South America.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

<<< unblock_email.cmd >>>
@echo off
setlocal

rem Paths
set holdpath=d:\imail\spool\virus
set spoolpath=d:\imail\spool
set imailpath=c:\imail

rem The following lines get the sender's address to send the confirmation
rem if the message has several from: it uses the one that is at the top (headers)
grep -i "from:" %1|gawk "{for (i=2;i" -f 1 >%1.1
for /f %%i in (%1.1) do set sender=%%i

rem The following lines get the message's subject that is where the sender should send the spool name
grep -i "subject:" %1|gawk "{print NR,$0}"|grep "1 "|cut -d ":" -f 2->%1.1
for /f "delims=" %%i in (%1.1) do set subject=%%i

rem The following lines get just the spool name without the leading D, needed to process the D* and the Q* files
rem it also gets rid of any * or ? that a malicious user could have included (Does your ASP code has provision for that?)
grep -i ".smd" %1.1|cut -d "D" -f 2-|grep -v "*"|grep -v "?">%1
for /f %%i in (%1) do set message=%%i

rem Deletes the file passed by IMail and the work file
del %1
del %1.1

rem If the Subject doesn't have a valid spool name or if any of the files doesn't exist go to the error label
if "%message%"=="" goto error
if not exist %holdpath%\D%message% goto error
if not exist %holdpath%\Q%message% goto error

rem Move the files back to the queue
move /Y %holdpath%\D%message% %spoolpath%
move /Y %holdpath%\Q%message% %spoolpath%

rem Send success confirmation. In unblock_email_success.txt write an small text confirming the unblock.
%imailpath%\imail1 -f %imailpath%\unblock_email_success.txt -s "E-mail unblocked:%subject%" -t "%sender%" -u [EMAIL PROTECTED]
goto end

:error
rem Send failure message. In unblock_email_error.txt write a text explaining what mistakes the user could have done
%imailpath%\imail1 -f %imailpath%\unblock_email_error.txt -s "Error while unblocking E-mail:%subject%" -t "%sender%" -u [EMAIL PROTECTED]

:end
endlocal
<<< End >>>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, March 05, 2003 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Vulnerabilities explained

BTW: I've attached to this mail a short ASP-Script that requeues a spoolfile from the virus folder.

Simply set a link in your vulnerability.eml file to http://www.yourdomain.com/requeue.asp?id=%QUEUENAME%

The recipient of the vuln.warning can simply click on this link to requeue the hold message.

Note: the anonymous user of this web (IIS) must have read/write access to declude virus and Imail spoolfolder.

Markus

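Added example, not code from either poster or from Declude/IMail: both release paths in this message (the Subject-driven cmd script and the `requeue.asp?id=` link) turn a user-supplied spool name into a file path, so this sketch accepts the name only through an allowlist pattern and confirms the D/Q pair sits directly in the hold directory before moving it. The `D<id>.smd` pattern, the function names and the temporary directory layout are assumptions made for the illustration.

```python
import re
import shutil
import tempfile
from email import message_from_string
from pathlib import Path

# Assumption: a held message is the pair D<id>.smd / Q<id>.smd and <id> holds
# only letters and digits; tighten the pattern to the names your server uses.
SPOOL_RE = re.compile(r"\bD([0-9A-Za-z]{1,32}\.smd)\b", re.IGNORECASE)


def spool_id_from_message(raw_message):
    """Return '<id>.smd' taken from the first Subject header, else None."""
    subject = message_from_string(raw_message).get("Subject", "")
    # Only characters matched by the capture group can reach the file system,
    # so wildcards, separators and shell metacharacters never get through.
    match = SPOOL_RE.search(subject)
    return match.group(1) if match else None


def release(hold_dir, spool_dir, spool_id):
    """Move the D/Q pair from hold_dir to spool_dir; True when both moved."""
    hold = Path(hold_dir).resolve()
    pair = [hold / (prefix + spool_id) for prefix in ("D", "Q")]
    # Both files must exist directly inside the hold directory.
    if any(p.resolve().parent != hold or not p.is_file() for p in pair):
        return False
    for p in pair:
        shutil.move(str(p), str(Path(spool_dir) / p.name))
    return True


def demo():
    """Constructed requests run against a temporary hold/spool layout."""
    subjects = ["Re: D0a1b2c3d.smd", "D*.smd", "D?a1b2c3d.smd", "Dsub\\0a1b2c3d.smd"]
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp, "spool")
        hold = spool / "virus"
        hold.mkdir(parents=True)
        for name in ("D0a1b2c3d.smd", "Q0a1b2c3d.smd"):
            (hold / name).write_text("constructed sample\n")
        ids = [spool_id_from_message("Subject: %s\n\nrelease\n" % s) for s in subjects]
        first = release(hold, spool, ids[0])
        again = release(hold, spool, ids[0])  # pair already moved: refused
        queued = sorted(p.name for p in spool.iterdir() if p.is_file())
    return ids, first, again, queued


if __name__ == "__main__":
    print(demo())
```

The same pattern check applies to a query-string `id` before it is joined to the hold path.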
MISSING_REVERSE_DNS:Re: Re[2]: [Declude.Virus] not storing viruses
I would like to have that option too.

Adolfo Justiniano
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

----- Original Message -----
From: "David Dodell" <[EMAIL PROTECTED]>
To: "R. Scott Perry" <[EMAIL PROTECTED]>
Sent: Saturday, October 06, 2001 11:24 AM
Subject: Re[2]: [Declude.Virus] not storing viruses

> Saturday, October 06, 2001, 8:10:04 AM, you wrote:
>
> > There is no way to have Declude automatically delete them. That's mainly a
> > safety feature, in case of problems with the virus scanner (if it starts
> > reporting that all files have viruses, for example).
>
> Would you consider adding a "switch" for the config file to do this in
> the next version if others here think there is a need?
>
> David

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .