Re: [Declude.Virus] Goodbye
Best wishes in all of your endeavors, Alex!

Darin.

----- Original Message -----
From: Hirthe, Alexander
To: 'declude.virus@declude.com'
Sent: Tuesday, June 23, 2009 5:08 AM
Subject: [Declude.Virus] Goodbye

Goodbye to all of you,

I'm leaving the company and I don't think I'll get in touch with declude again.

Thanks for all the help in the past years!

Alex

Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Dr. Peter Baumeister
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?
My payment history is more like Andy's. We paid $264-$295 annually for our service agreements (JunkMail/Virus) from 2002 to 2006. We never had HiJack. Darin. - Original Message - From: David Barker To: declude.virus@declude.com Sent: Wednesday, June 03, 2009 1:50 PM Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Here is the full breakdown. The "Good ol' " Days EVA - Service Agreement $195.00 JunkMail - Service Agreement $195.00 HiJack - Service Agreement $75.00 Total: $465 Today EVA - Service Agreement JunkMail - Service Agreement HiJack - Service Agreement AVG virus scanner Commtouch ZEROHOUR Antivirus + Spam definitions Total: $395 So you have a whole lot more for less money, and yes you are complaining. David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 1:12 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal I think taking a software company to task on their lack of control DOES benefit all users technically! I didn't introduce pricing and staffing into this discussion - YOU did! Now you take me to task for responding to your pricing/staffing issues that YOU raised? >> Let's not forget you are paying less for the product maintenance today than >> you were 5 years ago << 1/6/2002: $295 1/14/2003: $295 1/23/2004: $295 (after having upgrading to "Pro" in March 2003) 1/5/2005: $264 12/30/2005: $264 8/18/2006: $309 1/19/2007: $309 3/13/2008: $395 6/2009: $395 Would you like to revise your statement? I'm not paying less, I'm paying 50% more. No complaints - just insisting on the truth. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, June 03, 2009 12:40 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal Breathing and counting to 10 . 
;) >> Whoever wrote this API implementation simply was too lazy to properly handle >> and report on the condition that absolutely was going to occur with 100% >> certainty on 4/10. That's a programming 101 and this flaw must be fixed, not >> "discussed". It's when an Anti-Virus product doesn't report that it has >> decided to stop detecting viruses. In coding Utopia yes that is true. I was unaware of this situation till now. I would fire the person who implemented this but we had already let them go over 2 years ago. I get what you are saying, I just don't think you understand when I say "I have heard you Andy, you can stop posting to the lists about this" >> Nice try, but to me, money is secondary to function. Nice dodge! >>I rather would pay appropriate maintenance for a product that is enhanced >>with features (as it was in the first few years when I had purchased it) than >>to pay a lesser annual maintenance for a dormant product! Ah the good old days of Scott Perry. Let's not forget you are paying less for the product maintenance today than you were 5 years ago. Dormant ? or not the fixes and features you want? >>However, I'm NOT willing to pay a company just so that they can pursue OTHER >>technical, legal and marketing ventures INSTEAD of enhancing the product. The >>problem with Declude is that they lost focus - this instance makes this >>painfully obvious! What are you talking about ? >>Let's get real. I remember looking at your web site a while ago and seeing a >>huge roster of "management". I also remember web site project and other >>products being launched and initating legal actions. Here's what you >>need >>Start laying off managers and other supervisory staff, cut the retainers for >>your attorneys, etc. and don't stop until you have enough money to finally >>pay ONE full time developer that actually works on continually >>enhancing >>the product we are all paying for and gets as much done as the original >>author of the product did for YEARS. 
Once caught up with 3 years of backlog, >>then sell me the upgrade!) >>You don't need "additional" personnel - you to need replace >>overhead-personnel with production personnel. Wrong. Declude is a separate company from DNSStuff. Our (Declude) revenues are solely committed to maintaining and growing this company. >>I suspect the problem is not "lack" of funds but "diversion" of it. Oh wait. that's a good one. I think the best way to answer this just is to say your suspicion is incorrect. Finaly the purpose for these lists is mostly for te
Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Wow, what a way to respond to a long-time, loyal paying customer! Instead of apologizing for the serious problem and relaying what steps are being taken to avoid it happening again (a simple reminder in the calendar system of your choice would suffice), it's being thrown back in the customer's face.

Regarding the question of increasing prices for service agreements, that has no bearing on a current customer who has already paid the fees. Such customers should expect the service they paid for to be rendered. Failure to do so is a breach of agreement on Declude's part.

While we are all human and problems can occur, this is a serious failure, and the tone of the response being putative instead of apologetic makes customers less forgiving, not more. To be frank, many customers are asking what they are paying for, when fix and feature requests take months to be released, or not at all.

I understand the situation may be frustrating, but it's often best to step back for a moment, vent elsewhere if needed, then respond professionally to customers. Clear, open, and honest communication also helps.

Please don't take this email as incendiary. It is meant to be constructive.

Darin.

----- Original Message -----
From: David Barker
To: declude.virus@declude.com
Sent: Wednesday, June 03, 2009 11:07 AM
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Andy,

a. Declude Virus does not have a built in system to report this error as with this specific example. What happened here is not the norm but an exception. It was not our choice to hard code the expiration date but a requirement from AVG. In this instance the specific persons who we had been working with at AVG are no longer with the company and the process of having this renewed took longer than usual.

b. I am not sure if you are being facetious, but if it makes you feel better, sure you can schedule a reminder for me, please email me at least 3 month prior of the new expiration date 2010-12-31

c. Yes AVG was not working as it should have been since 2009-04-10

I agree with you - this is totally unacceptable, intolerable, painful and should not be brushed aside lightly. You are correct in your observations, we should increase our prices dramatically so we can hire more developers to ensure unfortunate incidents like this don't happen again. Considering the market and what other vendors charge how much more are you prepared to pay for your service agreement so that we can meet this type of requirement ?

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, June 03, 2009 9:08 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Importance: High
Sensitivity: Personal

Hi, Dave - so now that we have a working Declude Virus again, what can be done to prevent this from recurring.

a) Apparently Declude Virus has no error tracking in place at all - otherwise it would have REPORTED to us (or your own Declude to your own mail server) that the AVG API was no longer performing scans?

b) Do the customers need to set a follow-up reminder for December 2010, which is when your new renewed AVG license will expire?

The old DecludeProc had THIS AVG License String:

LicBeg, Ver=1.0, Name="Declude", Exp=2009-04-10

So this implies, that the product was inoperable since April 10th for every customer because Declude didn't obtain a new annual AVG license and had to wait a few days for this "transaction" to complete? That means the product was unusable for 13% of the year?

This can't just be brushed aside quietly.

Best Regards,
Andy
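An added illustration, not part of the thread or of Declude's code: one way to catch the silent expiry discussed above is to parse the license string Andy quotes and raise an alert ahead of the `Exp` date. The 90-day window mirrors the "3 month prior" in David's reply; treating the `Exp` date itself as the first non-working day, and holding mail rather than delivering it unscanned, are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime

# License string as quoted in the thread (from the old DecludeProc).
SAMPLE_LICENSE = 'LicBeg, Ver=1.0, Name="Declude", Exp=2009-04-10'


@dataclass
class LicenseCheck:
    state: str    # "OK", "WARN", "EXPIRED" or "INVALID"
    days: int     # days until Exp (zero or negative once expired); 0 if INVALID
    message: str  # text for the postmaster alert / log line


def parse_license(text):
    """Split 'LicBeg, Key=Value, ...' into a dict with lower-cased keys.

    Raises ValueError when Exp is missing or is not YYYY-MM-DD, so a
    damaged license can never be mistaken for a valid one.
    """
    fields = {}
    for token in text.split(","):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.strip().lower()] = value.strip().strip('"')
    if "exp" not in fields:
        raise ValueError("license string has no Exp field")
    fields["exp"] = datetime.strptime(fields["exp"], "%Y-%m-%d").date()
    return fields


def check_license(text, today, warn_days=90):
    """Classify the license relative to `today`.

    Assumption: scanning stops on the Exp date itself, matching the
    "since 2009-04-10" wording in the thread.
    """
    try:
        lic = parse_license(text)
    except ValueError as err:
        return LicenseCheck("INVALID", 0,
                            f"ALERT: cannot read scanner license: {err}")
    days = (lic["exp"] - today).days
    name = lic.get("name", "unknown")
    if days <= 0:
        return LicenseCheck(
            "EXPIRED", days,
            f"ALERT: scanner license for {name} expired on {lic['exp']}; "
            f"mail has not been scanned for {-days} day(s)")
    if days <= warn_days:
        return LicenseCheck(
            "WARN", days,
            f"WARNING: scanner license for {name} expires in {days} day(s) "
            f"on {lic['exp']}")
    return LicenseCheck("OK", days,
                        f"scanner license for {name} valid until {lic['exp']}")


def mail_action(check):
    """Fail closed (a policy assumption): hold mail when no scan can run."""
    return "scan" if check.state in ("OK", "WARN") else "hold"


if __name__ == "__main__":
    # Constructed dates around the expiry described in the thread.
    for day in (date(2008, 12, 1), date(2009, 1, 10),
                date(2009, 4, 10), date(2009, 6, 3)):
        result = check_license(SAMPLE_LICENSE, day)
        print(day, result.state, mail_action(result), "-", result.message)
```

Run daily from a scheduler, any state other than `OK` is what should reach the postmaster mailbox.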
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Ahh... so the solution is to use Declude Junkmail instead of IMail's poor anti-spam. Then you could use the AVAFTERJM to work effectively with AV scanning. Darin. - Original Message - From: "Brian Lin" <[EMAIL PROTECTED]> To: Sent: Saturday, June 14, 2008 9:37 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I have bought declude anti-virus, not declude anti-spam. - Original Message ----- From: "Darin Cox" <[EMAIL PROTECTED]> To: Sent: Saturday, June 14, 2008 12:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > The reason for it not working is that the scanner doesn't recognize the > incorrect parameters, and aborts. > > We're not seeing the CPU spikes you are, however that may be a difference > with running AV over all messages vs. only on messages that spam > filtering. > > I'm curious... you say you don't have Declude, but you're subscribed to > the > Declude email discussion list, and you previously stated you had an > "antique > version declude and > imail"??? > > Darin. > > > - Original Message - > From: "Brian Lin" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 13, 2008 10:38 AM > Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > > > I do not have declude anti-spam, imail already has > anti-spam function. > > Anyway, previous in F-prot 3.0 do not have such issue, > and now clamav also work perfectly over the same traffic, > only F-prot 6.0 has this issue, I have tried to reduce > maxonce to just 1, reduce scanlevel=1 /heurlevel=0, > all can not work. > Only when I add in noboot or nomem, the CPU immediate > get releaf, but this is not working, because with noboot or nomen. > the scanner simply not working at all. > > > - Original Message - > From: "Darin Cox" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 13, 2008 9:10 PM > Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > > >> AVAFTERJM has been around a long time. I don't remember what version, >> but >> it was a 1.x version. >> >> Are you familiar with the setting? 
It tells Declude to run Anti-Virus >> after >> Junkmail. It then only runs AV after checking to see if the message is >> spam. With the spam load these days, I would expect that to be the >> desired >> config, resulting in AV scanning on only about 10% of incoming mail >> instead >> of 100%. However, it is not the default setting, which runs AV first, >> then >> Junkmail. >> >> That could easily account for yours and Kathy's 70-100% CPU. >> >> Darin. >> >> >> - Original Message - >> From: "Brian Lin" <[EMAIL PROTECTED]> >> To: >> Sent: Friday, June 13, 2008 8:55 AM >> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG >> >> >> No, I am still using antique version declude and >> imail. >> >> - Original Message - >> From: "Darin Cox" <[EMAIL PROTECTED]> >> To: >> Sent: Friday, June 13, 2008 8:07 PM >> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG >> >> >>> Interesting that you are also seeing the 70-100% CPU with F-Prot 6, >>> where >>> we >>> are not. >>> >>> Are you running AVAFTERJM? >>> >>> Darin. >>> >>> >>> - Original Message - >>> From: "Brian Lin" <[EMAIL PROTECTED]> >>> To: >>> Sent: Friday, June 13, 2008 5:23 AM >>> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG >>> >>> >>> I just terminate my F-Prot 6, and installed ClamAV SOSDG >>> >>> Before that, my CPU usage is always run to skyhigh, >>> at around 70%-100%, now using ClamAV, reduce >>> to 5%-20%, still catching all the testing virus. >>> >>> F-prot 6 do not provide option like noboot, nomem, >>> I guess these become the default setting, and cause >>> very high CPU and harddisk usage. >>> >>> Alex instruction dated at 6 June 2008 for ClamAV installation >>> is very helpful, thanks! >>> The main tricks in clamav are: >>> 1: need to install the contributors' tools, then get >>> two dedicated tools for declude, can run the >>> clamdscan as service. >>> >>> 2: need to remove --mbox, if this is there, it will >>> not function. 
>>> >>> Brian >>> >>> - Original Message - >>> From: "Brian Lin" <[EMAIL PR
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
The reason for it not working is that the scanner doesn't recognize the incorrect parameters, and aborts. We're not seeing the CPU spikes you are, however that may be a difference with running AV over all messages vs. only on messages that spam filtering. I'm curious... you say you don't have Declude, but you're subscribed to the Declude email discussion list, and you previously stated you had an "antique version declude and imail"??? Darin. - Original Message - From: "Brian Lin" <[EMAIL PROTECTED]> To: Sent: Friday, June 13, 2008 10:38 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I do not have declude anti-spam, imail already has anti-spam function. Anyway, previous in F-prot 3.0 do not have such issue, and now clamav also work perfectly over the same traffic, only F-prot 6.0 has this issue, I have tried to reduce maxonce to just 1, reduce scanlevel=1 /heurlevel=0, all can not work. Only when I add in noboot or nomem, the CPU immediate get releaf, but this is not working, because with noboot or nomen. the scanner simply not working at all. - Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> To: Sent: Friday, June 13, 2008 9:10 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > AVAFTERJM has been around a long time. I don't remember what version, but > it was a 1.x version. > > Are you familiar with the setting? It tells Declude to run Anti-Virus > after > Junkmail. It then only runs AV after checking to see if the message is > spam. With the spam load these days, I would expect that to be the > desired > config, resulting in AV scanning on only about 10% of incoming mail > instead > of 100%. However, it is not the default setting, which runs AV first, > then > Junkmail. > > That could easily account for yours and Kathy's 70-100% CPU. > > Darin. 
> > > - Original Message - > From: "Brian Lin" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 13, 2008 8:55 AM > Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > > > No, I am still using antique version declude and > imail. > > - Original Message - > From: "Darin Cox" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 13, 2008 8:07 PM > Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > > >> Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where >> we >> are not. >> >> Are you running AVAFTERJM? >> >> Darin. >> >> >> - Original Message - >> From: "Brian Lin" <[EMAIL PROTECTED]> >> To: >> Sent: Friday, June 13, 2008 5:23 AM >> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG >> >> >> I just terminate my F-Prot 6, and installed ClamAV SOSDG >> >> Before that, my CPU usage is always run to skyhigh, >> at around 70%-100%, now using ClamAV, reduce >> to 5%-20%, still catching all the testing virus. >> >> F-prot 6 do not provide option like noboot, nomem, >> I guess these become the default setting, and cause >> very high CPU and harddisk usage. >> >> Alex instruction dated at 6 June 2008 for ClamAV installation >> is very helpful, thanks! >> The main tricks in clamav are: >> 1: need to install the contributors' tools, then get >> two dedicated tools for declude, can run the >> clamdscan as service. >> >> 2: need to remove --mbox, if this is there, it will >> not function. >> >> Brian >> >> - Original Message - >> From: "Brian Lin" <[EMAIL PROTECTED]> >> To: >> Sent: Friday, June 13, 2008 10:02 AM >> Subject: Re: [Declude.Virus] F-PROT 6 >> >> >>>I think VIRUSCODE 1 need to be added too? >>> http://www.f-prot.com/support/windows/fpwin_faq/310.html >>> >>> Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, >>> I do not know the exact reason. I have try to reduce scanlevel, >>> heulevel, >>> archive to 0 or 1, still very slow, I guess it is now scanning memory by >>> default? 
>>> >>> Another question is , for REPORT=report.txt >>> do we need < >? REPORT= >>> >>> from instruction here, looks like need < > >>> http://www.f-prot.com/support/windows/fpwin_faq/445.html >>> >>> but most users online post seems < > is not necessary. >>> >>> >>> >>> - Original Message - >>> From: "Darin Cox" <[EMAIL PROTECTED]> >>> To: >>> Sent: Wednesday, June 04, 2008
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU. Darin. - Original Message - From: "Brian Lin" <[EMAIL PROTECTED]> To: Sent: Friday, June 13, 2008 8:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG No, I am still using antique version declude and imail. - Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> To: Sent: Friday, June 13, 2008 8:07 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where > we > are not. > > Are you running AVAFTERJM? > > Darin. > > > - Original Message - > From: "Brian Lin" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 13, 2008 5:23 AM > Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG > > > I just terminate my F-Prot 6, and installed ClamAV SOSDG > > Before that, my CPU usage is always run to skyhigh, > at around 70%-100%, now using ClamAV, reduce > to 5%-20%, still catching all the testing virus. > > F-prot 6 do not provide option like noboot, nomem, > I guess these become the default setting, and cause > very high CPU and harddisk usage. > > Alex instruction dated at 6 June 2008 for ClamAV installation > is very helpful, thanks! > The main tricks in clamav are: > 1: need to install the contributors' tools, then get > two dedicated tools for declude, can run the > clamdscan as service. > > 2: need to remove --mbox, if this is there, it will > not function. 
> > Brian > > - Original Message - > From: "Brian Lin" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 13, 2008 10:02 AM > Subject: Re: [Declude.Virus] F-PROT 6 > > >>I think VIRUSCODE 1 need to be added too? >> http://www.f-prot.com/support/windows/fpwin_faq/310.html >> >> Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, >> I do not know the exact reason. I have try to reduce scanlevel, heulevel, >> archive to 0 or 1, still very slow, I guess it is now scanning memory by >> default? >> >> Another question is , for REPORT=report.txt >> do we need < >? REPORT= >> >> from instruction here, looks like need < > >> http://www.f-prot.com/support/windows/fpwin_faq/445.html >> >> but most users online post seems < > is not necessary. >> >> >> >> - Original Message - >> From: "Darin Cox" <[EMAIL PROTECTED]> >> To: >> Sent: Wednesday, June 04, 2008 2:34 AM >> Subject: Re: [Declude.Virus] F-PROT 6 >> >> >>> Assuming the default location for program installation, here you go. >>> >>> SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 >>> /scanlevel=4 /heurlevel=3 /REPORT=report.txt >>> >>> /VERBOSE=0 corresponds to the old /SILENT switch >>> /TYPE is assumed now >>> /ARCHIVE has changed to /ARCHIVE=5 >>> /NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct >>> /SCANLEVEL and /HEURLEVEL are new switches. 
The values above are >>> recommended >>> >>> See the FProt 6 manual for more info on conversion of switches, and >>> desired >>> settings >>> >>> Also, while the old >>> >>> VIRUSCODE 3 >>> VIRUSCODE 6 >>> VIRUSCODE 8 >>> >>> is most likely sufficient, we added >>> >>> VIRUSCODE 3 >>> VIRUSCODE 5 >>> VIRUSCODE 6 >>> VIRUSCODE 7 >>> VIRUSCODE 8 >>> VIRUSCODE 9 >>> VIRUSCODE 10 >>> VIRUSCODE 11 >>> VIRUSCODE 13 >>> VIRUSCODE 14 >>> VIRUSCODE 15 >>> VIRUSCODE 17 >>> VIRUSCODE 18 >>> VIRUSCODE 19 >>> VIRUSCODE 21 >>> VIRUSCODE 22 >>> VIRUSCODE 23 >>> VIRUSCODE 25 >>> VIRUSCODE 26 >>> VIRUSCODE 27 >>> VIRUSCODE 29 >>> VIRUSCODE 30 >>> VIRUSCODE 31 >>> VIRUSCODE 33 >>> VIRUSCODE 34 >>> VIRUSCODE 35 >>> VIRUSCODE 37 >>> VIRUSCODE 38 >>> VIRUSCODE 39 >>> VIRUSCODE 41 >>
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM? Darin. - Original Message - From: "Brian Lin" <[EMAIL PROTECTED]> To: Sent: Friday, June 13, 2008 5:23 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I just terminate my F-Prot 6, and installed ClamAV SOSDG Before that, my CPU usage is always run to skyhigh, at around 70%-100%, now using ClamAV, reduce to 5%-20%, still catching all the testing virus. F-prot 6 do not provide option like noboot, nomem, I guess these become the default setting, and cause very high CPU and harddisk usage. Alex instruction dated at 6 June 2008 for ClamAV installation is very helpful, thanks! The main tricks in clamav are: 1: need to install the contributors' tools, then get two dedicated tools for declude, can run the clamdscan as service. 2: need to remove --mbox, if this is there, it will not function. Brian - Original Message - From: "Brian Lin" <[EMAIL PROTECTED]> To: Sent: Friday, June 13, 2008 10:02 AM Subject: Re: [Declude.Virus] F-PROT 6 >I think VIRUSCODE 1 need to be added too? > http://www.f-prot.com/support/windows/fpwin_faq/310.html > > Anyway, using F-Prot 6 seems very slow compare with previous F-Prot 3, > I do not know the exact reason. I have try to reduce scanlevel, heulevel, > archive to 0 or 1, still very slow, I guess it is now scanning memory by > default? > > Another question is , for REPORT=report.txt > do we need < >? REPORT= > > from instruction here, looks like need < > > http://www.f-prot.com/support/windows/fpwin_faq/445.html > > but most users online post seems < > is not necessary. > > > > - Original Message - > From: "Darin Cox" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, June 04, 2008 2:34 AM > Subject: Re: [Declude.Virus] F-PROT 6 > > >> Assuming the default location for program installation, here you go. 
>> >> SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 >> /scanlevel=4 /heurlevel=3 /REPORT=report.txt >> >> /VERBOSE=0 corresponds to the old /SILENT switch >> /TYPE is assumed now >> /ARCHIVE has changed to /ARCHIVE=5 >> /NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct >> /SCANLEVEL and /HEURLEVEL are new switches. The values above are >> recommended >> >> See the FProt 6 manual for more info on conversion of switches, and >> desired >> settings >> >> Also, while the old >> >> VIRUSCODE 3 >> VIRUSCODE 6 >> VIRUSCODE 8 >> >> is most likely sufficient, we added >> >> VIRUSCODE 3 >> VIRUSCODE 5 >> VIRUSCODE 6 >> VIRUSCODE 7 >> VIRUSCODE 8 >> VIRUSCODE 9 >> VIRUSCODE 10 >> VIRUSCODE 11 >> VIRUSCODE 13 >> VIRUSCODE 14 >> VIRUSCODE 15 >> VIRUSCODE 17 >> VIRUSCODE 18 >> VIRUSCODE 19 >> VIRUSCODE 21 >> VIRUSCODE 22 >> VIRUSCODE 23 >> VIRUSCODE 25 >> VIRUSCODE 26 >> VIRUSCODE 27 >> VIRUSCODE 29 >> VIRUSCODE 30 >> VIRUSCODE 31 >> VIRUSCODE 33 >> VIRUSCODE 34 >> VIRUSCODE 35 >> VIRUSCODE 37 >> VIRUSCODE 38 >> VIRUSCODE 39 >> VIRUSCODE 41 >> VIRUSCODE 42 >> VIRUSCODE 43 >> VIRUSCODE 45 >> VIRUSCODE 46 >> VIRUSCODE 47 >> VIRUSCODE 49 >> VIRUSCODE 50 >> VIRUSCODE 51 >> VIRUSCODE 53 >> VIRUSCODE 54 >> VIRUSCODE 55 >> VIRUSCODE 57 >> VIRUSCODE 58 >> VIRUSCODE 59 >> VIRUSCODE 61 >> VIRUSCODE 62 >> VIRUSCODE 63 >> >> for completeness. >> >> Hope this helps, >> >> Darin. >> >> >> - Original Message - >> From: "David Barker" <[EMAIL PROTECTED]> >> To: >> Sent: Tuesday, June 03, 2008 11:46 AM >> Subject: [Declude.Virus] F-PROT 6 >> >> >> Can anyone provide a SCANFILE line that they know works with F-PROT 6 ? >> >> Thanks >> David B >> >> >> >> >> >> >> >> --- >> This E-mail came from the Declude.Virus mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.Virus".The archives can be found >> at http://www.mail-archive.com. >> >> >> >> >> --- >> This E-mail came from the Declude.Virus mailing list. 
Re: [Declude.Virus] F-PROT 6
If there's a command line scanner, it shouldn't be too difficult, but I don't know offhand if Trend Micro has one.

Darin.

----- Original Message -----
From: "SJ Stanaitis" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 03, 2008 3:24 PM
Subject: RE: [Declude.Virus] F-PROT 6

I had my CheckPoint handling 99.9% of the virus scanning for the mail server which uses Trend Micro, it was very rare that AVG's product caught something that Trend had missed. Not sure if there's a way to tie Trend into Declude though. I've currently got it watching my Exchange box and it again is phenomenal.

--SJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, June 03, 2008 2:39 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6

Yes. It's expensive, but is still a good and efficient scanner.

Kaspersky and AVG combined may be a good way to go for lower cost if you can afford the CPU of two scanners, or perhaps just Kaspersky. Not sure if anyone has good stats on the performance, completeness of rulebases, and time from initial reports to detection of a virus for the various scanners, but from what information I was able to find, Kaspersky looked good and wasn't too expensive, and AVG is inexpensive though may be lacking as a single scanner.

Darin.

----- Original Message -----
From: "SJ Stanaitis" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 03, 2008 1:09 PM
Subject: RE: [Declude.Virus] F-PROT 6

You've got to buy the server product now. I don't think the cheap version works anymore with Declude.

--SJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, June 03, 2008 11:47 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6 ?

Thanks
David B
Re: [Declude.Virus] F-PROT 6
Yes. It's expensive, but is still a good and efficient scanner.

Kaspersky and AVG combined may be a good way to go for lower cost if you can afford the CPU of two scanners, or perhaps just Kaspersky. Not sure if anyone has good stats on the performance, completeness of rulebases, and time from initial reports to detection of a virus for the various scanners, but from what information I was able to find, Kaspersky looked good and wasn't too expensive, and AVG is inexpensive though may be lacking as a single scanner.

Darin.

----- Original Message -----
From: "SJ Stanaitis" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 03, 2008 1:09 PM
Subject: RE: [Declude.Virus] F-PROT 6

You've got to buy the server product now. I don't think the cheap version works anymore with Declude.

--SJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, June 03, 2008 11:47 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6 ?

Thanks
David B
Re: [Declude.Virus] F-PROT 6
Assuming the default location for program installation, here you go.

SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe /VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 /REPORT=report.txt

/VERBOSE=0 corresponds to the old /SILENT switch
/TYPE is assumed now
/ARCHIVE has changed to /ARCHIVE=5
/NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct
/SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended

See the FProt 6 manual for more info on conversion of switches, and desired settings

Also, while the old

VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8

is most likely sufficient, we added

VIRUSCODE 3
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
VIRUSCODE 11
VIRUSCODE 13
VIRUSCODE 14
VIRUSCODE 15
VIRUSCODE 17
VIRUSCODE 18
VIRUSCODE 19
VIRUSCODE 21
VIRUSCODE 22
VIRUSCODE 23
VIRUSCODE 25
VIRUSCODE 26
VIRUSCODE 27
VIRUSCODE 29
VIRUSCODE 30
VIRUSCODE 31
VIRUSCODE 33
VIRUSCODE 34
VIRUSCODE 35
VIRUSCODE 37
VIRUSCODE 38
VIRUSCODE 39
VIRUSCODE 41
VIRUSCODE 42
VIRUSCODE 43
VIRUSCODE 45
VIRUSCODE 46
VIRUSCODE 47
VIRUSCODE 49
VIRUSCODE 50
VIRUSCODE 51
VIRUSCODE 53
VIRUSCODE 54
VIRUSCODE 55
VIRUSCODE 57
VIRUSCODE 58
VIRUSCODE 59
VIRUSCODE 61
VIRUSCODE 62
VIRUSCODE 63

for completeness.

Hope this helps,

Darin.

----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 03, 2008 11:46 AM
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6 ?

Thanks
David B
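The switch changes listed in this message, applied mechanically, as an added example (not from the thread, Declude or the F-PROT documentation). It rewrites an old-style SCANFILE line using only the mappings stated above; the old line and its path are constructed placeholders, and paths are assumed to contain no spaces, as with the 8.3 names used here.

```python
# Switch changes exactly as listed in the message above.
DEFUNCT = {"/NOMEM", "/NOBOOT", "/DUMB", "/AI", "/SERVER"}
IMPLIED = {"/TYPE"}                        # "/TYPE is assumed now"
RENAMED = {"/SILENT": "/VERBOSE=0",        # bare old switch -> new form
           "/ARCHIVE": "/ARCHIVE=5"}
RECOMMENDED = {"/SCANLEVEL": "/scanlevel=4",
               "/HEURLEVEL": "/heurlevel=3"}

# Working F-PROT 6 line from the message, and a constructed old-style line
# (placeholder path, not a real install location).
FPROT6_LINE = (r"SCANFILE C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe "
               "/VERBOSE=0 /ARCHIVE=5 /scanlevel=4 /heurlevel=3 "
               "/REPORT=report.txt")
OLD_LINE = (r"SCANFILE C:\OLD\SCANNER.EXE /TYPE /SILENT /NOMEM /ARCHIVE "
            "/NOBOOT /DUMB /REPORT=report.txt")


def migrate_scanfile(line):
    """Return (new_line, findings) for one SCANFILE directive.

    findings is a list of human-readable notes; an empty list means the
    line already follows the F-PROT 6 conventions described in the thread.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "SCANFILE":
        raise ValueError("not a SCANFILE directive")
    exe, switches = parts[1], parts[2:]
    findings, kept, seen = [], [], set()

    # The thread's working line calls fpscan.exe; the path itself is
    # site-specific, so it is reported and left untouched.
    if exe.replace("/", "\\").split("\\")[-1].lower() != "fpscan.exe":
        findings.append(f"check executable {exe}: F-PROT 6 line uses fpscan.exe")

    for sw in switches:
        name = sw.split("=", 1)[0].upper()
        if name in DEFUNCT:
            findings.append(f"removed {sw}: defunct in F-PROT 6")
            continue
        if name in IMPLIED:
            findings.append(f"removed {sw}: assumed by default now")
            continue
        if sw.upper() in RENAMED:          # only the bare, value-less form
            new = RENAMED[sw.upper()]
            findings.append(f"replaced {sw} with {new}")
            sw, name = new, new.split("=", 1)[0].upper()
        if name in seen:
            findings.append(f"removed duplicate {sw}")
            continue
        seen.add(name)
        kept.append(sw)

    for name, default in RECOMMENDED.items():
        if name not in seen:
            kept.append(default)
            findings.append(f"added {default}: recommended value")

    return " ".join(["SCANFILE", exe] + kept), findings


if __name__ == "__main__":
    for sample in (OLD_LINE, FPROT6_LINE + " /noboot"):
        new_line, notes = migrate_scanfile(sample)
        print(new_line)
        for note in notes:
            print("  -", note)
```

A non-empty findings list for a line that is already in production is worth investigating, since the thread reports that the scanner aborts on switches it does not recognize.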
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
Then you're looking for ONLYSENDIFVIRUSNAMEHAS

Take a look at the EVA manual... about 3/4 of the way down in the section labeled Email Notifications.

Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 8:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

Darin,

Thanks for your help. Guess I was hoping there was something along the lines of an INCLUDEIFVIRUSNAMEHAS to only include the message for specific vulnerabilities and to not have to list all of the ones I didn't want to send for. Is there a list of all of the vulnerabilities, or is this specific to which scanner(s) I am using?

Thanks
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 6:40 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

Yep. You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml file to specify the vulnerability you don't want to notify on.

Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

Thanks. That's great! I've not blocked these before because of a large number of legitimate emails needing to get through that would have been blocked. This lets me block them if I want, but still let the legits get through.

I'm a newbie when it comes to Declude configs. I've pretty much left a lot of defaults, but can this (the customized vulnerability.eml) be limited to only be sent for certain vulnerabilities? I don't want this sent for all blocked vulnerabilities and have the users get notifications for things they don't need to.

Thanks!
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml

-- Begin vulnerability.eml
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please click on the link below to have the message released for delivery. Otherwise, the e-mail will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content. Use at your own risk.

Original message information follows

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
DATE: %DATE% @ %TIME%

%HEADERS%
-- End vulnerability.eml

You'll want to replace the link in the email with one appropriate for you.

and the following requeue.asp script.

-- Begin REQUEUE.ASP
<[EMAIL PROTECTED]>
<%
// ---
// requires IUSR permissions to the following directories
// ---
var virusdir="c:\\imail\\spool\\virus\\";
var spooldir="c:\\imail\\spool\\";

// msgid is the %QUEUENAME% value from the notification link
var file=""+Request.QueryString("msgid");
// drop the first character; "D" and "Q" are prepended below
file=file.substr(1);

var fso = new ActiveXObject("Scripting.FileSystemObject");

// accept only a bare file name: no path separators, drive colon or ".."
var safe = file.length > 0 && !/[\\\/:]|\.\./.test(file);

if (safe && fso.FileExists(virusdir+"D"+file))
{
    // move the data (D) and queue (Q) files back into the spool
    fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
    fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);
    Response.Write("Please check your e-mail in a few minutes for the message you requested.");
}
else
{
    Response.Write("Message does not exist, or has already been released for normal delivery.");
}
%>
-- End REQUEUE.ASP

You'll need to change the path to the path for your IMail spool directory.

This inserts the message back into the queue for the next queue run. Others have gone a step further to call SMTP32.exe with the queue file name to deliver it immediately.

Hope this helps,
Darin.

- Original Message -
From: "Jared Pickerell&qu
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
Yep. You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml file to specify the vulnerability you don't want to notify on.

Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

Thanks. That's great! I've not blocked these before because of a large number of legitimate emails needing to get through that would have been blocked. This lets me block them if I want, but still let the legits get through.

I'm a newbie when it comes to Declude configs. I've pretty much left a lot of defaults, but can this (the customized vulnerability.eml) be limited to only be sent for certain vulnerabilities? I don't want this sent for all blocked vulnerabilities and have the users get notifications for things they don't need to.

Thanks!
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml

-- Begin vulnerability.eml
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please click on the link below to have the message released for delivery. Otherwise, the e-mail will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content. Use at your own risk.

Original message information follows

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
DATE: %DATE% @ %TIME%

%HEADERS%
-- End vulnerability.eml

You'll want to replace the link in the email with one appropriate for you.

and the following requeue.asp script.

-- Begin REQUEUE.ASP
<[EMAIL PROTECTED]>
<%
// ---
// requires IUSR permissions to the following directories
// ---
var virusdir="c:\\imail\\spool\\virus\\";
var spooldir="c:\\imail\\spool\\";

// msgid is the %QUEUENAME% value from the notification link
var file=""+Request.QueryString("msgid");
// drop the first character; "D" and "Q" are prepended below
file=file.substr(1);

var fso = new ActiveXObject("Scripting.FileSystemObject");

// accept only a bare file name: no path separators, drive colon or ".."
var safe = file.length > 0 && !/[\\\/:]|\.\./.test(file);

if (safe && fso.FileExists(virusdir+"D"+file))
{
    // move the data (D) and queue (Q) files back into the spool
    fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
    fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);
    Response.Write("Please check your e-mail in a few minutes for the message you requested.");
}
else
{
    Response.Write("Message does not exist, or has already been released for normal delivery.");
}
%>
-- End REQUEUE.ASP

You'll need to change the path to the path for your IMail spool directory.

This inserts the message back into the queue for the next queue run. Others have gone a step further to call SMTP32.exe with the queue file name to deliver it immediately.

Hope this helps,
Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

How would you go about setting up the ability to "include a link to a script to re-queue the message for delivery"? I'd be interested in that.

Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well. It caught a bunch that made it past spam filtering (we run AVAFTERJM ON).

So I'd second that recommendation to NOT turn it off. If you're concerned about delivery, set up an email notification to let the intended recipient know the message was held, and include a link to a script to requeue the message for delivery.

Darin.

- Original Message -
From: &q
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
We use this vulnerability.eml

-- Begin vulnerability.eml
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please click on the link below to have the message released for delivery. Otherwise, the e-mail will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content. Use at your own risk.

Original message information follows

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
DATE: %DATE% @ %TIME%

%HEADERS%
-- End vulnerability.eml

You'll want to replace the link in the email with one appropriate for you.

and the following requeue.asp script.

-- Begin REQUEUE.ASP
<[EMAIL PROTECTED]>
<%
// ---
// requires IUSR permissions to the following directories
// ---
var virusdir="c:\\imail\\spool\\virus\\";
var spooldir="c:\\imail\\spool\\";

// msgid is the %QUEUENAME% value from the notification link
var file=""+Request.QueryString("msgid");
// drop the first character; "D" and "Q" are prepended below
file=file.substr(1);

var fso = new ActiveXObject("Scripting.FileSystemObject");

// accept only a bare file name: no path separators, drive colon or ".."
var safe = file.length > 0 && !/[\\\/:]|\.\./.test(file);

if (safe && fso.FileExists(virusdir+"D"+file))
{
    // move the data (D) and queue (Q) files back into the spool
    fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
    fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);
    Response.Write("Please check your e-mail in a few minutes for the message you requested.");
}
else
{
    Response.Write("Message does not exist, or has already been released for normal delivery.");
}
%>
-- End REQUEUE.ASP

You'll need to change the path to the path for your IMail spool directory.

This inserts the message back into the queue for the next queue run. Others have gone a step further to call SMTP32.exe with the queue file name to deliver it immediately.

Hope this helps,
Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

How would you go about setting up the ability to "include a link to a script to re-queue the message for delivery"? I'd be interested in that.

Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well. It caught a bunch that made it past spam filtering (we run AVAFTERJM ON).

So I'd second that recommendation to NOT turn it off. If you're concerned about delivery, set up an email notification to let the intended recipient know the message was held, and include a link to a script to requeue the message for delivery.

Darin.

- Original Message -
From: "Shayne Embry" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]

Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.

Shayne Embry

Original Message
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
>
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
>
> Could not find it in the manual.
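A release link of the form requeue.asp?msgid=%QUEUENAME% identifies a message by its queue name alone, so the handler should accept nothing but a well-formed queue name and, better, only links the server itself issued for that recipient and retention window. The following JavaScript is an added example, not the poster's script and not Declude or IMail code; the queue-name pattern, the rcpt, exp and tag parameters and the key handling are assumptions.

```javascript
const crypto = require("crypto");
const path = require("path").win32; // Windows path rules on any host

// Directories taken from the requeue.asp on the page (no trailing slash).
const VIRUS_DIR = "c:\\imail\\spool\\virus";
const SPOOL_DIR = "c:\\imail\\spool";

// ASSUMPTION: a queue name is "D", 8-32 alphanumerics, then ".smd".
// Adjust the pattern to the names your spool really contains.
const QUEUE_NAME = /^D([0-9A-Za-z]{8,32}\.smd)$/i;

// Part of the name after the leading "D", or null if msgid is not a plain
// queue file name (path separators, "..", drive letters, empty value).
function queueSuffix(msgid) {
  if (typeof msgid !== "string") return null;
  const m = QUEUE_NAME.exec(msgid);
  return m ? m[1] : null;
}

// The two moves a release performs (D and Q file), or null if any path
// would land outside its directory.
function releasePlan(msgid) {
  const suffix = queueSuffix(msgid);
  if (suffix === null) return null;
  const plan = [];
  for (const prefix of ["D", "Q"]) {
    const from = path.join(VIRUS_DIR, prefix + suffix);
    const to = path.join(SPOOL_DIR, prefix + suffix);
    if (path.dirname(from) !== VIRUS_DIR || path.dirname(to) !== SPOOL_DIR) {
      return null;
    }
    plan.push({ from, to });
  }
  return plan;
}

// HMAC-SHA256 over queue name, recipient and expiry. The key stays on the
// server, so a link cannot be built from a guessed queue name.
function linkTag(key, msgid, rcpt, expires) {
  return crypto.createHmac("sha256", key)
    .update([msgid, rcpt.toLowerCase(), String(expires)].join("\n"))
    .digest("hex");
}

// Query string to place after "requeue.asp?" in the notification
// (rcpt, exp and tag are hypothetical parameter names).
function makeReleaseQuery(key, msgid, rcpt, nowSec, ttlSec) {
  if (queueSuffix(msgid) === null) throw new Error("bad queue name");
  const exp = nowSec + ttlSec;
  return new URLSearchParams({
    msgid, rcpt, exp: String(exp), tag: linkTag(key, msgid, rcpt, exp),
  }).toString();
}

// Verify a clicked link: shape, tag (constant-time), expiry, then paths.
function checkReleaseQuery(key, query, nowSec) {
  const p = new URLSearchParams(query);
  const msgid = p.get("msgid") || "";
  const rcpt = p.get("rcpt") || "";
  const exp = p.get("exp") || "";
  const tag = p.get("tag") || "";
  if (!msgid || !rcpt || !/^\d{1,12}$/.test(exp) || !/^[0-9a-f]{64}$/.test(tag)) {
    return { ok: false, reason: "malformed" };
  }
  const want = Buffer.from(linkTag(key, msgid, rcpt, Number(exp)), "hex");
  const got = Buffer.from(tag, "hex");
  if (!crypto.timingSafeEqual(got, want)) return { ok: false, reason: "bad tag" };
  if (nowSec > Number(exp)) return { ok: false, reason: "expired" };
  const plan = releasePlan(msgid);
  return plan ? { ok: true, plan } : { ok: false, reason: "bad queue name" };
}
```

Setting the link lifetime to the quarantine retention period (seven days in the notification above) keeps a link from outliving the message it releases.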
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
The point is you may let some not-yet-detected viruses through, but in any case you can do that with a switch in the virus.cfg.

Darin.

- Original Message -
From: Heimir Eidskrem
To: declude.virus@declude.com
Sent: Tuesday, July 31, 2007 6:23 PM
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

They are neither virus nor spam but legit email.

Shayne Embry wrote:

Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.

Shayne Embry

Original Message
From: Heimir Eidskrem <[EMAIL PROTECTED]>
Sent: Tuesday, July 31, 2007 2:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] [Invalid ZIP Vulnerability]

How do I turn this off.
I am having emails held as virus but they are not.
They do contain pdfs and doc files.

Could not find it in the manual.
Re: [Declude.Virus] [Invalid ZIP Vulnerability]
We got slammed with them today as well. It caught a bunch that made it past spam filtering (we run AVAFTERJM ON).

So I'd second that recommendation to NOT turn it off. If you're concerned about delivery, set up an email notification to let the intended recipient know the message was held, and include a link to a script to requeue the message for delivery.

Darin.

- Original Message -
From: "Shayne Embry" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]

Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.

Shayne Embry

Original Message
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
>
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
>
> Could not find it in the manual.
Re: [Declude.Virus] Virus or Junk?
Yep... spammers are now using PDFs for their payload.

Darin.

- Original Message -
From: "Todd Richards" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 26, 2007 10:48 AM
Subject: [Declude.Virus] Virus or Junk?

Hey Everyone -

Last night I received a "junk" mail with no body and a small PDF attachment. This morning I received two more from different people, and differently named small PDF attachments.

Anyone else seeing this, know what it is, and doing anything special yet to combat it? I would certainly hate to ban PDF files...

Thanks,
Todd
Re: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities
Well... because I didn't know it existed. Thanks, John.

Darin.

- Original Message -
From: John T (lists)
To: declude.virus@declude.com
Sent: Friday, May 25, 2007 12:32 PM
Subject: RE: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

Why not use vulnerability.eml?

SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: We blocked a suspected malicious email sent to you!

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please reply to this notification, and we will review and requeue the message for delivery. (Note, there may be a delay until the message is delivered to you.) Otherwise, the e-mail will be deleted automatically after 5 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%
DATE: %DATE% @ %TIME%
SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:
%HEADERS%

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, May 25, 2007 6:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

It would be wonderful to be able to send out notifications on vulnerabilities like the current notifications on virus found/banned files.

We still have to process the virus queue due to legit email that may be held due to vulnerabilities that we do not want to turn off in the config. For legit email in virus/banned file scanning notifications are sent and the requeue message link we include in our notifications allows the users to receive the message without us touching it. But since this notification does not get sent for vulnerabilities, we still have to manually review this queue.

Being able to send out notifications on vulnerabilities would keep us from having to touch the virus hold queue at all, saving us time every day.

Thoughts?

Darin.
[Declude.Virus] Feature request - Notification emails generated on vulnerabilities
It would be wonderful to be able to send out notifications on vulnerabilities like the current notifications on virus found/banned files.

We still have to process the virus queue due to legit email that may be held due to vulnerabilities that we do not want to turn off in the config. For legit email in virus/banned file scanning notifications are sent and the requeue message link we include in our notifications allows the users to receive the message without us touching it. But since this notification does not get sent for vulnerabilities, we still have to manually review this queue.

Being able to send out notifications on vulnerabilities would keep us from having to touch the virus hold queue at all, saving us time every day.

Thoughts?

Darin.
Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee
Slightly OT, but can anyone recommend a good source for the command line version of McAfee?

Darin.

- Original Message -
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Tuesday, March 06, 2007 11:09 AM
Subject: RE: [Declude.Virus] Clam AV vs. AVG vs. McAfee

That's my experience too. I update McAfee hourly - which helps with new outbreaks. It's the last scanner in sequence and always manages to catch viruses that the internal didn't. (Of course, I don't know if there are viruses that the internal caught that McAfee might have missed.)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, March 06, 2007 10:45 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee

Wolf,

I use McAfee, CLAM, Internal AVG, and at one time (before licensing changes) F-Prot all at the same time. If you have extra CPU there is no reason not to use multiple scanners. One thing though when I switched to processing AV last I saw a dramatic drop in viruses due to them being caught as spam. 50-60K a month down to less than 2K.

FWIW - I have McAfee as my last scanner and every now and then I see it grab a few viruses that the others miss.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Wolf Tombe
To: declude.virus@declude.com
Sent: Tuesday, March 06, 2007 10:16 AM
Subject: [Declude.Virus] Clam AV vs. AVG vs. McAfee

The discussion on the current version of Clam AV and Clam being able to detect some image spam got me thinking. Prior to Declude version 4.0, I always used McAfee AV to scan all incoming messages. When I upgraded to Declude 4 I decided to try its built-in AV which seems to work fine. I'm curious though as to the opinions of others on this list as to the merits of using Clam or other anti-virus scanners either in place of the Declude built in AV or in addition to it.

Any opinions people would like to share will be appreciated.

Thanks!
Wolf
Re: [Declude.Virus] pay-pal phishing
Isn't that basically what the spamdomains test does? Specifies what domains a mail server can be in that sends for a particular domain...

Darin.

- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, February 15, 2007 7:22 PM
Subject: RE: [Declude.Virus] pay-pal phishing

One way you could do this is to use the following lines in a filter

#PAYPAL
REVDNS END ENDSWITH .paypal.com
MAILFROM 20 ENDSWITH @paypal.com

Also as far as I know the genuine paypal IP's are listed with BONDEDSENDER

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McGregor
Sent: Thursday, February 15, 2007 5:17 PM
To: Declude-List
Subject: [Declude.Virus] pay-pal phishing

Anyone configured a way to stop some of the pay-pal scam emails?

thanks,
bob
Re: [Declude.Virus] pay-pal phishing
Message Sniffer does a pretty good job. You can also use the spamdomains and SPF tests, though their SPF policy is only soft fail at the moment, which Declude does not check.

Darin.

- Original Message -
From: "Bob McGregor" <[EMAIL PROTECTED]>
To: "Declude-List"
Sent: Thursday, February 15, 2007 5:16 PM
Subject: [Declude.Virus] pay-pal phishing

Anyone configured a way to stop some of the pay-pal scam emails?

thanks,
bob
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Evidently they are also interfering with the list. My other post at 74 count just now showed up over an hour later.

Darin.

- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 04, 2007 5:42 PM
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

Ok, this makes it over a hundred received this afternoon. Declude, would you kindly remove him from the list so we don't all get inundated with more autoreplies?

Also, this is a gentle reminder to be a good list netizen and don't use autoresponders for addresses that you use to subscribe to lists. If you need to use autoresponders, just set up a separate email address for list subscriptions and don't use one there.

All the best,
Darin.

- Original Message -
From: "roconnor" <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 04, 2007 4:24 PM
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
75 over 45 minutes. Dumb...

Darin.

- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 04, 2007 4:12 PM
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I think I received 36 of them.

Andrew.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Craig Edmonds
> Sent: Thursday, January 04, 2007 12:55 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] I'm currently on a business trip
> down south and will be returning January 5th, 2007. If t
> Importance: High
>
> Is it me or did everyone get this autoresponder about 300 times?
>
> Kindest Regards
> Craig Edmonds
> 123 Marbella Internet
> W: www.123marbella.com
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of roconnor
> Sent: Thursday, January 04, 2007 9:45 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] I'm currently on a business trip
> down south and will be returning January 5th, 2007. If t
>
> I'm currently on a business trip down south and will be
> returning January 5th, 2007. If this is an emergency please
> call our office at 360.527.9111
>
> Thanks,
> Rick
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Ok, this makes it over a hundred received this afternoon. Declude, would you kindly remove him from the list so we don't all get inundated with more autoreplies?

Also, this is a gentle reminder to be a good list netizen and don't use autoresponders for addresses that you use to subscribe to lists. If you need to use autoresponders, just set up a separate email address for list subscriptions and don't use one there.

All the best,
Darin.

- Original Message -
From: "roconnor" <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 04, 2007 4:24 PM
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] New Virus?
I posted virustotal results a half hour ago... did you see them?

Darin.

----- Original Message -----
From: "Grant Griffith" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 10, 2006 2:17 PM
Subject: RE: [Declude.Virus] New Virus?

It does have a .zip file that contains a .exe file inside it. The message says it contains a .pdf file, but it is really an .exe file. I am running it thru virustotal.com now.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, October 10, 2006 1:32 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached?

Submit the executable to:
http://www.virustotal.com/en/indexf.html
Or:
http://virusscan.jotti.org/

I believe that both services share unknown executables with the antivirus vendors.

Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.:
http://subwiz.trendmicro.com/SubWiz/Default.asp
Or:
http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!).

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
> Sent: Tuesday, October 10, 2006 10:21 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus?
>
> Hey All
>
> Has anyone seen the email saying that you purchased a Sony VAIO for $2,500?
> We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is being caught?
>
> Thanks,
> Grant Griffith
> Web Application Developer
> Enhanced Telecommunications
> http://www.etczone.com
> 812-932-1000
Re: [Declude.Virus] New Virus?
We've seen them as well today. It's either a new virus or a variant. Here are the results from virustotal

AntiVir             7.2.0.25        10.10.2006  HEUR/Crypted
Authentium          4.93.8          10.10.2006  W32/[EMAIL PROTECTED]
Avast               4.7.892.0       10.10.2006  no virus found
AVG                 386             10.10.2006  no virus found
BitDefender         7.2             10.10.2006  no virus found
CAT-QuickHeal       8.00            10.10.2006  (Suspicious) - DNAScan
ClamAV              devel-20060426  10.10.2006  Trojan.Haxdoor-131
eTrust-InoculateIT  23.73.18        10.10.2006  no virus found
eTrust-Vet          30.3.3125       10.10.2006  no virus found
DrWeb               4.33            10.10.2006  BackDoor.Haxdoor.359
Ewido               4.0             10.10.2006  no virus found
Fortinet            2.82.0.0        10.10.2006  suspicious
F-Prot              3.16f           10.10.2006  security risk named W32/[EMAIL PROTECTED]
F-Prot4             4.2.1.29        10.10.2006  W32/[EMAIL PROTECTED]
Ikarus              0.2.65.0        10.10.2006  Trojan-Downloader.Win32.Small.gen
Kaspersky           4.0.2.24        10.10.2006  Backdoor.Win32.Haxdoor.lf
McAfee              4870            10.10.2006  BackDoor-BAC
Microsoft           1.1603          10.10.2006  no virus found
NOD32v2             1.1796          10.10.2006  a variant of Win32/Haxdoor
Norman              5.80.02         10.10.2006  Suspicious_F.gen
Panda               9.0.0.4         10.10.2006  Suspicious file
Sophos              4.10.0          10.05.2006  no virus found
TheHacker           6.0.1.094       10.08.2006  no virus found
UNA                 1.83            10.10.2006  Backdoor.Haxdoor.B43A
VBA32               3.11.1          10.10.2006  no virus found
VirusBuster         4.3.7:9         10.10.2006  no virus found

Darin.

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 10, 2006 1:31 PM
Subject: RE: [Declude.Virus] New Virus?

Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached?

Submit the executable to:
http://www.virustotal.com/en/indexf.html
Or:
http://virusscan.jotti.org/

I believe that both services share unknown executables with the antivirus vendors.

Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.:
http://subwiz.trendmicro.com/SubWiz/Default.asp
Or:
http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!).

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
> Sent: Tuesday, October 10, 2006 10:21 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus?
>
> Hey All
>
> Has anyone seen the email saying that you purchased a Sony VAIO for $2,500?
> We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is being caught?
>
> Thanks,
> Grant Griffith
> Web Application Developer
> Enhanced Telecommunications
> http://www.etczone.com
> 812-932-1000
Re: [Declude.Virus] Updates from Declude
Well, I know I'm biased, but I liked the original suggestion of Declude Mail Security Suite. Security in the sense of not letting things in, like spam, phishing attacks, spyware, virii, etc... and with HiJack, then not letting users abuse the service as well. From that perspective Security works well, I think.

Having the word Mail closer to Security helped to classify the kind of security features provided, though I can see why it was decided to switch it around slightly to include the designation of the mail server product.

Darin.

----- Original Message -----
From: Robert E. Spivack
To: Declude.Virus@declude.com
Sent: Friday, March 03, 2006 2:41 AM
Subject: RE: [Declude.Virus] Updates from Declude

Hmmm, it's your product but Security Suite sounds more like malware, spyware, and firewall functions. The first thing I think of is Norton or Symantec security software, not anti-virus/spam blocking services.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 2:04 PM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Updates from Declude

Product Naming

After considering all the choices we have decided to rename the new product "Declude Security Suite". I will be notifying the winner(s) of the competition shortly.

Declude Security Suite for IMail

We have now released additional versions of the software for different levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13

As usual if anyone has questions please contact me and we will do our best to answer.

Barry
[EMAIL PROTECTED]
Office: (978) 499-2933
Cell: (978) 853-9593
Re: [Declude.Virus] Changes @ Declude
Hmmm... Barry, that is exactly what I was asking before when I asked "So what will happen to customers on SAs at that time [when v3 is discontinued] ?" and you told me

"You are asking a question that I don't have an answer to at this moment. When the time arrives we will make a business decision that will be in the best interests of both our customers and ourselves. This is not a decision that will be made lightly or in the near future.

"We will not just announce one week that the next week we will be discontinuing support for V3. We will ensure that all customers have an upgrade path of one form or another.

"No customer needs to be concerned at this time that we are going to abandon them, that is not the way we do business."

This answer to Kevin is what I was hoping for, and obviously needed to know before I would budget any additional funds for Declude maintenance.

Darin.

----- Original Message -----
From: "Barry Simpson" <[EMAIL PROTECTED]>
To:
Sent: Sunday, February 12, 2006 3:26 PM
Subject: RE: [Declude.Virus] Changes @ Declude

All existing customers who choose to move to Version 4 will continue to pay Service Agreements. If they opt not to pay for the Service Agreement the software will continue to operate.

Barry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Sunday, February 12, 2006 3:01 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude

I noticed looking at my account that my version 4 license states "Declude Imail Perpetual License"

Since v4 is the Subscription model. If we are customers running on the Maintenance model and we decide to not renew maintenance and have upgraded to version 4 will version 4 ever stop functioning for us?

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Simpson
> Sent: Sunday, February 12, 2006 7:22 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Changes @ Declude
>
> Darin,
>
> You are asking a question that I don't have an answer to at this moment. When the time arrives we will make a business decision that will be in the best interests of both our customers and ourselves. This is not a decision that will be made lightly or in the near future.
>
> We will not just announce one week that the next week we will be discontinuing support for V3. We will ensure that all customers have an upgrade path of one form or another.
>
> No customer needs to be concerned at this time that we are going to abandon them, that is not the way we do business.
>
> Barry
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Sunday, February 12, 2006 10:04 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Changes @ Declude
>
> So what will happen to customers on SAs at that time? See why we're asking the questions?
>
> Darin.
>
> ----- Original Message -----
> From: "Barry Simpson" <[EMAIL PROTECTED]>
> To:
> Sent: Sunday, February 12, 2006 9:58 AM
> Subject: RE: [Declude.Virus] Changes @ Declude
>
> Don,
>
> You are correct, it would be better to have only one product and that is why we are making the offer to customers to move to the highest level of the software at special pricing.
>
> We also recognize that some customers don't want to do that so for the foreseeable future we are maintaining the two code bases.
>
> We are not going to force customers to move. At some point in the future V3 will go onto maintenance but that date has not yet been decided.
>
> Barry
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
> Sent: Sunday, February 12, 2006 9:47 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Changes @ Declude
>
> Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee <[EMAIL PROTECTED]> wrote:
> KB> [Snip]
> KB>
> KB> On the buying issue what do you get, the two products will be kept in parity feature wise.
> KB>
> KB> Kevin Bilbee
> KB>
> KB> [Snip]
>
> If that is truly the case, then it makes sense to have only one version, 4.0. Then, the only difference will be that some customers are on an annual maint agreement and others pay an annual subscription.
>
> Don Brown - Dallas, Texas USA
> Internet Concepts, Inc.
> [EMAIL PROTECTED] http://www.inetconcepts.net
> (972) 788-2364 Fax: (972) 788-5049
>
> ---
> [This E-mail was scanned for viruses by Decl
Re: [Declude.Virus] Changes @ Declude
So what will happen to customers on SAs at that time? See why we're asking the questions?

Darin.

----- Original Message -----
From: "Barry Simpson" <[EMAIL PROTECTED]>
To:
Sent: Sunday, February 12, 2006 9:58 AM
Subject: RE: [Declude.Virus] Changes @ Declude

Don,

You are correct, it would be better to have only one product and that is why we are making the offer to customers to move to the highest level of the software at special pricing.

We also recognize that some customers don't want to do that so for the foreseeable future we are maintaining the two code bases.

We are not going to force customers to move. At some point in the future V3 will go onto maintenance but that date has not yet been decided.

Barry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Sunday, February 12, 2006 9:47 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Changes @ Declude

Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee <[EMAIL PROTECTED]> wrote:
KB> [Snip]
KB>
KB> On the buying issue what do you get, the two products will be kept in parity feature wise.
KB>
KB> Kevin Bilbee
KB>
KB> [Snip]

If that is truly the case, then it makes sense to have only one version, 4.0. Then, the only difference will be that some customers are on an annual maint agreement and others pay an annual subscription.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Changes @ Declude
I didn't receive it either. I checked the logs and nothing came in from Declude.

Darin.

----- Original Message -----
From: Scott Fisher
To: Declude.Virus@declude.com
Sent: Friday, February 10, 2006 2:24 PM
Subject: Re: [Declude.Virus] Changes @ Declude

Barry,

I did not receive the email sent to every customer (and I have Declude whitelisted). That irks me even more. Not having received the email, this all comes straight out of left field for me. If I had received the email, perhaps it wouldn't be such an unpleasant shock. It certainly is ruining my day off, I'll tell you that.

As for two continuing with two different version levels, I'll tell you my comfort level for running the lower version definitely isn't high. Today you are committed to the version 3 customers, but just with the version numbers, I'm feeling I have a lesser product. Declude version 3 is a dead end on the Declude product tree. It is just a matter of when.

Will all future enhancements be going into version 3? What are the planned enhancements? Tell us how Declude is planning to improve the product.

----- Original Message -----
From: [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, February 10, 2006 12:47 PM
Subject: [Declude.Virus] Changes @ Declude

In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements.

I have responded to each and every customer who has contacted me since the email was sent out and if any one has any further questions they can contact me either by email or telephone (978) 499-2933.

Barry
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
By running AVAFTERJM, you can use spam filtering to eliminate banned files that you would otherwise have to review in the virus hold queue. The drawback is that marginal emails are not identified as banned files, but on our system at least, running AVAFTERJM means less to review.

Darin.

----- Original Message -----
From: "Don Brown" <[EMAIL PROTECTED]>
To:
Sent: Friday, January 27, 2006 9:45 AM
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew <[EMAIL PROTECTED]> wrote:
CA> [SNIP]
CA> Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
CA> to cut down on the work, and this definitely leaves a gap in my
CA> statistics. Similarly, it follows that I wouldn't want to scan my whole
CA> SPAM folder. Even reading the directory of the filenames is a disk
CA> workout.
[SNIP]

How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Interesting, Andrew. We've run AVAFTERJM for the same reasons, and have been considering doing something to remove the viruses from the spam hold queue as well.

Speaking of which, I'd like to re-request a feature from Declude to be able to selectively notify on detected vulnerabilities. We have notification on banned files, but I don't believe vulnerabilities notify. Adding that would make virus detection system manual maintenance almost non-existent.

Darin.

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 26, 2006 3:33 AM
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

> Do you mean this script on my disk who creates one hour each
> day with 100% CPU usage?

Markus, I found that a pretty fun bit of sarcasm. But I have a dry sense of humour.

It sounds like you're not using AVAFTERJM so that you catch viruses as viruses and spam as spam. In this scenario I'm pretty confident that you could automate grepping your virMMDD.log file hourly, look for a pre-set list of virus names, cut up the Q* column to derive the filename, and delete the Q*.SMD and D*.SMD file, for example, this line:

01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]

Is quite easy to parse.

Let me share something similar I've done. I've remarked on it vaguely before...

I wanted to nail down some of my statistics, and as that evolved, I wanted to know how much of the inbound mail that is blocked as spam was actually viral. It turned out that I block a lot of viruses as spam because they have the same IP source characteristics, malformed headers, fake source domains and so forth as zombie spam (no surprise, they're much the same machines).

Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM to cut down on the work, and this definitely leaves a gap in my statistics. Similarly, it follows that I wouldn't want to scan my whole SPAM folder. Even reading the directory of the filenames is a disk workout.

During our slow period (nightly) I do a scheduled run of a .cmd script that uses the GNU utilities to check my Declude logs for the held spam for that day only, I weed out ones that triggered SNIFFERMALWARE or my own Declude filter tests for viruses, then from that subset I have a list of Q* names. From that Q* column, I can form the filename. I then grep each one of those files for strings that would indicate that there is a possibly viral attachment (it's not perfect), and then on the remainder of the filenames, I invoke my F-Prot scanner and check the result code for each file.

This isn't ideal, but I found that invoking it every time with specific filenames was far, far faster than scanning a folder. Windows certainly caches the fpcmd and pattern files, so that definitely helps.

How much am I saving? Well, I am scanning all the files in some fashion, but I'm doing grep for some spam and grep plus antivirus for the minority of it, and I'm doing it outside of our busy hours. It takes *two hours*, and produces results like this in a day:

Viruses caught by Declude Virus after using AVAFTERJM: 1
Messages caught by filters or Sniffer: 349
Messages scanned "after hours": 25,000
Viruses found "after hours": 378

So, I time-shifted away from normal hours the CPU and disk hit of doing the scanning, and I still get my virus statistics without causing a performance problem at night. The resulting logs are easily grepped for virus names and counts if I want. I use another set of scripts to compile the stats at the end of the month, with little to no maintenance.

It's awful code, but if a non-programmer like me can do this, your virMMDD.log can be used to delete the messages for viruses you don't want to keep on disk.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Wednesday, January 25, 2006 10:13 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
>
> > As a work around until and if Declude adds the requested feature, you
> > could write a script to search the files on a timed based for a phrase
> > (virus name) and have it delete them.
>
> Do you mean this script on my disk who creates one hour each day with 100% CPU usage?
>
> Markus
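The log-driven cleanup Andrew describes above, sketched as an added example (not code from the thread, and not Declude's own). It assumes the INFECTED line format quoted in his message, that the spool file pair is Q<id>.SMD and D<id>.SMD with a shared id, and uses constructed log lines and virus names.

```python
import fnmatch
import re
from pathlib import Path

# Line format taken from the single example quoted in the thread:
#   01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ <virus name>: 3]
# The queue id is restricted to hex digits so that nothing read from a log
# can ever turn into a path outside the spool directory.
INFECTED_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} "
    r"(?P<qid>Q[0-9A-Fa-f]+) File\(s\) are INFECTED "
    r"\[\s*(?P<virus>.+?)\s*:\s*\d+\s*\]\s*$"
)

# Constructed sample lines (not from a real server). The second and fourth
# lines must be ignored: one is not an INFECTED line, one has a bogus id.
SAMPLE_LOG = """\
01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/Sober.Z@mm: 3]
01/24/2006 18:55:02 QE86B0B1F00A4EA72 (constructed line for a clean message)
01/24/2006 18:55:40 QE87011C2014CEA75 File(s) are INFECTED [ W32/Bagle.GEN: 3]
01/24/2006 18:56:11 Q../../boot File(s) are INFECTED [ W32/Sober.Z@mm: 3]
"""


def parse_infected(lines):
    """Yield (queue_id, virus_name) for each INFECTED line, skipping the rest."""
    for line in lines:
        m = INFECTED_RE.match(line.strip())
        if m:
            yield m.group("qid").upper(), m.group("virus")


def spool_files(queue_id):
    """Assumed naming: the Q (envelope) and D (data) files share one id."""
    return [f"{queue_id}.SMD", f"D{queue_id[1:]}.SMD"]


def purge(spool_dir, lines, patterns, dry_run=True):
    """Return the spool file names held for viruses matching `patterns`.

    `patterns` is the admin's pre-set list (shell-style wildcards, matched
    case-insensitively). With dry_run=False the files are also deleted.
    """
    spool = Path(spool_dir).resolve()
    wanted = [p.lower() for p in patterns]
    hits = []
    for qid, virus in parse_infected(lines):
        if not any(fnmatch.fnmatchcase(virus.lower(), p) for p in wanted):
            continue
        for name in spool_files(qid):
            path = spool / name
            if path.is_file():          # already released or deleted: skip
                hits.append(path.name)
                if not dry_run:
                    path.unlink()
    return hits


if __name__ == "__main__":
    for qid, virus in parse_infected(SAMPLE_LOG.splitlines()):
        print(qid, virus, spool_files(qid))
```

Run it in dry-run mode first and compare the returned names with the hold queue before letting it delete anything.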
[Declude.Virus] [EMAIL PROTECTED] customer
Please turn off your postmaster notifications for detected virii, or utilize the ability to avoid sending notifications for forging viruses. Thanks, Darin.
Re: [Declude.Virus] Another Sober out. (=> idea)
Yeah, maintaining BANNAMEs is not a good long-term solution. I've tripled my list in the last week with the new variants.

Since filenames are becoming more dynamic, and we will most likely start seeing significant overlap with legitimate filenames soon, I would amend this by having the DNS-based lookup use parameters that describe the file instead, like maybe filesize and CRC. I don't know if Declude is interested in this, but if not it shouldn't be too hard to whip up an external test that determined these and looked up against either a specialized DNS lookup, or a downloadable list.

Seems like AV companies need to start using more advanced pattern matching to catch these variants, rather than relying on specific signatures.

Darin.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Friday, November 25, 2005 3:20 AM
Subject: RE: [Declude.Virus] Another Sober out. (=> idea)

Thank you John but,

> BANNAME mailtext.zip

...is this really the only name used by this variant?

I'm feeling a little bit bad, while adding and adding BANNAMEs to the virus.cfg file.

First as said yesterday I feel there are many many BANNAME entries that are not more accurate or spreading in the wild and so unnecessary load in my and our config files.

Second it's always the "two steps behind" if we have to adapt our config files manually after someone else has discovered a new variant.

Wouldn't be possible to write a junkmail external test, or maybe also an "AV-Engine" that does nothing else then looking at a central database for filenames that are suspicious.

I'm not 100% familiar with the ip4r/rbl technique but why not set up a DNS-server containing TLD-zones like

.zip
.exe
.com

Then some of us can act as operators and add additional zones like "mailtext"

Looking at the case two days ago that I reported with the new bagle variant it would also be possible to add something like

1.exe.ester.zip
12.exe.ester.zip
1.exe.emanuel.zip
...

Or maybe also with wildcards like

*.exe.mailtext.zip

By having bitmasked result codes it would maybe also possible to entries like *.exe*.zip with a "suspicious" result code and other more concrete definitions with an "accurate" result code. so admins can use it as they want.

Our administrative work should decrease while new banname definitions will be available as soon the first of the operators will detect and add it to the database.

+as having one (or more replicated) central points we should be able to notice a relative high increase of request for exe in zips and so know that something seems going on.

What do you think? My opinion is that last week av-companies showed that they are not able to provide accurate detection-quality.

Markus
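An added sketch of the external test discussed in this thread (not part of the original posts and not a Declude feature): it combines Darin's file-size-plus-CRC lookup against a downloadable list with Markus's bitmasked "suspicious" and "accurate" result codes. The list contents, the payload bytes, the function names and the query-name layout under files.example.invalid are all hypothetical.

```python
import fnmatch
import io
import zipfile
import zlib

# Bitmasked result codes, as proposed in the thread.
SUSPICIOUS = 0x1   # a member name matches a wildcard pattern
ACCURATE = 0x2     # a member's (size, CRC32) is on the known list

# Hypothetical wildcard part of the downloadable list.
NAME_PATTERNS = ["*.exe", "*.scr", "*.pif", "*.com", "*.cpl"]


def fingerprint(data):
    """(size, CRC32) of raw bytes: the lookup key that survives a rename."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF


def members(filename, data):
    """Yield (name, size, crc32) per file inside a zip, else for the file itself.

    For a zip, size and CRC are read from the archive directory, so nothing
    is decompressed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, info.file_size, info.CRC
            return
    except zipfile.BadZipFile:
        pass                      # not a zip: fall through to the raw file
    size, crc = fingerprint(data)
    yield filename, size, crc


def check_attachment(filename, data, known, patterns=NAME_PATTERNS):
    """Return the OR of SUSPICIOUS / ACCURATE over all members."""
    code = 0
    for name, size, crc in members(filename, data):
        if any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
            code |= SUSPICIOUS
        if (size, crc) in known:
            code |= ACCURATE
    return code


def dns_query_name(size, crc, zone="files.example.invalid"):
    """Hypothetical query name if the list were served over DNS instead."""
    return f"{crc:08x}.{size}.{zone}"


def make_zip(member_name, payload):
    """Build a one-member zip in memory (used only for the sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-in for a worm body and the list entry derived from it.
PAYLOAD = b"MZ" + b"constructed stand-in for a worm body" * 40
KNOWN = {fingerprint(PAYLOAD)}

if __name__ == "__main__":
    samples = {
        "Ester.zip": make_zip("1.exe", PAYLOAD),             # listed variant
        "Brand-New-Name.zip": make_zip("12.exe", PAYLOAD),   # renamed, same body
        "Other.zip": make_zip("1.exe", PAYLOAD + b"x"),      # new body
        "report.zip": make_zip("report.txt", b"quarterly numbers"),
    }
    for name, blob in samples.items():
        print(f"{name:20} result code {check_attachment(name, blob, KNOWN)}")
```

A renamed zip carrying the same body still returns the "accurate" bit, which is what a BANNAME list cannot do; a changed body falls back to the "suspicious" bit only.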
Re: [Declude.Virus] how is Declude 3.x?
Totally agree with you there, Sandy. We're trying to decide whether to renew the service agreement. We paid for a year and haven't upgraded at all due to the stability problems and bugs with 2.x and 3.x, though we are considering upgrading to IMail 2006 and 3.0 soon. Things seem to have settled down a bit.

What are you running? 2.06 with IMail 8.15? We're still running IMail 8.05 and 1.82 currently.

Darin.

----- Original Message -----
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 24, 2005 3:23 PM
Subject: Re: [Declude.Virus] how is Declude 3.x?

> 3.0.5y.20 on Imail running fine here.

I think it would be helpful if 3.0.x adopters could mention IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly available) external tests they're running.

I honestly thought, after the rash of buggy releases and seemingly insufficient internal testing, that I would not deploy 3.0.x for several months, if ever. I'm sure I'm not alone.

--Sandy

--
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
mailto:[EMAIL PROTECTED]
--
Re: [Declude.Virus] BANNAMEs in log file
Not an answer to your question, but I would suggest using BANEXT for com, scr, cpl, and exe files.

Darin.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 24, 2005 3:24 AM
Subject: [Declude.Virus] BANNAMEs in log file

Would it be possible to have one line in the MID-logfile for each banned filename

For example if I have

BANNAME price.com
BANNAME price.scr
BANNAME price.exe
BANNAME price.cpl
BANNAME joke.com
BANNAME joke.scr
BANNAME joke.exe
BANNAME joke.cpl

in my virus.cfg file it would be nice to have lines like

BANNAME price.exe

in the logfiles. So I can

A.) easily create reports for currently active banned filenames and so remove inactive names from the config file
B.) check if "BANNAME price.exe 120" maybe was a false positive because it has a filesize of 1,2 MB

Markus
Re: [Declude.Virus] Blocking PIF Files
We have enough customers using those that we can't block them.

Darin.

----- Original Message -----
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 24, 2005 4:51 AM
Subject: RE: [Declude.Virus] Blocking PIF Files

To add to Darin's list, I also block PPS files.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Wednesday, November 23, 2005 7:00 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blocking PIF Files
>
> Here's a list compiled over the years of extensions we ban. The top two you will want to consider your userbase before banning, the rest should be fine.
> Note that we couple this with a banned file notification to the intended recipient, which includes a link to requeue the file for delivery if it is legitimate.
>
> BANEXT EZIP
> BANEXT rar
>
> BANEXT bas
> BANEXT bat
> BANEXT ceo
> BANEXT chm
> BANEXT cmd
> BANEXT com
> BANEXT cpl
> BANEXT exe
> BANEXT hta
> BANEXT inf
> BANEXT ins
> BANEXT isp
> BANEXT js
> BANEXT jse
> BANEXT lnk
> BANEXT msi
> BANEXT msp
> BANEXT mst
> BANEXT pcd
> BANEXT pif
> BANEXT reg
> BANEXT scr
> BANEXT sct
> BANEXT shb
> BANEXT shs
> BANEXT vb
> BANEXT vbe
> BANEXT vbs
>
> BANEXT ws
> BANEXT wsc
> BANEXT wsf
> BANEXT wsh
>
> Darin.
>
> ----- Original Message -----
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, November 23, 2005 9:26 AM
> Subject: [Declude.Virus] Blocking PIF Files
>
> Hello, All,
> I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate.
>
> What is the proper technique for blocking messages that have an attachment that ends in a "pif" extension like "your_letter.pif"?
>
> We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
>
> Thanks In Advance!
> Dan Geiser
> [EMAIL PROTECTED]
>
> ---
> E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
Re: [Declude.Virus] New Virus Strain Pounding my systems
The second part of that list has been updated

BANNAME Alice.zip
BANNAME Androw.zip
BANNAME Ann.zip
BANNAME Christian.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Ellen.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Isabell.zip
BANNAME James.zip
BANNAME Josias.zip
BANNAME Judeth.zip
BANNAME Katheryne.zip
BANNAME Margerye.zip
BANNAME Marie.zip
BANNAME Martha.zip
BANNAME Marye.zip
BANNAME Nathaniel.zip
BANNAME Nathanyell.zip

Darin.

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 3:56 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip

BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip

Darin.

----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Darin,
Would you add these to virus.cfg? Similar to BANEXT?

Thanks,
Dan

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

> For those of us poor saps who don't have Pro, here's a compiled list from a
> couple of sources of zip filenames to ban.
>
> Due to the variation in filenames, it would be useful to have BANNAME allow
> some minimal pattern matching. That would have made this list a bit
> shorter.
>
> # Added 11/21/2005 to handle new Sober.X/Z variants
> BANNAME downloadm.zip
> BANNAME Ebay.zip
> BANNAME Ebay-User_RegC.zip
> BANNAME Email.zip
> BANNAME Email_text.zip
> BANNAME injection.zip
> BANNAME mail.zip
> BANNAME mailtext.zip
> BANNAME reg_pass.zip
> BANNAME reg_pass-data.zip
>
> BANNAME Service.zip
> BANNAME Webmaster.zip
> BANNAME Postman.zip
> BANNAME Info.zip
> BANNAME Hostmaster.zip
> BANNAME Postmaster.zip
> BANNAME Admin.zip
>
> BANNAME Service-TextInfo.zip
> BANNAME Webmaster-TextInfo.zip
> BANNAME Postman-TextInfo.zip
> BANNAME Info-TextInfo.zip
> BANNAME Hostmaster-TextInfo.zip
> BANNAME Postmaster-TextInfo.zip
> BANNAME Admin-TextInfo.zip
>
> BANNAME Downloads.zip
> BANNAME BKA.zip
> BANNAME Internet.zip
> BANNAME Post.zip
> BANNAME Anzeige.zip
> BANNAME BKA.Bund.zip
>
> BANNAME AkteDownloads.zip
> BANNAME AkteBKA.zip
> BANNAME AkteInternet.zip
> BANNAME AktePost.zip
> BANNAME AkteAnzeige.zip
> BANNAME AkteBKA.Bund.zip
>
> BANNAME Kandidat.zip
> BANNAME WWM.zip
> BANNAME Auslosung.zip
> BANNAME Casting.zip
> BANNAME Gewinn.zip
> BANNAME Info.zip
> BANNAME RTL-Admin.zip
> BANNAME RTL.zip
> BANNAME Webmaster.zip
> BANNAME RTL-TV.zip
>
> BANNAME Kandidat_Text.zip
> BANNAME WWM_Text.zip
> BANNAME Auslosung_Text.zip
> BANNAME Casting_Text.zip
> BANNAME Gewinn_Text.zip
> BANNAME Info_Text.zip
> BANNAME RTL-Admin_Text.zip
> BANNAME RTL_Text.zip
> BANNAME Webmaster_Text.zip
> BANNAME RTL-TV_Text.zip
>
> Darin.
>
> ----- Original Message -----
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
> If you have Pro version you should be always blocking using "BANZIPEXTS ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> On Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 12:12 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> It is coming in with a lot of different zip file names and body names n
Re: [Declude.Virus] OT: Virus Backscatter
Sorry... didn't realize that's what you were asking...

Darin.

----- Original Message -----
From: "marc catuogno" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 11:27 AM
Subject: Re: [Declude.Virus] OT: Virus Backscatter

Actually I was talking about the notices from other postmasters - I have almost no bounce messages, I don't notify on banned files and so on for just that very reason.

---------- Original Message ----------
From: "Darin Cox" <[EMAIL PROTECTED]>
Reply-To: Declude.Virus@declude.com
Date: Wed, 23 Nov 2005 10:02:38 -0500

>We went with AVAFTERJM ON to minimize this. That way most get held as spam
>instead of being detected by Virus as banned files, and don't generate
>banned file notifications. Others may have better ways to handle filtering
>these out, but that worked well for us.
>
>Darin.
>
>----- Original Message -----
>From: "Marc Catuogno" <[EMAIL PROTECTED]>
>To:
>Sent: Wednesday, November 23, 2005 9:12 AM
>Subject: [Declude.Virus] OT: Virus Backscatter
>
>The latest outbreak has caused me a great deal of backscatter. You sent a
>banned file, virus in an attachment sent by you, undeliverables and so on. I
>am very hesitant to try to create rules in JM to stop all notices like this
>because some of them are necessary. I've pretty much told the users to
>ignore them unless it looks like something they may have sent, but some
>people are getting really flooded.
>What is everyone else doing?
Re: [Declude.Virus] New Virus Strain Pounding my systems
Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip

BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip

Darin.

----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Darin,
Would you add these to virus.cfg? Similar to BANEXT?

Thanks,
Dan

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

> For those of us poor saps who don't have Pro, here's a compiled list from a
> couple of sources of zip filenames to ban.
>
> Due to the variation in filenames, it would be useful to have BANNAME allow
> some minimal pattern matching. That would have made this list a bit
> shorter.
>
> # Added 11/21/2005 to handle new Sober.X/Z variants
> BANNAME downloadm.zip
> BANNAME Ebay.zip
> BANNAME Ebay-User_RegC.zip
> BANNAME Email.zip
> BANNAME Email_text.zip
> BANNAME injection.zip
> BANNAME mail.zip
> BANNAME mailtext.zip
> BANNAME reg_pass.zip
> BANNAME reg_pass-data.zip
>
> BANNAME Service.zip
> BANNAME Webmaster.zip
> BANNAME Postman.zip
> BANNAME Info.zip
> BANNAME Hostmaster.zip
> BANNAME Postmaster.zip
> BANNAME Admin.zip
>
> BANNAME Service-TextInfo.zip
> BANNAME Webmaster-TextInfo.zip
> BANNAME Postman-TextInfo.zip
> BANNAME Info-TextInfo.zip
> BANNAME Hostmaster-TextInfo.zip
> BANNAME Postmaster-TextInfo.zip
> BANNAME Admin-TextInfo.zip
>
> BANNAME Downloads.zip
> BANNAME BKA.zip
> BANNAME Internet.zip
> BANNAME Post.zip
> BANNAME Anzeige.zip
> BANNAME BKA.Bund.zip
>
> BANNAME AkteDownloads.zip
> BANNAME AkteBKA.zip
> BANNAME AkteInternet.zip
> BANNAME AktePost.zip
> BANNAME AkteAnzeige.zip
> BANNAME AkteBKA.Bund.zip
>
> BANNAME Kandidat.zip
> BANNAME WWM.zip
> BANNAME Auslosung.zip
> BANNAME Casting.zip
> BANNAME Gewinn.zip
> BANNAME Info.zip
> BANNAME RTL-Admin.zip
> BANNAME RTL.zip
> BANNAME Webmaster.zip
> BANNAME RTL-TV.zip
>
> BANNAME Kandidat_Text.zip
> BANNAME WWM_Text.zip
> BANNAME Auslosung_Text.zip
> BANNAME Casting_Text.zip
> BANNAME Gewinn_Text.zip
> BANNAME Info_Text.zip
> BANNAME RTL-Admin_Text.zip
> BANNAME RTL_Text.zip
> BANNAME Webmaster_Text.zip
> BANNAME RTL-TV_Text.zip
>
> Darin.
>
> ----- Original Message -----
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
> If you have Pro version you should be always blocking using "BANZIPEXTS ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> On Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 12:12 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> It is coming in with a lot of different zip file names and body names now, I
>> blocked all zip files and submitted samples
>>
>> I am really getting hit hard
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>>
>> ----- Original Message -----
>> From: "Matt" <[EMAIL PROTECTED]>
>> To:
>> Sent: Monday, November 21, 2005 2:51 PM
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> > McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is
>> > st
Re: [Declude.Virus] OT: Virus Backscatter
We went with AVAFTERJM ON to minimize this. That way most get held as spam instead of being detected by Virus as banned files, and don't generate banned file notifications. Others may have better ways to handle filtering these out, but that worked well for us.

Darin.

----- Original Message -----
From: "Marc Catuogno" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:12 AM
Subject: [Declude.Virus] OT: Virus Backscatter

The latest outbreak has caused me a great deal of backscatter. You sent a banned file, virus in an attachment sent by you, undeliverables and so on. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded.
What is everyone else doing?
Re: [Declude.Virus] Blocking PIF Files
Here's a list compiled over the years of extensions we ban. The top two you will want to consider your userbase before banning, the rest should be fine. Note that we couple this with a banned file notification to the intended recipient, which includes a link to requeue the file for delivery if it is legitimate.

BANEXT EZIP
BANEXT rar

BANEXT bas
BANEXT bat
BANEXT ceo
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT cpl
BANEXT exe
BANEXT hta
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT msp
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT sct
BANEXT shb
BANEXT shs
BANEXT vb
BANEXT vbe
BANEXT vbs

BANEXT ws
BANEXT wsc
BANEXT wsf
BANEXT wsh

Darin.

----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:26 AM
Subject: [Declude.Virus] Blocking PIF Files

Hello, All,
I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate.

What is the proper technique for blocking messages that have an attachment that ends in a "pif" extension like "your_letter.pif"?

We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser
[EMAIL PROTECTED]
Re: [Declude.Virus] Blocking PIF Files
> If you also want to block them in zips and encrypted zip:
> BANZIPEXTS ON
> BANEZIPEXTS ON

Only works in Virus Pro. He said he has Virus Standard.

Darin.

----- Original Message -----
From: "Info Wind" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:47 AM
Subject: Re: [Declude.Virus] Blocking PIF Files

virus.cfg:
BANEXT PIF

If you also want to block them in zips and encrypted zip:
BANZIPEXTS ON
BANEZIPEXTS ON

Uwe

----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 3:26 PM
Subject: [Declude.Virus] Blocking PIF Files

> Hello, All,
> I don't know whether this would be more appropriate for the virus list or
> the junkmail list so please point me towards junkmail if appropriate.
>
> What is the proper technique for blocking messages that have an attachment
> that ends in a "pif" extension like "your_letter.pif"?
>
> We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
>
> Thanks In Advance!
> Dan Geiser
> [EMAIL PROTECTED]
Re: [Declude.Virus] New Virus Strain Pounding my systems
You could use banned file notification so that if a banned file gets held that is not a known virus a notification is sent out. We send these notifications to the recipient, including enough information for them to decide if the email is legit, and include a link to an ASP script that requeues the file for delivery. The user then just clicks the link if they want to receive the email. Works great for our users.

Note that we also use AVAFTERJM ON, so banned files that first fail spam filtering do not send out these notifications, which cuts down significantly on notifications resulting from new virus variants.

And/or you could spring for EVA Pro and ban files inside the zip, which should lead to less legit banned files...at least for the time being.

Darin.

----- Original Message -----
From: "Rick Davidson" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 22, 2005 10:57 AM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Point well taken... Problem is that prior to virus writers exploiting zip files we pounded it into everyone's head to use zip files... can't win for losing.

I will spend a day grabbing copies and see what the ramifications of blocking zips would be. Main concern is avoiding getting screamed at for holding up million-dollar real-estate deals.

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Kevin Bilbee" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 9:13 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems

> This is not about executable format, it is about banning zips and encrypted
> zip files.
>
> Kevin Bilbee
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 5:51 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> I would but my conundrum is that we receive a lot of our loan packages in
>> executable format and the lenders could care less about what I have to say
>> about that... So I have to temporarily block them then have someone watch
>> for legit files and release them from quarantine as they come in.
>>
>> f-prot was right on top of it with a def release. kudos to them.
>>
>> John C that is hilarious!
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>>
>> ----- Original Message -----
>> From: "John T (Lists)" <[EMAIL PROTECTED]>
>> To:
>> Sent: Monday, November 21, 2005 4:53 PM
>> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> If you have Pro version you should be always blocking using
>> "BANZIPEXTS ON" and "BANEZIPEXTS ON".
>>
>> John T
>> eServices For You
>>
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED]
>> > On Behalf Of Rick Davidson
>> > Sent: Monday, November 21, 2005 12:12 PM
>> > To: Declude.Virus@declude.com
>> > Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>> >
>> > It is coming in with a lot of different zip file names and body names now, I
>> > blocked all zip files and submitted samples
>> >
>> > I am really getting hit hard
>> >
>> > Rick Davidson
>> > National Systems Manager
>> > North American Title Group
>> > 440-639-0607 - Office
>> > 951-233-6342 - Mobile
>> > [EMAIL PROTECTED]
>> >
>> > ----- Original Message -----
>> > From: "Matt" <[EMAIL PROTECTED]>
>> > To:
>> > Sent: Monday, November 21, 2005 2:51 PM
>> > Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>> >
>> > > McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
>> > > missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
>> > > McAfee seems to have had this one tagged prior to the outbreak starting
>> > > since none have slipped through yet.
>> > >
>> > > Matt
>> > >
>> > > Rick Davidson wrote:
>> > >
>> > >> heads up folks, I am stopping a new zip virus with the following junkmail
>> > >> rules, this is all I have seen so far. Contains an executable payload
>> > >> called File-packed_dataInfo.exe
>> > >>
>> > >> Rick Davidson
>> > >> National Systems Manager
>> > >> North American Title Group
>> > >> 440-639-0607 - Office
>> > >> 951-233-6342 - Mobile
>> > >> [EMAIL PROTECTED]
Re: [Declude.Virus] New Virus Strain Pounding my systems
For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban.

Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip

BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip

BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip

BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip

BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip

BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip

BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip

Darin.

----- Original Message -----
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems

If you have Pro version you should be always blocking using "BANZIPEXTS ON" and "BANEZIPEXTS ON".

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
>
> I am really getting hit hard
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Matt" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
> > missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
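Added example, not part of any message in this thread and not Declude's code: a Python sketch of how exact BANNAME/BANEXT matching behaves on attachment names, what the glob matching wished for above would add (including a false positive it introduces), and a check of member names inside a zip. Case-insensitive matching, last-extension matching, the glob syntax and every function name are assumptions; the sample config and zip are constructed from names quoted in the thread.

```python
import fnmatch
import io
import ntpath
import zipfile

# Constructed excerpt: directives copied from lists quoted in this thread.
SAMPLE_CFG = """\
BANEXT pif
BANEXT scr
BANEXT exe
# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip
"""

# Hypothetical glob patterns; the thread describes BANNAME as exact names only.
HYPOTHETICAL_PATTERNS = ["*-textinfo.zip", "*_text.zip", "reg_pass*.zip"]


def parse_cfg(text):
    """Collect BANEXT and BANNAME values, lowercased; skip comments and blanks."""
    exts, names = set(), set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].upper(), parts[1].strip().lower()
        if key == "BANEXT":
            exts.add(value.lstrip("."))
        elif key == "BANNAME":
            names.add(value)
    return exts, names


def normalise(filename):
    """Drop any path, trailing dots/spaces (ignored by Windows), and case."""
    return ntpath.basename(filename).rstrip(". ").lower()


def extension(name):
    """Text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def verdict(filename, exts, names, patterns=()):
    """Return the rule type that bans this attachment name, or None."""
    name = normalise(filename)
    if name in names:
        return "BANNAME"
    if extension(name) in exts:
        return "BANEXT"
    if any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns):
        return "PATTERN"
    return None


def covered_by(names, patterns):
    """Exact BANNAME entries that the patterns would make redundant."""
    return {n for n in names
            if any(fnmatch.fnmatchcase(n, p.lower()) for p in patterns)}


def banned_members(zip_bytes, exts):
    """Member names inside a zip whose extension is on the BANEXT list."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if extension(normalise(i.filename)) in exts]


def sample_zip():
    """Constructed archive: harmless text stored under the payload name
    reported in the thread, so the member check has something to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("File-packed_dataInfo.exe", "placeholder, not a program")
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    exts, names = parse_cfg(SAMPLE_CFG)
    for att in ["your_letter.pif", "SERVICE.ZIP",
                "Hostmaster-TextInfo.zip", "meeting_text.zip"]:
        print(att, verdict(att, exts, names),
              verdict(att, exts, names, HYPOTHETICAL_PATTERNS))
    print(sorted(covered_by(names, HYPOTHETICAL_PATTERNS)))
    print(banned_members(sample_zip(), exts))
```

The unlisted name Hostmaster-TextInfo.zip passes the exact list and is caught only by a pattern, while meeting_text.zip shows the cost: a legitimate-looking name caught by the same pattern.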
Re: [Declude.Virus] New Sober to be released, possible variation?
Another one to block...

BANNAME Accept_e-Text.zip

The list so far is

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip

As mentioned before, we keep these in place even after the virus definitions are catching them. That way new variants that use the names are caught before definitions are available.

Darin.

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 11:57 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

There are very interesting details in Trend Micro's writeup.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T

i.e. it uses its own SMTP server plus a hardcoded list of accounts and IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious Software Removal Tool.

It may be worth mentioning that the BANNAME list that Darin provided will be useful for those of us using F-Prot only, as they are still not detecting the variant I've been receiving since this thread started.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 6:05 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released,
> possible variation?
>
> Most of the new Sober variants are expected to be low volume, so
> I'm not surprised that Netsky.P continues to outstrip them.
>
> Security vendors are varying as to what they are detecting
> with 6 new Sober variants yesterday and today. Best bet is
> to ban the files at least until virus definition files have
> caught up. We keep the bans in place for the usual overlap
> in new variants.
>
> Darin.
>
> ----- Original Message -----
> From: "Markus Gufler" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, November 15, 2005 8:44 AM
> Subject: RE: [Declude.Virus] New Sober to be released,
> possible variation?
>
> Thank you Darin.
>
> just curious after watching our virus logfiles today
> Anyone else can confirm that there are only a few of the
> today new virus and
> far more netsky (most .p variant) showing up in the logfiles?
>
> Today I've had some reports that certain variants of the new
> virus slipped
> through while it was definitively catching some others.
>
> Markus
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 2:33 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > I just went through all of the reports. Here's a list of new
> > filenames to
> > ban:
> >
> > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > BANNAME email_photo.zip
> > BANNAME excel_table.zip
> > BANNAME liste.zip
> > BANNAME reg_text.zip
> > BANNAME registration.zip
> > BANNAME tabelle.zip
> >
> > Darin.
> >
> > ----- Original Message -----
> > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > To:
> > Sent: Tuesday, November 15, 2005 8:24 AM
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > Looks like varying attachment names. I got one that's excel_table.zip
> >
> > ----- Original Message -----
> > From: "David Dodell" <[EMAIL PROTECTED]>
> > To: "John T (Lists)"
> > Sent: Tuesday, November 15, 2005 6:50 AM
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > > Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
> > >
> > >> Sophos is now calling it Sober-R.
> > >
> > > Possible variation received this morning ... the text discussed
> > > receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released, possible variation?
Most of the new Sober variants are expected to be low volume, so I'm not surprised that Netsky.P continues to outstrip them.

Security vendors are varying as to what they are detecting with 6 new Sober variants yesterday and today. Best bet is to ban the files at least until virus definition files have caught up. We keep the bans in place for the usual overlap in new variants.

Darin.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 8:44 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

Thank you Darin.

just curious after watching our virus logfiles today
Anyone else can confirm that there are only a few of the today new virus and far more netsky (most .p variant) showing up in the logfiles?

Today I've had some reports that certain variants of the new virus slipped through while it was definitively catching some others.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 2:33 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released,
> possible variation?
>
> I just went through all of the reports. Here's a list of new
> filenames to
> ban:
>
> # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> BANNAME email_photo.zip
> BANNAME excel_table.zip
> BANNAME liste.zip
> BANNAME reg_text.zip
> BANNAME registration.zip
> BANNAME tabelle.zip
>
> Darin.
>
> ----- Original Message -----
> From: "Doug Anderson" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, November 15, 2005 8:24 AM
> Subject: Re: [Declude.Virus] New Sober to be released,
> possible variation?
>
> Looks like varying attachment names. I got one that's excel_table.zip
>
> ----- Original Message -----
> From: "David Dodell" <[EMAIL PROTECTED]>
> To: "John T (Lists)"
> Sent: Tuesday, November 15, 2005 6:50 AM
> Subject: Re: [Declude.Virus] New Sober to be released,
> possible variation?
>
> > Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
> >
> >> Sophos is now calling it Sober-R.
> >
> > Possible variation received this morning ... the text discussed
> > receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released, possible variation?
Thanks, Uwe. I'm sure there will be more.

Darin.

----- Original Message -----
From: "Info Wind" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 8:52 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

We get one with foto.zip and word-text.zip

Uwe

P.S.: Thank you, Darin for the list.

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 2:33 PM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

> I just went through all of the reports. Here's a list of new filenames to ban:
>
> # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> BANNAME email_photo.zip
> BANNAME excel_table.zip
> BANNAME liste.zip
> BANNAME reg_text.zip
> BANNAME registration.zip
> BANNAME tabelle.zip
>
> Darin.
>
> ----- Original Message -----
> From: "Doug Anderson" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, November 15, 2005 8:24 AM
> Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
>
> Looks like varying attachment names. I got one that's excel_table.zip
>
> ----- Original Message -----
> From: "David Dodell" <[EMAIL PROTECTED]>
> To: "John T (Lists)"
> Sent: Tuesday, November 15, 2005 6:50 AM
> Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
>
>> Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
>>
>>> Sophos is now calling it Sober-R.
>>
>> Possible variation received this morning ... the text discussed
>> receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released, possible variation?
I just went through all of the reports. Here's a list of new filenames to ban:

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip

Darin.

----- Original Message -----
From: "Doug Anderson" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Looks like varying attachment names. I got one that's excel_table.zip

----- Original Message -----
From: "David Dodell" <[EMAIL PROTECTED]>
To: "John T (Lists)"
Sent: Tuesday, November 15, 2005 6:50 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

> Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
>
>> Sophos is now calling it Sober-R.
>
> Possible variation received this morning ... the text discussed
> receiving a problem email, and the attachment was email_photo.zip
Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?
Yep...seeing them here as well.

Darin.

----- Original Message -----
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 14, 2005 7:57 PM
Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?

Well, I am not sure about tomorrow, but in the last hour I have started to see some messages being caught with banned ZIP-EXE with a subject line of Thanks for your registration and a file name of reg_text.zip and a D file size of 184 Kb that I have not seen before.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Monday, November 14, 2005 3:36 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?
>
> Hmmm, now that's interesting.
>
> http://www.f-secure.com/weblog/#0705
>
> Andrew.
Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?
Well... so who's putting a ban on registration.zip in tonight?

Darin.

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 14, 2005 6:36 PM
Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?

Hmmm, now that's interesting.

http://www.f-secure.com/weblog/#0705

Andrew.
Re: [Declude.Virus] ban exe in zip file
See "15. Banning files based on extension in the manual"
http://www.declude.com/Version/Manuals/EVA/EVA_2.0.6.asp

Note that banning files inside zips is only available in EVA Pro.

Darin.

----- Original Message -----
From: Schmeits, Roger
To: Declude.Virus@declude.com
Sent: Thursday, November 03, 2005 5:44 PM
Subject: [Declude.Virus] ban exe in zip file

In light of the latest Beagle variant how can I ban a zip that has an exe inside a zip file? Thanks.

Roger Schmeits
Sr. Network Engineer
Clarkson College
http://www.clarksoncollege.edu
(402) 552-2542
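The filename bans posted earlier on this page and the exe-inside-a-zip question above, as an added Python example (not Declude's code, and not part of the original posts): it reads `BANNAME` entries, matches attachment names case-insensitively, and lists executable-looking members inside zip attachments. The extension set, the function names and the constructed sample message are assumptions made for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# BANNAME lines as posted on this page (Sober filename bans).
VIRUS_CFG = """\
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
"""

# Assumption (not from the page): extensions treated as executable inside a zip.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def parse_bannames(cfg_text):
    """Collect BANNAME entries, skipping comments and unrelated directives."""
    names = set()
    for raw in cfg_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) == 2 and fields[0].upper() == "BANNAME":
            names.add(fields[1].strip().lower())
    return names


def executable_members(zip_bytes):
    """Names of zip members with an executable extension, or None if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            hits = []
            for name in zf.namelist():
                # Windows drops trailing dots and spaces from file names, so
                # strip them before looking at the (last) extension.
                ext = os.path.splitext(name.rstrip(". ").lower())[1]
                if ext in EXEC_EXTS:
                    hits.append(name)
            return hits
    except zipfile.BadZipFile:
        return None


def screen_message(raw_bytes, banned):
    """Return (reason, detail) findings for every attachment in a raw message."""
    findings = []
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        # Compare on the bare file name, ignoring any path and letter case.
        base = fname.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base in banned:
            findings.append(("banned-name", fname))
        if base.endswith(".zip"):
            members = executable_members(part.get_payload(decode=True) or b"")
            if members is None:
                # A ".zip" that cannot be parsed is reported, not passed silently.
                findings.append(("unreadable-zip", fname))
            else:
                findings.extend(("exe-in-zip", f"{fname}:{m}") for m in members)
    return findings


def build_sample(attachment_name, members=(), raw=None):
    """Constructed message: a zip attachment holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder text, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("sample body")
    msg.add_attachment(raw if raw is not None else buf.getvalue(),
                       maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    banned = parse_bannames(VIRUS_CFG)
    print(screen_message(build_sample("REG_TEXT.ZIP", ["readme.txt.exe"]), banned))
```

A name ban only holds until the attachment is renamed, which is why the member check runs on every zip regardless of its file name.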
Re: [Declude.Virus] Declude 3.0.5.12 Posted
David,

Thank you very much for posting these notices to the list. This is incredibly helpful.

Darin.

----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To: ;
Sent: Wednesday, October 26, 2005 2:32 PM
Subject: [Declude.Virus] Declude 3.0.5.12 Posted

Declude 3.0.5.12

ADDED - When the \proc directory is empty winsock cleanup will be called after the shorter of either the number of worker threads going to 0 or 5 minutes. Any files found in the work directory will then be moved to the \review directory.

David B
www.declude.com
Re: [Declude.Virus] 3.0.5.10
True... but it's not about Scott anymore. Declude is a larger company, with more resources, and should be documenting this stuff... especially in light of all of the issues trying to get a new version to market. This kind of documentation will go a long way towards making the user community more comfortable with the new product.

And let's face it folks... we're not asking for a lot here. Just a quick posting to the list to let everyone know a new release is available, and a quick statement on the website as to what it fixes or doesn't fix. A known issues list with the latest release would be extremely helpful as well. Would save many of us a ton of time. This would take very little time, and has to be documented internally in the software development process, so why not make it available to help the user community?

This is not about blame, so don't take it wrong. We all understand there were a lot of factors involved in the new release because of architectural changes by Ipswitch. This is entirely about helping users stay current, get any problems they might be experiencing resolved, and stabilize the product.

Darin.

----- Original Message -----
From: "Scott Fisher" <[EMAIL PROTECTED]>
To:
Sent: Saturday, October 22, 2005 8:54 PM
Subject: Re: [Declude.Virus] 3.0.5.10

I would consider 3.0.5.10/11 interim releases... Scott would never have documented them. I too would like to see the release notes updated with each and every version... but it's a long long standing issue.

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Saturday, October 22, 2005 7:36 AM
Subject: Re: [Declude.Virus] 3.0.5.10

> On that note, I would also like to reraise the need for documentation on
> reported/known issues with a particular release. A simple page with a quick
> note about each reported issue would be very beneficial.
>
> Also, I would think each release would be reported on the Declude Releases
> list like Scott used to do. Now we have to go check the website for new
> releases. Very inefficient.
>
> Darin.
>
> ----- Original Message -----
> From: "John Carter" <[EMAIL PROTECTED]>
> To: ;
> Sent: Saturday, October 22, 2005 12:27 AM
> Subject: [Declude.Virus] 3.0.5.10
>
> This one is just for the record since .10 is not on the website anymore --
> thank goodness.
>
> Put 3.0.5.10 in place to this afternoon (before I knew .11 was available).
> MISTAKE! Things looked ok at first, but didn't realize mail was stacking up
> in \proc\. When I was not getting anything at the house, came back in
> (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It
> is flowing now.
>
> Wonder if that is the reason .10 disappeared from the web site so fast.
> This raises (at least for me) an old discussion. I know new documentation
> for each little update is not possible or even reasonable to expect. But
> maybe a quick and dirty page on what the update fixed.??
>
> John
Re: [Declude.Virus] 3.0.5.10
Totally agree... there are not enough announcements of bugs and fixes/releases especially when there's an unused list for that purpose.

Darin.

----- Original Message -----
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To:
Sent: Saturday, October 22, 2005 4:52 PM
Subject: RE: [Declude.Virus] 3.0.5.10

Well, that's just plain wrong. When there's enough time to update versions and a web site, it should be time enough to either send an email to the Declude announcement list - or to update a simple "what's new" page with 3 or 4 lines of text.

It's important to know what was wrong with a release I just installed a day earlier by looking at whatever is fixed in the new release.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Saturday, October 22, 2005 12:28 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness.

Put 3.0.5.10 in place to this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now.

Wonder if that is the reason .10 disappeared from the web site so fast. This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed.??

John
Re: [Declude.Virus] 3.0.5.10
On that note, I would also like to reraise the need for documentation on reported/known issues with a particular release. A simple page with a quick note about each reported issue would be very beneficial.

Also, I would think each release would be reported on the Declude Releases list like Scott used to do. Now we have to go check the website for new releases. Very inefficient.

Darin.

----- Original Message -----
From: "John Carter" <[EMAIL PROTECTED]>
To: ;
Sent: Saturday, October 22, 2005 12:27 AM
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness.

Put 3.0.5.10 in place to this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now.

Wonder if that is the reason .10 disappeared from the web site so fast. This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed.??

John
Re: [Declude.Virus] Confidentiality notice
This has long been limited only to text-based emails, but Sandy released a utility in the past month. See http://www.mail-archive.com/declude.virus@declude.com/msg12388.html

Darin.

----- Original Message -----
From: Rodney Bertsch
To: Declude.Virus@declude.com
Sent: Thursday, October 13, 2005 11:31 AM
Subject: [Declude.Virus] Confidentiality notice

Hey all!

I'm not sure if this is a function of Declude or I-Mail, but I am trying to add a confidentiality notice to the bottom of all our outgoing e-mails. I've been poking around and haven't seen anywhere that I can do this. Is anyone else using this and how do I enable it?

Thanks,
Rodney
[Declude.Virus] Possible BANnotify.EML problem with Declude 1.82
Just ran across a possible problem with the BANnotify.EML in Declude Virus 1.82. If a SKIPIFFORGING line is in it, it doesn't send the notification. Is this an inappropriate setting? i.e. If virus checking is done first then SKIPIFFORGING would not apply.

Darin.
Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
Nope... the notification includes quite a bit of information so they can completely decide for themselves if they want it. Many just leave them for the 7 days, at which point they are deleted.

If you give the user enough information, they are capable of making a decision... and it's rare that we see something banned that isn't legit... otherwise it's generally caught as spam or virus.

Darin.

----- Original Message -----
From: "Marc Catuogno" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 11, 2005 11:38 PM
Subject: RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

You have a user base that is educated and that you trust enough to click a link that would send them a potential virus? I so envy you... I'm scared to let them open and send and receive regular e-mail. I had one user ready to open an account for someone in Nigeria.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, October 11, 2005 8:14 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips.

In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it.

Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.

Darin.

----- Original Message -----
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net.

Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?

Thanks.

Kevin
Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips.

In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it.

Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.

Darin.

----- Original Message -----
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net.

Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?

Thanks.

Kevin
Re: [Declude.Virus] Possible new virus
Another possible variant overnight at 4:30AM ET. Same routing as the new Sober variant from yesterday, but different attachment: screen_photo.zip

Darin.

----- Original Message -----
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [Declude.Virus] Possible new virus
My first hit was right around that time as well. That's a quick catch by FProt.

Darin.

----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:46 PM
Subject: Re: [Declude.Virus] Possible new virus

A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
[Declude.Virus] Possible new virus
We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [Declude.Virus] Virus directory
Are they viruses, or are they vulnerabilities and banned files?

Best method is to set up notifications to the intended recipient for banned files with a link for them to requeue the message if it was legit, and have a scheduled script to clear out files older than X days.

This has been discussed previously in the archives.

Darin.

----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 04, 2005 1:33 PM
Subject: [Declude.Virus] Virus directory

Declude puts all e-mails with viruses into a separate directory.

I find I always have to go there and delete files.

Is there a way to set the system to just delete those e-mails rather than move them into a separate directory?

Thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Info Wind
> Sent: Friday, September 30, 2005 8:29 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Version 3.0.5.5
>
> same to me, there seems to be problems when not uninstalling.
> I had the same issue.
> Thanks John for the proper procedure, that helped me.
>
> Bye,
> Uwe
>
> ----- Original Message -----
> From: Harry Vanderzand
> To: Declude.Virus@declude.com
> Sent: Friday, September 30, 2005 1:50 PM
> Subject: RE: [Declude.Virus] Version 3.0.5.5
>
> that is what I thought, but I had to go into add remove programs and remove
> the service before I could use the install procedure. If I had the
> decludeproc.exe file then I could likely have "copied the new file"
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 11 Belmont Ave. W., Kitchener, ON, N2M 1L2
> 519-741-1222
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Thursday, September 29, 2005 6:09 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Version 3.0.5.5
>
> The proper procedure is:
> Stop Imail SMTP
> Stop Imail Queue Manager
> Make sure spool\proc and spool\proc\work are empty of files. If not, wait
> until they are processed.
> Stop Decludeproc
> Copy in the new file
> Start Decludeproc
> Start Imail SMTP
> Start Imail Queue Manager
>
> John T
> eServices For You
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> Sent: Thursday, September 29, 2005 2:07 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Version 3.0.5.5
>
> You need to stop SMTP and queuemanager. It probably got started back up. By
> the stub program.
>
> Kevin Bilbee
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Harry Vanderzand
> Sent: Thursday, September 29, 2005 1:59 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Version 3.0.5.5
>
> I downloaded this update
>
> stopped decludeproc
>
> ran the update
>
> got message: Another version is already running, cannot update
>
> what's up with that?
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 11 Belmont Ave. W., Kitchener, ON, N2M 1L2
> 519-741-1222
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
> Sent: Thursday, September 29, 2005 2:53 PM
> To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
> Subject: [Declude.Virus] Version 3.0.5.5
>
> Declude Version 3.0.5.5 is available on the website for download.
> There are two changes from version 3.0.5.3
>
> Fix for special character scanning causing abnormal termination. Special
> thanks to John Tolmachoff for identifying and helping us fix this nasty.
> For SmarterMail only. Correctly handle parsing the XML file for the email
> installation path.
>
> SY, Bill Billman
> Declude
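The requeue-on-request and scheduled clean-up approach described in the replies above, as an added Python sketch (not a script from the list archives or from Declude). Assumed here: held messages are stored as `Q<id>.SMD` / `D<id>.SMD` pairs, the id is a hex string like the one in the log excerpt on this page, and all directories are temporary placeholders.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Assumption: message ids are hex strings like the one in the log excerpt on
# this page, and each held message is a Q<id>.SMD / D<id>.SMD pair.
MSG_ID = re.compile(r"[0-9A-Fa-f]{8,32}")
RETENTION_DAYS = 7  # the thread mentions held mail being deleted after 7 days


def requeue(quarantine, spool, msg_id):
    """Move one held message back to the spool; True if both files moved."""
    # The id arrives from a link in a notification, so treat it as untrusted:
    # anything but plain hex (path separators, "..", wildcards) is refused.
    if not MSG_ID.fullmatch(msg_id):
        raise ValueError("invalid message id")
    q_file = Path(quarantine) / f"Q{msg_id}.SMD"
    d_file = Path(quarantine) / f"D{msg_id}.SMD"
    if not (q_file.is_file() and d_file.is_file()):
        return False  # never requeue half a message
    # Design choice in this sketch: move the D file first, so a queue run
    # never picks up a Q file whose D file has not arrived yet.
    shutil.move(str(d_file), str(Path(spool) / d_file.name))
    shutil.move(str(q_file), str(Path(spool) / q_file.name))
    return True


def purge_older_than(quarantine, days=RETENTION_DAYS, now=None):
    """Delete held files whose modification time is older than `days` days."""
    cutoff = (time.time() if now is None else now) - days * 86400
    removed = []
    for path in sorted(Path(quarantine).iterdir()):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path.name)
    return removed


def demo():
    """Constructed walk-through in temporary directories; no real mail is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        quarantine, spool = Path(tmp, "held"), Path(tmp, "spool")
        quarantine.mkdir()
        spool.mkdir()
        now = time.time()
        # Two constructed messages: one held for 1 day, one for 9 days.
        for msg_id, age_days in (("86937B8E01F27E50", 1), ("0123456789ABCDEF", 9)):
            for prefix in "QD":
                held = quarantine / f"{prefix}{msg_id}.SMD"
                held.write_bytes(b"constructed placeholder")
                stamp = now - age_days * 86400
                os.utime(held, (stamp, stamp))
        result = {"requeued": requeue(quarantine, spool, "86937B8E01F27E50")}
        result["spool"] = sorted(p.name for p in spool.iterdir())
        result["missing"] = requeue(quarantine, spool, "FFFFFFFFFFFFFFFF")
        try:
            requeue(quarantine, spool, "..\\..\\spool\\x")
            result["traversal"] = "accepted"
        except ValueError:
            result["traversal"] = "rejected"
        result["purged"] = purge_older_than(quarantine, now=now)
        result["left"] = sorted(p.name for p in quarantine.iterdir())
        return result


if __name__ == "__main__":
    print(demo())
```

Requeueing makes sense only for the banned-file folder the first reply distinguishes; mail held because a scanner identified a virus should not be reachable through the same link.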
[Declude.Virus] Anyone have any outstanding issues with the 3.0.5 release?
I see 3.0.5 was released today. Anyone know if this fixes the reported performance and stability issues reported here with the 3.0.x betas? Darin.
Re: [Declude.Virus] New Variant of Bagle?
These have been sufficient for us in the past to handle any new Bagle, MyTob, and JS/IllWill variants until updated defs caught them, though the list is over a year old now, so there may be some new filenames to add to the list.

BANNAME info-text.zip
BANNAME 1.zip
BANNAME 5.zip
BANNAME 6.zip
BANNAME 7.zip
BANNAME 8.zip
BANNAME be_not_jealous.zip
BANNAME price_new_16_04_05.zip
BANNAME work.zip
BANNAME 08_price.zip
BANNAME new__price.zip
BANNAME new_price.zip
BANNAME newprice.zip
BANNAME price.zip
BANNAME price_08.zip
BANNAME price__new.zip
BANNAME price_new.zip
BANNAME price2.zip

Darin.

- Original Message -
From: "Mario Antonio" <[EMAIL PROTECTED]>
To:
Sent: Monday, September 19, 2005 10:28 AM
Subject: Re: [Declude.Virus] New Variant of Bagle?

Darin,

Thanks, I am running the latest def of F-prot, and banning those filenames. I will ban zip extensions if the thing gets nasty.

Mario Antonio

- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Monday, September 19, 2005 10:11 AM
Subject: Re: [Declude.Virus] New Variant of Bagle?

> There may be a new variant of Bagle. There was a new one just last week.
>
> You should make sure your FProt defs are up to date. If it is a new variant, you may want to block these files in your virus.cfg at least until the defs have been updated to catch it.
>
> Darin.
>
> - Original Message -
> From: "Mario Antonio" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, September 19, 2005 10:01 AM
> Subject: [Declude.Virus] New Variant of Bagle?
>
> I see that Declude/F-PROT is not catching these viruses:
>
> price.zip, new_price.zip, newprice.zip, price_09.zip, price2.zip, new__price.zip
>
> I guess it could be a new variant of W32/[EMAIL PROTECTED] that was released in August last year.
>
> Or am I missing something?
>
> Mario Antonio
>
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
Re: [Declude.Virus] New Variant of Bagle?
There may be a new variant of Bagle. There was a new one just last week.

You should make sure your FProt defs are up to date. If it is a new variant, you may want to block these files in your virus.cfg at least until the defs have been updated to catch it.

Darin.

- Original Message -
From: "Mario Antonio" <[EMAIL PROTECTED]>
To:
Sent: Monday, September 19, 2005 10:01 AM
Subject: [Declude.Virus] New Variant of Bagle?

I see that Declude/F-PROT is not catching these viruses:

price.zip, new_price.zip, newprice.zip, price_09.zip, price2.zip, new__price.zip

I guess it could be a new variant of W32/[EMAIL PROTECTED] that was released in August last year.

Or am I missing something?

Mario Antonio

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
Re: [Declude.Virus] blocking eml and msg attachments
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Wednesday, September 14, 2005 11:01 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] blocking eml and msg attachemtns

With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachemtns

What are others' thoughts on blocking eml and msg attachments?

If there is an eml or msg attachment that has an executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments?

John T
eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
Just loaded it (1.5.1 beta). Seems to be almost identical to OE for the way I use it...except slower. Speed is one of the reasons I use OE instead of Outlook. :( Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 3:07 PM Subject: Re: [Declude.Virus] blocking eml and msg attachments Thunderbird just simply works. My only complaint is that the spell checker sucks and has serious problems if you are off by more than one letter. For the type of work that we do, it is definitely a better application. The E-mail is stored in plain text files so you can search it that way, and there's none of that magic stuff that hides important things from you the way that Outlook does. And of course hardly any known vulnerabilities for auto-execution.MattDarin Cox wrote: Plain text would be my preference as well, to see headers and message at once. Hmmm...may have to try Thunderbird again. It seemed to be missing some features I liked in OE the last time I tried it. I would use Outlook, but it still experiences too many failures in communicating with the TCP/IP stack, and is too slow and bloated for my taste...and preview doesn't seem to work as well as OE. If MS would combine the best features of OE and Outlook, they'd have a better mail client. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 2:46 PM Subject: Re: [Declude.Virus] blocking eml and msg attachments Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text.It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not is is better to see the plain text source or the rendered message. 
I guess I am used to seeing the plain text and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape).MattDarin Cox wrote: Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported. Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Wednesday, September 14, 2005 2:27 PM Subject: RE: [Declude.Virus] blocking eml and msg attachments My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg as there was a virus reported to be using that. Sniffer responds to false positives and in doing so, renames the request to 1.msg as an attachment to the response. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox Sent: Wednesday, September 14, 2005 11:01 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] blocking eml and msg attachemtns With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users. Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Wednesday, September 14, 2005 1:32 PM Subject: [Declude.Virus] blocking eml and msg attachemtns What are others thoughts on blocking eml and msg attachments? If there is an eml or msg attachment which that has a executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments? 
John T
eServices For You
Re: [Declude.Virus] blocking eml and msg attachments
Plain text would be my preference as well, to see headers and message at once. Hmmm...may have to try Thunderbird again. It seemed to be missing some features I liked in OE the last time I tried it. I would use Outlook, but it still experiences too many failures in communicating with the TCP/IP stack, and is too slow and bloated for my taste...and preview doesn't seem to work as well as OE. If MS would combine the best features of OE and Outlook, they'd have a better mail client. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, September 14, 2005 2:46 PM Subject: Re: [Declude.Virus] blocking eml and msg attachments Hmm, works fine in Thunderbird/Netscape, or at least I can see it as plain text.It seems from Pete's MIME headers that he intended for the message to just simply be attached and viewable as the original message. If he changed the extension to .eml that should work. I'm not sure whether or not is is better to see the plain text source or the rendered message. I guess I am used to seeing the plain text and it is easier for me to figure out what the rule matched that way without a Ctrl+U to view the source (shortcut in Thunderbird/Netscape).MattDarin Cox wrote: Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported. Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Wednesday, September 14, 2005 2:27 PM Subject: RE: [Declude.Virus] blocking eml and msg attachments My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg as there was a virus reported to be using that. Sniffer responds to false positives and in doing so, renames the request to 1.msg as an attachment to the response. 
John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox Sent: Wednesday, September 14, 2005 11:01 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] blocking eml and msg attachemtns With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users. Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Wednesday, September 14, 2005 1:32 PM Subject: [Declude.Virus] blocking eml and msg attachemtns What are others thoughts on blocking eml and msg attachments? If there is an eml or msg attachment which that has a executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments? John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] blocking eml and msg attachments
Yep... banning 1.msg wouldn't be a good idea unless we can get Pete to change the name of his attachments. I myself would prefer them not to be named .msg (.txt would be _great_) as I can't open them directly in OE that way. I have to save them to disk in order to see which false positive I reported. Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Wednesday, September 14, 2005 2:27 PM Subject: RE: [Declude.Virus] blocking eml and msg attachments My bad. I was not banning eml and msg. I realized that as I was getting AOL feedbacks. What I was banning was 1.msg as there was a virus reported to be using that. Sniffer responds to false positives and in doing so, renames the request to 1.msg as an attachment to the response. John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Darin Cox > Sent: Wednesday, September 14, 2005 11:01 AM > To: Declude.Virus@declude.com > Subject: Re: [Declude.Virus] blocking eml and msg attachemtns > > With Declude 1.82, we haven't had any trouble with decoding and blocking > viruses or banned attachments in attached .eml or .msg files. We wouldn't > block them separately because of all of forwarded messages sent as > attachments, both by us, AOL feedback loops, and by our users. > > Darin. > > > - Original Message - > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, September 14, 2005 1:32 PM > Subject: [Declude.Virus] blocking eml and msg attachemtns > > > What are others thoughts on blocking eml and msg attachments? > > If there is an eml or msg attachment which that has a executable or virus > attachment, will Declude properly decode it and will it be scanned for > viruses and banned attachments? > > John T > eServices For You > > > --- > This E-mail came from the Declude.Virus mailing list. 
Re: [Declude.Virus] blocking eml and msg attachemtns
With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files. We wouldn't block them separately because of all of the forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachemtns

What are others' thoughts on blocking eml and msg attachments?

If there is an eml or msg attachment that has an executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments?

John T
eServices For You
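Added example (not part of any list message and not Declude's code): a Python check that loads the BANNAME lines posted in the Bagle thread and applies them to every attachment name in a message, including names inside forwarded .eml attachments as asked about in the thread above. Exact, case-insensitive name matching, the depth limit and the sample message are assumptions constructed here; Outlook .msg files are a binary format and are not unpacked.

```python
import email
from email import policy
from email.message import EmailMessage

# BANNAME lines as posted in the "New Variant of Bagle?" thread.
VIRUS_CFG = """\
BANNAME info-text.zip
BANNAME 1.zip
BANNAME 5.zip
BANNAME 6.zip
BANNAME 7.zip
BANNAME 8.zip
BANNAME be_not_jealous.zip
BANNAME price_new_16_04_05.zip
BANNAME work.zip
BANNAME 08_price.zip
BANNAME new__price.zip
BANNAME new_price.zip
BANNAME newprice.zip
BANNAME price.zip
BANNAME price_08.zip
BANNAME price__new.zip
BANNAME price_new.zip
BANNAME price2.zip
"""

# File names the original poster reported as not being caught.
REPORTED = ["price.zip", "new_price.zip", "newprice.zip",
            "price_09.zip", "price2.zip", "new__price.zip"]

MAX_DEPTH = 5  # assumption: stop re-parsing after five nested .eml levels


def load_bannames(cfg_text):
    """Return the lower-cased file names from BANNAME lines."""
    names = set()
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            names.add(parts[1].strip().lower())
    return names


def uncovered(reported, banned):
    """Names from a report that no BANNAME line matches (assumed exact match)."""
    return sorted(n for n in reported if n.lower() not in banned)


def attachment_names(msg, depth=0):
    """List every attachment file name, descending into attached messages.

    walk() already enters message/rfc822 parts; an .eml sent as a plain
    binary attachment has to be decoded and parsed again.
    """
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        found.append(name)
        opaque_eml = (name.lower().endswith(".eml")
                      and part.get_content_type() != "message/rfc822")
        if opaque_eml and depth < MAX_DEPTH:
            raw = part.get_payload(decode=True) or b""
            inner = email.message_from_bytes(raw, policy=policy.default)
            found.extend(attachment_names(inner, depth + 1))
    return found


def check_message(msg, banned):
    """Split attachment names into (banned hits, names not on the list)."""
    names = attachment_names(msg)
    hits = [n for n in names if n.lower() in banned]
    rest = [n for n in names if n.lower() not in banned]
    return hits, rest


def build_sample():
    """Constructed message: two forwarded mails, each carrying one zip."""
    def carrier(zip_name):
        m = EmailMessage()
        m["Subject"] = "constructed sample"
        m.set_content("see attached")
        m.add_attachment(b"constructed placeholder bytes",
                         maintype="application", subtype="zip",
                         filename=zip_name)
        return m

    outer = EmailMessage()
    outer["Subject"] = "Fwd: constructed sample"
    outer.set_content("forwarded as attachment")
    # Forwarded as a real message/rfc822 part.
    outer.add_attachment(carrier("price.zip"), filename="forwarded.eml")
    # Forwarded as an opaque binary file that happens to be named .eml.
    outer.add_attachment(carrier("price_09.zip").as_bytes(),
                         maintype="application", subtype="octet-stream",
                         filename="report.eml")
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    banned = load_bannames(VIRUS_CFG)
    print("reported but not listed:", uncovered(REPORTED, banned))
    print("sample message:", check_message(build_sample(), banned))
```

Of the six file names in the original report, only price_09.zip has no matching BANNAME line in the posted list.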
Re: [Declude.Virus] Sudden Internet Slowdown
LOL - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 3:39 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown NO NO NO NO Then all of our clients will be asking us how come we have not done the work yesterday that they asked us to do tomorrow. John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Darin Cox > Sent: Friday, September 09, 2005 11:39 AM > To: Declude.Virus@declude.com > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > Hmmm... that gets me thinking... maybe all offices should be located > straddling the international date line. Then if someone wants something > done on a particular day, and you missed it, you could just walk over to the > other side of the building, finish it, and tell them it's done. > > Darin. > > > - Original Message - > From: "Colbeck, Andrew" <[EMAIL PROTECTED]> > To: > Sent: Friday, September 09, 2005 2:07 PM > Subject: RE: [Declude.Virus] Sudden Internet Slowdown > > > No problem, Darin. > > We'll have Newfoundland reboot it. They're half an hour off of > everybody else. > > Andrew 8) > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox > > Sent: Friday, September 09, 2005 10:55 AM > > To: Declude.Virus@declude.com > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > You mean 4AM ET... We do have some sickos over here that get > > up to go to work then perhaps we could just send them > > over to you to solve this whole problem. If not, perhaps we > > could just insert an hour between 1am PT/4am ET and 1:00:01am > > PT/4:00:01am ET. That would fix it. > > > > Darin. > > > > > > - Original Message - > > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > > To: > > Sent: Friday, September 09, 2005 1:42 PM > > Subject: RE: [Declude.Virus] Sudden Internet Slowdown > > > > > > Nope, we here on the West coast protested loudly. 
We clearly > > stated it could > > not be done before 1 AM. However, 1 AM here is 5 AM in the > > Atlantic time > > zone, and those people stated it must be done before 5 AM. > > Therefore the > > normal reboot of the Internet has been on hold for a long > > time until this > > dispute can be resolved. > > > > John T > > eServices For You > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > > On Behalf Of Darin Cox > > > Sent: Friday, September 09, 2005 10:33 AM > > > To: Declude.Virus@declude.com > > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > I thought it was rebooted every night around 3 am ET... > > > > > > Darin. > > > > > > > > > - Original Message - > > > From: "Scott Fisher" <[EMAIL PROTECTED]> > > > To: > > > Sent: Friday, September 09, 2005 12:01 PM > > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > > > > You can't do an internet reboot on a Friday. You need to > > wait until the > > > weekend. > > > > > > - Original Message - > > > From: "Matt" <[EMAIL PROTECTED]> > > > To: > > > Sent: Friday, September 09, 2005 10:48 AM > > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > > > > > Maybe someone should reboot the Internet. > > > > > > > > Matt > > > > > > > > > > > > > > > > Keith Johnson wrote: > > > > > > > >>I am seeing this as we attempting to get to certain > > websites and they > > > >>can't be displayed. > > > >> > > > >>Keith > > > >> > > > >>-Original Message- > > > >>From: [EMAIL PROTECTED] > > > >>[mailto:[EMAIL PROTECTED] On Behalf Of > > Rodney Bertsch > > > >>Sent: Friday, September 09, 2005 11:30 AM > > > >>To: Declude.Virus@declude.com > > > >>Subject: [Declude.Virus] Sudden Internet Slowdown > > > >> > > > >>Hello all! > > > >> > > > >>This may be off topic, but has anyone else experienced a > > sudden Internet >
Re: [Declude.Virus] Sudden Internet Slowdown
Hmmm... that gets me thinking... maybe all offices should be located straddling the international date line. Then if someone wants something done on a particular day, and you missed it, you could just walk over to the other side of the building, finish it, and tell them it's done. Darin. - Original Message - From: "Colbeck, Andrew" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 2:07 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown No problem, Darin. We'll have Newfoundland reboot it. They're half an hour off of everybody else. Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox > Sent: Friday, September 09, 2005 10:55 AM > To: Declude.Virus@declude.com > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > You mean 4AM ET... We do have some sickos over here that get > up to go to work then perhaps we could just send them > over to you to solve this whole problem. If not, perhaps we > could just insert an hour between 1am PT/4am ET and 1:00:01am > PT/4:00:01am ET. That would fix it. > > Darin. > > > - Original Message - > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > To: > Sent: Friday, September 09, 2005 1:42 PM > Subject: RE: [Declude.Virus] Sudden Internet Slowdown > > > Nope, we here on the West coast protested loudly. We clearly > stated it could > not be done before 1 AM. However, 1 AM here is 5 AM in the > Atlantic time > zone, and those people stated it must be done before 5 AM. > Therefore the > normal reboot of the Internet has been on hold for a long > time until this > dispute can be resolved. > > John T > eServices For You > > > > -Original Message- > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > > On Behalf Of Darin Cox > > Sent: Friday, September 09, 2005 10:33 AM > > To: Declude.Virus@declude.com > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > I thought it was rebooted every night around 3 am ET... > > > > Darin. 
> > > > > > - Original Message - > > From: "Scott Fisher" <[EMAIL PROTECTED]> > > To: > > Sent: Friday, September 09, 2005 12:01 PM > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > You can't do an internet reboot on a Friday. You need to > wait until the > > weekend. > > > > - Original Message - > > From: "Matt" <[EMAIL PROTECTED]> > > To: > > Sent: Friday, September 09, 2005 10:48 AM > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > > Maybe someone should reboot the Internet. > > > > > > Matt > > > > > > > > > > > > Keith Johnson wrote: > > > > > >>I am seeing this as we attempting to get to certain > websites and they > > >>can't be displayed. > > >> > > >>Keith > > >> > > >>-Original Message- > > >>From: [EMAIL PROTECTED] > > >>[mailto:[EMAIL PROTECTED] On Behalf Of > Rodney Bertsch > > >>Sent: Friday, September 09, 2005 11:30 AM > > >>To: Declude.Virus@declude.com > > >>Subject: [Declude.Virus] Sudden Internet Slowdown > > >> > > >>Hello all! > > >> > > >>This may be off topic, but has anyone else experienced a > sudden Internet > > >>slowdown this morning starting about 11:00 EST? We have > locations > > >>across > > >>the country and are experiencing problems in about half > our locations, > > >>most > > >>using SBC DSL for Internet service. Our primary Telnet > app is DOA in > > >>these > > >>locations and e-mail and web surfing is slow everywhere. > > >> > > >>Thanks, > > >> > > >>Rodney Bertsch > > >> > > >>--- > > >>This E-mail came from the Declude.Virus mailing list. To > > >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > >>type "unsubscribe Declude.Virus".The archives can be found > > >>at http://www.mail-archive.com. > > >>--- > > >>This E-mail came from the Declude.Virus mailing list. To > > >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > >>type "unsubscribe Declude.Virus".The archives can be found > > >>at http://www.mail-archive.com. > > >> > > >
Re: [Declude.Virus] Sudden Internet Slowdown
Oh, you said Atlantic, and I was thinking Atlantic Coast/Eastern time. Ok, but I still think we should insert an hour into the clock. I could use an extra hour of sleep . Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 2:09 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Since when is Maine no longer in the Atlantic time zone? How come I did not get the notice? I never get the notices! Has any one informed the president? John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Darin Cox > Sent: Friday, September 09, 2005 10:55 AM > To: Declude.Virus@declude.com > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > You mean 4AM ET... We do have some sickos over here that get up to go to > work then perhaps we could just send them over to you to solve this > whole problem. If not, perhaps we could just insert an hour between 1am > PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it. > > Darin. > > > - Original Message - > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > To: > Sent: Friday, September 09, 2005 1:42 PM > Subject: RE: [Declude.Virus] Sudden Internet Slowdown > > > Nope, we here on the West coast protested loudly. We clearly stated it could > not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time > zone, and those people stated it must be done before 5 AM. Therefore the > normal reboot of the Internet has been on hold for a long time until this > dispute can be resolved. > > John T > eServices For You > > > > -Original Message- > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > > On Behalf Of Darin Cox > > Sent: Friday, September 09, 2005 10:33 AM > > To: Declude.Virus@declude.com > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > I thought it was rebooted every night around 3 am ET... > > > > Darin. 
> > > > > > - Original Message - > > From: "Scott Fisher" <[EMAIL PROTECTED]> > > To: > > Sent: Friday, September 09, 2005 12:01 PM > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > You can't do an internet reboot on a Friday. You need to wait until the > > weekend. > > > > - Original Message - > > From: "Matt" <[EMAIL PROTECTED]> > > To: > > Sent: Friday, September 09, 2005 10:48 AM > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > > > > Maybe someone should reboot the Internet. > > > > > > Matt > > > > > > > > > > > > Keith Johnson wrote: > > > > > >>I am seeing this as we attempting to get to certain websites and they > > >>can't be displayed. > > >> > > >>Keith > > >> > > >>-Original Message- > > >>From: [EMAIL PROTECTED] > > >>[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch > > >>Sent: Friday, September 09, 2005 11:30 AM > > >>To: Declude.Virus@declude.com > > >>Subject: [Declude.Virus] Sudden Internet Slowdown > > >> > > >>Hello all! > > >> > > >>This may be off topic, but has anyone else experienced a sudden Internet > > >>slowdown this morning starting about 11:00 EST? We have locations > > >>across > > >>the country and are experiencing problems in about half our locations, > > >>most > > >>using SBC DSL for Internet service. Our primary Telnet app is DOA in > > >>these > > >>locations and e-mail and web surfing is slow everywhere. > > >> > > >>Thanks, > > >> > > >>Rodney Bertsch > > >> > > >>--- > > >>This E-mail came from the Declude.Virus mailing list. To > > >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > >>type "unsubscribe Declude.Virus".The archives can be found > > >>at http://www.mail-archive.com. > > >>--- > > >>This E-mail came from the Declude.Virus mailing list. To > > >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > >>type "unsubscribe Declude.Virus".The archives can be found > > >>at http://www.mail-archive.com. 
Re: [Declude.Virus] Sudden Internet Slowdown
Oh, right.. *nix is set to reboot at 4am. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 1:45 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown That's just the Windows version :) Matt Darin Cox wrote: I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: "Scott Fisher" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: "Matt" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
You mean 4AM ET... We do have some sickos over here that get up to go to work then perhaps we could just send them over to you to solve this whole problem. If not, perhaps we could just insert an hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it. Darin. - Original Message - From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 1:42 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Nope, we here on the West coast protested loudly. We clearly stated it could not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time zone, and those people stated it must be done before 5 AM. Therefore the normal reboot of the Internet has been on hold for a long time until this dispute can be resolved. John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Darin Cox > Sent: Friday, September 09, 2005 10:33 AM > To: Declude.Virus@declude.com > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > I thought it was rebooted every night around 3 am ET... > > Darin. > > > - Original Message - > From: "Scott Fisher" <[EMAIL PROTECTED]> > To: > Sent: Friday, September 09, 2005 12:01 PM > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > You can't do an internet reboot on a Friday. You need to wait until the > weekend. > > - Original Message - > From: "Matt" <[EMAIL PROTECTED]> > To: > Sent: Friday, September 09, 2005 10:48 AM > Subject: Re: [Declude.Virus] Sudden Internet Slowdown > > > > Maybe someone should reboot the Internet. > > > > Matt > > > > > > > > Keith Johnson wrote: > > > >>I am seeing this as we attempting to get to certain websites and they > >>can't be displayed. 
> >> > >>Keith > >> > >>-Original Message- > >>From: [EMAIL PROTECTED] > >>[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch > >>Sent: Friday, September 09, 2005 11:30 AM > >>To: Declude.Virus@declude.com > >>Subject: [Declude.Virus] Sudden Internet Slowdown > >> > >>Hello all! > >> > >>This may be off topic, but has anyone else experienced a sudden Internet > >>slowdown this morning starting about 11:00 EST? We have locations > >>across > >>the country and are experiencing problems in about half our locations, > >>most > >>using SBC DSL for Internet service. Our primary Telnet app is DOA in > >>these > >>locations and e-mail and web surfing is slow everywhere. > >> > >>Thanks, > >> > >>Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
Oh... so that's what those scuff marks on the cases are... I was wondering... ;^P Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 1:45 PM Subject: RE: [Declude.Virus] Sudden Internet Slowdown Hey Darin, No - that must be your servers only, check if you have your scheduler to do a reboot at 3am every night you may be pleasantly surprised :) David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 1:33 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Sudden Internet Slowdown I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: "Scott Fisher" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: "Matt" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown > Maybe someone should reboot the Internet. > > Matt > > > > Keith Johnson wrote: > >>I am seeing this as we attempting to get to certain websites and they >>can't be displayed. >> >>Keith >> >>-Original Message- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch >>Sent: Friday, September 09, 2005 11:30 AM >>To: Declude.Virus@declude.com >>Subject: [Declude.Virus] Sudden Internet Slowdown >> >>Hello all! >> >>This may be off topic, but has anyone else experienced a sudden Internet >>slowdown this morning starting about 11:00 EST? We have locations >>across >>the country and are experiencing problems in about half our locations, >>most >>using SBC DSL for Internet service. Our primary Telnet app is DOA in >>these >>locations and e-mail and web surfing is slow everywhere. 
>> >>Thanks, >> >>Rodney Bertsch
Re: [Declude.Virus] Sudden Internet Slowdown
I thought it was rebooted every night around 3 am ET... Darin. - Original Message - From: "Scott Fisher" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 12:01 PM Subject: Re: [Declude.Virus] Sudden Internet Slowdown You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: "Matt" <[EMAIL PROTECTED]> To: Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown > Maybe someone should reboot the Internet. > > Matt > > > > Keith Johnson wrote: > >>I am seeing this as we attempting to get to certain websites and they >>can't be displayed. >> >>Keith >> >>-Original Message- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch >>Sent: Friday, September 09, 2005 11:30 AM >>To: Declude.Virus@declude.com >>Subject: [Declude.Virus] Sudden Internet Slowdown >> >>Hello all! >> >>This may be off topic, but has anyone else experienced a sudden Internet >>slowdown this morning starting about 11:00 EST? We have locations >>across >>the country and are experiencing problems in about half our locations, >>most >>using SBC DSL for Internet service. Our primary Telnet app is DOA in >>these >>locations and e-mail and web surfing is slow everywhere. >> >>Thanks, >> >>Rodney Bertsch
Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability
Yep. I've had that confirmed by Barry in the past. Though if you renew 6 months later, they back date your renewal so you only get 6 months of additional coverage. Darin. - Original Message - From: "Dan Geiser" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 29, 2005 11:57 AM Subject: Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability Hi, All, OK, then. Well since it may be some time before I hear anything from Declude perhaps someone on here can help answer my question. We are currently running... Declude 1.82 Declude JunkMail Status: PRO version registered. Declude Virus Status:Standard Version Registered. Our Service Agreement expired on June 15th. Since our Service Agreement ended on June 15th I assume this means we can legally upgrade to any version which was released before that date? During the conversations I had with Scott in the past that was the case but I just wanted to make sure before I upgraded to 2.0.6. TIA, Dan - Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 29, 2005 10:02 AM Subject: Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability > Yep... I find that typically only a few questions or comments on the list > get formal response by Declude nowadays, so email to their support address > is the only way to get a response. There's just not the same level of > service or customer attention. > > Darin. > > > - Original Message - > From: "Dan Geiser" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, June 29, 2005 9:28 AM > Subject: Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability > > > Thanks for the info, Darrell. I'm sure that'll be enough to get me > pointed > in the right direction. > > I had another quick question for anyone willing to answer. Typically I > get > most of my questions answered through these Declude discussion lists. 
> Yesterday afternoon I submitted a request to [EMAIL PROTECTED] regarding > this issue (and a few tertiary issues) and I have yet to get any sort of > response whatsoever. I checked their web site and they said that e-mail > is > the best way to get support. Is this typical of Declude's support to be > unresponsive like this? > > TIA, > Dan > > - Original Message - > From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]> > To: > Sent: Tuesday, June 28, 2005 5:35 PM > Subject: Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability > > >> Dan, >> I have been running 2.0.6 with no "major" issues that plague me on a >> daily >> basis. The only issue I have encountered is when the server is under >> high >> load and Declude spawns processes until the server starts generating >> errors. Since I upgraded the server it doesnt happen very often. >> For the install you can grab the package from "your account" on the >> declude site. The manual install was pretty easy - just install and >> select manual along with a directory. The upgrade for 2.0.6.16 the last >> beta is just an exe download. >> Hope this helps, >> Darrell >> >> Check out http://www.invariantsystems.com for utilities for Declude And >> Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, >> MRTG Integration, and Log Parsers. >> >> >> Dan Geiser writes: >>> Hi, Again, >>> I was able to find the "ALLOWVULNERABILITIESFROM" in the Declude Release >>> Notes, http://www.declude.com/Articles.asp?ID=122. It looks like this >>> feature was added in Declude 2.0. But it appears the current version of >>> Declude 2.0.6. Since we are running 1.82 I assume that I'll have to >>> upgrade to 2.0 at least. Is 2.0.6 a safe version to upgrade to in light >>> of the issues people have added with bugs and the like? If so, is there >>> a special place where I can go to get instructions on doing a Manual >>> Upgrade to 2.0.6? 
Thanks In Advance, >>> Dan Geiser >>> [EMAIL PROTECTED] - Original Message - From: "Dan >>> Geiser" <[EMAIL PROTECTED]> >>> To: >>> Sent: Tuesday, June 28, 2005 3:52 PM >>> Subject: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability >>>> Hello, All, >>>> We are running... Declude 1.82 >>>> Declude JunkMail Status: PRO version registered. >>>> Declude Virus Status:Standard Version Regis
Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability
Yep... I find that typically only a few questions or comments on the list get formal response by Declude nowadays, so email to their support address is the only way to get a response. There's just not the same level of service or customer attention. Darin. - Original Message - From: "Dan Geiser" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 29, 2005 9:28 AM Subject: Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability Thanks for the info, Darrell. I'm sure that'll be enough to get me pointed in the right direction. I had another quick question for anyone willing to answer. Typically I get most of my questions answered through these Declude discussion lists. Yesterday afternoon I submitted a request to [EMAIL PROTECTED] regarding this issue (and a few tertiary issues) and I have yet to get any sort of response whatsoever. I checked their web site and they said that e-mail is the best way to get support. Is this typical of Declude's support to be unresponsive like this? TIA, Dan - Original Message - From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]> To: Sent: Tuesday, June 28, 2005 5:35 PM Subject: Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability > Dan, > I have been running 2.0.6 with no "major" issues that plague me on a daily > basis. The only issue I have encountered is when the server is under high > load and Declude spawns processes until the server starts generating > errors. Since I upgraded the server it doesnt happen very often. > For the install you can grab the package from "your account" on the > declude site. The manual install was pretty easy - just install and > select manual along with a directory. The upgrade for 2.0.6.16 the last > beta is just an exe download. > Hope this helps, > Darrell > > Check out http://www.invariantsystems.com for utilities for Declude And > Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, > MRTG Integration, and Log Parsers. 
> > > Dan Geiser writes: >> Hi, Again, >> I was able to find the "ALLOWVULNERABILITIESFROM" in the Declude Release >> Notes, http://www.declude.com/Articles.asp?ID=122. It looks like this >> feature was added in Declude 2.0. But it appears the current version of >> Declude 2.0.6. Since we are running 1.82 I assume that I'll have to >> upgrade to 2.0 at least. Is 2.0.6 a safe version to upgrade to in light >> of the issues people have added with bugs and the like? If so, is there >> a special place where I can go to get instructions on doing a Manual >> Upgrade to 2.0.6? Thanks In Advance, >> Dan Geiser >> [EMAIL PROTECTED] - Original Message - From: "Dan >> Geiser" <[EMAIL PROTECTED]> >> To: >> Sent: Tuesday, June 28, 2005 3:52 PM >> Subject: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability >>> Hello, All, >>> We are running... Declude 1.82 >>> Declude JunkMail Status: PRO version registered. >>> Declude Virus Status:Standard Version Registered. We >>> have a customer who has an important e-mail which is being blocked by >>> our >>> virus protection with the "Outlook 'Boundary Space Gap' Vulnerability". >>> Is there anyway that I can turn off checking for the "Outlook 'Boundary >>> Space Gap' Vulnerability" on either a specific incoming e-mail address >>> or a >>> specific incoming e-mail domain? Thanks In Advance, >>> Dan Geiser >>> [EMAIL PROTECTED]
[Declude.Virus] FYI - new virus as yet unidentified
Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE. Darin.
Re: [Declude.Virus] [sniffer] New Spam/Virus?
Similar pattern to Markus' here, except that ours fell off to nothing slipping through from mid-March to mid-May. Previous pattern of receiving two or three a week resumed mid-May, but has gotten better over the past couple of weeks thanks to Sniffer. Darin. - Original Message - From: Markus Gufler To: Declude.Virus@declude.com Sent: Tuesday, June 07, 2005 3:02 AM Subject: RE: [Declude.Virus] [sniffer] New Spam/Virus? In the last hours? Not here. I can see an increased number of spams passing the filter in the last two weeks. From 01/01/05 up to the mid of May I've received less than 30 spam messages to my own inbox (by catching >300 each day) but from mid of May up to now I've received around 20 spam messages. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, June 06, 2005 11:29 PM To: sniffer@SortMonster.com Cc: Declude.Virus@declude.com Subject: Re: [Declude.Virus] [sniffer] New Spam/Virus? Yes I have seen them too: email starts with: [removed] - Original Message - From: Jim Matuska To: sniffer@SortMonster.com Sent: Monday, June 06, 2005 4:13 PM Subject: [sniffer] New Spam/Virus? Is anyone else seeing a huge rash of spam/virus messages in the last hour or so? I have multiple users that are getting messages that are forging our own addresses and have a link that appears to go to our website but instead goes elsewhere with an IP address link. These do not appear to be infecting as file attachments but from the web link itself. Pete, I have forwarded a few to your spam@ address, let me know what you think. Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]
Re: [Declude.Virus] Newbie question
Great... Could the Declude staff have this added to the manual? Darin. - Original Message - From: "Guhl, Markus (LDS)" <[EMAIL PROTECTED]> To: Sent: Monday, June 06, 2005 4:28 AM Subject: AW: [Declude.Virus] Newbie question hi darin, we use AVAFTERJM ON with Declude 2.0.6.14 and it works like we need it. mfg i.a. gez. markus guhl *** lds nrw ref. 241 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] *** -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Darin Cox Gesendet: Sonntag, 5. Juni 2005 23:02 An: Declude.Virus@declude.com Betreff: Re: [Declude.Virus] Newbie question I don't know if it still exists since it is not in the current manual, but there was an option in previous versions of AV called AVAFTERJM that allowed JunkMail to run first. Otherwise you are correct that AV would run first. Darin. - Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> To: Sent: Sunday, June 05, 2005 3:17 PM Subject: Re: [Declude.Virus] Newbie question Thanks for the quick response. Yes, I have the Pro versions for both AV and Junkmail. Darin Cox wrote: >Do you have the Pro version of Declude Junkmail? You have to have pro to >use filters and outbound scanning. The fromfile filter I mentioned will >work in the standard version, though. > >Darin. > > >- Original Message - >From: "Kevin Rogers" <[EMAIL PROTECTED]> >To: >Sent: Sunday, June 05, 2005 2:56 PM >Subject: Re: [Declude.Virus] Newbie question > > >I changed it to HEADERS and still I am receiving emails from these >addresses (got 4 of them personally yesterday). My virus scanner is now >updated every four hours, so F-Prot caught these viruses, but I still am >receiving the virus notifications. Perhaps the scanning takes place >(and the notifications are sent out) before my filter is called? > >This is what my filter file contains: >HEADERS0CONTAINS[EMAIL PROTECTED] >HEADERS0CONTAINS[EMAIL PROTECTED] >etc. 
> >This is what I have in my global.cfg >MYFILTERfilterC:\Imail\Declude\Filter.txtx200 > >This is in my $default$.junkmail file >WEIGHT20HOLD > >What am I missing? > >Thanks. > > >Scott Fisher wrote: > > > >>The MAILFROM filter test is seperate from anything in the headers. It >>is the envelope sender. >> >>If you want to test on the header from (I call it display from because >>that's what Outlook displays), you need to check the HEADERS. >> >> >>- Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> >>To: >>Sent: Friday, June 03, 2005 3:26 AM >>Subject: Re: [Declude.Virus] Newbie question >> >> >> >> >>>Great. Exactly what I needed. >>>I was also confused about the MAILFROM. Does MAILFROM mean what is >>>displayed as the FROM: in the headers or what it says in the "X-Note: >>>This E-mail was sent from 206-72-95-86.wi.skypipeline.com >>>([206.72.95.86])" or in the X-Declude-Sender field? >>> >>>Maybe I should just use the HEADERS 0 CONTAINS instead. >>> >>>Thanks again. >>> >>> >>> >>>Scott Fisher wrote: >>> >>> >>> >>>>One caveat. The MAILFROM uses the envelope mailfrom, which is >>>>different than the ones displayed in the headers. >>>>If the below doesn't stop it, add >>>>HEADERS 0 CONTAINS [EMAIL PROTECTED] >>>>HEADERS 0 CONTAINS [EMAIL PROTECTED] >>>> >>>>- Original Message - From: "Kevin Rogers" >>>><[EMAIL PROTECTED]> >>>>To: >>>>Sent: Thursday, June 02, 2005 10:37 PM >>>>Subject: Re: [Declude.Virus] Newbie question >>>> >>>> >>>> >>>> >>>>>I looked up the filter section at the manual. This is what I did. >>>>> >>>>>I made a file called filter.txt. This contains: >>>>>MAILFROM0CONTAINS[EMAIL PROTECTED] >>>>>MAILFROM 0CONTAINS[EMAIL PROTECTED] >>>>>etc. >>>>> >>>>>I then added this line in global.cfg: >>>>>MYFILTERfilterC:\Imail\Declude\filter.txtx200 >>>>> >>>>>In my $default$.junkmail file there was already this line: >>>>>WEIGHT20HOLD >>>>> >>>>>Do I need to do anything else to the junkmail
Re: [Declude.Virus] Newbie question
I don't know if it still exists since it is not in the current manual, but there was an option in previous versions of AV called AVAFTERJM that allowed JunkMail to run first. Otherwise you are correct that AV would run first. Darin. - Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> To: Sent: Sunday, June 05, 2005 3:17 PM Subject: Re: [Declude.Virus] Newbie question Thanks for the quick response. Yes, I have the Pro versions for both AV and Junkmail. Darin Cox wrote: >Do you have the Pro version of Declude Junkmail? You have to have pro to >use filters and outbound scanning. The fromfile filter I mentioned will >work in the standard version, though. > >Darin. > > >- Original Message - >From: "Kevin Rogers" <[EMAIL PROTECTED]> >To: >Sent: Sunday, June 05, 2005 2:56 PM >Subject: Re: [Declude.Virus] Newbie question > > >I changed it to HEADERS and still I am receiving emails from these >addresses (got 4 of them personally yesterday). My virus scanner is now >updated every four hours, so F-Prot caught these viruses, but I still am >receiving the virus notifications. Perhaps the scanning takes place >(and the notifications are sent out) before my filter is called? > >This is what my filter file contains: >HEADERS0CONTAINS[EMAIL PROTECTED] >HEADERS0CONTAINS[EMAIL PROTECTED] >etc. > >This is what I have in my global.cfg >MYFILTERfilterC:\Imail\Declude\Filter.txtx200 > >This is in my $default$.junkmail file >WEIGHT20HOLD > >What am I missing? > >Thanks. > > >Scott Fisher wrote: > > > >>The MAILFROM filter test is seperate from anything in the headers. It >>is the envelope sender. >> >>If you want to test on the header from (I call it display from because >>that's what Outlook displays), you need to check the HEADERS. >> >> >>- Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> >>To: >>Sent: Friday, June 03, 2005 3:26 AM >>Subject: Re: [Declude.Virus] Newbie question >> >> >> >> >>>Great. Exactly what I needed. >>>I was also confused about the MAILFROM. 
Does MAILFROM mean what is >>>displayed as the FROM: in the headers or what it says in the "X-Note: >>>This E-mail was sent from 206-72-95-86.wi.skypipeline.com >>>([206.72.95.86])" or in the X-Declude-Sender field? >>> >>>Maybe I should just use the HEADERS 0 CONTAINS instead. >>> >>>Thanks again. >>> >>> >>> >>>Scott Fisher wrote: >>> >>> >>> >>>>One caveat. The MAILFROM uses the envelope mailfrom, which is >>>>different than the ones displayed in the headers. >>>>If the below doesn't stop it, add >>>>HEADERS 0 CONTAINS [EMAIL PROTECTED] >>>>HEADERS 0 CONTAINS [EMAIL PROTECTED] >>>> >>>>- Original Message - From: "Kevin Rogers" >>>><[EMAIL PROTECTED]> >>>>To: >>>>Sent: Thursday, June 02, 2005 10:37 PM >>>>Subject: Re: [Declude.Virus] Newbie question >>>> >>>> >>>> >>>> >>>>>I looked up the filter section at the manual. This is what I did. >>>>> >>>>>I made a file called filter.txt. This contains: >>>>>MAILFROM0CONTAINS[EMAIL PROTECTED] >>>>>MAILFROM 0CONTAINS[EMAIL PROTECTED] >>>>>etc. >>>>> >>>>>I then added this line in global.cfg: >>>>>MYFILTERfilterC:\Imail\Declude\filter.txtx200 >>>>> >>>>>In my $default$.junkmail file there was already this line: >>>>>WEIGHT20HOLD >>>>> >>>>>Do I need to do anything else to the junkmail file to reference >>>>>MYFILTER or does the WEIGHT20 take care of everything? >>>>> >>>>>Thanks. >>>>> >>>>>Kevin >>>>> >>>>> >>>>> >>>>>Darin Cox wrote: >>>>> >>>>> >>>>> >>>>>>Nope... add a "filter" test and put those lines in it. The same >>>>>>thing I >>>>>>mentioned without pro applies here for adding test names to the >>>>>>global.cfg >>>>>>and $default$.junkmail. >>>>>> >>>>>>The manual at http://declude.com/junkmail/manual
Re: [Declude.Virus] Newbie question
Do you have the Pro version of Declude Junkmail? You have to have pro to use filters and outbound scanning. The fromfile filter I mentioned will work in the standard version, though. Darin. - Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> To: Sent: Sunday, June 05, 2005 2:56 PM Subject: Re: [Declude.Virus] Newbie question I changed it to HEADERS and still I am receiving emails from these addresses (got 4 of them personally yesterday). My virus scanner is now updated every four hours, so F-Prot caught these viruses, but I still am receiving the virus notifications. Perhaps the scanning takes place (and the notifications are sent out) before my filter is called? This is what my filter file contains: HEADERS 0 CONTAINS [EMAIL PROTECTED] HEADERS 0 CONTAINS [EMAIL PROTECTED] etc. This is what I have in my global.cfg MYFILTER filter C:\Imail\Declude\Filter.txt x 20 0 This is in my $default$.junkmail file WEIGHT20 HOLD What am I missing? Thanks. Scott Fisher wrote: > The MAILFROM filter test is separate from anything in the headers. It > is the envelope sender. > > If you want to test on the header from (I call it display from because > that's what Outlook displays), you need to check the HEADERS. > > > - Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> > To: > Sent: Friday, June 03, 2005 3:26 AM > Subject: Re: [Declude.Virus] Newbie question > > >> Great. Exactly what I needed. >> I was also confused about the MAILFROM. Does MAILFROM mean what is >> displayed as the FROM: in the headers or what it says in the "X-Note: >> This E-mail was sent from 206-72-95-86.wi.skypipeline.com >> ([206.72.95.86])" or in the X-Declude-Sender field? >> >> Maybe I should just use the HEADERS 0 CONTAINS instead. >> >> Thanks again. >> >> >> >> Scott Fisher wrote: >> >>> One caveat. The MAILFROM uses the envelope mailfrom, which is >>> different than the ones displayed in the headers. 
>>> If the below doesn't stop it, add >>> HEADERS 0 CONTAINS [EMAIL PROTECTED] >>> HEADERS 0 CONTAINS [EMAIL PROTECTED] >>> >>> - Original Message - From: "Kevin Rogers" >>> <[EMAIL PROTECTED]> >>> To: >>> Sent: Thursday, June 02, 2005 10:37 PM >>> Subject: Re: [Declude.Virus] Newbie question >>> >>> >>>> I looked up the filter section at the manual. This is what I did. >>>> >>>> I made a file called filter.txt. This contains: >>>> MAILFROM0CONTAINS[EMAIL PROTECTED] >>>> MAILFROM 0CONTAINS[EMAIL PROTECTED] >>>> etc. >>>> >>>> I then added this line in global.cfg: >>>> MYFILTERfilterC:\Imail\Declude\filter.txtx200 >>>> >>>> In my $default$.junkmail file there was already this line: >>>> WEIGHT20HOLD >>>> >>>> Do I need to do anything else to the junkmail file to reference >>>> MYFILTER or does the WEIGHT20 take care of everything? >>>> >>>> Thanks. >>>> >>>> Kevin >>>> >>>> >>>> >>>> Darin Cox wrote: >>>> >>>>> Nope... add a "filter" test and put those lines in it. The same >>>>> thing I >>>>> mentioned without pro applies here for adding test names to the >>>>> global.cfg >>>>> and $default$.junkmail. >>>>> >>>>> The manual at http://declude.com/junkmail/manual.htm decribes >>>>> adding filter >>>>> files pretty well. >>>>> >>>>> Darin. >>>>> >>>>> >>>>> - Original Message - From: "Kevin Rogers" >>>>> <[EMAIL PROTECTED]> >>>>> To: >>>>> Sent: Thursday, June 02, 2005 7:09 PM >>>>> Subject: Re: [Declude.Virus] Newbie question >>>>> >>>>> >>>>> I have pro. How do I add filters? >>>>> >>>>> Should I add that line "MAILFROM10 CONTAINS [EMAIL PROTECTED]" in >>>>> virus.cfg or global.cfg? Do I need to use another file? >>>>> >>>>> If I use the HEADERS option "HEADERS 10 CONTAINS >>>>> [EMAIL PROTECTED]" >>>>> - where would I put that? >>>>> >>>>> Sorry for the newbie questions. >>>>> >&g
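The envelope-versus-header distinction Scott Fisher describes in this thread, as an added example that is not part of the original posts and is not Declude's code: a simplified model of the two rule kinds quoted above, run against a constructed message whose SMTP envelope sender differs from its From: header. The sample addresses, the function names and the case-insensitive substring matching are assumptions made for the illustration.

```python
"""Added illustration: envelope sender (SMTP MAIL FROM) vs. header From.

Simplified model of the MAILFROM / HEADERS rule lines quoted in the thread.
This is not Declude's parser; case-insensitive matching is an assumption.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: what the sending host gave in the SMTP MAIL FROM command.
SAMPLE_ENVELOPE_SENDER = "bounce-1234@mailer.example.net"

# Constructed sample message: the From: header names a different address.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce-1234@mailer.example.net>\r\n"
    "Received: from host.example.net ([192.0.2.10]) by mx.example.org;\r\n"
    "\tFri, 03 Jun 2005 03:00:00 -0400\r\n"
    'From: "Accounts" <billing@blocked.example.com>\r\n'
    "To: user@example.org\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "body-only-marker appears in the body, not in any header.\r\n"
)

# Constructed filter file in the "<TEST> <weight> CONTAINS <string>" shape
# that the posters quote.
FILTER_TEXT = (
    "MAILFROM 0 CONTAINS billing@blocked.example.com\n"
    "HEADERS 0 CONTAINS billing@blocked.example.com\n"
)


def parse_rules(text):
    """Parse rule lines into (field, weight, needle) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() != "CONTAINS":
            raise ValueError(f"unsupported rule line: {line!r}")
        field = parts[0].upper()
        if field not in ("MAILFROM", "HEADERS"):
            raise ValueError(f"unsupported test type: {field!r}")
        rules.append((field, int(parts[1]), parts[3]))
    return rules


def header_block(raw_message):
    """Return only the header section (everything before the first blank line)."""
    return raw_message.replace("\r\n", "\n").partition("\n\n")[0]


def matching_rules(rules, envelope_sender, raw_message):
    """Return the rules that fire.

    MAILFROM rules see only the envelope sender; HEADERS rules see only the
    header block, so neither one looks at the message body.
    """
    headers = header_block(raw_message).lower()
    envelope = envelope_sender.lower()
    hits = []
    for field, weight, needle in rules:
        haystack = envelope if field == "MAILFROM" else headers
        if needle.lower() in haystack:
            hits.append((field, weight, needle))
    return hits


def header_from_address(raw_message):
    """Address part of the From: header, lower-cased ('' if absent)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def senders_differ(envelope_sender, raw_message):
    """True when the envelope sender and the displayed From: address disagree."""
    return envelope_sender.lower() != header_from_address(raw_message)


if __name__ == "__main__":
    rules = parse_rules(FILTER_TEXT)
    for hit in matching_rules(rules, SAMPLE_ENVELOPE_SENDER, SAMPLE_MESSAGE):
        print("rule fired:", hit)
    print("envelope sender :", SAMPLE_ENVELOPE_SENDER)
    print("header From     :", header_from_address(SAMPLE_MESSAGE))
    print("senders differ  :", senders_differ(SAMPLE_ENVELOPE_SENDER, SAMPLE_MESSAGE))
```

Only the HEADERS rule fires on the sample, because the blocked address appears in the From: header while the envelope sender is a different address.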
Re: [Declude.Virus] System resources
Thanks, Bill.

Darin.

- Original Message -
From: Bill Billman
To: Declude.Virus@declude.com
Sent: Friday, June 03, 2005 5:05 PM
Subject: RE: [Declude.Virus] System resources

Thanks Darin. The problem seems to be with IMail 8.2 and any version of Declude. We haven't seen this problem using any version of Declude and older versions of IMail.

Bill

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, June 03, 2005 4:33 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] System resources

Hi Bill,

First, welcome. I hope yours will be a constant voice on the list.

Questions:

1. What version of Declude? 2.06 only, or other versions as well?
2. How about older versions of IMail (8.1x, 8.0x, 7, 6, etc.)

Thanks.

Darin.

- Original Message -
From: Bill Billman
To: Declude.JunkMail@declude.com ; Declude.Virus@declude.com
Sent: Friday, June 03, 2005 4:24 PM
Subject: [Declude.Virus] System resources

Hello Everyone,

I would like to introduce myself and say hello to everyone. I'm new to Declude, having just joined last week. I'm very excited about working for Declude and looking forward to working with you all.

We have uncovered an intermittent issue with Declude and IMail 8.2. Basically, system resources are consumed until the system will no longer run. I want you to know that we are aware of the situation. We are working on a solution to this problem now and hope to have it solved in the near future. When ready we will conduct a limited beta program. If all goes well we will provide the solution in an interim release.

I apologize for any inconvenience this may have caused and thank you for your patience.

This is my first post here but assure you that it will not be my last.

All the best,
Bill

Bill Billman
Director of Engineering
Declude - internet security software
978.499.2933 office
603.930.4886 mobile
978.477.8930 fax
[EMAIL PROTECTED]
www.declude.com
Re: [Declude.Virus] System resources
Hi Bill,

First, welcome. I hope yours will be a constant voice on the list.

Questions:

1. What version of Declude? 2.06 only, or other versions as well?
2. How about older versions of IMail (8.1x, 8.0x, 7, 6, etc.)

Thanks.

Darin.

- Original Message -
From: Bill Billman
To: Declude.JunkMail@declude.com ; Declude.Virus@declude.com
Sent: Friday, June 03, 2005 4:24 PM
Subject: [Declude.Virus] System resources

Hello Everyone,

I would like to introduce myself and say hello to everyone. I'm new to Declude, having just joined last week. I'm very excited about working for Declude and looking forward to working with you all.

We have uncovered an intermittent issue with Declude and IMail 8.2. Basically, system resources are consumed until the system will no longer run. I want you to know that we are aware of the situation. We are working on a solution to this problem now and hope to have it solved in the near future. When ready we will conduct a limited beta program. If all goes well we will provide the solution in an interim release.

I apologize for any inconvenience this may have caused and thank you for your patience.

This is my first post here but assure you that it will not be my last.

All the best,
Bill

Bill Billman
Director of Engineering
Declude - internet security software
978.499.2933 office
603.930.4886 mobile
978.477.8930 fax
[EMAIL PROTECTED]
www.declude.com
Re: [Declude.Virus] Newbie question
I guess when it comes down to it either could be forged. If I'm going to block like this, I generally prefer to do it by IP rather than domain or email... for exactly that reason. Does fromfile actually use something different than MAILFROM in filter tests? I didn't catch that from the manual. Darin. - Original Message - From: "Scott Fisher" <[EMAIL PROTECTED]> To: Sent: Thursday, June 02, 2005 11:59 PM Subject: Re: [Declude.Virus] Newbie question I was going to suggest a fromfile. One potential problem.. the fromfile would use the enevelope from. In the case of a virus, I don't know if the envelope from would have the forged address in it. You'd have to capture some of the messages to know for sure. - Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> To: Sent: Thursday, June 02, 2005 5:48 PM Subject: Re: [Declude.Virus] Newbie question > You don't have to have PRO. You can also use a FROMFILE test with a text > file listing all of the email addresses and/or domains you want to > penalize. > Just put a line like this in your Global.CFG: > > FROMBLACKLIST fromfile C:\IMail\Declude\fromblacklist.txt x 200 > 0 > > This penalizes every address/domain in the fromblacklist.txt file with 200 > points. > > You'll need to add the action for the test name to the bottom of your > Global.cfg for outgoing messages, and add it to your $default$.junkmail as > well. > > Lastly, make sure you have a carriage return at the end of the > fromblacklist.txt to avoid the last line being ignored.. > > Darin. > > > - Original Message - > From: "Scott Fisher" <[EMAIL PROTECTED]> > To: > Sent: Thursday, June 02, 2005 6:37 PM > Subject: Re: [Declude.Virus] Newbie question > > > If you've got pro, you could add a filter: > MAILFROM10 CONTAINS [EMAIL PROTECTED] > that will check the envelope mailfrom. 
> > To check for those addresses in the headers: > HEADERS 10 CONTAINS [EMAIL PROTECTED] > > Another option is to update your virus software more often to minimize the > opportunity window for the virus. > > - Original Message - > From: "Kevin Rogers" <[EMAIL PROTECTED]> > To: > Sent: Thursday, June 02, 2005 5:15 PM > Subject: [Declude.Virus] Newbie question > > >> How do I ban certain email addresses? >> >> Some viruses have gotten through lately (first that I know about since >> installing Declude) sent from forged email addresses using our own >> domain. >> We do not whitelist our domain. I'd like to ban some of these common >> addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) >> >> Thanks. >> >> --- >> [This E-mail was scanned for viruses.] >> >> --- >> This E-mail came from the Declude.Virus mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.Virus".The archives can be found >> at http://www.mail-archive.com. >> > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
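The envelope-versus-header distinction discussed in this thread, as an added Python example that is not part of the original posts and is not Declude's code. The addresses, the sample messages and the three check names are constructed for illustration, and the `any_header` check assumes a HEADERS-style test is a plain substring search over the whole header block.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed blocklist entry (example domain, not from the thread).
BLOCKED = ["support@victim.example"]

# Constructed case 1: forged display From, unrelated envelope sender.
FORGED_ENVELOPE = "MAIL FROM:<bounce-4711@sender.example>"
FORGED_MESSAGE = (
    "Received: from mail.sender.example ([192.0.2.10])\r\n"
    "From: \"Support\" <support@victim.example>\r\n"
    "To: user@victim.example\r\n"
    "Subject: Account notice\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed case 2: legitimate mail addressed TO the blocked address.
LEGIT_ENVELOPE = "MAIL FROM:<alice@partner.example>"
LEGIT_MESSAGE = (
    "Received: from mail.partner.example ([192.0.2.20])\r\n"
    "From: Alice <alice@partner.example>\r\n"
    "To: support@victim.example\r\n"
    "Subject: Question\r\n"
    "\r\n"
    "body\r\n"
)


def envelope_sender(mail_from_line):
    """Extract the address from an SMTP 'MAIL FROM:<...>' command line."""
    m = re.match(r"MAIL FROM:\s*<([^>]*)>", mail_from_line, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def header_block(raw_message):
    """Return everything before the first blank line (the headers)."""
    return raw_message.split("\r\n\r\n", 1)[0]


def evaluate(mail_from_line, raw_message, blocked=BLOCKED):
    """Run three blocklist checks and report which ones match.

    envelope    - the SMTP envelope sender (what a MAILFROM-style test sees)
    header_from - only the address in the From: header
    any_header  - substring search over all headers (assumed HEADERS-style)
    """
    env = envelope_sender(mail_from_line)
    msg = message_from_string(raw_message)
    hdr_from = parseaddr(msg["From"] or "")[1].lower()
    headers = header_block(raw_message).lower()
    return {
        "envelope": any(b in env for b in blocked),
        "header_from": any(b in hdr_from for b in blocked),
        "any_header": any(b in headers for b in blocked),
    }


if __name__ == "__main__":
    print("forged:", evaluate(FORGED_ENVELOPE, FORGED_MESSAGE))
    print("legit: ", evaluate(LEGIT_ENVELOPE, LEGIT_MESSAGE))
```

The forged message passes the envelope check but matches on the header From, while the legitimate message matches only the whole-header search because the blocked address appears in its To: line.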
Re: [Declude.Virus] Newbie question
If you want to know what caused the weight, then add MYFILTER WARN to both the global.cfg and the $default$.junkmail. This will add a line to the header telling you the message failed MYFILTER. Otherwise it looks good. You can add multiple filter files for different needs as well. Darin. - Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> To: Sent: Thursday, June 02, 2005 11:37 PM Subject: Re: [Declude.Virus] Newbie question I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains: MAILFROM0CONTAINS[EMAIL PROTECTED] MAILFROM 0CONTAINS[EMAIL PROTECTED] etc. I then added this line in global.cfg: MYFILTERfilterC:\Imail\Declude\filter.txtx200 In my $default$.junkmail file there was already this line: WEIGHT20HOLD Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks. Kevin Darin Cox wrote: >Nope... add a "filter" test and put those lines in it. The same thing I >mentioned without pro applies here for adding test names to the global.cfg >and $default$.junkmail. > >The manual at http://declude.com/junkmail/manual.htm decribes adding filter >files pretty well. > >Darin. > > >- Original Message - >From: "Kevin Rogers" <[EMAIL PROTECTED]> >To: >Sent: Thursday, June 02, 2005 7:09 PM >Subject: Re: [Declude.Virus] Newbie question > > >I have pro. How do I add filters? > >Should I add that line "MAILFROM10 CONTAINS [EMAIL PROTECTED]" in >virus.cfg or global.cfg? Do I need to use another file? > >If I use the HEADERS option "HEADERS 10 CONTAINS [EMAIL PROTECTED]" >- where would I put that? > >Sorry for the newbie questions. > >Kevin > > > >Scott Fisher wrote: > > > >>If you've got pro, you could add a filter: >>MAILFROM10 CONTAINS [EMAIL PROTECTED] >>that will check the envelope mailfrom. 
>> >>To check for those addresses in the headers: >>HEADERS 10 CONTAINS [EMAIL PROTECTED] >> >>Another option is to update your virus software more often to minimize >>the opportunity window for the virus. >> >>- Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]> >>To: >>Sent: Thursday, June 02, 2005 5:15 PM >>Subject: [Declude.Virus] Newbie question >> >> >> >> >>>How do I ban certain email addresses? >>> >>>Some viruses have gotten through lately (first that I know about >>>since installing Declude) sent from forged email addresses using our >>>own domain. We do not whitelist our domain. I'd like to ban some of >>>these common addresses (e.g., [EMAIL PROTECTED], >>>[EMAIL PROTECTED], etc.) >>> >>>Thanks. >>> >>>--- >>>[This E-mail was scanned for viruses.] >>> >>>--- >>>This E-mail came from the Declude.Virus mailing list. To >>>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >>>type "unsubscribe Declude.Virus".The archives can be found >>>at http://www.mail-archive.com. >>> >>> >>> >>--- >>This E-mail came from the Declude.Virus mailing list. To >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >>type "unsubscribe Declude.Virus".The archives can be found >>at http://www.mail-archive.com. >>--- >>[This E-mail was scanned for viruses.] >> >> >> >> >> >--- >[This E-mail was scanned for viruses.] > >--- >This E-mail came from the Declude.Virus mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.Virus".The archives can be found >at http://www.mail-archive.com. > >--- >This E-mail came from the Declude.Virus mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.Virus".The archives can be found >at http://www.mail-archive.com. >--- >[This E-mail was scanned for viruses.] > > > > > --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. 
Re: [Declude.Virus] Newbie question
Nope... add a "filter" test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail.

The manual at http://declude.com/junkmail/manual.htm describes adding filter files pretty well.

Darin.

- Original Message -
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 02, 2005 7:09 PM
Subject: Re: [Declude.Virus] Newbie question

I have pro. How do I add filters?

Should I add that line "MAILFROM 10 CONTAINS [EMAIL PROTECTED]" in virus.cfg or global.cfg? Do I need to use another file?

If I use the HEADERS option "HEADERS 10 CONTAINS [EMAIL PROTECTED]" - where would I put that?

Sorry for the newbie questions.

Kevin

Scott Fisher wrote:

> If you've got pro, you could add a filter:
> MAILFROM 10 CONTAINS [EMAIL PROTECTED]
> that will check the envelope mailfrom.
>
> To check for those addresses in the headers:
> HEADERS 10 CONTAINS [EMAIL PROTECTED]
>
> Another option is to update your virus software more often to minimize
> the opportunity window for the virus.
>
> - Original Message -
> From: "Kevin Rogers" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, June 02, 2005 5:15 PM
> Subject: [Declude.Virus] Newbie question
>
>> How do I ban certain email addresses?
>>
>> Some viruses have gotten through lately (first that I know about
>> since installing Declude) sent from forged email addresses using our
>> own domain. We do not whitelist our domain. I'd like to ban some of
>> these common addresses (e.g., [EMAIL PROTECTED],
>> [EMAIL PROTECTED], etc.)
>>
>> Thanks.
Re: [Declude.Virus] Newbie question
You don't have to have PRO. You can also use a FROMFILE test with a text file listing all of the email addresses and/or domains you want to penalize. Just put a line like this in your Global.CFG:

FROMBLACKLIST fromfile C:\IMail\Declude\fromblacklist.txt x 200 0

This penalizes every address/domain in the fromblacklist.txt file with 200 points.

You'll need to add the action for the test name to the bottom of your Global.cfg for outgoing messages, and add it to your $default$.junkmail as well.

Lastly, make sure you have a carriage return at the end of the fromblacklist.txt to avoid the last line being ignored.

Darin.

- Original Message -
From: "Scott Fisher" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 02, 2005 6:37 PM
Subject: Re: [Declude.Virus] Newbie question

If you've got pro, you could add a filter:
MAILFROM 10 CONTAINS [EMAIL PROTECTED]
that will check the envelope mailfrom.

To check for those addresses in the headers:
HEADERS 10 CONTAINS [EMAIL PROTECTED]

Another option is to update your virus software more often to minimize the opportunity window for the virus.

- Original Message -
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 02, 2005 5:15 PM
Subject: [Declude.Virus] Newbie question

> How do I ban certain email addresses?
>
> Some viruses have gotten through lately (first that I know about since
> installing Declude) sent from forged email addresses using our own domain.
> We do not whitelist our domain. I'd like to ban some of these common
> addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.)
>
> Thanks.
Re: [Declude.Virus] MS05-16 Exploit
Do you use scripts to set up your accounts? Saves us a ton of time when restoring or migrating accounts.

When we had a similar problem mid-April that also required a server rebuild, running the scripts allowed us to recreate all of the websites on that server in a few minutes. There were a few tweaks needed from permissions that had been changed but not documented, and Frontpage Server Extensions never seems to work right without installing first 2000, then upgrading to 2002 and restarting IIS, but otherwise it went smooth.

Most of our recovery time was spent on a couple of websites that have a lot of custom services. Other than that it was just the base server rebuild and some drive shuffling to get backed up data local to the server.

Darin.

- Original Message -
From: John Tolmachoff (Lists)
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 8:42 PM
Subject: RE: [Declude.Virus] MS05-16 Exploit

Putting in 2 new drives was the easy part. Recreating 43 websites in IIS because the backup drive on the backup server departed for parts unknown the week before and proceeded with the tape drive (Onstream) finally giving out a month ago leaving my backup solution in shambles is what has been fun. Fortunately, both the actual website data drives and their separate backups on zip disks are fine.

When it rains it pours. I must be in Southern California.

Needless to say, I am revamping my backup and disaster recovery solutions.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 31, 2005 2:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] MS05-16 Exploit

Ok, John, get back to fixing that mirrored drive set.

Andrew 8)
Re: [Declude.Virus] .EML file syntax
Hi Goran,

Oh, I thought you wanted to separate the ALLRECIPS into TO, CC, and BCC groups.

Does CC work? I would think that it would, but haven't tried it. In any case, you might be able to insert a script in the process chain for virus scanning to check the result code and send your own notification instead of letting Declude do it. Then you would have more control and be able to BCC yourself.

Basically the script would be called by Declude, then would in turn call the virus scanner, perform additional actions, and return the virus scanner result to Declude for normal processing.

Darin.

- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 10:55 PM
Subject: RE: [Declude.Virus] .EML file syntax

Darin,

Not sure if you understood what I was looking for. I want to take an EML file say for a banned file notification and send it

TO: %ALLRECIPS%

And

BCC: me (or a monitor account).

This is the functionality that does not exist.

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, May 31, 2005 10:43 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] .EML file syntax

I asked about this about a month ago. From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info.

Darin.

- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:27 PM
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
Re: [Declude.Virus] .EML file syntax
I asked about this about a month ago. From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info.

Darin.

- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:27 PM
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
Re: [Declude.Virus] EXITSCANONVIRUS
Oh man...I feel your pain! Happened to us mid-April. Fortunately it was just after midnight on a Friday, so we had everything back up before morning and no one noticed the interruption in service.

Was it Windows mirroring or hardware level?

Darin.

- Original Message -
From: John Tolmachoff (Lists)
To: Declude.Virus@declude.com
Sent: Monday, May 30, 2005 3:30 AM
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

Off the topic, but it interrupted my work on my mail server.

Any one ever lose both mirrored OS drives at the same time? FUN FUN FUN NOT!

At least Ghost is able to read the master.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, May 29, 2005 4:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Thanks! The grass is cut and the friends are already on the way over with beer and stuff to burn :)

Matt

Darin Cox wrote:

Sounds good to me. I tend to think of both virus and spam detection in the same breath, since I think they're stronger together than separate... but you certainly have a valid point about moving code to Junkmail...and it would seem more useful there as well.

I haven't seen the false positives you've seen with the Outlook Boundary Space Gap vulnerability, but it may be due to a variation in customer base. I'll check the logs and let you know what we've seen over a similar timeframe.

Happy Memorial Day weekend! Don't forget to spend some time with the fam.

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Sunday, May 29, 2005 5:35 PM
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Darin,

My list was really only in respect to my feelings on Declude Virus and not JunkMail. In this perspective of both however, maybe a modification where #2 includes the potential of adding it as a test to JunkMail if it would be beneficial, and a clarification on #3 like so:

1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients.

2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). Add code to Declude JunkMail if useful for blocking spam. I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the conditions related to the vulnerability; i.e. commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years. Note that some of these vulnerabilities have never been actively exploited by viruses. Being conservative about leaving the code in for long periods I think is fine because they would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reach.

I think this reflects what you have said, and in essence this is what I was indicating in the paragraph that followed.

I would definitely like to see the Outlook CR Vulnerability added to Declude JunkMail as a scoreable test since it does hit on a good deal of spam, but I won't use it in Declude Virus since I can only choose to block or pass and it has daily issues with false positives for my customer base.

Other present vulnerabilities might not justify keeping the code however. The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that weren't otherwise detected as viruses on my system in a two week period of time, covering over 1 million scanned messages. Of these 8 messages, all 8 were legitimate personal E-mails generated by Microsoft's own E-mail clients. I think we could agree that if this is the long-term trend, this code would be best removed or fixed instead of being added to JunkMail.

Alternatively, if this is still a threat with this one vulnerability (I don't know), then the detection should be fixed. The false positives were all the result of an error in Declude where the following header was properly 'folded', but Declude seemingly experienced an error in de-folding the headers which led it to believe that there were spaces within the boundary. The 4 spaces at the beginning of the second line in this case is part of proper header folding

Content-Type: multipart/alternative; boundary= "_=_NextPart_001_01C55D5F.F2B051DD"

This vulnerability is designed to detect spaces or tabs within message boundaries, and apparently could be exploited to package attachments which Outlook clients would read. The above example is not an example
Re: [Declude.Virus] EXITSCANONVIRUS
Sounds good to me. I tend to think of both virus and spam detection in the same breath, since I think they're stronger together than separate... but you certainly have a valid point about moving code to Junkmail...and it would seem more useful there as well.

I haven't seen the false positives you've seen with the Outlook Boundary Space Gap vulnerability, but it may be due to a variation in customer base. I'll check the logs and let you know what we've seen over a similar timeframe.

Happy Memorial Day weekend! Don't forget to spend some time with the fam.

Darin.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Sunday, May 29, 2005 5:35 PM
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Darin,

My list was really only in respect to my feelings on Declude Virus and not JunkMail. In this perspective of both however, maybe a modification where #2 includes the potential of adding it as a test to JunkMail if it would be beneficial, and a clarification on #3 like so:

1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients.

2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). Add code to Declude JunkMail if useful for blocking spam. I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the conditions related to the vulnerability; i.e. commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years. Note that some of these vulnerabilities have never been actively exploited by viruses. Being conservative about leaving the code in for long periods I think is fine because they would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reach.

I think this reflects what you have said, and in essence this is what I was indicating in the paragraph that followed.

I would definitely like to see the Outlook CR Vulnerability added to Declude JunkMail as a scoreable test since it does hit on a good deal of spam, but I won't use it in Declude Virus since I can only choose to block or pass and it has daily issues with false positives for my customer base.

Other present vulnerabilities might not justify keeping the code however. The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that weren't otherwise detected as viruses on my system in a two week period of time, covering over 1 million scanned messages. Of these 8 messages, all 8 were legitimate personal E-mails generated by Microsoft's own E-mail clients. I think we could agree that if this is the long-term trend, this code would be best removed or fixed instead of being added to JunkMail.

Alternatively, if this is still a threat with this one vulnerability (I don't know), then the detection should be fixed. The false positives were all the result of an error in Declude where the following header was properly 'folded', but Declude seemingly experienced an error in de-folding the headers which led it to believe that there were spaces within the boundary. The 4 spaces at the beginning of the second line in this case is part of proper header folding

Content-Type: multipart/alternative; boundary= "_=_NextPart_001_01C55D5F.F2B051DD"

This vulnerability is designed to detect spaces or tabs within message boundaries, and apparently could be exploited to package attachments which Outlook clients would read. The above example is not an example of exploitable code.

RFC 2912 - http://www.faqs.org/rfcs/rfc2912.html

3.1 Whitespace and folding long headers

In some circumstances, media feature expressions can be very long. According to "A Syntax for Describing Media Feature Sets" [1], whitespace is allowed between lexical elements of a media feature expression. Further, RFC822/MIME [4,5] allows folding of long headers at points where whitespace appears to avoid line length restrictions. Therefore, it is recommended that whitespace is included as permitted, especially in long media feature expressions, to facilitate the folding of headers by agents that do not otherwise understand the syntax of this field.

For this to have been the vulnerability, the whitespace would have needed to have been within the quotes that defined the boundary and not before it.

Matt

Darin Cox wrote:

Hi Matt, I think most of us always consider the "greater good" before making requests
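The folding point made in the message above, as an added Python example that is not part of the thread and not Declude's code. It unfolds a Content-Type header, extracts the boundary parameter, and flags whitespace only when it is inside the boundary value; `naive_check` is a hypothetical flawed test shown for contrast, and all sample headers are constructed.

```python
import re

# Constructed sample headers (placeholders, not taken from real mail).
# Folded before the quoted value, as described in the post: the four
# leading spaces belong to the fold, not to the boundary.
FOLDED_OK = (
    "Content-Type: multipart/alternative; boundary=\r\n"
    "    \"_=_NextPart_001_EXAMPLE\"\r\n"
)
# Whitespace inside the quotes that delimit the boundary value.
SPACE_INSIDE = (
    "Content-Type: multipart/mixed;\r\n"
    "\tboundary=\"_=_Next Part_001_EXAMPLE\"\r\n"
)
# Unquoted token form, no folding.
UNQUOTED = "Content-Type: multipart/mixed; boundary=simple-boundary\r\n"

# boundary parameter: quoted-string (with backslash escapes) or bare token.
BOUNDARY_RE = re.compile(
    r'(?<![\w-])boundary[ \t]*=[ \t]*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]+))',
    re.IGNORECASE,
)


def unfold(raw_header):
    """Unfold a header: drop each line break that is followed by a
    space or tab, keeping the whitespace itself (RFC 822 / RFC 2822)."""
    return re.sub(r"\r?\n(?=[ \t])", "", raw_header).rstrip("\r\n")


def boundary_value(raw_header):
    """Return the boundary parameter value without its quotes, or None."""
    m = BOUNDARY_RE.search(unfold(raw_header))
    if m is None:
        return None
    if m.group(1) is not None:
        # Quoted form: resolve backslash-escaped characters.
        return re.sub(r"\\(.)", r"\1", m.group(1))
    return m.group(2)


def has_boundary_whitespace(raw_header):
    """True only when a space or tab sits inside the boundary value."""
    value = boundary_value(raw_header)
    return value is not None and re.search(r"[ \t]", value) is not None


def naive_check(raw_header):
    """Hypothetical flawed test: treats everything after 'boundary=' as
    the value, so whitespace left over from folding counts as a hit."""
    m = re.search(r"boundary=([^;]*)", unfold(raw_header), re.IGNORECASE)
    return m is not None and re.search(r"[ \t]", m.group(1)) is not None


if __name__ == "__main__":
    for name, hdr in [("folded", FOLDED_OK), ("inside", SPACE_INSIDE),
                      ("unquoted", UNQUOTED)]:
        print(name, repr(boundary_value(hdr)),
              "strict:", has_boundary_whitespace(hdr),
              "naive:", naive_check(hdr))
```

On the folded sample the strict check reports no whitespace while the naive one does, which is the kind of false positive the post describes.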
Re: [Declude.Virus] EXITSCANONVIRUS
Hi Matt, I think most of us always consider the "greater good" before making requests... and by their nature, most requests from one person have benefit to many others. I think the recommendation you outlined below is fairly good...but again, I would not like to see potentially valuable tests removed. Defaulting to off is good, but removing doesn't make sense when there's value in the test. Other than an occasional Partial vulnerability, I see no false positives with vulnerabilities from our user base. I do think your point about moving the code from Virus over to Junkmail is a good one when it is no longer an active vulnerability. I would just hate to see a valuable test removed, and again, we see a decent amount of spam caught by Virus that doesn't get caught by our Junkmail config. Code can easily be broken in moving from one place to another (Virus to Junkmail), so this may be a maintenance problem that it is desirable to avoid. However, deprecated vulnerabilities could potentially be more valuable there for use in weighting or combo tests to identify particular spammers and assist with detecting their payloads. I think this all falls under the "The more info we have about a message, the better we can classify it" category. Indeed, one of the main reasons we haven't migrated to SmarterMail is the unavailability of the CMDSPACE test. We find much of the strength in Declude is due to the variety of special tests Scott was able to come up with. So, with the caveat of not performing Item 3 in your list (Removal), it sounds very good to me. It's nowhere near #1 on my list either...just didn't want anything useful to disappear. Darin. 
- Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 4:22 PM Subject: Re: [Declude.Virus] EXITSCANONVIRUS Darin, I think there are many different ways to define "retire" in this context. Personally, I have already 'retired' the functionality on my system where I feel that it is appropriate, but when I share my opinions and recommendations, I am often thinking of the greater good. I tend to not ask for things from Declude that would not also be of benefit to a good number of its users. While having the switch alone might be good enough for the majority of us on these lists, the majority of Declude's customers don't pay attention to the lists, release notes, or many other things...they tend to run default configurations with very little in the way of tweaks. These people are most in need of a solution, though they probably mostly don't recognize the issue, and likewise wouldn't recognize the solution. By Declude providing this functionality and not working it into the overall approach for the best standard config and practices, it really only serves the few of us that are paying very close attention. So in this perspective, the best global approach in my opinion would be to establish a system for deprecating such functionality. I would suggest the following: 1) Active Vulnerabilities - Default to ON, and patch known exceptions that could be triggered by standard E-mail clients. I would expect that such things would stay in this category for at least a year following a patch being released for the affected E-mail clients. 2) Inactive Vulnerabilities - Default to OFF, don't necessarily patch issues when found (judgment call). I would expect that this category would include things that were between 1 and 3 years following a patch being issued for the affected E-mail clients. 3) Removal - Remove the code from the executable. Depending on the conditions related to the vulnerability; i.e. 
commonality in exploit, potential for false positives, seriousness of flaw, etc., it would be prudent to remove the code that detects such things after 2 or more years. Note that some of these vulnerabilities have never been actively exploited by viruses. Being conservative about leaving the code in for long periods I think is fine because they would give people peace of mind and choice, but there is always going to be a legitimate extent to which being conservative about things reach. Regarding their use in blocking some spam, I personally would rather Declude JunkMail tag such things, that way we could handle this as spam, as well as the potential false positives, within the systems that we have built to handle spam instead of the one built to handle viruses. Active Vulnerabilities are a different story, but I wouldn't object to seeing code added to BADHEADERS/SPAMHEADERS or another built-in test to show that something failed a deprecated check within the context of Declude JunkMail. Some of these vulnerabilities are presently less than 90% accurate on my system in judging between spam and ham, though the viruses associated with them might well be deleted if they do exist and were detected by one of my scanners (I've based this
Re: [Declude.Virus] EXITSCANONVIRUS
Matt, Point taken that it may no longer be a vulnerability. So, call it something different, maybe just another type of spam test, but don't take it away. They still have value as tests. As I stated earlier, we see spam held by the vulnerability tests that were not detected by spam tests. If the vulnerability/test can be disabled so it doesn't add any processing time to your config, why argue that it should be taken away from someone else who still has a use for it? Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 2:06 PM Subject: Re: [Declude.Virus] EXITSCANONVIRUS Darin, A vulnerability is only a vulnerability if there is an application vulnerable to it. Viruses also won't ever achieve 'critical mass' and therefore won't succeed in the wild if they rely on exploiting a vulnerability that no longer exists. Given that some of these vulnerabilities have been patched for more than two years, it is unlikely that a mass-mailing virus would attempt to exploit one of them, and if they relied on one of these methods that was long since patched, they could end up hurting their chances of success since their attachments wouldn't be seen by the E-mail clients receiving them (it would be better just to attach it normally and would make no sense to try to exploit the old vulnerability). Many of the vulnerability checks in Declude were the result of flaws in Outlook and Outlook Express. There were mostly ways to package in attachments in E-mails so that error correction in the clients would display or even execute the attachments, but the deMIMEing engines associated with E-mail virus scanners might not recognize them as attachments and therefore might not even attempt to scan the attachments. 
The shortcoming to many of Declude's vulnerability checks is that they might only check for the presence of the precursor or non-standard (but sometimes compliant) construction, and not the presence of the exploit (such as an attachment buried in the headers). So in essence all this is tagging is construction, and there are flaws in many of the current detection methods that can tag legitimate E-mail. This didn't become much of an issue for me until the number of addresses and domains expanded to the point where most flaws in the detection, or otherwise error prone mailers of legitimate E-mail were tripping these things in measurable numbers every single day. For servers with single domains or fewer addresses, this is probably much less of an issue, but the false positives would be more likely to go undetected. My opinion is that every vulnerability has a lifespan, and eventually should be retired if there is any chance of it causing a false positive, or even regardless. One example would be the "Object Data Vulnerability". This was discovered by eEye in April of 2003 and patched by Microsoft on October 3, 2003. Two fairly unsuccessful Bagle variants exploited this vulnerability in April of 2004 and Declude added this to their list of vulnerabilities in response. While other viruses might have attempted to exploit this vulnerability, it would not be successful given the year and a half since the patch...it wouldn't be successful enough to achieve critical mass. On the flip side of this, I have found that Outlook can trip this vulnerability in Declude under certain circumstances, though I'm not sure what exactly they are, and the only solutions would be to fix the detection, turn it off, or retire it. I have almost zero concern about this causing me any issues by not detecting it at this point. 
http://www.eeye.com/html/Research/Advisories/AD20030820.html http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx There are similar conditions for other vulnerabilities as well. It was good to have them at the time, but now they are more trouble than they're worth in my opinion. Matt Darin Cox wrote: I would hope existing vulnerability checks would not be retired, since there are already flags to decide whether or not to check for particular ones. We catch a bit of spam in the virus queue with these checks that is not otherwise caught, especially some that someone else (Andrew?) mentioned getting rid of. Unless there is 100% probability that no one will use the functionality any longer, please add flags to turn it off instead of removing it completely. That way those that still prefer it can still use it. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 1:23 AM Subject: Re: [Declude.Virus] EXITSCANONVIRUS John, I don't think that the behavior displayed in your logs was entirely purposeful. Declude tagged it with a vulnerability and then it ran your first virus scanner and found no virus, and then apparently it decided not to run the last two virus scanners. Thi
Re: [Declude.Virus] EXITSCANONVIRUS
I would hope existing vulnerability checks would not be retired, since there are already flags to decide whether or not to check for particular ones. We catch a bit of spam in the virus queue with these checks that is not otherwise caught, especially some that someone else (Andrew?) mentioned getting rid of. Unless there is 100% probability that no one will use the functionality any longer, please add flags to turn it off instead of removing it completely. That way those that still prefer it can still use it. Darin. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 1:23 AM Subject: Re: [Declude.Virus] EXITSCANONVIRUS John, I don't think that the behavior displayed in your logs was entirely purposeful. Declude tagged it with a vulnerability and then it ran your first virus scanner and found no virus, and then apparently it decided not to run the last two virus scanners. This of course is only interim functionality and I would imagine that they would be open to reports of unexpected behavior as well as tweaks for more optimal behavior. I believe that the intended functionality for EXITSCANONVIRUS ON would be to ignore the vulnerabilities and only skip further virus scanning when a prior virus scanner reports an exit code that you have configured to mark it as a virus. This seems consistent with what you are saying it should be. In an older thread regarding some bugs with F-Prot and other related things, Andrew also suggested separate functionality that would skip virus scanning when a vulnerability was found since that would be enough to block it on most systems. At that time I suggested that this was not necessarily a good idea, but I made a mistake. For my system, and many others running BANCRVIRUSES ON, it might be an even bigger CPU savings to skip all virus scanners when a vulnerability is detected. 
The only downside to this is that you will fill up your virus directory when using such a switch unless you are using another new directive, DELETEVULNERABILITIES ON. Naturally skipping virus scanning for vulnerabilities would be optional and not the default setting, and so would be deleting vulnerabilities. I would be in favor of seeing something like EXITSCANONVULNERABILITY added to Declude. Note that there are many issues with the current set of vulnerability checks that Declude does, and it would help to address these at the same time. We do have a switch to turn most of this off, but I get the impression that they are aware of the issues and are considering or may have decided to approach vulnerabilities differently, or possibly retiring some where appropriate. Deleting messages that fail vulnerability checks but aren't tagged as viruses should only really be done if you can rely on the vulnerability checks to be accurate. Matt John Tolmachoff (Lists) wrote: It appears to be stopping when it finds a vulnerability and does not get scanned for virus. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Saturday, May 28, 2005 5:58 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS ... that's reasonable, John. How does it work up to now? If a vulnerability and a virus are detected, which gets reported? Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Saturday, May 28, 2005 5:17 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS I agree with Darrell. If it contains a virus, I want it to be marked as a virus. If it does not contain a virus, then if it contains a vulnerability or banned extension then mark as such. An example is that some Sober viruses also contain vulnerability. Well, I want it labeled as a virus not vulnerability. 
John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Saturday, May 28, 2005 10:10 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] EXITSCANONVIRUS My thoughts are this - a virus is a virus and a vulnerability is a vulnerability. My expectation is that if a virus is detected then the other scanners will not be called. However, if a vulnerability is detected the scanners will execute until such time a "virus" is found. Maybe two switches - EXITSCANONVULNERABILITY... However, on the grander scale of things if nothing changed on this I would still use EXITSCANONVIRUS as long as it observes the various delivery options on vulnerabilities. Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com - Original Message - From: "Colbeck, Andrew" <[EMA