Re: [Declude.Virus] Do you use the Declude email notification templates?
Hi,

After my upgrade to IMail 11.x on a new server the IMail1.exe file is no longer present. As far as I know that is what Declude uses to send the e-mails, and if so then that is the reason I no longer get them even though I have my old templates still present.

My templates are only to inform me as the postmaster of the receiving domain when something happens that could very well be a false positive. That is usually the case with filtering on vulnerabilities. For those I have templates to inform me. All other attempts to inform someone will either warn a falsified sender address or a recipient who cannot do something about it, as the mail is then held on the server in a directory where only the postmaster has access.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: IMail Admin
To: Declude.Virus@declude.com
Sent: Friday, May 20, 2011 7:15 PM
Subject: [Declude.Virus] Do you use the Declude email notification templates?

I've just always left these templates in place (the .eml files) that cause various notifications to be sent out. However, in recent years I've received complaints that these notifications are unnecessary or a nuisance. I was curious if anyone else bothered with these, or if you deleted them all, or if you kept just some? Any recommendations?

Thanks,
Ben

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
Hi David,

A while ago I was told these can be deleted almost immediately, but the running DecludeProc service has them locked, so it will be needed to stop DecludeProc, remove the temp files and then start DecludeProc. As part of my nightly routine I have now:

--quote---
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
REM Temp locations that are not held open by DecludeProc
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
REM The CommTouch cache and work files are locked while the service runs
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Thursday, March 18, 2010 4:44 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

These are cached CT files. I will find out when they can be deleted and get back to you.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi,

That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be before I can safely delete them?

Best Regards,
Andy
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
Hi Andy,

What tool are you using to specify x days old when deleting? Or are you already using PowerShell?

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Friday, March 19, 2010 3:15 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Friday, March 19, 2010 2:27 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi David,

A while ago I was told these can be deleted almost immediately, but the running DecludeProc service has them locked, so it will be needed to stop DecludeProc, remove the temp files and then start DecludeProc.
Re: [Declude.Virus] Per user setting
Hi,

Let me add myself to the wishlist requesters. As postmaster/helpdesk I sometimes want to send out mail to Declude about a virus detection, or I want to send an exe file to someone, or... Currently I get bitten by my own mailserver refusing to send it because of my antivirus rules. :-(

The only option I have is to mangle the attachment name in such a way that Declude will leave it alone, hoping the receiver is smart enough to do what I want them to do but never to do it when someone else asks them to do something like that. ;-)

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Monday, December 21, 2009 8:21 PM
Subject: RE: [Declude.Virus] Per user setting

Hi John,

There are no per-user settings for virus other than on or off or allow vulnerabilities. We can look at adding the new functionality to our development wish list.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of John T
Sent: Monday, December 21, 2009 11:22 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Per user setting

Any ideas?

John T
eServices For You

-Original Message-
From: John T johnl...@eservicesforyou.com
Sent 12/11/2009 11:59:05 AM
To: declude.virus declude.virus@declude.com
Subject: [Declude.Virus] Per user setting

Is there a way possible to allow, on a per user basis, outgoing banned extensions WITHOUT disabling outgoing virus scanning? If not, could this be something that could be added?

John T
eServices For You
[Declude.Virus] exclude a certain address from a vulnerability test
Hi,

Using Declude 4.4.16 I want to exclude one e-mail address from the Outlook 'MIME segment in MIME Postamble' Vulnerability test. Is that possible, or do I have to disable it for all addresses? It seems one of our contacts is using a version of Groupwise that produces mail with this vulnerability.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[Declude.JunkMail] Re: [Declude.Virus] Declude/Alligate Gateway
Hi David,

I've got one other future development issue that needs to be addressed. In the next few years we will start to see the first IPv6-only mailservers, or at least IPv6-only clients sending to mailservers. If we want to keep using DNS-based tests to identify spam-sending machines then those need to be able to handle IPv6 addresses. Declude will be one of the programs that needs to have a look at which parts of the program will be affected by this.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: [EMAIL PROTECTED] ; declude.virus@declude.com
Sent: Wednesday, December 03, 2008 10:42 PM
Subject: [Declude.Virus] Declude/Alligate Gateway

We recognize that Declude needs to move beyond IMail and Smartermail; to this end we are working with Brian Milburn to bundle Declude with Alligate to offer a Declude Gateway solution. For now, we are naming the product Declude Interceptor so we can take full advantage of any previous marketing in this area. I believe this partnership is a step in the right direction not only for Declude as a company, but ultimately to the benefit of Declude customers. Also a special thanks to Nick Hayer for encouraging this relationship and for creating the link between Alligate and Declude. If you have any questions feel free to email me directly.

Regards,
David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

PS. If anyone has the comment "it's about time", please give me some grace while flaming me.
Re: [Declude.Virus] EZIPs
Hi,

If you already have a list of executable extensions you block, then you can also use the option to block just files with those extensions within ZIPs using

BANZIPEXTS ON

But... if there is a new virus in an extension you do not block *and* it is sent via an encrypted ZIP/RAR...

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Kevin Rogers
To: Declude.Virus@declude.com
Sent: Tuesday, July 08, 2008 11:26 PM
Subject: [Declude.Virus] EZIPs

Some of my clients need to be able to receive password-protected ZIP files and I'm wondering if people on this list ban the EZIP extension outright, or if they allow it but ban all the other extensions that could be harmful from within an EZIP file. Declude's virus.cfg file states that

# The BANEXT EZIP line blocks all encrypted .ZIP and .RAR files, which is necessary
# to be fully protected against viruses (since it is impossible to detect a well-
# constructed virus within an encrypted .ZIP or .RAR file)

Is this true? Do you need to ban it outright? Or are the other bans adequate?

Thanks.
Kevin
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Hi Andrew,

Hey hold it, that's something new. I was not aware there was a difference in putting a mail back in the spool or the proc folder. As it has been put to me using the old Declude: I had to put the D and Q file back in spool and IMail would process it once again and Declude would ignore it because it had seen the message before. That would prevent it from getting caught again. I assumed there would be no difference from putting it back in proc as that is just the next step in the chain.

If I read your reply correctly, what you say is: if I put it in spool IMail will handle it without passing it to Declude; if I put it in proc then Declude will handle it once again.

About fixing the problem, sometimes I don't want to do that as there is nothing to fix. The sender may be listed in several anti-spam databases and there is nothing I want to fix, but the message needs to be delivered anyway. So if it gets caught again because the sender IP is still listed... that is not what I want, I need to have it delivered to the user's mailbox.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Colbeck, Andrew
To: declude.virus@declude.com
Sent: Monday, June 23, 2008 6:56 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

For what it's worth, I never move messages from HOLD to SPOOL.

When I do move false positives out, I fix the problem in my configuration, so that the same circumstance doesn't happen again, and then I move the files from the HOLD to the PROC folder. By re-scanning them, they get virus scanned and I am sure that I have saved time by getting spam scanned as well; it would cost me more time to repeat the procedure next time than it takes me to override my text filters and re-queue the messages now.

Very few messages get pulled out of the HOLD folder, so not scanning those messages for viruses saves me a lot of processing power.

Andrew.

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, June 23, 2008 9:00 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Correct, if you send held email directly to the spool there is a potential for a virus to bypass if running AVAFTERJM; this is why it is important to correct the issue that caused the false positive, then reprocess via Declude. OR alternately ensure you virus scan your HOLD folders. If you are asking to only apply AVAFTERJM to Deleted emails, this would reduce its effectiveness as not every Declude customer uses Delete.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 11:30 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi David,

Could you explain this:
"We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders"

By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Monday, June 23, 2008 4:28 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Dear Bonno,

It is not that we can't do this. We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 4:20 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi,

(Open mail request)
Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is too big a step at first because of all the possible copy, routeto, etc. statements, can we at least have it for the HOLD action asap?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Hi,

(Open mail request)
Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is too big a step at first because of all the possible copy, routeto, etc. statements, can we at least have it for the HOLD action asap?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Kevin Bilbee
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:25 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, June 13, 2008 6:10 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU.

Darin.

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 8:55 AM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

No, I am still using antique versions of Declude and IMail.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 8:07 PM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM?

Darin.

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:23 AM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

I just terminated my F-Prot 6 and installed ClamAV SOSDG. Before that, my CPU usage always ran sky-high, at around 70%-100%; now using ClamAV it is reduced to 5%-20%, still catching all the testing viruses.

F-Prot 6 does not provide options like noboot, nomem; I guess these have become the default setting and cause very high CPU and hard disk usage.

Alex's instructions dated 6 June 2008 for ClamAV installation are very helpful, thanks!

The main tricks in ClamAV are:
1: need to install the contributors' tools, then get two dedicated tools for Declude, can run the clamdscan as a service.
2: need to remove --mbox; if this is there, it will not function.

Brian

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 10:02 AM
Subject: Re: [Declude.Virus] F-PROT 6

I think VIRUSCODE 1 needs to be added too?
http://www.f-prot.com/support/windows/fpwin_faq/310.html

Anyway, using F-Prot 6 seems very slow compared with the previous F-Prot 3; I do not know the exact reason. I have tried to reduce scanlevel, heulevel, archive to 0 or 1, still very slow. I guess it is now scanning memory by default?

Another question is, for REPORT=report.txt, do we need it? From the instruction here it looks like it is needed
http://www.f-prot.com/support/windows/fpwin_faq/445.html
but most users' online posts seem to say it is not necessary.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, June 04, 2008 2:34 AM
Subject: Re: [Declude.Virus] F-PROT 6

Assuming the default location for program installation, here you go.

SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt

/VERBOSE=0 corresponds to the old /SILENT switch
/TYPE is assumed now
/ARCHIVE has changed to /ARCHIVE=5
/NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct
/SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended

See the FProt 6 manual
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Hi David,

Could you explain this:
"We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders"

By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Monday, June 23, 2008 4:28 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Dear Bonno,

It is not that we can't do this. We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 4:20 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi,

(Open mail request)
Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is too big a step at first because of all the possible copy, routeto, etc. statements, can we at least have it for the HOLD action asap?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Kevin Bilbee
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:25 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, June 13, 2008 6:10 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU.

Darin.

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 8:55 AM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

No, I am still using antique versions of Declude and IMail.

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 8:07 PM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM?

Darin.

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:23 AM
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

I just terminated my F-Prot 6 and installed ClamAV SOSDG. Before that, my CPU usage always ran sky-high, at around 70%-100%; now using ClamAV it is reduced to 5%-20%, still catching all the testing viruses.

F-Prot 6 does not provide options like noboot, nomem; I guess these have become the default setting and cause very high CPU and hard disk usage.

Alex's instructions dated 6 June 2008 for ClamAV installation are very helpful, thanks!

The main tricks in ClamAV are:
1: need to install the contributors' tools, then get two dedicated tools for Declude, can run the clamdscan as a service.
2: need to remove --mbox; if this is there, it will not function.

Brian

- Original Message -
From: Brian Lin [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday
[Declude.Virus] ClamAV
Hi,

I've been using the old F-prot v3 as a second scanner, but I disabled it today. As the new F-prot 6 scanner is not allowed with Declude (well, sort of, but I don't want to pay that much ;-) I wanted to use ClamAV as an extra scanner. In the past it was a bit difficult, I seem to remember, but is it really as easy as 1-2-3 today?

Go to http://w32.clamav.net/ and download
- The Windows msi file
- The initial virus signatures
- Pthreads (I seem to need it).

Install the msi
Copy the initial signature files to C:\Program Files\clamAV\data or something like it.
But then... Make sure the sig files are updated... but how?

Let Declude (according to http://www.declude.com/searchresults.asp?Cat=124) call ClamAV using:
SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
Which would probably translate to
SCANFILE C:\Program Files\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
or would
SCANFILE C:\IMail\Declude\Scanners\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
be a better solution?

There is also a clamscam.txt file in the C:\IMail\declude\scanners\ClamAV directory that seems to suggest something else.

So where is a HOWTO to get it up and running with Declude? I'm sure I'm not the first to look at the combination, so how did YOU do it. :-)

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] ZEROHOUR caught a virus
Hi,

Well, it is happening a lot more now, and

C:\Temp>grep -i zerohour vir0506.log
05/06/2008 00:57:58.462 q90f204c285d1.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:57:58.462 q90f204c285d1.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 00:58:23.994 q910c05dc85ee.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:58:23.994 q910c05dc85ee.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 11:20:00.552 q22b604dcdf98.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:20:00.552 q22b604dcdf98.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 11:40:16.701 q27610537e398.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:40:16.701 q27610537e398.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 19:52:39.166 q9ad505b654de.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 19:52:39.166 q9ad505b654de.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 20:06:40.255 q9e0c04c25a91.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 20:06:40.255 q9e0c04c25a91.smd File(s) are INFECTED [ZEROHOUR Unknown]

But:

05/06/2008 00:57:58.744 q90f204c285d1.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=document.zip [50] I
05/06/2008 00:58:24.213 q910c05dc85ee.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I
05/06/2008 11:20:00.755 q22b604dcdf98.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=data.zip [50] I
05/06/2008 11:40:16.904 q27610537e398.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I
05/06/2008 19:52:39.416 q9ad505b654de.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=message.zip [50] I
05/06/2008 20:06:40.474 q9e0c04c25a91.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I

In each instance ZEROHOUR reported a virus but did not know what it was; one of my other scanners DID know what it was and reported it so. I sure hope Declude will change this behaviour and report the known virus name when one of the scanners DOES report a name.

I'm right now using Declude 4.3.64, I'll start using 4.4.0 later this week.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Monday, May 05, 2008 9:53 PM
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

It could be ZEROHOUR as it identifies viruses based on attributes other than virus signatures, thereby providing zerohour protection; in many cases the virus has no name as it has not been identified yet.
David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, May 05, 2008 2:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

If I remember correctly, it is not the ZEROHOUR spam test catching a virus. It is the internal AVG virus scanner saying it has caught an unknown virus, or what it thinks is a virus.
Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Sunday, May 04, 2008 11:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Suddenly ZEROHOUR starts catching viruses but it does not know WHAT it caught.

--quote---
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip from [Forged] to: [EMAIL PROTECTED]
Date: 04 May 2008 12:36:21
Subject: Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP: 77.42.92.137
--quote---

From the virlog:

--quote---
C:\Temp>GREP -i BDE0 vir0504.log
05/04/2008 12:36:21.061 q7b90047bbde0.smd Vulnerability flags = 0
05/04/2008 12:36:21.076 q7b90047bbde0.smd MIME file: readme.zip [base64; Length=29054 Checksum=3149200]
05/04/2008 12:36:21.139 q7b90047bbde0.smd ZEROHOUR Reports VIRUS: Unknown
05/04/2008 12:36:21.139 q7b90047bbde0.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Virus scanner 1 reports exit code of 3
05/04/2008 12:36:21.342 q7b90047bbde0.smd Forging virus found: Likely forged sender was [EMAIL PROTECTED]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=readme.zip [50] I
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanned: CONTAINS A VIRUS [MIME: 2 29533]
05/04/2008 12:36:21.342 q7b90047bbde0.smd From: [Forged] To: [EMAIL PROTECTED] [incoming from 77.42.92.137]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Subject: Returned mail: see transcript for details
--quote---

It seems one of my other scanners
[Declude.Virus] ZEROHOUR caught a virus
Hi,

Suddenly ZEROHOUR starts catching viruses but it does not know WHAT it caught.

--quote---
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip from [Forged] to: [EMAIL PROTECTED]
Date: 04 May 2008 12:36:21
Subject: Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP: 77.42.92.137
--quote---

From the virlog:

--quote---
C:\Temp>GREP -i BDE0 vir0504.log
05/04/2008 12:36:21.061 q7b90047bbde0.smd Vulnerability flags = 0
05/04/2008 12:36:21.076 q7b90047bbde0.smd MIME file: readme.zip [base64; Length=29054 Checksum=3149200]
05/04/2008 12:36:21.139 q7b90047bbde0.smd ZEROHOUR Reports VIRUS: Unknown
05/04/2008 12:36:21.139 q7b90047bbde0.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Virus scanner 1 reports exit code of 3
05/04/2008 12:36:21.342 q7b90047bbde0.smd Forging virus found: Likely forged sender was [EMAIL PROTECTED]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=readme.zip [50] I
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanned: CONTAINS A VIRUS [MIME: 2 29533]
05/04/2008 12:36:21.342 q7b90047bbde0.smd From: [Forged] To: [EMAIL PROTECTED] [incoming from 77.42.92.137]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Subject: Returned mail: see transcript for details
--quote---

It seems one of my other scanners thinks it's a virus as well, and... it reports a name.

1) I've seen a ZEROHOUR virus just once before, is this a new feature?
2) Does ZEROHOUR ever know the name of the virus?
3) Could we have a new feature where Declude uses the real name of a virus when multiple scanners report a virus and some don't know the name?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
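The correlation the two ZEROHOUR posts above are asking Declude for, as an added example (not Declude's code and not written by any of the posters): it parses vir*.log lines in the format quoted in the thread, groups them per spool file, and where ZEROHOUR reported "Unknown" but another scanner named the detection, picks up that name for the notification. The log lines inside the block are constructed to mirror the quoted format, and W32/Example@mm is an invented name standing in for the redacted one.

```python
"""Correlate Declude vir*.log entries per spool file.

Added example, not Declude's own code: the log lines below are constructed
to mirror the format quoted in the thread, and W32/Example@mm is an invented
detection name standing in for the redacted one.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
05/06/2008 00:57:58.462 q90f204c285d1.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:57:58.462 q90f204c285d1.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 00:57:58.744 q90f204c285d1.smd Scanner 1: Virus=: W32/Example@mm Attachment=document.zip [50] I
05/06/2008 00:58:23.994 q910c05dc85ee.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:58:24.213 q910c05dc85ee.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I
05/06/2008 11:20:00.552 q22b604dcdf98.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:20:00.552 q22b604dcdf98.smd File(s) are INFECTED [ZEROHOUR Unknown]
"""

# date, time, spool file name, then the free-text remainder of the entry
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<spool>\S+\.smd) (?P<rest>.*)$")
ZEROHOUR_RE = re.compile(r"^ZEROHOUR Reports VIRUS: (?P<name>.+)$")
SCANNER_RE = re.compile(r"^Scanner (?P<num>\d+): Virus=: (?P<name>.+?) Attachment=(?P<att>.+?) \[")


def correlate(log_text: str) -> dict:
    """Group detections per spool file: ZEROHOUR's verdict plus every named scanner hit."""
    per_spool = defaultdict(lambda: {"zerohour": None, "named": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a log entry in the expected shape
        spool, rest = m.group("spool"), m.group("rest")
        z = ZEROHOUR_RE.match(rest)
        if z:
            per_spool[spool]["zerohour"] = z.group("name")
            continue
        s = SCANNER_RE.match(rest)
        if s:
            per_spool[spool]["named"].append((int(s.group("num")), s.group("name"), s.group("att")))
    return dict(per_spool)


def best_name(entry: dict) -> str:
    """Prefer a concrete name from any scanner over ZEROHOUR's 'Unknown'."""
    for _num, name, _att in entry["named"]:
        if name.lower() != "unknown":
            return name
    return entry["zerohour"] or "Unknown"


def unknown_but_named(log_text: str) -> dict:
    """Spool files where ZEROHOUR said Unknown but another scanner supplied a name."""
    result = {}
    for spool, entry in correlate(log_text).items():
        name = best_name(entry)
        if entry["zerohour"] == "Unknown" and name != "Unknown":
            result[spool] = name
    return result


if __name__ == "__main__":
    for spool, name in unknown_but_named(SAMPLE_LOG).items():
        print(f"{spool}: ZEROHOUR said Unknown, scanner identified {name}")
```

Run against a real vir*.log the function is the same; only SAMPLE_LOG is replaced by the file contents. Spool files where no scanner produced a name (the third one in the sample) stay reported as Unknown, which is the case where the "Unknown" in the notification is honest.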
[Declude.Virus] extracting base64 encoded files
Hi,

I had some valentine mail come through which was caught as suspicious. However, in the end it was reported as Unknown virus in Unknown File. I now want to have a better look at the enclosed base64 encoded card.zip. But... what tool to use to extract that zip file without sending it to my mail program? I used to be able to extract uuencoded stuff with my zip archive tool but... What to use for base64 encoded stuff?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
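One way to do the extraction the post asks about without handing the message to a mail client, as an added example (not from the thread): Python's standard-library email parser undoes the Content-Transfer-Encoding, so a quarantined raw message file can be taken apart on disk and the attachment hashed before anything else touches it. The message and the card.zip inside it are constructed in the block; the addresses are placeholders.

```python
"""Pull a base64-encoded attachment out of a raw message file.

Added example, not from the thread: the raw message below is constructed
(placeholder addresses, a tiny card.zip built in memory) in the shape of what
sits in the spool directory.
"""
from __future__ import annotations

import base64
import email
import hashlib
import io
import re
import tempfile
import zipfile
from email import policy
from pathlib import Path


def _build_sample_zip() -> bytes:
    """Constructed stand-in for the card.zip from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("card.txt", date_time=(2008, 2, 14, 0, 0, 0)), "Happy Valentine!")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()
SAMPLE_ZIP_SHA256 = hashlib.sha256(SAMPLE_ZIP).hexdigest()

SAMPLE_MESSAGE = (
    "From: someone@example.invalid\r\n"
    "To: postmaster@example.invalid\r\n"
    "Subject: Valentine card\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="bnd"\r\n'
    "\r\n"
    "--bnd\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Open the card!\r\n"
    "--bnd\r\n"
    'Content-Type: application/zip; name="card.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="card.zip"\r\n'
    "\r\n"
    + base64.encodebytes(SAMPLE_ZIP).decode("ascii").replace("\n", "\r\n")
    + "--bnd--\r\n"
).encode("ascii")


def safe_name(filename: str) -> str:
    """Keep only the final path component so a crafted filename cannot escape dest."""
    return re.split(r"[\\/]", filename)[-1] or "attachment.bin"


def extract_attachments(raw: bytes, dest: Path) -> list[dict]:
    """Write every named attachment in raw to dest and describe what was written."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline bodies without a filename are not attachments
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if data is None:
            continue
        out = dest / safe_name(filename)
        out.write_bytes(data)
        found.append({
            "filename": out.name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
            "path": str(out),
        })
    return found


def run_demo() -> list[dict]:
    """Extract the constructed message into a fresh temporary directory."""
    dest = Path(tempfile.mkdtemp(prefix="declude-extract-"))
    return extract_attachments(SAMPLE_MESSAGE, dest)


if __name__ == "__main__":
    for att in run_demo():
        print(att)
```

For a real file, replace SAMPLE_MESSAGE with the bytes of the .smd or .eml file read from disk; the sha256 is what you would look up or submit, and is_zip tells you whether the decoded bytes are really an archive regardless of the name the sender chose.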
[Declude.Virus] New clamav packages fix several vulnerabilities
Hi,

For those of us who use ClamAV.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Moritz Muehlenhoff
To: [EMAIL PROTECTED]
Sent: Wednesday, December 19, 2007 6:38 PM
Subject: [SECURITY] [DSA 1435-1] New clamav packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1435-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                      Moritz Muehlenhoff
December 19, 2007                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : clamav
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-6335 CVE-2007-6336

Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-6335
It was discovered that an integer overflow in the decompression code for MEW archives may lead to the execution of arbitrary code.

CVE-2007-6336
It was discovered that an off-by-one in the MS-ZIP decompression code may lead to the execution of arbitrary code.

For the stable distribution (etch), these problems have been fixed in version 0.90.1-3etch8.

The old stable distribution (sarge) is not affected by these problems. However, since the clamav version from Sarge cannot process all current Clam malware signatures any longer, support for the ClamAV in Sarge is now discontinued. We recommend to upgrade to the stable distribution or run a backport of the stable version.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your clamav packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 4.0 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1.orig.tar.gz
    Size/MD5 checksum: 11643310 cd11c05b5476262eaea4fa3bd7dc25bf
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch8.dsc
    Size/MD5 checksum: 886 749c91e6c5ba5fc237e8a2176fdadb95
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch8.diff.gz
    Size/MD5 checksum: 207113 333bd216cf5347d99f59258a3c3a66ed

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1-3etch8_all.deb
    Size/MD5 checksum: 1005018 117b5356ff6f6b661c1e40fc9d801684
  http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.90.1-3etch8_all.deb
    Size/MD5 checksum: 201722 aa2b7f1a58ca407b390449ca46f4ab27
  http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.90.1-3etch8_all.deb
    Size/MD5 checksum: 157958 49b16840258b5ceedfe0b71b96dbcedb

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 66 694b0ad3130abf2e2db1e63760362836
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 406370 83cc1d74a4c6f0972d13d06f3a797fb2
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 511388 07bfeca8da437193d8e37bfa67e1795e
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 9303942 40bc5413ec2757d45afaafeb4dd780ca
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 184780 ce83079b346a0677478fcda3e8eb82c2
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 180400 ac5d647a73691f65ab65c9c7abf30d2a
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch8_alpha.deb
    Size/MD5 checksum: 863570 9020d874cea3fb66cfcad4f13853c714

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch8_amd64.deb
    Size/MD5 checksum: 177672 b41de0132a31e306926a539208c9040e
  http://security.debian.org/pool/updates/main/c/clamav
[Declude.JunkMail] IMmail 2006.23 release notes
Hi,

In the IMail 2006.23 release notes it states:

--Quote--
The IMail.exe Client provided in the IMail Server contained a vulnerability due to a boundary error when processing emails with multipart MIME data, which could potentially compromise a user's system. IMail.exe will no longer be delivered during installation.
Caution: It is recommended that existing installations remove IMail.exe from the IMail directory. It has been determined that utilizing this feature could potentially corrupt mailboxes.
--Quote--

I seem to remember Declude used this (IMail.exe) as part of its mail delivery. Is that still true with the 4.x versions? I use it to send myself mails when something happens like a sniffer update. But that is just one script which I can change. Is there something similar that we can use?

p.s. I assume they mean IMail1 as there is no IMail.exe in the IMail directory.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Tom Lewis
To: [EMAIL PROTECTED]
Sent: Monday, December 10, 2007 2:28 PM
Subject: RE: [IMail Forum] apimmdd.txt files

The apimmdd.txt files are new in 9.23. There is informational logging taking place that is creating these logs. They can be used by tech support for diagnosing problems in the web client if they were to occur. You can get to the release notes here: http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm

Tom Lewis
Ipswitch, Inc.
Development Manager - Messaging Products
706-312-3573

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, December 10, 2007 7:27 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] apimmdd.txt files

Hi,

As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find what these are for. Is this the new extra debugging for the webmail? There seem to be no release notes for 2006.23, at least I cannot find them. Apart from that, everything seems to be working ok.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] CLSID and source location
Hi,

Below an internal mail that was caught. The section header was (server/share substituted):

--=_NextPart_000_0001_01C835BD.DC8E3F20
Content-Type: application/octet-stream; name=BacoDiscussionsBlob.asp?ID={A1243322-3030-48BF-BD72-8A248CB26090}
Content-Transfer-Encoding: base64
Content-Location: http://server/share/docs/BacoDiscussionsBlob.asp?ID={A1243322-3030-48BF-BD72-8A248CB26090}

I'm assuming this Content-Location can be easily spoofed, right? Or could I somehow convince Declude to pass these mails when there is a specific Content-Location?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Postmaster
To: [EMAIL PROTECTED]
Sent: Monday, December 03, 2007 3:05 PM
Subject: Declude Virus caught a virus

Declude Virus v4.3.46 caught the CLSID Vulnerability virus in BacoDiscussionsBlob.asp?ID={A1243322-3030-48BF-BD72-8A248CB26090} from [EMAIL PROTECTED] to: [EMAIL PROTECTED]
Date: 03 Dec 2007 15:05:04
Subject: offerte Krasnapolsky mrt07 (dekanendag)
Spool File: D0d0605929ba9.smd
Remote IP: 217.114.99.194

Headers:
Received: from hglfin02 [217.114.99.194] by tio.nl with ESMTP (SMTPD-9.21) id AD061154; Mon, 03 Dec 2007 15:04:54 +0100
Message-ID: [EMAIL PROTECTED]
From: Lidie Kuipers [EMAIL PROTECTED]
To: Geert A. van der Meer [EMAIL PROTECTED]
Subject: offerte Krasnapolsky mrt07 (dekanendag)
Date: Mon, 3 Dec 2007 15:04:54 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_0001_01C835BD.DC8E3F20
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1914
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1914
[Declude.Virus] banning EZIP but....
Hi,

Just ran into a problem that *I* could resolve, but still. I had a problem with my backup tool Yosemite Backup and they have a tool on their site that they want you to run. It collects all kinds of relevant data to help pinpoint the problem. The output in the latest version is an encrypted ZIP file, which gets blocked when I try to send it via email. :-(

Of course I could just change the Declude config for a few seconds but that's just me. What I would like Declude to do is:
- Block all inbound EZIP files
- Block outbound EZIP files UNLESS the user authenticates via SMTP AUTH.
Currently this is not possible I think, would be a nice option though.

How do others currently circumvent this problem?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[Declude.Virus] False Positive ClamAV
Hi,

Some of our mail is getting caught by ClamAV. I've had two reports on two completely unrelated mails.

Body of message generated response:
554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net

I submitted a virus at http://cgi.clamav.net/sendvirus.cgi tagging it as a false positive report. When I hit Submit I get an error stating this virus is already known and I should fix something in the submission. :-(

Can anyone tell me:
1) Whether this is normal behaviour for that page?
2) Where I can report this bug in the webpage? It's not a bug in the program so I don't think the Bugzilla page is the right place. If I need to report it via a mailing list, which one?
3) How I can check whether my report was received?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] Virus?
Hi,

Yes, me too, see my other mail in this forum. I've tried to send a false positive report to ClamAV but I'm not sure it got there. :-(

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Todd Richards
To: declude.virus@declude.com
Sent: Monday, May 21, 2007 3:44 PM
Subject: [Declude.Virus] Virus?

Hi Everyone -

Yesterday, I started receiving bounces from one of our main ListServes from about 5 recipients. From the 5 bounces, there were 3 variations with all of them referencing the fact that the email contained... Email.Phishing.RB-882. I'm running IMail 8.22 (with all hot fixes), the latest version of Declude with AVG and Clam. I've tried to Google this message but come up empty. Anyone else see this or have any thoughts?

Thanks!
Todd
[Declude.Virus] virus via e-mail getting rare
Hi,

Is virus via e-mail a dying breed? There are days where I barely get any viruses via e-mail. Most of what gets caught is malformed mail, 99% spam.

I just did a test to see if my virus scanners are still working correctly; eicar is still being caught by both F-prot and Sophos so all seems to be working. Both scanners are also correctly updating their database.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] AVG Vulnerability
Hi,

And...?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Tuesday, November 21, 2006 10:24 PM
Subject: RE: [Declude.Virus] AVG Vulnerability

We have a request in with Grisoft; remember there is a time zone difference as they are in CZ.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Tuesday, November 21, 2006 4:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

Any updates on this yet? Should we be turning off AVG scanning?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, November 21, 2006 9:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

Darrell,

We are currently looking into this new report and are contacting AVG; we will post here as soon as we have an answer.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, November 21, 2006 8:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] AVG Vulnerability

David / Declude,

Is the integrated AVG scanner vulnerable? How do we determine what version of AVG is embedded inside of Declude?

Darrell

MODERATE: Grisoft AVG Anti-Virus Multiple Vulnerabilities
Affected: AVG Anti-Virus versions prior to 7.1.407
Description: AVG Anti-Virus, a popular anti-virus system, contains multiple vulnerabilities. By sending a specially-crafted file through the system, an attacker could exploit these vulnerabilities to execute arbitrary code with the privileges of the anti-virus process. No technical details for these vulnerabilities are currently available.
Status: Grisoft confirmed, updates available.
Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.
References:
Grisoft Release Notes http://www.grisoft.com/doc/36365/lng/us/tpl/tpl01
SecurityFocus BID http://www.securityfocus.com/bid/21029

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] How to delete quarantined messages ?
Hi,

Sorry to burst your bubble. Declude will process ANY file with the .eml extension. I have had several different replies to different situations that way. I had an emrecip1, 2, 3, etc. Declude comes with several preconfigured eml files which each process what they are created for, but all of them (with a few exceptions) get called in a situation.

Greetings,
Bonno Bloksma

- Original Message -
From: GlobalWeb.net Webmaster [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, April 19, 2006 7:15 PM
Subject: RE: [Declude.Virus] How to delete quarantined messages ?

This setup works for me as ultimately the file name is different - Declude doesn't know to look for a different file name, it's still looking for recip.eml where applicable and can't find it.

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.
804-346-5300 x112
877-800-GLOBAL (4562) x112
http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Wednesday, April 19, 2006 10:57 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] How to delete quarantined messages ?

That won't work, I believe that anything with an eml extension gets processed. Change the .eml to .hold instead.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GlobalWeb.net Webmaster
Sent: Wednesday, 19 April 2006 9:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] How to delete quarantined messages ?

If you are looking to not have the message sent at all, find the .eml file in your declude folder and simply rename it - for example: from recip.eml to recip-hold.eml

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.
804-346-5300 x112
877-800-GLOBAL (4562) x112
http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Uwe Degenhardt
Sent: Wednesday, April 19, 2006 4:44 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] How to delete quarantined messages ?

Hi list,

here is my question again. ;-)
Does s.o. know how to delete the following message most likely produced by: virus.cfg ?

The Declude Virus v3.1.0 software on xxx has reported that you were sent an E-mail from [EMAIL PROTECTED], containing the [Outlook 'Blank Folding' Vulnerability] virus in the [No attachment] attachment. The subject of the E-mail was cheap oem soft shipping //orldwide. The E-mail containing the virus has been quarantined to prevent further damage.

Thanks !
Uwe

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
Re: [Declude.Virus] Declude and IMail 2006
Hi Joe,

Does Declude (Virus and JM Pro) 1.82 work with Imail 2006?? Call me chicken... lol... but I really don't have the guts to do both upgrades at the same time... :) There are entirely too many instances of sober and mytob hitting us daily.

I too am still running an old combination, IMail 8.21 and Declude 2.0.6. For me the upgrade to IMail 2006 is the perfect time to switch to Declude 3.x as well. That combination is supposed to work. If you run into any problems running IMail 2006 and an older Declude version, the first thing they will tell you to do is to run the latest 3.0.x version as that is the only correct working combination. And if there are any problems running THAT combination the guys/gals at Declude are determined to fix it.

Greetings,
Bonno Bloksma

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
[Declude.Virus] blocking exe in zips
Hi,

I must be missing something. I thought I had blocked exe's in zip's, but some new viruses came through using the exe-in-zip trick. Here is my virus.cfg, what am I missing?

## Declude Virus configuration file
## This file was distributed with v2.0
# CODE
#= LOGS ==#
# "" in the LOGFILE option, if present, automatically gets replaced with the month/date.
# Log Level options: WARN / LOW / MID / HIGH / DEBUG / ERROR
LOGFILE Spool\vir.log
#
# BB 23-3-2004
# Changed to high to see more info
LOGLEVEL HIGH
#
# SCANFILE is the location of the command-line virus scanner. Note that it
# must include the full path. VIRUSCODE is the code that scanner returns if
# it finds a virus.
#
#SCANFILE C:\Scanner\Scan.exe /ALL /NOBEEP /NOMEM
#VIRUSCODE 13
#
# BB 19-nov-04
# Added viruscode 8 to the f-prot config. This should catch "new" viri based on heuristic scanning
SCANFILE1 C:\Progra~1\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1 Infection
SCANFILE2 C:\Progra~1\Sophos\Sophos~1\sav32cli.exe -nc -nb -p=report.txt -mac -archive
VIRUSCODE2 3
VIRUSCODE2 6
REPORT2 Virus
#
# VIRDIR is the directory to move E-mails with viruses; by default,
# it is set to 'spool\virus' (\IMail\spool\virus).
VIRDIR spool\virus
#
# The MAXATONCE option limits the number of AV processes. For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing
# purposes). A value of 0 (or commenting it out) allows unlimited processes
# to run at the same time.
MAXATONCE 0
#
# The following options allow you to limit scanning to only incoming or outgoing
# E-mail.
#
INCOMING ON
OUTGOING ON
#
# The ONACCESS option should be set to OFF unless you have an on-access virus scanner
# that will be deleting attachments with viruses. It is recommended NOT to have an
# on-access scanner interfering, and to leave this at OFF.
#
ONACCESS OFF
#
# The SCANNERTIMEOUT option lets you choose the number of seconds that Declude will
# wait for the virus scanner to finish. The minimum value is 10 seconds. Most
# scanners will not need to take that long. This option is mainly to prevent
# defective scanners (that never finish) from interfering with your outgoing E-mail.
# Raising this will NOT help if your virus scanner always times out.
#
# BB 26-4-2005
# Changed from 60 to 90 because of slow disksystem
SCANNERTIMEOUT 90
#
# The SKIPEXT option will let you skip scanning of certain file extensions. For
# example, a GIF file can't contain a virus, so there is no need to scan it.
#
SKIPEXT GIF
SKIPEXT TXT
SKIPEXT JPG
SKIPEXT MPG
SKIPEXT PNG
#
# The BANEXT option will let you ban file extensions. E-mails containing attachments
# with these file extensions will be quarantined, and if you have a BANnotify.EML file,
# it will be sent out. This works in the Standard and Pro versions.
#
BANEXT scr
BANEXT pif
BANEXT vbs
BANEXT vbe
BANEXT bat
BANEXT cpl
# BB 21-10-05
# Added EXE files, no longer needs to exclude them
BANEXT exe
#
# The BANEXT EZIP line blocks all encrypted .ZIP and .RAR files, which is necessary
# to be fully protected against viruses (since it is impossible to detect a well-
# constructed virus within an encrypted .ZIP or .RAR file).
#
BANEXT EZIP
#
# BANZIPEXT will block files based on EXT within ZIP files. EXT as declared with BANEXT
# BANEZIPEXT will do the same for encrypted ZIPs.
#
# BB 1-11-05
# Added BANxZIPEXT directives, BANEZIPEXT not necessary as we block ALL EZIP files.
BANZIPEXT on
#BANEZIPEXT on
#
# Declude Virus Pro can pre-scan HTML files. If no dangerous code is detected, the
# virus scanner will not get called. This can significantly cut down on CPU usage.
#
PRESCAN OFF
#
# Declude Virus can block treat files using CLSID extensions as viruses. This type of
# extension will force a certain type of program to be run, while making the file appear
# to be a .TXT or other safe file. There is no known legitimate reason to send this
# type of file through E-mail. BANPARTIAL ON bans the Partial Vulnerability.
#
BANCLSID ON
BANPARTIAL ON
#
# The FOOTER lines will add a footer to the bottom of E-mails that are scanned. This may
# not be visible if you send HTML or attachments with the E-mail.
#
FOOTER ---
FOOTER [E-mail scanned at tio.nl for viruses by Declude Virus]
#
# The DELETEVIRUSES option, when set to ON, will delete viruses, rather than quarantine them.
# It is recommended to leave this at OFF.
#
DELETEVIRUSES OFF
#
# The DELIVERERRORS option, when set to ON, will treat errors from the virus scanner as if no
# virus was found. When set to ON, this could cause viruses to get through in rare situations,
# but will also prevent legitimate mail from being quarantined due to an error in the scanner.
# It is recommend to leave this at ON.
#
DELIVERERRORS ON
#
# The BANCRVIRUSES option will automatically treat E-mail with malformed headers that could
# contain a
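To make concrete what the BANZIPEXT and BANEXT EZIP lines in the config above are meant to do, here is a small Python inspector written for this page (example code, not Declude's): it walks the members of a ZIP attachment, flags extensions from the BANEXT list when they appear inside the archive, flags encrypted entries via bit 0 of the ZIP general-purpose flag field, and stops nesting at a depth that mirrors the /ARCHIVE=5 scanner option. The build_zip helper and every archive it produces are constructed test data; the encrypted flag is patched into the headers because Python's zipfile cannot write encrypted entries.

```python
import io
import struct
import zipfile

# Extensions from the BANEXT lines in the virus.cfg above; with BANZIPEXT ON
# Declude applies the same list to the members of a ZIP attachment.
BANNED_EXT = {"scr", "pif", "vbs", "vbe", "bat", "cpl", "exe"}
ENCRYPTED_FLAG = 0x0001   # bit 0 of the ZIP general purpose flag field
MAX_DEPTH = 5             # archive nesting limit, like F-Prot's /ARCHIVE=5


def extension(name):
    """Last extension of a member name, lower-cased ('a.pdf.exe' -> 'exe')."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_zip(data, depth=MAX_DEPTH, prefix=""):
    """Findings for one ZIP body as (reason, member) pairs.

    reason is 'ezip' (encrypted member, what BANEXT EZIP blocks), 'banext'
    (banned extension inside the archive, what BANZIPEXT blocks), 'badzip'
    (archive cannot be parsed) or 'depth' (nested deeper than MAX_DEPTH).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("badzip", prefix.rstrip("/"))]
    findings = []
    for info in zf.infolist():
        member = prefix + info.filename
        encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
        if encrypted:
            findings.append(("ezip", member))
        if extension(member) in BANNED_EXT:
            findings.append(("banext", member))
        if extension(member) == "zip" and not encrypted:
            if depth <= 1:
                findings.append(("depth", member))
            else:
                findings.extend(inspect_zip(zf.read(info), depth - 1, member + "/"))
    return findings


def should_quarantine(data):
    """Declude-style verdict for the attachment: any finding quarantines the mail."""
    return bool(inspect_zip(data))


def build_zip(members, encrypted=False):
    """Constructed sample archive (test data, not a real mail).

    zipfile cannot write encrypted entries, so encrypted=True sets bit 0 in
    every local file header (flags at offset 6) and central directory header
    (flags at offset 8) by patching the bytes afterwards.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                flags, = struct.unpack_from("<H", raw, pos + off)
                struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED_FLAG)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    # A double-extension executable hidden one archive level down.
    inner = build_zip([("setup.exe", b"MZ\x90\x00")])
    outer = build_zip([("docs/inner.zip", inner), ("note.txt", b"hi")])
    print(inspect_zip(outer))
    print(inspect_zip(build_zip([("our_secret.txt", b"x" * 20)], encrypted=True)))
```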
Re: [Declude.Virus] Viruses appearing to be getting through...
Hi,

Oops, correct that. F-prot is catching it as Sober.O, Sophos is still not catching it. :-( Sure glad I'm using two scanners. ;-)

Oh, well. This was the hard way to find out that if one changes the password for the administrator account some services need to know that as well. :-( Sure glad I'm using two scanners. ;-)

Kind regards,
Bonno Bloksma
Re: [Declude.Virus] Viruses appearing to be getting through...
Hi,

As of now I'm still getting hit by a virus with attachments like our _ secret . zip which Sophos catches as Sober.O. F-prot is still not catching them and there is as of yet no update. Just did a manual update and no new version. I'm at:

SIGN.DEF 2-may-2005, 13:32 CET
SIGN2.DEF 2-may-2005, 16:46 CET
Using f-prot 3.16b

Greetings,
Bonno Bloksma

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 8:37 PM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot may have already fixed their pattern file. My current sign.def is timestamped: 05/02/2005 03:53 AM and checking their website and downloading the current version manually shows that the current version is: 05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Fw: [Declude.Virus] Viruses appearing to be getting through...
Hi,

Oops, correct that. F-prot is catching it as Sober.O, Sophos is still not catching it. :-( Sure glad I'm using two scanners. ;-)

As of now I'm still getting hit by a virus with attachments like our _ secret . zip which Sophos catches as Sober.O. F-prot is still not catching them and there is as of yet no update. Just did a manual update and no new version. I'm at:

SIGN.DEF 2-may-2005, 13:32 CET
SIGN2.DEF 2-may-2005, 16:46 CET
Using f-prot 3.16b

Greetings,
Bonno Bloksma

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 8:37 PM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot may have already fixed their pattern file. My current sign.def is timestamped: 05/02/2005 03:53 AM and checking their website and downloading the current version manually shows that the current version is: 05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.Virus] Not detecting viruses
Hi Jim,

Here are the relevant lines for the config file:

SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /NOFLOPPY /DUMB /REPORT=report.txt

Remove the /NOFLOPPY when using fpcmd.exe

Greetings,
Bonno Bloksma

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re: [Declude.Virus] vulnerabilities and spam
Hi,

[...]

>> However, what annoys me most is the fact most vulnerabilities are spam. And I would like to report a vulnerability to the sender, but not when it's spam. Most NDRs I get are from a reported vulnerability to a forged sender. Or even worse (for the other guy/gal) I'm sending the message to a joejob address. Right now I don't see a way to do this, to just send out vulnerability reports to the sender when it's not spam. Does anybody know of a way? I'm using Virus Pro and JM standard.

> I believe if you add AVAFTERJM, it will accomplish this. This tells Junkmail to run first, then if it's not spam, run the AV.

Sorry, forgot: I don't want to use that option because of the danger it implies when returning a message to the queue.

> One caveat is that if you move a message from spam quarantine, it will not be scanned for virii.

Right. ;-)

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?
[Declude.Virus] vulnerabilities and spam
Hi,

I'm almost at the point where I simply won't send out any e-mail to the sender or recipient when a "virus" is detected. Just about all of them are forged anyway.

However, what annoys me most is the fact most "vulnerabilities" are spam. And I would like to report a vulnerability to the sender, but not when it's spam. Most NDRs I get are from a reported vulnerability to a forged sender. Or even worse (for the other guy/gal) I'm sending the message to a joejob address. Right now I don't see a way to do this, to just send out vulnerability reports to the sender when it's not spam. Does anybody know of a way? I'm using Virus Pro and JM standard.

Greetings,
Bonno Bloksma
Re: [Declude.Virus] Unknown virus warnings
Hi,

> I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe.

I believe it would be useful for all users of F-Prot with returncode 8 enabled, to avoid future unnecessary warnings sent out if f-prot is fast at catching but not exact at naming new virus variants.

I have not activated returncode 8 for F-prot in Declude yet because I wasn't sure if we would get too many false positives. Has anyone, or maybe f-prot themselves, any info on that? Does returncode 8 generate false positives and if so, how many?

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?
Re: [Declude.Virus] Spool Dir
Hi Kevin,

> Do you happen to have the batch? I've been writing some xcopy lines, but have had problems finding a simple date-specific delete statement.

Here is what I use. It's a modified version of what someone else posted. As you can see I love to use constant definitions; that way any change in one of those parameters only needs to be made at the top. It also results in shorter command lines later in the batch file.

It simply deletes the oldest directory with virus files, renames the VirusDayX directories until they are all one day later, then creates a new one for today and moves all files into that directory.

The DTLOG program is something I whipped up in good old Pascal 6 for DOS when there was no way to get a date and time into a batch file command line. As of Windows 2000 there is now a way to get the date and time in a parameter and use it. However, as I keep forgetting what those lines are and I have my DTLOG program... ;-)

Here's what my LOGFILE output looks like:

[]
2004/10/14 00:01:00 : Rotating virus directories
2004/10/14 00:01:02 : Rotating VirusDay directories OK
1024 File(s) 21.405.619 bytes
2004/10/15 00:01:00 : Rotating virus directories
2004/10/15 00:01:01 : Rotating VirusDay directories OK
772 File(s) 16.306.664 bytes

Each virus mail has two files, Q...SMD and D...SMD. If you want more than 5 days of history, simply extend the number of lines from one Set RotDay... to the next. And, of course, change the lines for Day 5.

@Echo Off
rem BB 10-May-2004
rem Do not delete e-mails with viruses automatically but keep them for X
rem days. We do this by using a number of directories and shifting them
rem along each time by changing their name. The oldest directory is
rem thrown away.

SET LOGFILE=C:\Beheer\Virrot.log
SET DTLOG=C:\Beheer\DTLog.exe

%DTLOG% %LOGFILE% Rotating virus directories
C:
cd \IMail\Spool\Virus
RD /S /Q VirusDay5
IF ErrorLevel 1 Goto ErrDel5
Set RotDay=4
Ren VirusDay4 VirusDay5
IF ErrorLevel 1 Goto ErrRot
Set RotDay=3
Ren VirusDay3 VirusDay4
IF ErrorLevel 1 Goto ErrRot
Set RotDay=2
Ren VirusDay2 VirusDay3
IF ErrorLevel 1 Goto ErrRot
Set RotDay=1
Ren VirusDay1 VirusDay2
IF ErrorLevel 1 Goto ErrRot
MD VirusDay1
Move *.SMD VirusDay1
IF ErrorLevel 1 Goto ErrMov1s
IF Exist *.GSC Move *.GSC VirusDay1
IF ErrorLevel 1 Goto ErrMov1g
%DTLOG% %LOGFILE% Rotating VirusDay directories OK
Dir VirusDay1 > Temp1
Find "File(s)" Temp1 >> %LOGFILE%
Del Temp1
Goto Einde

:ErrDel5
%DTLOG% %LOGFILE% Error deleting VirusDay5 directory and/or files
Goto Einde

:ErrRot
%DTLOG% %LOGFILE% Error Renaming VirusDay%RotDay% directory
Goto Einde

:ErrMov1s
%DTLOG% %LOGFILE% Error moving SMD files to VirusDay1 directory
Dir . /a >> %LOGFILE%
Goto Einde

:ErrMov1g
%DTLOG% %LOGFILE% Error moving GSC files to VirusDay1 directory
Dir . /a >> %LOGFILE%
Goto Einde

:Einde
SET LOGFILE=
SET DTLOG=

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 7:38 PM
Subject: Re: [Declude.Virus] Spool Dir

Do you happen to have the batch? I've been writing some xcopy lines, but have had problems finding a simple date-specific delete statement.

Thanks

Douglas Cohn wrote:

I personally do not like installing anything on my Imail servers. That said, I use a simple DOS batch file to delete everything that is X days old. I run it as a scheduled task daily.

Doug

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, October 13, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Spool Dir

I was wondering what everyone does with the Imail\spool\virus directory. Do you delete all the files regularly? I've got 7000 files in there since I installed Declude (2 weeks ago).

---
[This E-mail was scanned for viruses.]
Re: [Declude.Virus] F-Prot Update Problems
Hi,

>> I am running F-Prot 3.15a (this was also happening with 3.15). When I installed I also installed the Scheduler and Updater. Now the Scheduler is running as a service and has been told to update the definitions every 4 hours. This works a lot of the time but sporadically the Updater ends up with an error message on the screen that it was not able to reach the Internet and it is waiting for a click. At this point no more Updates are run until you click (not good).

[]

> I haven't seen that problem in my server. Occasionally I see it in my personal pc that runs f-prot, but when I double check I just realize that I actually don't have an internet connection. Perhaps it is a problem with your network card that is sporadically down, or your internet is not being very stable lately.

Nope, I have *seen* this problem happen on my mailserver, while I was doing some maintenance unrelated to this problem. The server is connected to the internet 100% of the time and was sending/receiving mail at the time. However, right after the click I restarted the update manually and noticed it got an update. So MAYBE there is a problem with the update routine when the servers are in the process of being updated themselves and don't accept connections, or something like it.

Hmmm, I think I'll CC this to [EMAIL PROTECTED]

Greetings,
Bonno Bloksma
[Declude.Virus] mabuto virus
Hi,

I have a bounced mail from my postmaster account trying to warn someone about the W32/[EMAIL PROTECTED] virus they sent.

1) Is this a very new virus? Neither f-prot, Sophos nor Symantec has even heard of it, but the f-prot partner site http://www.authentium.com/ has heard of it. That's all the information I can find on that site: they have heard of it and are catching it.

2) Is this a forging virus we need to add to the list? If so, does Declude already have it in its forging virus list?

Greetings,
Bonno Bloksma
Re: [Declude.Virus] wave of unknown viruses?
Hi Markus,

How does f-prot report this, is it using heuristic scanning to detect unknown viruses? Is there a command-line option I need for this?

Over here the only reported viruses are all caught by Sophos and F-Prot with identical names (mainly Netsky.B, D, P and Z). It is quiet on the virus front over here (NL).

Greetings,
Bonno Bloksma

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Wednesday, July 28, 2004 12:10 PM
Subject: [Declude.Virus] wave of unknown viruses?

I'm not sure, but in the last few minutes I can see an increased number of "unknown virus" reports from my F-Prot 3.14e scan engine. Anyone else can see this too?

Markus
Re: [Declude.Virus] New Virus?
Hi,

I've always been in favour of having the forge list in the virus.cfg file; it will hide a forged sender in the e-mail to the recipient in case that is needed. In the *.eml files one can simply use a SKIPIFSENDER [Forged] line and never update any of those files again. The whole list is in *one* place where it can do the most good; any other place can simply use the info it provides.

Scott, maybe updating the default config to reflect this would be a good idea.

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 26, 2004 6:27 PM
Subject: Re: [Declude.Virus] New Virus?

> Does anyone have an updated forge list?

This question comes up quite often -- you can always find it in the sender.eml file at http://www.declude.com/virus/manual.htm .

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
Re: [Declude.Virus] What is Partial Vulnerability on a PDF
Hi,

> Actually why couldn't Declude run uudecode and reassemble the file before hand, then have it scanned and determine if it is harmful or not??

Because the time between the e-mail with the first part and the next might be one second, one day, one week, etc. Declude now simply scans one e-mail, and when it's finished... it's finished. If it were to scan something like this it would need to remember stuff between scans. And when would Declude decide a file sent in parts is complete? And what if a part is missing, when would Declude decide it would never get to see all parts? And what would Declude need to do with all parts before it has seen *all* parts and can finally decide whether they contain a virus or not?

Multiple questions/problems which Declude would need to solve, but for which there is no need to solve them. The reason for sending a large file in parts is virtually gone. I can find only one reason today: either the sender or receiver is on a slow dial-up and wants to send/receive across *dial-up sessions* for whatever reason. If that's the case, maybe they should split up the file beforehand using ZIP/RAR/etc. and send each part separately.

Greetings,
Bonno Bloksma
[Declude.Virus] update virus manual page
Hi Scott,

Could you add the link to the page explaining about the vulnerabilities (http://www.declude.com/virus/vulnerability.htm) to the virus manual page at the relevant place? I needed that link and was unable to find it on the site via any other link. Searching for vulnerability did not produce *any* hit. Maybe that should be addressed as well, as it is a big feature of Declude Virus.

Greetings,
Bonno Bloksma
[Declude.Virus] still unknown virus in unknown file
Hi,

I thought with 1.79i6 I would have gotten rid of these "unknown virus in unknown file" messages. Here is the log snippet from Declude:

05/02/2004 19:09:50 Q2b5d083f02240435 MIME file: [message/delivery-status] [*DEFAULT*; Length=1879 Checksum=156911]
05/02/2004 19:09:50 Q2b5d083f02240435 Warning: EOF in middle of MIME segment [Webmaster_attach.pif] [--cdfffadfecaededa]
05/02/2004 19:09:50 Q2b5d083f02240435 Banning file with pif extension [application/octet-stream].
05/02/2004 19:09:50 Q2b5d083f02240435 WARNING: EOF in multipart processing.
05/02/2004 19:09:50 Q2b5d083f02240435 WARNING: EOF in multipart processing.
05/02/2004 19:09:51 Q2b5d083f02240435 Invalid PIF Vulnerability
05/02/2004 19:09:51 Q2b5d083f02240435 Found a bogus .pif file
05/02/2004 19:09:51 Q2b5d083f02240435 Test2.3139c.1.pif.35706.4M.predef.declude.com
05/02/2004 19:09:51 Q2b5d083f02240435 File(s) are INFECTED [: 0]
05/02/2004 19:09:51 Q2b5d083f02240435 Scanned: CONTAINS A VIRUS [MIME: 4 39830]
05/02/2004 19:09:51 Q2b5d083f02240435 From: To: [EMAIL PROTECTED] [incoming from 192.87.5.144]
05/02/2004 19:09:51 Q2b5d083f02240435 Subject: Undelivered Mail Returned to Sender

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?

- Original Message -
From: "Postmaster" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 02, 2004 7:09 PM
Subject: Declude Virus caught a virus

Declude Virus v1.79i6 caught the Unknown Virus virus in Unknown File from to: [EMAIL PROTECTED].
Date: 05/02/2004 19:09:51
Subject: Undelivered Mail Returned to Sender
Spool File: D2b5d083f02240435.SMD
Remote IP: 192.87.5.144
Headers:
Received: from relay.surfnet.nl [192.87.5.144] by tio.nl with ESMTP (SMTPD32-8.05) id AB5D83F0224; Sun, 02 May 2004 19:09:49 +0200
Received: by relay.surfnet.nl (Postfix) id 90D683F974; Sun, 2 May 2004 19:08:26 +0200 (MEST)
Date: Sun, 2 May 2004 19:08:26 +0200 (MEST)
From: [EMAIL PROTECTED] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="AEEAD3F72A.1083517706/relay.surfnet.nl"
Message-Id: [EMAIL PROTECTED]

---
[This E-mail scanned for viruses by Declude Virus using f-prot and Sophos]
[Declude.Virus] unknown virus in unknown file
Hi,

As Declude *does* know the name of the file it is trying to decode, maybe it could display that name, along with the fact it caught a vulnerability and not an unknown virus? Shouldn't it have reported it found:

The EOF in multipart processing vulnerability virus in Webmaster_attach.pif

I'm also banning PIF files, but vulnerabilities should take precedence over banned extensions in reporting, right?

Here is the log snippet from the Declude log:

04/26/2004 20:44:16 Q588000ad02465470 MIME file: [message/delivery-status] [*DEFAULT*; Length=321 Checksum=28335]
04/26/2004 20:44:16 Q588000ad02465470 Warning: EOF in middle of MIME segment [Webmaster_attach.pif] [--dcffafbdbccebfccbeec]
04/26/2004 20:44:16 Q588000ad02465470 Banning file with pif extension [application/octet-stream].
04/26/2004 20:44:16 Q588000ad02465470 WARNING: EOF in multipart processing.
04/26/2004 20:44:16 Q588000ad02465470 WARNING: EOF in multipart processing.
04/26/2004 20:44:17 Q588000ad02465470 Invalid PIF Vulnerability
04/26/2004 20:44:17 Q588000ad02465470 Found a bogus .pif file
04/26/2004 20:44:17 Q588000ad02465470 File(s) are INFECTED [: 0]
04/26/2004 20:44:17 Q588000ad02465470 Scanned: CONTAINS A VIRUS [MIME: 4 37310]
04/26/2004 20:44:17 Q588000ad02465470 From: To: [EMAIL PROTECTED] [incoming from 192.87.5.144]
04/26/2004 20:44:17 Q588000ad02465470 Subject: Undelivered Mail Returned to Sender

Greetings,
Bonno Bloksma

Back up my hard drive? How do I put it in reverse?

- Original Message -
From: Postmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 26, 2004 8:44 PM
Subject: Declude Virus caught a virus

Declude Virus v1.79i4 caught the Unknown Virus virus in Unknown File from to: [EMAIL PROTECTED]
Date: 04/26/2004 20:44:17
Subject: Undelivered Mail Returned to Sender
Spool File: D588000ad02465470.SMD
Remote IP: 192.87.5.144
Headers:
Received: from relay.surfnet.nl [192.87.5.144] by tio.nl with ESMTP (SMTPD32-8.05) id A880AD0246; Mon, 26 Apr 2004 20:44:16 +0200
Received: by relay.surfnet.nl (Postfix) id C0C453F4EE; Mon, 26 Apr 2004 20:43:04 +0200 (MEST)
Date: Mon, 26 Apr 2004 20:43:04 +0200 (MEST)
From: [EMAIL PROTECTED] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary=81D6A3F2C9.1083004984/relay.surfnet.nl
Message-Id: [EMAIL PROTECTED]
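The point above is that Declude's own log already names the truncated segment and the vulnerability it found, so a notification need not say "Unknown Virus in Unknown File". As an added Python example written for this page (not Declude's code), the following groups Declude log lines by queue id and derives the "caught X in Y" wording from them; the sample lines are the two snippets posted in this thread (Chuck Schick's "Virus Free" zip and the delivery-status report above), with the archive's [EMAIL PROTECTED] placeholder left as it appears.

```python
import re

# Constructed sample: the two log snippets posted in this thread, one queue id each.
SAMPLE_LOG = """\
05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
04/26/2004 20:44:16 Q588000ad02465470 MIME file: [message/delivery-status] [*DEFAULT*; Length=321 Checksum=28335]
04/26/2004 20:44:16 Q588000ad02465470 Warning: EOF in middle of MIME segment [Webmaster_attach.pif] [--dcffafbdbccebfccbeec]
04/26/2004 20:44:16 Q588000ad02465470 Banning file with pif extension [application/octet-stream].
04/26/2004 20:44:16 Q588000ad02465470 WARNING: EOF in multipart processing.
04/26/2004 20:44:16 Q588000ad02465470 WARNING: EOF in multipart processing.
04/26/2004 20:44:17 Q588000ad02465470 Invalid PIF Vulnerability
04/26/2004 20:44:17 Q588000ad02465470 Found a bogus .pif file
04/26/2004 20:44:17 Q588000ad02465470 File(s) are INFECTED [: 0]
04/26/2004 20:44:17 Q588000ad02465470 Scanned: CONTAINS A VIRUS [MIME: 4 37310]
04/26/2004 20:44:17 Q588000ad02465470 From: To: [EMAIL PROTECTED] [incoming from 192.87.5.144]
04/26/2004 20:44:17 Q588000ad02465470 Subject: Undelivered Mail Returned to Sender
"""

# Every Declude scan line is "<date> <time> <queue id> <message>".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) (.*)$")
SEGMENT_RE = re.compile(r"EOF in middle of MIME segment \[([^\]]+)\]")
BANNED_RE = re.compile(r"Banning file with (\w+) extension")
ATTACH_RE = re.compile(r"MIME file: ([^\[\s]+) \[")   # skips [message/...] pseudo-names
SCANNED_RE = re.compile(r"Scanned: (.+?) \[MIME:")
REMOTE_RE = re.compile(r"\[incoming from ([\d.]+)\]")


def parse_declude_log(text):
    """Group the message part of each log line under its queue id, in order of appearance."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Declude scan line; ignore
        _ts, qid, msg = m.groups()
        entries.setdefault(qid, []).append(msg)
    return entries


def summarize(messages):
    """Condense one queue id's messages into the facts a notification needs."""
    s = {"verdict": None, "attachments": [], "truncated_segment": None,
         "banned_ext": None, "vulnerabilities": [], "eof_warnings": 0,
         "remote_ip": None, "subject": None}
    for msg in messages:
        if (m := SCANNED_RE.search(msg)):
            s["verdict"] = m.group(1)
        elif (m := ATTACH_RE.match(msg)):
            s["attachments"].append(m.group(1))
        elif (m := SEGMENT_RE.search(msg)):
            s["truncated_segment"] = m.group(1)
        elif (m := BANNED_RE.search(msg)):
            s["banned_ext"] = m.group(1)
        elif msg.endswith(" Vulnerability"):
            s["vulnerabilities"].append(msg)
        elif msg == "WARNING: EOF in multipart processing.":
            s["eof_warnings"] += 1
        elif (m := REMOTE_RE.search(msg)):
            s["remote_ip"] = m.group(1)
        elif msg.startswith("Subject: "):
            s["subject"] = msg[len("Subject: "):]
    return s


def describe_catch(summary):
    """Name what was caught and in which file, as the post above asks for;
    returns None when the scan verdict was not CONTAINS A VIRUS."""
    if summary["verdict"] != "CONTAINS A VIRUS":
        return None
    what = ", ".join(summary["vulnerabilities"]) or "Unknown Virus"
    where = summary["truncated_segment"] or (summary["attachments"] or ["Unknown File"])[-1]
    return f"caught the {what} in {where}"


if __name__ == "__main__":
    for qid, msgs in parse_declude_log(SAMPLE_LOG).items():
        print(qid, describe_catch(summarize(msgs)))
```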
Re: [Declude.Virus] W32.Netsky.Q got through..
Hi,

If a second scan of the same e-mail/attachment will still not catch the virus I *know* AV companies like f-prot would very much like to get it from you. I had something like that once a while ago. However, I let Declude delete all mail identified as virus, so I did not have it for them anymore.

Kind regards,
Bonno Bloksma

----- Original Message -----
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 23, 2004 3:54 PM
Subject: Re: [Declude.Virus] W32.Netsky.Q got through..

I've noticed that Virusscan does a better job of catching viruses in the .ezip than F-Prot. In my smaller world here, there will be 2-5 .ezip viruses a day that VirusScan catches that F-Prot does not.

Scott Fisher
Director of IT
Farm Progress Companies

[EMAIL PROTECTED] 04/23/04 08:45AM

This morning when receiving a message from our spam account (I hold everything instead of deleting, then review), I received a message and attachment that Norton AV on my local machine caught as a Netsky.Q virus. This would have been delivered to the client had it not failed the spam tests. I'm running Declude v1.79 and F-Prot 3.14e with latest defs. Anyone else seeing Netsky.Q's getting through? Luckily I haven't seen any more come through, but if you look at the virus logs, it sees it as virus free. UGH! Wish I could have caught it on my Linux VM so I could continue sending the message to the server to see when it finally catches it.

Are other copies of Netsky.Q getting caught?

Do you have a line BANEXT EZIP in your virus.cfg file?

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.Virus] virus or vulnerability
Hi,

Below is a log snippet where a vulnerability was caught. However, in my e-mail to the postmaster (myself) it is reported as an unknown virus in an unknown file. How come? Is it because I'm also blocking PIF files?

I'm (still) using Declude 1.87i28 (will upgrade to the latest 1.79 interim later today).
IMail 8.05
Windows 2000 server SP4 with latest patches

[.]
04/19/2004 08:55:45 Q77f00fb601282210 MIME file: [message/delivery-status][*DEFAULT*; Length=364 Checksum=32100]
04/19/2004 08:55:45 Q77f00fb601282210 Warning: EOF in middle of MIME segment [shock_text.pif] [--fccedeefdaaafeaceeedafcebdd]
04/19/2004 08:55:45 Q77f00fb601282210 Banning file with pif extension [application/octet-stream].
04/19/2004 08:55:45 Q77f00fb601282210 WARNING: EOF in multipart processing.
04/19/2004 08:55:45 Q77f00fb601282210 WARNING: EOF in multipart processing.
[]
04/19/2004 08:55:47 Q77f00fb601282210 Invalid PIF Vulnerability
04/19/2004 08:55:47 Q77f00fb601282210 Found a bogus .pif file
04/19/2004 08:55:47 Q77f00fb601282210 File(s) are INFECTED [: 0]
04/19/2004 08:55:47 Q77f00fb601282210 Scanned: CONTAINS A VIRUS [MIME: 4 36544]
04/19/2004 08:55:47 Q77f00fb601282210 From:  To: [EMAIL PROTECTED] [incoming from 131.174.93.39]
04/19/2004 08:55:47 Q77f00fb601282210 Subject: Undelivered Mail Returned to Sender

Greetings,
Bonno Bloksma

----- Original Message -----
From: Postmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 8:55 AM
Subject: Declude Virus caught a virus

Declude Virus v1.78i28 caught the Unknown Virus virus in Unknown File from  to: [EMAIL PROTECTED]
Date: 04/19/2004 08:55:47
Subject:Undelivered Mail Returned to Sender
Spool File: D77f00991013e2200.SMD
Remote IP: 131.174.93.39
Headers:
Received: from jurollo.uci.kun.nl [131.174.93.39] by tio.nl with ESMTP (SMTPD32-8.05) id A7F0991013E; Mon, 19 Apr 2004 08:55:44 +0200
Received: by jurollo.uci.kun.nl (Postfix) id CCBD029C03E; Mon, 19 Apr 2004 08:54:45 +0200 (CEST)
Date: Mon, 19 Apr 2004 08:54:45 +0200 (CEST)
From: [EMAIL PROTECTED] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary=C6AE029C043.1082357685/jurollo.uci.kun.nl
Message-Id: [EMAIL PROTECTED]
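The two posts above (the April 19 question and the April 26 follow-up) make the same point: the Declude log already records the vulnerability name and the MIME segment's file name, but the postmaster notification says "Unknown Virus in Unknown File". The following is an added example, not code from the posts or from Declude, that reads log lines in the format quoted above and builds the notification line the author asked for. The sample log is the snippet from the April 19 post; the line formats and the precedence (vulnerability before banned extension) are assumptions based only on what is quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the log lines quoted in the April 19 post, one queue ID.
SAMPLE_LOG = """\
04/19/2004 08:55:45 Q77f00fb601282210 MIME file: [message/delivery-status][*DEFAULT*; Length=364 Checksum=32100]
04/19/2004 08:55:45 Q77f00fb601282210 Warning: EOF in middle of MIME segment [shock_text.pif] [--fccedeefdaaafeaceeedafcebdd]
04/19/2004 08:55:45 Q77f00fb601282210 Banning file with pif extension [application/octet-stream].
04/19/2004 08:55:45 Q77f00fb601282210 WARNING: EOF in multipart processing.
04/19/2004 08:55:45 Q77f00fb601282210 WARNING: EOF in multipart processing.
04/19/2004 08:55:47 Q77f00fb601282210 Invalid PIF Vulnerability
04/19/2004 08:55:47 Q77f00fb601282210 Found a bogus .pif file
04/19/2004 08:55:47 Q77f00fb601282210 File(s) are INFECTED [: 0]
04/19/2004 08:55:47 Q77f00fb601282210 Scanned: CONTAINS A VIRUS [MIME: 4 36544]
04/19/2004 08:55:47 Q77f00fb601282210 From:  To: [EMAIL PROTECTED] [incoming from 131.174.93.39]
04/19/2004 08:55:47 Q77f00fb601282210 Subject: Undelivered Mail Returned to Sender
"""

# Constructed sample with only a banned extension and no vulnerability line,
# to exercise the fallback path (assumed format, not taken from the thread).
SAMPLE_BANNED_ONLY = """\
04/19/2004 09:00:00 Q77f00fb601282211 Banning file with exe extension [application/octet-stream].
04/19/2004 09:00:00 Q77f00fb601282211 Scanned: CONTAINS A VIRUS [MIME: 1 1024]
"""

# Every Declude log line in the snippet is "<date> <time> <queue id> <message>".
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<qid>Q[0-9a-f]+) (?P<msg>.*)$")
SEGMENT_RE = re.compile(r"^Warning: EOF in middle of MIME segment \[(?P<file>[^\]]+)\]")
BANNED_RE = re.compile(r"^Banning file with (?P<ext>\w+) extension")
VULN_RE = re.compile(r"^(?P<name>.+ Vulnerability)$")
VERDICT_RE = re.compile(r"^Scanned: (?P<verdict>.*?)(?: \[.*)?$")


@dataclass
class ScanSummary:
    qid: str
    segment_files: List[str] = field(default_factory=list)   # files named in MIME warnings
    banned_extensions: List[str] = field(default_factory=list)
    vulnerabilities: List[str] = field(default_factory=list)
    verdict: str = ""


def summarize(log_text: str) -> Dict[str, ScanSummary]:
    """Group log lines by queue ID and pull out the fields worth reporting."""
    summaries: Dict[str, ScanSummary] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a Declude log line in the expected shape; skip it
        s = summaries.setdefault(m["qid"], ScanSummary(m["qid"]))
        msg = m["msg"]
        if seg := SEGMENT_RE.match(msg):
            s.segment_files.append(seg["file"])
        elif ban := BANNED_RE.match(msg):
            s.banned_extensions.append(ban["ext"])
        elif vul := VULN_RE.match(msg):
            s.vulnerabilities.append(vul["name"])
        elif ver := VERDICT_RE.match(msg):
            s.verdict = ver["verdict"]
    return summaries


def notification_line(s: ScanSummary) -> str:
    """Name what was caught and where, instead of 'Unknown Virus in Unknown File'.

    Precedence here follows the author's suggestion: a detected vulnerability
    is reported before a merely banned extension (assumption, not Declude's rule).
    """
    if s.vulnerabilities:
        what = s.vulnerabilities[0]
    elif s.banned_extensions:
        what = f"banned .{s.banned_extensions[0]} attachment"
    else:
        what = "Unknown Virus"
    where = s.segment_files[0] if s.segment_files else "Unknown File"
    return f"caught the {what} in {where}"


if __name__ == "__main__":
    for qid, summary in summarize(SAMPLE_LOG).items():
        print(qid, summary.verdict, "->", notification_line(summary))
```

Run stand-alone it prints one line per queue ID; on the sample above that is the vulnerability name and `shock_text.pif`, which is exactly the information the notification template was missing.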
Re: [Declude.Virus] multiple scanners, which name
Hi,

As there is still the problem of Sophos reporting the virus name and filename on one line I would like to get the virus name from the f-prot scanner if there is one. This name should go into the e-mails to the various recipients, when needed. I know there was a way to either get the name from the first or the second scanner. What was it?

Declude Virus will handle this automatically. If you are using both F-Prot (which reports the virus name) and Sophos (which does not report the virus name), and both catch a virus, Declude Virus will automatically use the virus name that F-Prot reports.

I was thinking (but did not write it correctly): As there is still the problem of Sophos reporting the virus name and filename on one line I would like to get the virus name from the f-prot scanner *when* there is one. If f-prot does not report a virus but Sophos does, I'll accept the Sophos name.

Currently I'm getting the Sophos virus name in my e-mails which includes the filename. I know I've played around with which scanner is first as Declude would use either the first or last name. But somehow I never got the result I wanted. I think I remember reading about a fix in one of the last releases for this but I can't seem to find the e-mail in which you wrote about it. Should I place f-prot or Sophos as the first scanner when I want the f-prot virus name?

[]

p.p.s. Any update on 1.79 scanning mail from the web interface as well? I'm still on 1.78i28 because of that.

The latest interim release should scan web messaging E-mail again.

I'll update to the latest interim on Monday then. I won't introduce a change like that minutes before I'm leaving for the weekend. It's past 5 pm here. ;-)

Have a nice weekend.

Greetings,
Bonno Bloksma
[Declude.Virus] sending a virus to support
Hi,

How does one send a virus to an antivirus company when Declude catches all viruses? Is there a way to tell Declude *not* to scan a certain mail? If not, how do you guys/gals solve this?

If not, Scott, how about a feature request, maybe when I add a line like DECLUDE NOSCAN password at the top of the mail?

Greetings,
Bonno Bloksma
[Declude.Virus] links on declude site
Hi Scott,

I had a link in my messages about blocking vulnerabilities.

[.]
If you need more info about these vulnerabilities take a look at the Declude site http://www.declude.com/virus/vulnerability.htm

This link no longer seems to work. It's all messages now on your site. Will general stuff like this be available on a static link we can refer people to?

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
[Declude.Virus] Fw: Sweep VIRUS ALERT from dommie.hengelo.tio.nl
Hi Scott,

If I understand the IMail directory structure correctly the spool\web directory is only used for mail attachments sent via the web interface. If that is indeed the case then here is a logfile from Sophos to show you why it is important to scan webmail for viruses.

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 4:20 AM
Subject: Sweep VIRUS ALERT from dommie.hengelo.tio.nl

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\Info(1).zip
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~2.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~1.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~3.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INFORM~4.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INE785~1.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INE385~1.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INEB85~1.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\Info.zip
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL

Virus: Sophos Anti-Virus report:
Virus: 'W32/Bagle-Zip' detected in C:\IMail\spool\web\INEF75~1.ZIP
User: NT AUTHORITY\SYSTEM
At 04:20 on Tuesday, April 06, 2004
User: Administrators
Node: MAIL
[Declude.Virus] dropping virus report e-mails
Hi,

I also asked this question in the IMail forum but... could I maybe do something with the BANNAME keyword without sending the standard reply which I do want to send for regular files I ban on extension? As far as I know I have little flexibility (yet) in the name of the *.eml file which needs to be BANnotify.eml

While we are on the subject, can I easily delete e-mails with a 0 byte zip file, as they are just broken viruses anyway?

Like I wrote below, I have IMail (8.05), Declude (1.78i28) Junkmail standard and virus pro

Kind regards,
Bonno Bloksma

----- Original Message -----
From: Bonno Bloksma [EMAIL PROTECTED]
To: IMail_Forum [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 9:34 AM
Subject: [IMail Forum] dropping virus report e-mails

Hi,

Some viruses send to the secondary MX, that's the MX from my uplink. He also does virus scanning but reports those viruses to the end recipient. My users are going crazy with those hundreds of emails and I simply want to drop them. As my uplink has some/several customers who want to receive those e-mails and he cannot differentiate between customers I have to drop them myself.

Is there a way to have a domain wide rule in IMail to simply delete all mails that have an attachment called: Virtu-Attachment-Warning.txt ? That is the only constant in all those virus report e-mails.

I'm also using Declude Junkmail standard and virus pro, if any of those products can do what I want then that's ok too.

Kind regards,
Bonno Bloksma

---
[This E-mail scanned for viruses by Declude Virus using f-prot and Sophos]
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
[Declude.Virus] testing encrypted zips
Hi,

Was wondering if there is any way to test and make sure Declude is catching this?

There is now a test file at the Test Virus Sender at http://www.declude.com/tools that will test this vulnerability.
-Scott

Just realised I need the latest interim to check for the EZIP but... Could you add a few more options to the test virus files? As someone pointed out we would probably not block normal files within a ZIP but block exe/etc files within a normal zip and all zips with encrypted files. I could not find this option in the test virus menu yet. Of course it's quite easy to create those files myself but this would probably be another hint about the quality of Declude.

Greetings,
Bonno Bloksma
[Declude.Virus] reporting
Hi,

Am I doing something wrong? I have both F-Prot and Sophos to scan the mail for viruses. I know Declude has trouble distilling the name of the virus from the Sophos report file as it does not end the virus name with a new line. However, I've been trying playing with the order in which Declude calls both scanners. I'm running Declude c1.75 as reported by the -diag switch.

I'm either getting:
---
Declude Virus v1.75 caught the : EICAR_Test_File virus in Sophos SWEEP for NT from [EMAIL PROTECTED] to: [EMAIL PROTECTED]
Date: 12/22/2003 13:52:09
Subject:Test eicar.com file [eicarzip]
Spool File: De8f70022020af014.SMD
Remote IP: 216.58.174.203
[.]
---
or
---
Declude Virus v1.75 caught the 'EICAR-AV-Test' found in file C:\IMail\spool\DE71F0~1.VIR\\1_1.com virus in Sophos SWEEP for NT from [EMAIL PROTECTED] to: [EMAIL PROTECTED]
Date: 12/22/2003 13:44:17
Subject:Test eicar.com file [eicarmimeuu]
Spool File: De71f001f026abca2.SMD
Remote IP: 216.58.174.203
[]
---

As I'm seeing the line "in Sophos SWEEP for NT" I was thinking I did something wrong. However, here are both report files (manually run from the command line). Where is Declude getting the string "in Sophos NT" from?

---f-prot report---
Virus scanning report - 22 December 2003 @ 13:50

F-PROT ANTIVIRUS
Program version: 3.14b
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 20 December 2003
SIGN2.DEF created 20 December 2003
MACRO.DEF created 15 December 2003

Search: eicar.com
Action: Report only
Files: Dumb scan of all files
Switches: /ARCHIVE /REPORT=report.txt /SILENT /NOBOOT /NOMEM

Memory was not scanned.
Hard disk boot sectors were not scanned.

C:\virtest\eicar.com Infection: EICAR_Test_File

Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00
--

---Sophos report ---
Sophos Anti-Virus
Version 3.76, December 2003 [Win32/Intel]
Includes detection for 86142 viruses, trojans and worms
Copyright (c) 1989,2003 Sophos Plc, www.sophos.com

System time 13:47:52, System date 22 December 2003

Command line qualifiers are: -nc -mac -archive

IDE directory is: C:\Program Files\Sophos SWEEP for NT

Using IDE file agobo-aw.ide
Using IDE file agobotag.ide
Using IDE file agobotas.ide
[.]
Using IDE file Yaha-y.ide
Using IDE file zana-a.ide

Quick Scanning

Virus 'EICAR-AV-Test' found in file eicar.com

1 file swept in 1 second.
1 virus was discovered.
1 file out of 1 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email [EMAIL PROTECTED] or telephone +44 1235 559933
Ending Sophos Anti-Virus.
--

Kind regards,
Bonno Bloksma
Re: [Declude.Virus] reporting
Hi,

As I'm seeing the line "in Sophos SWEEP for NT" I was thinking I did something wrong. However, here are both report files (manually run from the command line). Where is Declude getting the string "in Sophos NT" from?

I'm guessing that it is in your .eml file. :)

That's the funny part, I had looked at it but that's not it either. Here's my postmaster.eml file:

SKIPIFVIRUSNAMEHAS W32/Sobig-F
SKIPIFVIRUSNAMEHAS W32/[EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Declude Virus caught a virus

Declude Virus v%VERSION% caught the %VIRUSNAME% virus in %VIRUSFILE% from %MAILFROM% to: %ALLRECIPS%.
Date: %DATE% %TIME%
Subject:%SUBJECT%
Spool File: %QUEUENAME%
Remote IP: %REMOTEIP%
Headers:
%HEADERS%
--

And just to make sure I had it all right, I added the words "this file" to the eml file and sent myself the eicar test once more. The e-mail to the postmaster started like this:

--
this file
Declude Virus v1.75 caught the : EICAR_Test_File virus in Sophos SWEEP for NT from [EMAIL PROTECTED] to: [EMAIL PROTECTED]
Date: 12/22/2003 14:57:23
Subject:Test eicar.com file [eicarzip]
Spool File: Df84100200154a8a7.SMD
Remote IP: 216.58.174.203
Headers:
[...]

As you can see Declude is using the right template. I guess it's time for the debug mode?

Kind regards,
Bonno Bloksma
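The "reporting" posts above show the two scanner report formats side by side: F-Prot prints the file and `Infection: <name>` on one line, while Sophos prints `Virus '<name>' found in file <file>`, which is how a file name ends up inside the reported "virus name". The "multiple scanners, which name" post states the rule Declude applies when both scanners detect something: use the F-Prot name. As an added example (not code from the thread, from Declude, or from either vendor), here is a small parser that extracts the bare virus name from each report shape and applies that rule, falling back to the Sophos name when only Sophos detects something. The report texts are constructed and abbreviated from the two reports quoted above; the regular expressions are assumptions that fit only those quoted lines.

```python
import re
from typing import List, Optional, Tuple

# Constructed, abbreviated F-Prot report (lines taken from the post above).
FPROT_REPORT = r"""Virus scanning report - 22 December 2003 @ 13:50
F-PROT ANTIVIRUS
Program version: 3.14b
Search: eicar.com
Action: Report only
Switches: /ARCHIVE /REPORT=report.txt /SILENT /NOBOOT /NOMEM

C:\virtest\eicar.com  Infection: EICAR_Test_File

Results of virus scanning:
Files: 1
Infected: 1
"""

# Constructed, abbreviated Sophos report (lines taken from the post above).
SOPHOS_REPORT = r"""Sophos Anti-Virus
Version 3.76, December 2003 [Win32/Intel]
Command line qualifiers are: -nc -mac -archive
Quick Scanning

Virus 'EICAR-AV-Test' found in file eicar.com

1 file swept in 1 second.
1 virus was discovered.
1 file out of 1 was infected.
Please send infected samples to Sophos for analysis.
"""

# F-Prot: "<path>  Infection: <name>" (assumed from the quoted report).
FPROT_RE = re.compile(r"^(?P<file>\S.*?)\s+Infection:\s+(?P<name>\S+)\s*$")
# Sophos: "Virus '<name>' found in file <path>" (assumed from the quoted report).
SOPHOS_RE = re.compile(r"Virus '(?P<name>[^']+)' found in file (?P<file>.+?)\s*$")


def parse_fprot(report: str) -> List[Tuple[str, str]]:
    """Return (file, virus name) pairs from an F-Prot report."""
    hits = []
    for line in report.splitlines():
        if m := FPROT_RE.match(line):
            hits.append((m["file"], m["name"]))
    return hits


def parse_sophos(report: str) -> List[Tuple[str, str]]:
    """Return (file, virus name) pairs from a Sophos report.

    The name is split from the file here, so the file path never leaks into
    the name the notification template will print.
    """
    hits = []
    for line in report.splitlines():
        if m := SOPHOS_RE.search(line):
            hits.append((m["file"], m["name"]))
    return hits


def pick_virus_name(fprot_report: str, sophos_report: str) -> Optional[str]:
    """Prefer the F-Prot name when both scanners detect something (the rule
    stated in the thread); otherwise fall back to Sophos; None if neither hit."""
    fprot_hits = parse_fprot(fprot_report)
    if fprot_hits:
        return fprot_hits[0][1]
    sophos_hits = parse_sophos(sophos_report)
    if sophos_hits:
        return sophos_hits[0][1]
    return None


if __name__ == "__main__":
    print("F-Prot:", parse_fprot(FPROT_REPORT))
    print("Sophos:", parse_sophos(SOPHOS_REPORT))
    print("Chosen name:", pick_virus_name(FPROT_REPORT, SOPHOS_REPORT))
```

The point of keeping the file path and the name in separate fields is exactly the problem described above: a template that substitutes `%VIRUSNAME%` should never receive `'EICAR-AV-Test' found in file C:\...` as the name.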
Re: [Declude.Virus] Current Forging Virus list
Hi,

To go OT a bit, what the hell is forging dns?

You know what a forging virus is?

I know dns

And you know what dns is. Now of course you have heard of spammers and probably also of dns blacklists? Well, the forging dns is a dns-alike server that keeps a list of virus names which are forging viruses and is maintained by/for Declude.

but forging..

Yeah. :) It's not the dns which is being forged, which kinda gets you on the wrong track.

Probably something simple though. :P

Yup. ;-)

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.Virus] Current Forging Virus list
Hi,

My list is a bit longer and isn't it Dumaru instead of Dumar?

FORGINGVIRUS Avril
FORGINGVIRUS Braid
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS Dumaru
FORGINGVIRUS Fizzer
FORGINGVIRUS Gibe
FORGINGVIRUS Hybris
FORGINGVIRUS Klez
FORGINGVIRUS Lentin
FORGINGVIRUS Magistr
FORGINGVIRUS Mimail
FORGINGVIRUS Palyh
FORGINGVIRUS Sefex
FORGINGVIRUS Sober
FORGINGVIRUS Sobig
FORGINGVIRUS Swen
FORGINGVIRUS Yaha

Scott, my list is also longer than the list in the sender.eml file. You are missing Avril, Gibe, Hybris, Sefex and Swen. Are those not forging viruses? I only add them to my list after receiving delivery errors which state unknown mailbox or something like it. Also you have Dumar instead of Dumaru. Sophos does not know a Dumar virus but does know of a Dumaru virus. Same for F-prot.

Maybe a good idea to have these standard in the virus.cfg file and adapt the *.eml files into using the line SKIPIFSENDER [Forged], that way all maintenance is done at one place, no need to update multiple eml files, no confusing the user with invalid e-mail addresses. Of course your forging dns server is even better but this is a good starting place for those that don't want that for whatever reason.

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

----- Original Message -----
From: Karen D. Oland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 7:46 PM
Subject: RE: [Declude.Virus] Current Forging Virus list

I've also seen these identified with forged addresses:

FORGINGVIRUS Mimail
FORGINGVIRUS Dumar
FORGINGVIRUS Sober
FORGINGVIRUS Holar

Is this a good current list?

FORGINGVIRUS Braid
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS Hybris
FORGINGVIRUS Lentin
FORGINGVIRUS Klez
FORGINGVIRUS Magistr
FORGINGVIRUS Sobig
FORGINGVIRUS Vulnerability
FORGINGVIRUS Yaha
FORGINGVIRUS Fizzer
FORGINGVIRUS Palyh
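The post above proposes keeping the forging-virus list in one place (the `FORGINGVIRUS` lines in virus.cfg) and having the sender notification template opt out of forged senders with a single `SKIPIFSENDER [Forged]` control line, instead of repeating `SKIPIFVIRUSNAMEHAS` lines per template as in the postmaster.eml quoted in the "reporting" thread. The following is an added example, not Declude's code and not from any post, that implements that proposal: it reads the `FORGINGVIRUS` entries, separates a template's leading control lines from its message, decides whether a sender notification should go out at all, and renders the `%VARIABLE%` placeholders. The config and template are constructed from lines quoted in this thread; the matching rules (case-insensitive substring on the virus name, `SKIPIF` lines recognised only at the top of the template) are assumptions, since the thread does not spell out Declude's own semantics.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed virus.cfg fragment: a few FORGINGVIRUS lines from the post above,
# plus the "FORGINGVIRUS Vulnerability" entry from the quoted list.
VIRUS_CFG = """\
BANEXT PIF
FORGINGVIRUS Dumaru
FORGINGVIRUS Klez
FORGINGVIRUS Lentin
FORGINGVIRUS Sobig
FORGINGVIRUS Vulnerability
"""

# Constructed sender.eml: the proposed SKIPIFSENDER [Forged] control line on top
# of the template layout quoted in the "reporting" thread.
SENDER_EML = """\
SKIPIFSENDER [Forged]
SKIPIFVIRUSNAMEHAS EICAR
From: [EMAIL PROTECTED]
To: %MAILFROM%
Subject: Declude Virus caught a virus

Declude Virus v%VERSION% caught the %VIRUSNAME% virus in %VIRUSFILE% from %MAILFROM% to: %ALLRECIPS%.
"""


def forging_viruses(cfg_text: str) -> List[str]:
    """Collect the name fragments listed on FORGINGVIRUS lines of virus.cfg."""
    names = []
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "FORGINGVIRUS":
            names.append(parts[1].strip())
    return names


def is_forging(virus_name: str, forging: List[str]) -> bool:
    """Assumed match rule: case-insensitive substring of the reported name."""
    lower = virus_name.lower()
    return any(fragment.lower() in lower for fragment in forging)


def split_template(eml_text: str) -> Tuple[List[Tuple[str, str]], str]:
    """Separate leading SKIPIF... control lines from the message itself."""
    lines = eml_text.splitlines()
    controls: List[Tuple[str, str]] = []
    i = 0
    while i < len(lines) and lines[i].upper().startswith("SKIPIF"):
        keyword, _, argument = lines[i].partition(" ")
        controls.append((keyword.upper(), argument.strip()))
        i += 1
    return controls, "\n".join(lines[i:]) + "\n"


def should_send(controls: List[Tuple[str, str]], virus_name: str, forging: List[str]) -> bool:
    """Apply the control lines: any matching SKIPIF rule suppresses the mail."""
    for keyword, argument in controls:
        if keyword == "SKIPIFVIRUSNAMEHAS" and argument.lower() in virus_name.lower():
            return False
        if keyword == "SKIPIFSENDER" and argument == "[Forged]" and is_forging(virus_name, forging):
            return False
    return True


def render(template: str, values: Dict[str, str]) -> str:
    """Substitute %NAME% placeholders; unknown placeholders are left untouched."""
    return re.sub(r"%([A-Z]+)%", lambda m: values.get(m.group(1), m.group(0)), template)


def sender_notification(eml_text: str, cfg_text: str, values: Dict[str, str]) -> Optional[str]:
    """Return the rendered sender notification, or None when it must be skipped."""
    controls, template = split_template(eml_text)
    if not should_send(controls, values["VIRUSNAME"], forging_viruses(cfg_text)):
        return None
    return render(template, values)


if __name__ == "__main__":
    # Constructed substitution values (the addresses are placeholders).
    base = {"VERSION": "1.75", "VIRUSFILE": "sample.exe",
            "MAILFROM": "sender@example.invalid", "ALLRECIPS": "user@example.invalid"}
    for name in ("W32/Sobig-F", "Invalid PIF Vulnerability", "W32/Example-Test"):
        out = sender_notification(SENDER_EML, VIRUS_CFG, {**base, "VIRUSNAME": name})
        print(name, "->", "skipped" if out is None else "sent")
```

With this arrangement a newly identified forging virus is added once, in virus.cfg, and every template carrying `SKIPIFSENDER [Forged]` stops warning the forged address; the `FORGINGVIRUS Vulnerability` entry from the quoted list makes vulnerability-only detections count as forged too, which matches the bounce-message cases earlier in this thread.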
Re: [Declude.Virus] W32/Sober.A@mm looks forging
Hi,

It seems the templates at the Declude site are not updated yet. So either Scott did not get around to it yet or he has other information. We got a few Sobers as well and they claim to have come from an alias we only use for receiving mail.

Kind regards,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 27, 2003 11:12 PM
Subject: [Declude.Virus] W32/[EMAIL PROTECTED] looks forging

Hi all,

Looks like the new W32/[EMAIL PROTECTED] is a forging contemporary. All sender warnings until now returned as NDR (unknown user) from the remote MTA.

I consider adding a new line

FORGINGVIRUS Sober

to your virus.cfg file

Markus
[Declude.Virus] banext notification
Hi,

I'm thinking of leaving the banext in place but want to alert the sender and/or recipient when a mail is being held. I've downloaded the BANnotify.eml file but don't see how Declude decides when to use it. Do I need to put any extra control lines at the beginning?

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.Virus] Updating Virus and Spam Filters
Hi Kevin,

We are running Declude 1.58 on IMail 7.13.

Actually that version is not very old but some issues with viri trying to evade virus scanners have been incorporated into Declude to catch those viri.

We have been running this setup since July. My mail server has been up and running for about 18 months now.

[...]

I know that you can have all the software you want but unless We (the end-user) maintain that software it is useless.

Actually, I have not done much updating on the mailserver these past 18 months. All you need to do is set it up so the important parts update themselves and once in a while have a look at what updates are available and if you need them.

I have made it my personal goal to increase the performance of our Declude scanner and do appreciate any assistance you can provide.

Get the 1.65 version or go for the latest beta if you need something from that version, both can be downloaded from the manual page which Scott already sent you the link for. Beyond that make sure the virus scanner on the mailserver is set to autoupdate at least once a day, mine is set for every six hours. Imail updates, as all other updates, need only to be installed if they fix something you need to have fixed. Or make it a policy to update every 3 months to the latest version that is free to you at that time. I started at 7.00 and am now at 7.07HF2.

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
Re: [Declude.Virus] Virus and vulnerability
Hi,

Below is a report by Declude about a vulnerability that is found in an attachment with an .exe name. I'm pretty sure that exe file is a virus but there is no virus name mentioned in the report by Declude.

[.]

If a vulnerability is detected, Declude Virus will still send the attachment to the virus scanner. If the virus scanner detects a virus, Declude Virus will refer to the virus that was detected rather than the vulnerability. So if Declude Virus reports a vulnerability, it means that no virus was detected by the virus scanner.

Well guess what, Scott, THANK YOU, because a few hours later today after the virus scanner was updated it turned out this exe file contained a virus called W32/Lirva.D@mm. Am I glad Declude is catching those MIME errors as well. :-)

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
[Declude.Virus] lots of spaces before real extension
Hi,

At first I was going to write: Just upgraded f-prot from 3.11a to 3.12c and now I noticed that a Lentin.F virus was found in a file attachment with the .txt extension.

Then, because I had a look again at this e-mail when it was reformatted with CR's I noticed the .bat about 100 spaces later. Now this is a nice way for a virus to disguise the real extension ;-) but... can Declude do something about this in the reporting of the filename? I was thinking about reducing any whitespace block of over 5 spaces/tabs to just 5 spaces. That way the idea is still visible (lots of whitespace in a filename) but now it is visible, instead of hidden beyond the end of our screen.

Kind regards,
Bonno Bloksma

----- Original Message -----
From: Postmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 11:28 AM
Subject: Declude Virus caught a virus

Declude Virus v1.53 caught the : W32/Lentin.F@mm virus in Wanadoo instellingen.txt .bat from [EMAIL PROTECTED] to: [EMAIL PROTECTED]
Date: 12/09/2002 11:28:59
Subject:Fw: Wanadoo instellingen
Spool File: D702f00a2013211b4.SMD
Remote IP: 81.68.37.112
Headers:
Received: from mail.tio.nl [81.68.37.112] by mailie.tio.nl (SMTPD32-7.07) id A02FA20132; Mon, 09 Dec 2002 11:27:59 +0100
From: buurmana[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Fw: Wanadoo instellingen
Date: Mon,09 Dec 2002 11:25:50 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=txmgvld
Message-Id: [EMAIL PROTECTED]
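The post above describes an attachment named `...instellingen.txt` followed by about 100 spaces and then `.bat`, so that a reader of the notification sees a harmless-looking text file while the real extension sits off the right edge of the screen. As an added example (not Declude's code and not from the post), here is the display normalisation the author suggested, collapsing any run of more than five spaces or tabs to exactly five, together with a check that compares the extension a reader sees first with the one that actually ends the name. The sample names are constructed; the threshold of five is the author's figure, and the "apparent extension" heuristic (first dot-extension followed by whitespace or end of name) is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class AttachmentName:
    original: str
    display: str        # whitespace runs collapsed so the final extension stays on screen
    apparent_ext: str   # the extension a reader sees first, e.g. "txt"
    true_ext: str       # the extension after the final dot, e.g. "bat"
    disguised: bool     # True when the two differ


def collapse_whitespace(name: str, keep: int = 5) -> str:
    """Reduce any run of more than `keep` spaces/tabs to exactly `keep` spaces.

    Runs of `keep` or fewer are left alone, so ordinary names are unchanged.
    """
    pattern = re.compile(r"[ \t]{%d,}" % (keep + 1))
    return pattern.sub(" " * keep, name)


def true_extension(name: str) -> str:
    """Extension after the last dot, ignoring trailing whitespace; '' if none."""
    stripped = name.rstrip()
    if "." not in stripped:
        return ""
    return stripped.rsplit(".", 1)[1].strip().lower()


def apparent_extension(name: str) -> str:
    """First '.ext' that is followed by whitespace or the end of the name.

    Assumed heuristic for "what a reader sees first"; on 'report.txt' it is
    'txt', on 'x.txt<many spaces>.bat' it is also 'txt'.
    """
    m = re.search(r"\.([A-Za-z0-9]+)(?=\s|$)", name)
    return m.group(1).lower() if m else ""


def inspect_attachment(name: str, keep: int = 5) -> AttachmentName:
    """Build the normalised display form and flag a hidden real extension."""
    apparent = apparent_extension(name)
    real = true_extension(name)
    return AttachmentName(
        original=name,
        display=collapse_whitespace(name, keep),
        apparent_ext=apparent,
        true_ext=real,
        disguised=bool(real) and apparent != real,
    )


if __name__ == "__main__":
    # Constructed sample modelled on the post: .txt, ~100 spaces, then .bat.
    sample = "Wanadoo instellingen.txt" + " " * 100 + ".bat"
    for n in (sample, "report.txt", "notes.txt\t\t\t\t\t\t\t\t.exe"):
        info = inspect_attachment(n)
        print(repr(info.display), info.apparent_ext, info.true_ext, info.disguised)
```

The `display` string is what a notification template should print; `disguised` is the condition a postmaster would log or alert on, independently of whether a scanner recognised the payload.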
Re: [Declude.Virus] Opinion on Virus Scanner
Hi,

F-Prot seems to be the flavor.

Well the only reason *I* switched from Sophos to F-prot was the reporting function. However it seems that Sophos has this reporting now as well so somewhere next year I will probably switch back to Sophos. BTW Scott, did someone figure out the command line and config file options for Sophos with Declude including the reporting option, and give them to you yet?

Do you guys run (under Windows 2000 Server) the DOS version, Windows version or the F-Secure version.

Most of us have the Windows version installed as it has the auto update function built in. To scan we simply run the command line scanner that is still there and gets updated along with the Windows f-prot version. The Windows version is only $40 a year so don't bother with anything cheaper. As a bonus you get 19 extra licenses to put on other machines. ;-)

Thanks again!

You're welcome.

Greetings,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

-----Original Message-----
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Opinion on Virus Scanner

F-Prot. Cost is next to nothing and it works great with Declude.

I agree.

I third that motion.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com