[Declude.Virus] bloodhound exploit 163 - Slipping Through
A customer running Norton reports receiving several infected e-mails today. We are only running the built-in AVG scanner at this time, which isn't catching this new virus.

The Symantec site is not too helpful about the characteristics, which would better enable writing a filter.
http://www.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99

Our customer reports they show:
From: Lorena Bernal
Subject: Statement of retained earnings

However, no doubt there are other variants. They are caught upon receipt by his Norton anti-virus and quarantined, so he really can't (and I don't want him to) supply more info.

Anyone else noticing this virus slipping through? Any suggestions appreciated.

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts®
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Sender.eml was sent even though forging virus?
Perhaps there is some marketing value to notifying the client. It reminds them of the valuable service which is being delivered behind the scenes.

We stopped sending to the sending parties some time ago. It was useless noise. At some point, long ago, we also killed the client notification because it had become spam, to a certain extent. At that time, I thought a daily or weekly manifest or report to the client would have been better.

Friday, December 22, 2006, 7:04:55 PM, Douglas Cohn <[EMAIL PROTECTED]> wrote:
DC> Isn't it better to just remove all the eml files so as to be more of the
DC> solution and less of the problem.
DC> It just seems that if all of us stopped sending eml's that millions of
DC> useless messages would be stopped.
DC> What am I missing? What value do these messages possibly have?
DC> Doug
DC> -Original Message-
DC> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
DC> Sent: Wednesday, December 13, 2006 1:45 PM
DC> To: declude.virus@declude.com
DC> Subject: RE: [Declude.Virus] Sender.eml was sent even though forging virus?
DC> Oh?
DC> I've never had the problem with my external McAfee scanner.
DC> Could this be a problem with Declude's internal AVG scanner?
DC> Best Regards
DC> Andy Schmidt
DC> Phone: +1 201 934-3414 x20 (Business)
DC> Fax: +1 201 934-9206
DC> -Original Message-
DC> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
DC> Sent: Wednesday, December 13, 2006 01:11 PM
DC> To: declude.virus@declude.com
DC> Subject: re: [Declude.Virus] Sender.eml was sent even though forging virus?
DC> I've seen similar behavior with viruses found by AVG.
DC> Original Message
>> From: "Andy Schmidt" <[EMAIL PROTECTED]>
>> Sent: Wednesday, December 13, 2006 12:42 PM
>> To: "'Declude Virus List'"
>> Subject: [Declude.Virus] Sender.eml was sent even though forging virus?
>>
>> Hi,
>>
>> My "sender.eml" has the line:
>> SKIPIFFORGING
>>
>> And my virus.CFG has:
>>
>> AUTOFORGE ON
>>
>> FORGINGVIRUS Anonymous Driver
>> FORGINGVIRUS Antiman
>> FORGINGVIRUS Avril
>> FORGINGVIRUS Bagle
>>
>> Yet, declude virus just sent the "sender.eml" for the following details:
>>
>> File:"Unknown File"
>> Result: FoundI-Worm/Bagle
>> Message ID:<[EMAIL PROTECTED]>
>> Our Domain:Schmidt.AS for Schmidt.AS
>> Queue ID: D324e0153b795.smd
>>
>> Based on these headers:
>>
>> -Original Message Headers-
>> Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP
>> (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
>> Date: Wed, 13 Dec 2006 18:03:11 +0100
>> To: "Andy" <[EMAIL PROTECTED]>
>> From: "Webmaster" <[EMAIL PROTECTED]>
>> Subject: price 13-Dec-2006
>> Message-ID: <[EMAIL PROTECTED]>
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="oibzhbgyvnajpcxfwpdt"

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: SPAM-WARN: Re: [Declude.Virus] On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
If the root of the problem is that they are unbalanced, then why should I care if there are more Lf than Cr or more Cr than Lf?

What am I missing?

Sunday, October 22, 2006, 11:28:14 AM, Michael Thomas - Mathbox <[EMAIL PROTECTED]> wrote:
MTM> Don,
MTM> Cr<>Lf indicates only that they are not balanced. Lf>Cr and Cr>Lf indicates
MTM> which is missing, so one can choose their own poison and apply different
MTM> weights. If you were to test a sample batch of messages, you would find that
MTM> one is more prevalent than the other, by a large factor.
MTM> Michael Thomas
MTM> Mathbox
MTM> 978-683-6718
MTM> 1-877-MATHBOX (Toll Free)
MTM>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>> Behalf Of Don Brown
>> Sent: Sunday, October 22, 2006 6:03 AM
>> To: declude.virus@declude.com
>> Subject: SPAM-WARN: Re: [Declude.Virus] On RFC Violation -
>> Declude allows attachments and Virus to pass through
>> untouched and unscanned
>>
>> Michael,
>>
>> Why is it necessary to run two tests (failing on Cr>Lf and on Lf>CR)?
>> Why not just one test (failing on Cr<>Lf)?
>>
>> Thursday, October 19, 2006, 9:49:07 PM, Michael Thomas -
>> Mathbox <[EMAIL PROTECTED]> wrote:
>> MTM> Hi All,
>>
>> MTM>[SNIP]
>>
>> MTM> Finally, if you want to test for these RFC violations, see
>> MTM> http://www.mathbox.com/NoCrTest/NoCrTest.zip
>>
>> MTM> Michael Thomas
>> MTM> Mathbox
>> MTM> 978-683-6718
>> MTM> 1-877-MATHBOX (Toll Free)
>>
>> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
>> [EMAIL PROTECTED] http://www.inetconcepts.net
>> (972) 788-2364 Fax: (972) 788-5049

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Michael,

Why is it necessary to run two tests (failing on Cr>Lf and on Lf>CR)? Why not just one test (failing on Cr<>Lf)?

Thursday, October 19, 2006, 9:49:07 PM, Michael Thomas - Mathbox <[EMAIL PROTECTED]> wrote:
MTM> Hi All,
MTM>[SNIP]
MTM> Finally, if you want to test for these RFC violations, see
MTM> http://www.mathbox.com/NoCrTest/NoCrTest.zip
MTM> Michael Thomas
MTM> Mathbox
MTM> 978-683-6718
MTM> 1-877-MATHBOX (Toll Free)

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
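The single Cr<>Lf test and the directional Cr>Lf / Lf>Cr tests discussed in the two messages above, as an added example that is not part of the original posts and is not the NoCrTest code. The function names, the weights and the sample messages are constructed for illustration; the BARE-BALANCED check goes beyond the thread and covers a message whose stray CR and stray LF cancel out in the counts.

```python
"""CR/LF balance tests on a raw message. Added example; samples are constructed."""
from dataclasses import dataclass

# Hypothetical weights: the thread says only that the two directions can be
# weighted differently, not what the values should be.
WEIGHTS = {"LF>CR": 5, "CR>LF": 3, "BARE-BALANCED": 4}


@dataclass(frozen=True)
class LineEndingReport:
    cr: int        # total CR bytes
    lf: int        # total LF bytes
    bare_cr: int   # CR bytes not followed by LF
    bare_lf: int   # LF bytes not preceded by CR
    tests: tuple   # names of the tests that fired
    weight: int    # sum of the hypothetical weights for those tests


def analyse(raw: bytes) -> LineEndingReport:
    """Count line-ending bytes and decide which balance tests fire."""
    cr = raw.count(b"\r")
    lf = raw.count(b"\n")
    pairs = raw.count(b"\r\n")          # well-formed CRLF sequences
    bare_cr, bare_lf = cr - pairs, lf - pairs

    tests = []
    if cr != lf:
        # The single test: the counts differ, direction unknown.
        tests.append("CR<>LF")
        # The directional tests: which byte is the one in excess.
        tests.append("LF>CR" if lf > cr else "CR>LF")
    elif bare_cr:
        # Counts are equal, yet stray bytes exist (bare_cr == bare_lf here),
        # so every count-based test above stays silent.
        tests.append("BARE-BALANCED")

    weight = sum(WEIGHTS.get(name, 0) for name in tests)
    return LineEndingReport(cr, lf, bare_cr, bare_lf, tuple(tests), weight)


# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "well_formed": b"Subject: test\r\n\r\nbody line\r\n",
    "missing_cr": b"Subject: test\r\n\r\nline one\nline two\n",
    "missing_lf": b"Subject: test\r\n\r\nline one\rline two\r\n",
    "mixed": b"Subject: test\r\n\r\nline one\nline two\rend\r\n",
}


def analyse_samples() -> dict:
    """Run analyse() over every constructed sample."""
    return {name: analyse(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, report in analyse_samples().items():
        print(f"{name:12} CR={report.cr} LF={report.lf} "
              f"bareCR={report.bare_cr} bareLF={report.bare_lf} "
              f"tests={report.tests} weight={report.weight}")
```
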
[Declude.Virus] Vulnerability Flag Codes = 862
I think there used to be a way to look up the meaning of a vulnerability code on the Declude web site, but I can't find it.

I need to figure out what 862 means. Can anyone point me to the lookup or tell me the translation?

Thanks.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0
means).
DB> So people (including myself) have a hard time understanding that there is no
DB> functional difference between 3.0 and 4.0. Moreover, most of us suspect
DB> that there will be more differences in features in the future.
DB>
DB> The second problem is your new pricing scheme. All of us existing Declude
DB> owners have our SAs, so presumably it's not an issue for us. However, I
DB> think most of us expect that you will eventually try to force us out of SAs
DB> into annual licensing, which we don't want. Moreover, most of us worry that
DB> your new pricing scheme will not be accepted by your customer base, and that
DB> could lead to the death of Declude. So while I may not be directly impacted
DB> by version 4.0, I have good reason to worry about the future success of
DB> Declude and whether I can expect you to continue to provide a growing and
DB> satisfactory product. I may have to look at alternatives just to protect my
DB> future.
DB>
DB> The third problem that you haven't addressed at all is your poor timing.
DB> You know that the vast majority of your users are current/former IMail users
DB> who are still stinging from their fiasco, and yet you walk into the same
DB> stupid trap, with the same lack of forethought and customer communications.
DB> You also do this at a time when a lot of your clients are upset about a lack
DB> of true improvements (how about just a stable, current product??). So you
DB> have all of these customers who are losing patience over your upgrades, who
DB> are still upset at Ipswitch, and then you ambush them with this new scheme.
DB> Any wonder people are upset?
DB>
DB> I really suggest you take a good, long look at the troubles experienced by
DB> Ipswitch over the last year, and decide if you really want to go through all
DB> that. And if you do, then change the names to something besides 3.0 and
DB> 4.0.
DB> Ben Bednarz
DB> BC Web
DB> - Original Message -
DB> From: "David Barker" <[EMAIL PROTECTED]>
DB> To: ;
DB> Sent: Sunday, February 12, 2006 8:37 AM
DB> Subject: RE: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0
>> Let me quote myself on point 5.
>>
>> "EXCEPT that 4.0 runs as a single product with Declude EVA PRO, Junkmail PRO
>> and Hijack. Where as Version 3.0 still supports 3 individual products."
>>
>> As to NO major differences, there are NO major differences in functionality
>> but rather minor differences which have to do with integration into
>> SmarterMail 3.0 which makes it a little easier for New Customers which I
>> will explain in greater detail with the notes I promised in point 7, but
>> again these differences do NOT affect existing customers.
>>
>> David B
>> www.declude.com
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
>> Sent: Sunday, February 12, 2006 11:23 AM
>> To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0
>>
>> Saturday, February 11, 2006, 9:47:07 AM, David Barker <[EMAIL PROTECTED]> wrote:
>> DB> [Snip]
>>
>> DB> 5. With regards to Version 3.0 and 4.0 there is NO major difference
>> DB> in functionality except that 4.0 runs as a single product with
>> DB> Declude EVA PRO, Junkmail PRO and Hijack. Where as Version 3.0 still
>> DB> supports 3 individual products.
>>
>> DB> [Snip]
>>
>> DB> 7. I am pulling together some additional release notes on a
>> DB> comparison between version 3.0 and 4.0 which I hope to have
>> DB> available next week.
>>
>> DB> David B
>> DB> www.declude.com
>> DB> [Snip]
>>
>> Items 5 & 7 are contradictory, to the extent that no comparison, as promised
>> in 7, would be needed, if the only difference was, as quoted in 5.
>>
>> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
>> [EMAIL PROTECTED] http://www.inetconcepts.net
>> (972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] [Declude.JunkMail] Declude 3.0 / 4.0
Saturday, February 11, 2006, 9:47:07 AM, David Barker <[EMAIL PROTECTED]> wrote:
DB> [Snip]
DB> 5. With regards to Version 3.0 and 4.0 there is NO major difference in
DB> functionality except that 4.0 runs as a single product with Declude EVA PRO,
DB> Junkmail PRO and Hijack. Where as Version 3.0 still supports 3 individual
DB> products.
DB> [Snip]
DB> 7. I am pulling together some additional release notes on a comparison
DB> between version 3.0 and 4.0 which I hope to have available next
DB> week.
DB> David B
DB> www.declude.com
DB> [Snip]

Items 5 & 7 are contradictory, to the extent that no comparison, as promised in 7, would be needed, if the only difference was, as quoted in 5.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
Re: [Declude.Virus] Changes @ Declude
Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee <[EMAIL PROTECTED]> wrote:
KB> [Snip]
KB>
KB> On the buying issue what do you get, the two products will be kept in parity feature wise.
KB>
KB> Kevin Bilbee
KB>
KB> [Snip]

If that is truly the case, then it makes sense to have only one version, 4.0. Then, the only difference will be that some customers are on an annual maint agreement and others pay an annual subscription.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Encoded viruses...worried
day. This likely was a PIF file inside, though it could also have
MG> been a JPG according the notes on this virus. I, like most of us
MG> here, don't allow PIF's to be sent through our system, but when
MG> the PIF is encoded in at least BinHex format, it gets
MG> past this type of protection.
MG>
MG> Here's the conundrum. This mechanism could be exploited
MG> just like the Zip files were by the Sober writers and
MG> continually seeded, but instead of requiring some of us to at
MG> least temporarily block Zips with executables inside, an
MG> outbreak of continually seeded variants with executables
MG> within one of these standard encoding mechanisms would
MG> cause us to have to block all such encodings. I
MG> therefore think it would be prudent for Declude to
MG> support banned extensions within any of these encoding mechanisms
MG> if it doesn't already. I readily admit that this could
MG> be a lot of work, but it could be very bad if this
MG> mechanism becomes more common. This particular virus is
MG> so destructive that a single copy could cause severe
MG> damage to one's enterprise. I cross my fingers hoping that
MG> none of this would be necessary, but that's not enough to be safe.
MG> Matt
MG>

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
We are also running the latest release of v 3. We only have one open question to Declude Tech support as to why Base64 does not trigger sometimes. No crashes or other problems with either AV or JM. It is a lot faster.

Thanks,

Sunday, January 29, 2006, 4:06:28 AM, Markus Gufler <[EMAIL PROTECTED]> wrote:
>> I'm still on Declude v2.x and am comfortable there, as Don
>> points out, many of us are waiting for the v3.x to be utterly
>> stable and to have desired new features before going to it.
>> As the software is maturing, so is much of the userbase;
>> there used to be a lot of early adopters when the releases
>> were coming out fast and furious.
MG> I'm running it on 3 different servers and except the strangeness with the
MG> declude.cfg file on one of these servers that was solved by recreating it I'm
MG> very impressed by the stability and performance of v3. The amount of
MG> incoming messages is growing rapidly and so the number of held viruses and
MG> spam too. (v3 can process much more messages than the previous versions!)
MG> So I search for something simple to clean out all this stuff as fast as it's
MG> coming in.
MG> Markus

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
A single piece of software can't possibly be all things to all people. I think the best that can be expected is that it reasonably addresses all, or most, of those objectives which the user community shares.

It is easy to say that it only costs $xx when it's not your money, the same as it is to say that it will only take 30 lines of code when you don't have to write it, test it, maintain it and fix it when it breaks.

I was the culprit who introduced the HOP feature in Declude a long time ago. It was effective back then in combating dynamic servers in the delivery chain. As intimate as Scott was with his code and with the challenges we all faced, we debated it on and off the list for a long time, before he was convinced it would be a good thing for the entire user community. IOW, he had to see the beef - the evidence, that there was an issue and that it was one which Declude could address effectively.

Scott is gone and Imail has changed, requiring a major overhaul in Declude. Many of the old timers on this list are still NOT running the most current release, due to certain challenges and anomalies.

I'm not trying to be a horse's tail or beat you up and there is nothing personal involved. I just think that unless a feature request can be justified with facts, which you admit that yours cannot, that we refrain from distracting the community and particularly the people at Declude. I'd rather see Declude keep pumping the water out of the bilge to the point they can fix the hull, rather than taking the time to hang a new pennant from the mast. Wouldn't you?

Thanks,

Friday, January 27, 2006, 6:05:46 PM, Markus Gufler <[EMAIL PROTECTED]> wrote:
MG> I have no stats or numbers.
MG> Only the fact that AV-Engines have introduced a suspicious category that is
MG> catching more and more new outbreaks. Additionally it seems that the scanning
MG> process is becoming more and more complex. Each variant (we have up to
MG> two-letter versions!) seems to need complete new definitions. Another more
MG> alarming: certain virus-signatures seem to be catching only a part of one single
MG> but polymorphic and encrypted virus variant.
MG> Try to send a vb-script containing one single call of the filesystem-object
MG> even if zipped or with renamed file extension through some av-engines.
MG> DELETEVIRUS ON will delete the entire message and you will have to tell some
MG> fairy story to the customer who calls you because he misses some messages.
MG> Not deleting messages immediately, as many of us do, is one way.
MG> Adding 5 DELETEVIRUSNAME-lines in the global.cfg would be a very simple
MG> possibility to keep the virus folder clean and small. And I repeat: It
MG> should be something very very simple to implement. Anyone who doesn't want
MG> or need it could simply not turn it on.
MG> Regarding the already existing FORGINGVIRUS DNS lookup feature and a
MG> possible enhancement like AUTODELETEKNOWNWORMS.
MG> I wouldn't say that I don't trust declude's FORGINGVIRUS list. But first of
MG> all I really want to know what I categorize FORGING and what not on my
MG> server. Beside the fact that since we don't send out notifications to
MG> customers anymore my personal FORGINGVIRUS list is simply a good way to
MG> filter out 99% of all postmaster notifications, and so a wave of these
MG> notifications is an excellent indicator that something new is around that I
MG> should give a look.
MG> An additional DNS lookup for each held virus in my eyes is not really
MG> useful if the number of forging viruses is so small as it is today. Ok it's
MG> a nice thing for someone who doesn't want to care for his server daily.
MG> Another unclear aspect is how this DNS-based list handles different virus
MG> names. We have seen in the last months that there is no more consistent
MG> naming between AV-Companies. Does Declude maintain and serve forging virus
MG> names for all AV-Engines?
MG> I still consider Declude my swiss army knife for handling SMTP-traffic and
MG> keeping our customer mailboxes usable for the daily work. And even if I know
MG> that some tools in my knife can be dangerous I want to have them when it
MG> will become necessary.
MG> Markus
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
>> Sent: Friday, January 27, 2006 8:24 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
>>
>> There is no perfect Spam or Virus system. There will either
>> be false positives, missed Spam or Viruses or a combination of both.
>> Therefore, if the customer is expecting absolute perfection,
>> then I think the problem is one of a customer with
>> unrealistic expectations.
>>
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Friday, January 27, 2006, 1:12:04 PM, Dan Horne <[EMAIL PROTECTED]> wrote:
DH> [SNIP]
DH> IMO, AVAFTERJM should be changed so that only deleted emails, not held
DH> ones, bypass the AV scan. In other words, all messages should be
DH> first scanned for spam, then the ones that are not DELETED should all be
DH> scanned for viruses. This would close the security risk from re-queued
DH> messages.
DH> [SNIP]
DH> --DH
[SNIP]

I agree. However, as a work-around for now, could we use ROUTETO and a mailbox, but on the 'directory' tab for that user/mailbox, change to specify the Spam hold folder?

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Thanks. We use both hold and delete, but not routeto. I don't mind saving cycles.

I guess that instead of using HOLD we could ROUTETO the Spam Hold folder and mitigate the risk of dropping a virus infected message back into the queue.

Comments about this??

Thanks,

Friday, January 27, 2006, 12:51:41 PM, Darrell ([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote:
Dsic> Don,
Dsic> Messages that are "HOLD" or "DELETE" are not virus scanned. ROUTETO gets
Dsic> virus scanned. In summary you have to look at your situation and if it
Dsic> makes sense for you. We don't do much ROUTETO so it makes sense for us and
Dsic> saves a significant amount of CPU.
Dsic> Darrell
Dsic> ---
Dsic> Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic> mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
Dsic> integration, MRTG Integration, and Log Parsers.
Dsic> Don Brown writes:
>> Your first and second message seem to be contradictory or I'm dense.
>>
>> #1 "The main benefit is that it cuts down on the amount of messages
>> virus scanned thus saving resources."
>>
>> #2 "It still gets virus scanned."
>>
>> So, with or without AVAFTERJM, it looks like each message is scanned by the
>> virus scanner (which makes sense to me). If that is so, then how does it
>> cut down on machine resources?
>>
>> Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote:
>> Dsic> Keith,
>>
>> Dsic> It still gets virus scanned. I have tons of viruses in my virus drop point
>> Dsic> for ROUTETO accounts.
>>
>> Dsic> Darrell
>>
>> Dsic> Keith Johnson writes:
>>
>>>> Darrell,
>>>> What happens in this scenario. Virus file comes in, AVAFTERJM
>>>> is turned on, thus Declude scans it for spam content, lets say it is
>>>> spam, thus ROUTETO sends it to a specific mailbox for customer to review
>>>> for certain amount of days. Does Declude Virus still run against it
>>>> prior to ROUTETO? My fear is that the virus file will land in their
>>>> spam box untouched and the user will fire the virus off by looking at
>>>> file.
>>>>
>>>> Keith
>>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
>>>> ([EMAIL PROTECTED])
>>>> Sent: Friday, January 27, 2006 10:02 AM
>>>> To: Declude.Virus@declude.com
>>>> Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
>>>>
>>>>> How does AVAFTERJM cut down on work? I thought it only affected the
>>>>> order in which JM and AV ran, and that AV ran each time, regardless of
>>>>> this setting.
>>>>
>>>> The main benefit is that it cuts down on the amount of messages virus
>>>> scanned thus saving resources. It has been a MAJOR help for me.
>>>>
>>>> Darrell
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
There is no perfect Spam or Virus system. There will either be false positives, missed Spam or Viruses or a combination of both. Therefore, if the customer is expecting absolute perfection, then I think the problem is one of a customer with unrealistic expectations.

You said, "what happens if tomorrow turns out that scan engines has caught many legit messages as viruses due to a new buggy signature." Well, then you need to HOLD ALL messages tagged as containing a virus, if you are that anal about it and that makes your original point moot. For instance, you've solved nothing if you had "bagal" hard coded to be deleted and that was the buggy one in the signature file. How often does this really happen - does it happen more than 1% of the time? It hasn't shown to be an issue in our case, but I think we'd all be interested in your statistics which show it as a significant exposure to false positives.

You said, "or because a legit message unexpected contains something "suspicious." My previous comment was to hold all of those tagged as suspicious. Do you have good statistics on these, which show a significant false positive rate? I think we'd all be interested in your finding . . .

Thanks,

Friday, January 27, 2006, 10:56:56 AM, Markus Gufler <[EMAIL PROTECTED]> wrote:
>> aren't you out hunting mosquitos with hand grenades?
MG> If the "mosquito" is a very nasty but important customer it's better using
MG> tanks, mg's and whatever you can organize in order to prevent painful
MG> stings...
MG> On a day like today I could turn on DELETEVIRUSES with nearly zero risk in
MG> order to keep the server disk clean. But what happens if tomorrow turns out
MG> that one of the scan engines has caught many legit messages as viruses due
MG> to a new buggy signature or because a legit message unexpected contains
MG> something "suspicious". How do you explain to customers that the messages
MG> are already deleted?
MG> F-Prot's exit code 8 (suspicious files) has caught a lot of new unknown
MG> viruses before signatures were available. So I use this exit code in my
MG> config to hold messages. But suspicious could also be something legit we
MG> don't know at the moment.
MG> As I can understand a feature like DELETEVIRUSNAME wouldn't require more
MG> than 30 lines of code and 3 hours of work and it would eliminate any need
MG> for own scripts on each server. This is not what I consider a hand
MG> grenade...
MG> Markus

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Seems there is some confusion about whether or not AVAFTERJM prevents AV from running. Some say it does and some say it doesn't matter - AV still runs on all messages. So, I guess we first need to have someone from Declude tell us, FOR SURE, which it is. There isn't much in either section 9.1 or elsewhere in the JM manual and I didn't find anything in the AV manual about AVAFTERJM.

So, DECLUDE, does, under any circumstances, AVAFTERJM cause AV not to be run on a message?

In the event that Declude responds that AV is prevented from running under some or all circumstances by using AVAFTERJM, then:

1. It seems to me that if you are holding messages which were not AV scanned and which could later be dropped into the queue for processing, that eventually Murphy will make sure that a virus infected message is released to an end-user.

2. You are putting a bandaid on a gunshot wound or treating the symptom rather than the disease. If you are starved for cycles, plan to scale up or use gateways to separate the processes and reduce the bottleneck.

FWIW

Friday, January 27, 2006, 11:02:32 AM, Markus Gufler <[EMAIL PROTECTED]> wrote:

>> So, with or without AVAFTERJM, it looks like each message is
>> scanned by the virus scanner (which makes sense to me).

MG> Wrong... if you block the messages on the servers: As we know usually >>50% of all incoming messages are spam.

MG> We know too that resource usage of one or two scan-engines is way above the
MG> entire spam filtering even if you use 5-6 external applications like
MG> sniffer, inv-uribl, spamchk, ...

MG> So if your spam filters are set up properly they will filter out at least
MG> 50% of all incoming messages before they will reach the av-engines.

MG> Markus

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Your first and second message seem to be contradictory or I'm dense.

#1 "The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources."

#2 "It still gets virus scanned."

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me). If that is so, then how does it cut down on machine resources?

Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote:

Dsic> Keith,

Dsic> It still gets virus scanned. I have tons of viruses in my virus drop point
Dsic> for ROUTETO accounts.

Dsic> Darrell
Dsic> ---
Dsic> Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic> mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
Dsic> integration, MRTG Integration, and Log Parsers.

Dsic> Keith Johnson writes:

>> Darrell,
>> What happens in this scenario. Virus file comes in, AVAFTERJM
>> is turned on, thus Declude scans it for spam content, lets say it is
>> spam, thus ROUTETO sends it to a specific mailbox for customer to review
>> for certain amount of days. Does Declude Virus still run against it
>> prior to ROUTETO? My fear is that the virus file will land in their
>> spam box untouched and the user will fire the virus off by looking at
>> file.
>>
>> Keith
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
>> ([EMAIL PROTECTED])
>> Sent: Friday, January 27, 2006 10:02 AM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
>>
>>> How does AVAFTERJM cut down on work? I thought it only affected the
>>> order in which JM and AV ran, and that AV ran each time, regardless of
>>> this setting.
>>
>> The main benefit is that it cuts down on the amount of messages virus
>> scanned thus saving resources. It has been a MAJOR help for me.
>>
>> Darrell
>> ---
>> Check out http://www.invariantsystems.com for utilities for Declude,
>> Imail,
>> mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
>> integration, MRTG Integration, and Log Parsers.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
As a practical matter, about what percent fall into the category of the Virus Scanner making a false positive? IOW, aren't you out hunting mosquitos with hand grenades?

Friday, January 27, 2006, 8:58:25 AM, Markus Gufler <[EMAIL PROTECTED]> wrote:

>> Instead of doing something like that, which will require
>> on-going, hands-on maint, why not just tag to hold those
>> which are identified by the scanner as suspicious or generic
>> and delete the rest?

MG> This is another possible solution but my intention is to clean my server
MG> from messages containing certain viruses. Thus are the well known top viri
MG> like Sober, Netsky and Co.

MG> Deleting them immediately there will remain only a little crowd of viruses
MG> and suspicious files. Whatever will happen in the future I have them on my
MG> server and can keep it there also for one or two weeks in the case it turns
MG> out that some user is missing a legit message. In this case I can find the
MG> message in my virus-folder on the server and requeue it even if it was
MG> "false positive"-identified by some scanner as a fifteen year old
MG> "tequila"-Virus.

MG> Andrews idea to parse the virus logfile instead of the content from each
MG> virus-message is definitively an excellent idea. However there is a
MG> simpler and more efficient possibility if we could delete infected messages by
MG> the virus name.

MG> Markus

>> Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler
>> <[EMAIL PROTECTED]> wrote:
>>
>> MG> Maybe someone has already requested it:
>>
>> MG> Why not allow commands like
>>
>> MG> DELETEVIRUSNAME Netsky
>> MG> DELETEVIRUSNAME Bagle
>> MG> ...
>>
>> MG> in the virus.cfg file?
>>
>> MG> I won't and can't delete all viruses on our server
>> because there is
>> MG> always the possibility that a scanner is catching something as
>> MG> "suspicious" or "generic"
>>
>> MG> But commands to delete certain virusnames should be very easy to
>> MG> implement and allow us to eliminate > 95% of all hold
>> viruses on our servers.
>>
>> MG> Markus
>>
>> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
>> [EMAIL PROTECTED] http://www.inetconcepts.net
>> (972) 788-2364 Fax: (972) 788-5049

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew <[EMAIL PROTECTED]> wrote:

CA> [SNIP]
CA> Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
CA> to cut down on the work, and this definitely leaves a gap in my
CA> statistics. Similarly, it follows that I wouldn't want to scan my whole
CA> SPAM folder. Even reading the directory of the filenames is a disk
CA> workout.
[SNIP]

How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Instead of doing something like that, which will require on-going, hands-on maint, why not just tag to hold those which are identified by the scanner as suspicious or generic and delete the rest?

Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler <[EMAIL PROTECTED]> wrote:

MG> Maybe someone has already requested it:

MG> Why not allow commands like

MG> DELETEVIRUSNAME Netsky
MG> DELETEVIRUSNAME Bagle
MG> ...

MG> in the virus.cfg file?

MG> I won't and can't delete all viruses on our server because there is always
MG> the possibility that a scanner is catching something as "suspicious" or
MG> "generic"

MG> But commands to delete certain virusnames should be very easy to implement
MG> and allow us to eliminate > 95% of all hold viruses on our servers.

MG> Markus

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
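The two quarantine policies argued in this thread, side by side, as an added example that is not part of any list message and not Declude code. DELETEVIRUSNAME is only a requested feature here; the detection records, virus-name strings and queue IDs below are constructed, and exit codes 3, 6 and 8 are used the way the posters' configs and replies describe them.

```python
"""Added example: compare 'delete named families' with 'hold heuristic hits'."""
from dataclasses import dataclass

# Exit code the thread says F-Prot returns for "suspicious files".
SUSPICIOUS_EXIT_CODE = 8
# Assumption: a heuristic hit carries one of these words in the reported name.
HEURISTIC_MARKERS = ("suspicious", "generic")
# Families an operator might list, as in "DELETEVIRUSNAME Netsky".
DELETE_FAMILIES = ("netsky", "bagle", "sober")


@dataclass(frozen=True)
class Detection:
    queue_id: str    # spool name of the held message (constructed below)
    exit_code: int   # scanner exit code
    virus_name: str  # name parsed from the scanner report, "" if none


def is_heuristic(det):
    """True when the scanner could not name a known virus with confidence."""
    name = det.virus_name.strip().lower()
    if det.exit_code == SUSPICIOUS_EXIT_CODE or not name:
        return True
    return any(marker in name for marker in HEURISTIC_MARKERS)


def policy_delete_named(det, families=DELETE_FAMILIES):
    """Delete only listed families; hold everything else (fail-safe default)."""
    if is_heuristic(det):
        # Checked first so that a name like "Generic.Netsky" is never deleted.
        return "hold"
    name = det.virus_name.lower()
    return "delete" if any(fam in name for fam in families) else "hold"


def policy_hold_heuristic(det):
    """Hold suspicious/generic hits; delete every other detection."""
    return "hold" if is_heuristic(det) else "delete"


def compare(detections):
    """Rows of (queue_id, name, delete-named verdict, hold-heuristic verdict)."""
    return [(d.queue_id, d.virus_name or "(none)",
             policy_delete_named(d), policy_hold_heuristic(d))
            for d in detections]


def disagreements(detections):
    """Queue IDs on which the two policies reach different verdicts."""
    return [qid for qid, _, named, heur in compare(detections) if named != heur]


def deleted_share(detections, policy):
    """Fraction of detections the given policy would delete outright."""
    if not detections:
        return 0.0
    return sum(policy(d) == "delete" for d in detections) / len(detections)


# Constructed sample: names and queue IDs are illustrative only.
SAMPLE = [
    Detection("Q0000000000000001", 3, "W32/Netsky.P@mm"),
    Detection("Q0000000000000002", 3, "W32/Bagle.AA@mm"),
    Detection("Q0000000000000003", 6, "W32/Sober.X@mm"),
    Detection("Q0000000000000004", 3, "Tequila"),         # old-signature hit
    Detection("Q0000000000000005", 8, ""),                # exit code 8, no name
    Detection("Q0000000000000006", 3, "Generic.Netsky"),  # heuristic wins
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print("%-18s %-18s named=%-6s heuristic=%s" % row)
    print("policies differ on:", disagreements(SAMPLE))
```

The policies differ only on detections that carry a specific name outside the delete list, which is the "tequila" false-positive case raised in the thread: one policy keeps that message recoverable, the other has already removed it.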
Re: [Declude.Virus] Virus Config Update
Wednesday, November 23, 2005, 2:55:34 PM, David Barker <[EMAIL PROTECTED]> wrote:

Snip

DB> The complete SCANFILE config would be something like this:

DB> SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC

Is it avgscan.exe or avg.exe in the above for the 32 bit scanner?

Snip

DB> David B
DB> www.declude.com

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thanks.

Friday, August 12, 2005, 9:47:16 AM, Matt <[EMAIL PROTECTED]> wrote:

M> Here's what I turned off:

M> ALLOWVULNERABILITYOLCR
M> ALLOWVULNERABILITYOLSPACEGAP
M> ALLOWVULNERABILITYOLMIMESEGMIMEPRE
M> ALLOWVULNERABILITYOLMIMESEGMIMEPOST
M> ALLOWVULNERABILITYOLLONGFILENAME
M> ALLOWVULNERABILITYOLBLANKFOLDING
M> ALLOWVULNERABILITYOBJECTDATA
M> ALLOWVULNERABILITYOLBOUNDARYSPACEGAP

M> This only works with 2.0.6.14+. There are more that are listed when you
M> log into your account on declude.com and go to the page for 2.0.6.16.
M> All of the above were producing repeated false positives from multiple
M> sources, and ones like OLCR were especially problematic.

M> Matt

M> Don Brown wrote:

>>Thursday, August 11, 2005, 10:50:32 PM, Matt <[EMAIL PROTECTED]> wrote:
>>M> David,
>>
>>M> With 2.0.6.16, which is available from the Declude site, you can turn
>>M> off the Outlook CR Vulnerability. I have turned off all but a couple of
>>M> these because of numerous false positive issues.
>>
>>Which ones have you turned off and what is the syntax to use?
>>
>>Don Brown - Dallas, Texas USA Internet Concepts, Inc.
>>[EMAIL PROTECTED] http://www.inetconcepts.net
>>(972) 788-2364 Fax: (972) 788-5049

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
Thursday, August 11, 2005, 10:50:32 PM, Matt <[EMAIL PROTECTED]> wrote:

M> David,

M> With 2.0.6.16, which is available from the Declude site, you can turn
M> off the Outlook CR Vulnerability. I have turned off all but a couple of
M> these because of numerous false positive issues.

Which ones have you turned off and what is the syntax to use?

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Update
Wednesday, May 25, 2005, 3:42:59 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

[SNIP]

BD> Customer Information
BD> We have migrated a large portion of our customer accounts from the older
BD> system. The majority of customers can now view their Host information at the
BD> foot of the 'My Account' page on www.declude.com. Please review it and let
BD> us know of any discrepancies, missing hosts, wrong names, etc.

BD> Barry

Merchant Card Service is listed on our account, but they should have their own account. We sold the initial product to them, but we will not be involved in maintenance.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Declude and Linux?
Both have merit and there is a place for both, AFAIC. They don't have to agree or even like each other, as long as each product just works :-)

Wednesday, March 30, 2005, 4:05:48 PM, Dan Horne <[EMAIL PROTECTED]> wrote:

DH> I'd definitely like to see Declude plug into postfix. But then wouldn't
DH> that be kind of like Len and Scott holding hands? <~Shudder~>

DH> -Original Message-
DH> From: [EMAIL PROTECTED]
DH> [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
DH> Sent: Wednesday, March 30, 2005 4:52 PM
DH> To: Declude.Virus@declude.com
DH> Subject: Re: [Declude.Virus] Declude and Linux?

DH> That is definitely in the stack of cards, Jeff. But we cannot yet
DH> project a release date. We will, however, keep you informed as we get
DH> closer to formulating that project. We would be interested in hearing
DH> any input you would care to provide, such as: your Linux platform, the
DH> mail server(s) you would like to see targeted, etc.

DH> David Franco-Rocha

DH> - Original Message -
DH> From: "Jeff Kratka" <[EMAIL PROTECTED]>
DH> To:
DH> Sent: Wednesday, March 30, 2005 4:29 PM
DH> Subject: [Declude.Virus] Declude and Linux?

>> Will there be a version of Declude for Linux?
>>
>> Jeff Kratka
>>
>> TymeWyse Internet
>> P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
>> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
[Declude.Virus] F-Prot 3.15b break Declude Virus?
I read the thread about this, but I didn't determine the final conclusion.

Does F-Prot 3.15b break Declude virus?

----
Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address
Get a command prompt and type "ipconfig" (without the quotes) and a carriage return.

To get a command prompt, Select Start/Run and type "CMD" (without the quotes) in the box and click the "ok" button.

If you need to change the IP address, then Select Start/Settings/Network Connections. Select something other than "make a new network connection." Next, click "properties," choose "Internet Protocol (TCP/IP)" and click "Properties." You should be able to find your way around from there.

HTH

Thanks,

Sunday, May 23, 2004, 12:05:12 PM, Jeff Pereira <[EMAIL PROTECTED]> wrote:

JP> Windows..sorry I left that out.
JP>
JP> jeff

JP> - Original Message -
JP> From: Rich
JP> To: [EMAIL PROTECTED]
JP> Sent: Sunday, May 23, 2004 11:57 AM
JP> Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

JP> What OS?

JP> - Original Message -
JP> From: Jeff Pereira
JP> To: [EMAIL PROTECTED]
JP> Sent: Sunday, May 23, 2004 8:22 AM
JP> Subject: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

JP> Sorry for the OT post, but I am in need of help.
JP>
JP> I have a piece of equipment that I inherited that was
JP> assigned a fixed IP address, but I do not know what it is.
JP>
JP> I am pretty sure that there is a way to determine the IP
JP> by way of the MAC address, but I am unable to figure out how.
JP>
JP> Any help will be appreciated.
JP>
JP> jeff

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Log error with latest interim release
You might want to use the 32b version of the scanner, as well.

# F-PROT - 1st scanner
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1 Infection:

Thursday, March 18, 2004, 9:57:41 AM, R. Scott Perry <[EMAIL PROTECTED]> wrote:

>>We have been running the latest interims for a couple of weeks (since
>>the EZIP stuff came out). We are seeing the following error in the
>>virus logs:
>>
>>03/18/2004 07:25:33 Qa32252df006a099c Could not find parse string Infection: in report.txt
>>03/18/2004 07:25:33 Qa32252df006a099c Error 8 in virus scanner 1.
>>03/18/2004 07:25:33 Qa32252df006a099c Scanned: Error in virus scanner. [MIME: 3 23481]

RSP> That is normal. The "Error 8" indicates that F-Prot detected a suspicious
RSP> file, in which case it will not know the name of the virus (since it didn't
RSP> detect one).

>>We have f-prot 3.14e and Declude v1.78i27. Running on Imail 7.15. Here
>>is the Scan line from the virus.cfg:
>>
>>SCANFILE C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM
>>/ARCHIVE /NOFLOPPY /NOBOOT /DUMB /SERVER /REPORT=report.txt

RSP> The "/SERVER" is not recommended, and will cause the "Error 8"'s.

RSP> -Scott
RSP> ---
RSP> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
RSP> since 2000.
RSP> Declude Virus: Ultra reliable virus detection and the leader in mailserver
RSP> vulnerability detection.
RSP> Find out what you've been missing: Ask for a free 30-day evaluation.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: CBL:RE: [Declude.Virus] SKIPIFFORGING Question
The release notes tend to indicate it is On by default. Scott?

Thursday, March 4, 2004, 8:09:08 AM, Paul Ingram <[EMAIL PROTECTED]> wrote:

PI> Hello,

PI> Wednesday, March 3, 2004, 11:54:36 PM, you wrote:

>>> Do I need to do something on my end to hit this DB??

>> Run recent version of declude
>> and set AUTOFORGE ON in virus.cfg

PI> Ok that was easy. Thanks.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.Virus] Mime Segments
Over the last few days, the majority (about 98%) of entries in our Virus log look like this:

11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse

Could it be true that 98%+ of our inbound traffic has too many mime levels?

We're running Declude PRO 1.76i9, F-Prot 3.14b under W2k3 Server, web edition.

Any ideas?

Thanks,

----
Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
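A per-message tally of the virus log, as an added example that is not part of the original post and not a Declude tool. It parses the line layout quoted on this list (date, time, queue ID, text) and counts distinct queue IDs per event type, because the three lines quoted above all carry the same queue ID. The Q0000000000000001 entry and the malformed line are constructed, and reading exit code 8 as "suspicious file" follows the explanation given on the list for F-Prot.

```python
"""Added example: count virus-log events per message, not per line."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
MIME_RE = re.compile(r"^(\d+) is too many MIME levels to recurse$")
ERROR_RE = re.compile(r"^Error (\d+) in virus scanner (\d+)\.$")
SUSPICIOUS_EXIT_CODE = 8  # per the list: F-Prot "suspicious file"


def parse_line(line):
    """Return (timestamp, queue_id, text), or None for a malformed line."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group(1), "%m/%d/%Y %H:%M:%S")
    except ValueError:  # digits in place but not a real date or time
        return None
    return stamp, match.group(2), match.group(3)


def classify(text):
    """Map the free-text part of a log line to an event category."""
    if MIME_RE.match(text):
        return "mime_depth"
    error = ERROR_RE.match(text)
    if error:
        code = int(error.group(1))
        return "suspicious" if code == SUSPICIOUS_EXIT_CODE else "scanner_error"
    return "other"


def summarise(lines):
    """Count log lines and distinct messages (queue IDs) per category."""
    line_counts = Counter()
    ids_by_category = defaultdict(set)
    all_ids = set()
    skipped = 0
    for raw in lines:
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            skipped += 1
            continue
        _, queue_id, text = parsed
        category = classify(text)
        line_counts[category] += 1
        ids_by_category[category].add(queue_id)
        all_ids.add(queue_id)
    return {
        "lines": dict(line_counts),
        "messages": {cat: len(ids) for cat, ids in ids_by_category.items()},
        "total_lines": sum(line_counts.values()),
        "total_messages": len(all_ids),
        "skipped": skipped,
    }


def line_share(summary, category):
    """Share of parsed log lines that fall in the category."""
    total = summary["total_lines"]
    return summary["lines"].get(category, 0) / total if total else 0.0


def message_share(summary, category):
    """Share of distinct messages that logged the category at least once."""
    total = summary["total_messages"]
    return summary["messages"].get(category, 0) / total if total else 0.0


# First six lines are quoted on this page; the last two are constructed.
SAMPLE_LOG = """
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
11/18/2003 04:10:10 Qeff80ed6013007fe 50 is too many MIME levels to recurse
03/18/2004 07:25:33 Qa32252df006a099c Could not find parse string Infection: in report.txt
03/18/2004 07:25:33 Qa32252df006a099c Error 8 in virus scanner 1.
03/18/2004 07:25:33 Qa32252df006a099c Scanned: Error in virus scanner. [MIME: 3 23481]
03/18/2004 07:25:40 Q0000000000000001 Error 8 in virus scanner 1.
this line was cut off 03/18/2004
"""

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG.splitlines())
    print(result)
    print("MIME depth: %.0f%% of lines, %.0f%% of messages" % (
        100 * line_share(result, "mime_depth"),
        100 * message_share(result, "mime_depth")))
```

A message that logs the same event several times inflates a per-line percentage, so the per-message share is the figure to compare against inbound traffic.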
[Declude.Virus] Manifest
Hi Scott,

I like the idea of an e-mail notification when a dangerous attachment is quarantined and when a virus is killed. They remind the customers of the services we are providing them.

However, these notifications became a significant impact during the recent outbreak and now, I'm wondering about the possibility of incorporating a daily manifest, as an option.

Do you think that a manifest option is a possibility for the future?

Thanks,

----
Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] MacAfee kosher or not?
What if the mailbox is not on your system -- i.e. you are just acting as a conduit and forwarding elsewhere?

Tuesday, August 20, 2002, 2:57:30 PM, John Tolmachoff <[EMAIL PROTECTED]> wrote:

>>Although it could very easily be argued that the "per mailbox" licensing
>>scheme, if McAfee's license indeed requires it, would apply to *all*
>>mailboxes on the Internet, requiring an unlimited number of licenses.

JT> :)

JT> OK, OK, I should have clarified

JT> Per Mailbox being provided direct benefit.

JT> So, even though you scan an outgoing e-mail, the direct benefactor is
JT> the sender and the indirect benefactor is the receiver. (Although, yes,
JT> an argument could be made to the contrary, but the point has been stated.) :-)>>

JT> John Tolmachoff
JT> IT Manager, Network Engineer
JT> RelianceSoft, Inc.
JT> Fullerton, CA 92835
JT> www.reliancesoft.com

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] korea.services.net blacklist
What a great idea! Spam routing works great, too.

Tuesday, August 13, 2002, 8:31:26 PM, R. Scott Perry <[EMAIL PROTECTED]> wrote:

>>I think I'm OT here .. but I don't think I'm subscribed to the Junkmail
>>list. Is there a separate one?

RSP> Yes -- you can send an E-mail to [EMAIL PROTECTED] with "subscribe
RSP> declude.junkmail your name" in the body to subscribe.

>>Either way, is anyone using korea.services.net for an RBL? By the sounds
>>of it, it's pretty much every ARIN block registered in korea. It might be
>>alright for a weighted rule .. any success or deny stories to tell?

RSP> FWIW, we're working on an automatic IP->country lookup in Declude JunkMail
RSP> that would allow for weighting based on countries the E-mail passed through.

RSP> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] OT Mail server crashes
Yes. Increase the size of the swap file.

Tuesday, June 25, 2002, 3:21:11 PM, Craig Gittens <[EMAIL PROTECTED]> wrote:

CG> The drive is functioning well. 2 512MB sticks of ECC PC100.
CG> Page file is set at 1.2GB...I know it should be ~2.3GB. I wonder if that
CG> would help. Let me try that. SP2 failed to load today so I redownloaded it
CG> and am going to try again after that last recovery.
CG> *sigh*
CG> Craig.

CG> -Original Message-
CG> From: [EMAIL PROTECTED]
CG> [mailto:[EMAIL PROTECTED]]On Behalf Of John Tolmachoff
CG> Sent: Tuesday, June 25, 2002 2:22 PM
CG> To: [EMAIL PROTECTED]
CG> Subject: RE: [Declude.Virus] OT Mail server crashes

CG> How is your page file set?
CG> You put in 1GB of memory. 1 1GB stick, or 2 512 sticks or 4 256 sticks?
CG> ECC or non ECC?
CG> How is the 70 GB drive functioning?
CG> Did you disable the Intel Pro NIC?

CG> John Tolmachoff
CG> IT Manager, Network Engineer
CG> RelianceSoft, Inc.
CG> Fullerton, CA 92835
CG> www.reliancesoft.com

CG> -Original Message-
CG> From: [EMAIL PROTECTED]
CG> [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Gittens
CG> Sent: Tuesday, June 25, 2002 11:10 AM
CG> To: [EMAIL PROTECTED]
CG> Subject: [Declude.Virus] OT Mail server crashes

CG> I have recently upgraded the memory in my mail server to 1GB since I wore
CG> out the old set(no kidding) and put in a new 70GB drive for storage and a
CG> 3Com NIC to replace the built in Intel Pro.

CG> After all of this, the mail server started crashing with resource issues. It
CG> would just lockup and refuse to restart. The other day it even put itself
CG> into standby mode and there are no power settings to do this.

CG> I run Declude Virus/JunkMail and McAfee Virus Shield. (Real time scanner off)

CG> Funny thing is just now I caught it before it crashed and I found between
CG> 12-15 Declude.exe processes running and only 2 SMTP32.exe processes. This
CG> continued for a while fluctuating between 5 and 15 Declude processes. I
CG> couldn't map its drive. I couldn't paste clipboard data. About the only
CG> thing I could do was open task manager.

CG> Physical Mem:
CG> Mem 1048044
CG> Available ~15
CG> System 810716

CG> Yet the mem usage graph was saying : 399000

CG> Error message :
CG> There is not enough memory or resources to complete operation. Close some
CG> programs and then try again.

CG> During these periods lots of virii get through. The crashes seem to happen
CG> 2-3 days apart. Anyone have a clue?

CG> I found this about Win95/8 etc
CG> http://support.microsoft.com/default.aspx?scid=KB;EN-US;q253912 but nothing
CG> about Win2K server.

CG> Craig.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.Virus] DELIVERERRORS
Scott,

Does "DELIVERERRORS" apply to incoming mail, outgoing mail or both incoming and outgoing? Does this variable have any impact upon a scanner time-out?

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.Virus] Problem with FreeMail
Why did these get a Freemail weight of 4?

01/30/2002 15:24:40 Q6475032 BADHEADERS:4 SPAMHEADERS:4 nFREEMAIL:4 . Total weight = 12
01/30/2002 15:24:40 Q6475032 Msg failed WEIGHT10 (Weight of 12 exceeds the limit of 10.).
01/30/2002 15:24:40 Q6475032 Subject: omain Transfer Request for xxx
01/30/2002 15:24:40 Q6475032 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
01/30/2002 15:24:40 Q6475032 Message FAILED: Deleting message!
01/30/2002 15:24:41 Q6475148 BADHEADERS:4 SPAMHEADERS:4 nFREEMAIL:4 . Total weight = 12
01/30/2002 15:24:41 Q6475148 Msg failed WEIGHT10 (Weight of 12 exceeds the limit of 10.).
01/30/2002 15:24:41 Q6475148 Subject: omain Transfer Request for xxx
01/30/2002 15:24:41 Q6475148 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
01/30/2002 15:24:41 Q6475148 Message FAILED: Deleting message!

Global Config:
FREEMAIL fromfile x:\imail\declude\freemail.lst x x 4 0

FreeMail.lst:
@yahoo.com
@hotmail.com
@excite.com

Running Version 1.35

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
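An added example, not part of the original post and not Declude's own code: a small Python parser for the log lines quoted above that checks whether the per-test weights add up to the logged total and lists the tests without which the message would have stayed within the limit. The regular expressions assume the log layout shown in the post, and the function names are hypothetical.

```python
import re

# Log lines copied from the post above (addresses were already redacted by the archive).
SAMPLE_LOG = """\
01/30/2002 15:24:40 Q6475032 BADHEADERS:4 SPAMHEADERS:4 nFREEMAIL:4 . Total weight = 12
01/30/2002 15:24:40 Q6475032 Msg failed WEIGHT10 (Weight of 12 exceeds the limit of 10.).
01/30/2002 15:24:40 Q6475032 Subject: omain Transfer Request for xxx
01/30/2002 15:24:40 Q6475032 Message FAILED: Deleting message!
01/30/2002 15:24:41 Q6475148 BADHEADERS:4 SPAMHEADERS:4 nFREEMAIL:4 . Total weight = 12
01/30/2002 15:24:41 Q6475148 Msg failed WEIGHT10 (Weight of 12 exceeds the limit of 10.).
"""

# Assumed record layout: date, time, queue id, free-form remainder.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
TEST_RE = re.compile(r"(\S+):(-?\d+)")
TOTAL_RE = re.compile(r"Total weight = (-?\d+)")
FAIL_RE = re.compile(
    r"Msg failed (\S+) \(Weight of (-?\d+) exceeds the limit of (-?\d+)\.\)"
)


def parse_log(text):
    """Group weight and failure records by queue id."""
    messages = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped log record
        qid, rest = m.group(3), m.group(4)
        entry = messages.setdefault(
            qid, {"tests": {}, "total": None, "failed": None}
        )
        total = TOTAL_RE.search(rest)
        if total:
            entry["total"] = int(total.group(1))
            # Everything before "Total weight" is a list of TEST:weight tokens.
            for token in rest[: total.start()].split():
                t = TEST_RE.fullmatch(token)
                if t:
                    entry["tests"][t.group(1)] = int(t.group(2))
            continue
        failed = FAIL_RE.search(rest)
        if failed:
            entry["failed"] = (
                failed.group(1),
                int(failed.group(2)),
                int(failed.group(3)),
            )
    return messages


def audit(messages):
    """For each message, check the arithmetic and find the decisive tests.

    A test is 'decisive' when the message failed and removing that one
    test's weight would leave the total at or below the limit.
    """
    report = {}
    for qid, entry in messages.items():
        tests, total = entry["tests"], entry["total"]
        result = {
            "sum_matches_total": total is not None
            and sum(tests.values()) == total,
            "decisive": [],
        }
        if entry["failed"] and total is not None:
            _action, _weight, limit = entry["failed"]
            result["decisive"] = [
                name
                for name, w in tests.items()
                if w > 0 and total - w <= limit
            ]
        report[qid] = result
    return report


if __name__ == "__main__":
    for qid, result in audit(parse_log(SAMPLE_LOG)).items():
        print(qid, result)
```

On the quoted lines every one of the three tests is decisive: with the limit at 10, any two of them give 8 and the message would not have failed WEIGHT10.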
Re: MISSING_REVERSE_DNS:Re: [Declude.Virus] Kudos from Customers!!
No. That is not what it means. We notify the intended recipient (and include the headers) whenever we catch a virus or quarantine an e-mail and attachment. Both the email and the attachment are quarantined.

Wednesday, January 30, 2002, 1:38:26 PM, gf <[EMAIL PROTECTED]> wrote:

g> Do you mean that it is possible to quarantine just the attachments and let
g> the message be delivered?
g> If yes how can I apply this function?
g> Thank you
g> Giuseppe

g> - Original Message -
g> From: "Don Brown" <[EMAIL PROTECTED]>
g> To: <[EMAIL PROTECTED]>
g> Sent: Wednesday, January 30, 2002 8:14 PM
g> Subject: [Declude.Virus] Kudos from Customers!!

>> I just thought I would share this with the group. It is little things
>> like this that can really make my day.
>>
>> Below is one, of many, unsolicited kudos from customers, which is a
>> direct result of running Declude.
>>
>> This one is particular to quarantining attachments, which helped us
>> block the new "party" virus until the virus companies had identified
>> it and incorporated its signature into the definition file.
>>
>> " Not 2 or 3 hours ago Mark and I talked about how we appreciated the service
>> you provide in helping guard against viruses. You do what you think is
>> best. Thanks again "
>>
>> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
>> [EMAIL PROTECTED] http://www.inetconcepts.net
>> PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
>> Providing Internet Solutions Worldwide - An eDataWeb Affiliate

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] Upcoming Declude Virus product line changes
Scott,

What is the cost of the service agreement and does it cover both Junkmail & Virus?

At 02:00 PM 1/4/02 -0500, you wrote:
>I wanted to give people some advance notice that there will likely be some
>changes to the Declude Virus product line coming up within the next month
>or so.
>
>Although everything is tentative right now, we are expecting to switch
>from the current two versions ("Standard" and "Pro") to three versions
>(likely named "Lite", "Standard", and "Pro"). The Lite version will be
>very similar to the current Standard version, and we expect will be priced
>the same as the current Standard version ($495). The new Standard version
>will have most of the features of the Pro version, and we expect will be
>priced the same as the current Pro version ($795). The new Pro version
>(expected to be $1,295) will have everything that is currently in the Pro
>version, plus a new unique feature that will help provide protection
>against new viruses before virus definitions are available (without having
>to block files based on their extension).
>
>So what does this mean for existing customers? If you purchased Declude
>Virus Standard within the past year (or have a current Service Agreement),
>you will be able to upgrade to the new Standard version at no charge
>(which will have some of the features that are currently only available in
>the Pro version). If you purchased Declude Virus Pro within the past year
>(or purchased it earlier, and have a current Service Agreement), you can
>upgrade to the new Pro version at no charge. Of course, no matter which
>version you currently run, you will not lose any features.
>
>For people who do not yet have Declude Virus, we will still offer an
>inexpensive version that offers the basic protection that is expected of
>an SMTP-based virus scanner (scanning all incoming and outgoing SMTP
>E-mail, sending notifications when viruses are found), without some of the
>frills.
>
>The only real drawback for current customers is that if you currently have
>the Standard version, the cost to upgrade to the Pro version (the
>difference in price between the two products) will increase. So if you
>have the Standard version and were thinking about upgrading to the Pro
>version, you may want to do it before the change takes place. However, it
>is also possible that you will gain the feature(s) you need with the new
>Standard version, so the upgrade may not be necessary.
> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] Declude v1.30 released (beta) Delete Virus
Yes. "DELETEVIRUSES ON" is in the config file.

Well, I was wrong. It is e-mail with banned attachments which is being quarantined. Can you add a similar config option to delete them, as well?

At 09:33 PM 12/20/01 -0500, you wrote:
>>It looks like 1.30 broke the Delete Virus option. The virus files are
>>going to the virus directory, instead of being deleted.
>
>It's working here. Do you have a line:
>
> DELETEVIRUSES ON
>
>in the \IMail\Declude\virus.cfg file?
>
>If you don't have that line, you can use the Declude debug mode to help
>track down the problem. To do this, change the "LOGLEVEL LOW" line in the
>virus.cfg file to "LOGLEVEL DEBUG". Then, send the test eicar.com file
>through, and then switch back to "LOGLEVEL LOW". You can then send me the
>\IMail\Declude\vir.log file, and I can take a look at it to see what
>the problem is.
> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.Virus] TempDir
Scott,

What is the advantage, if any, of specifying a Temporary directory for AV to scan files? They are scanned in the spool directory by default, aren't they?

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] BANnotify
At 11:18 AM 12/10/01 -0500, you wrote:
>>Question I am trying to setup the BANEXT and everything works except for
>>1. The BANnotify email does not include the original message.
>
>That's a known issue -- the %FULLMSG% variable will not work with Declude
>Virus, to ensure that if there is a virus, it is not re-transmitted. You
>can use the %HEADERS% variable for now. We are planning on adding a new
>variable that will display the text segment of the E-mail.
>
>>2. I would like to Bcc myself as postmaster to know when someone receives a
>>banned email and send one to the sender. Can this be done?
>
>No, that can not be done; only one E-mail notification can go out
>(although you can choose who it goes to).
>-Scott

Can you put more than one recipient separated by a comma, on the "to" line?

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
RE: [Declude.Virus] Imail/declude log parser...
At 05:15 PM 12/6/01 -0500, you wrote:
>Put this usage.cmd in c:\tools (or modify paths in the script to match where
>you put it)

The batch file is failing here because the day is 09 instead of a decimal 9. It complains it is not dec, hex or octal. How do I fix this? Running Windows 2000 server.

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.Virus] BANnotify.EML
Does BANnotify.EML get sent to the intended recipients or to the sender?

The example of BANnotify.EML doesn't show a from or to address. Are these addresses configurable, like with the other templates?

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] Beta testers wanted for program to confirm mailing list subscribes
Sure. We've got a couple of clients with lists, which we can use for Beta testing.

At 03:48 PM 6/9/01 -0400, you wrote:
>Computerized Horizons is getting ready to release a new program, Declude
>Confirm, which will automatically take care of confirmations for mailing
>lists. It's very easy to use (if you already have Declude installed, you
>just need to copy in one or two files, and you're done; that's it!). To
>see it in action, you can send an E-mail to "[EMAIL PROTECTED]" with
>"subscribe testlist firstname lastname" in the body. Instead of
>automatically getting subscribed, you'll get a confirmation request back
>that you must reply to, at which point your subscription will be
>processed. This way, Internet lowlifes can't subscribe people to your
>mailing lists without your permission.
>
>If you would like to help beta-test it (we're expecting a short beta
>cycle), please let me know.
> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] Missing Open Relays - 1.16b
Yes. I have checked some of them and the log says o.k.

At 10:31 AM 3/28/01 -0500, you wrote:
>>I have been noticing Declude miss some SPAM that is listed on
>>inputs.orbs, which we are checking. We report SPAM via SPAM COP and it
>>also checks MAPS RSS and Inputs.orb, ie.
>>
>>show] "nslookup 112.40.165.141.inputs.orbs.org." (checking ip) ip = 127.0.0.2
>>blocked by ORBS
>>
>>Is this an issue with Declude or something unrelated?
>
>I'm not aware of any such issues. Have you checked the Declude log for
>that E-mail, to see if it said "Message OK" or if there were any warnings
>in there?
> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.Virus] Missing Open Relays - 1.16b
Scott,

I have been noticing Declude miss some SPAM that is listed on inputs.orbs, which we are checking. We report SPAM via SPAM COP and it also checks MAPS RSS and Inputs.orb, ie.

show] "nslookup 112.40.165.141.inputs.orbs.org." (checking ip) ip = 127.0.0.2
blocked by ORBS

Is this an issue with Declude or something unrelated?

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.Virus] %Virusname%
At 10:09 AM 3/22/01 -0500, you wrote:
>>At 10:00 PM 3/21/01 -0500, you wrote:
>>>>1.16b - returns nothing in %VIRUSNAME% and %VIRUSFILE%
>>>
>>>That, too, is not good. Is anyone else seeing this?
>>
>>Yes. Mine are also blank - never reported in the notification
>>letters. I am running 1.16, I think.
>
>Have you gotten them before? I'm looking for cases where it was working
>before, but not working on 1.16b. The report parsing is pretty tricky,
>and relies on the AV program to be very well behaved, so getting it to
>work initially may not be easy.

When this feature was initially released, it worked fine. It stopped working along the way, but well before 1.16b. I'm running McAfee on a W2K server.

Thanks,

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.Virus] %Virusname% and Notification Letters
At 10:00 PM 3/21/01 -0500, you wrote:
>>1.16b - returns nothing in %VIRUSNAME% and %VIRUSFILE%
>
>That, too, is not good. Is anyone else seeing this?

Yes. Mine are also blank - never reported in the notification letters. I am running 1.16, I think.

Also, it appears that letters are still being sent when there is no "received from" info, as in the case of the Snow White Virus. There are several files in my spool queue, ie. D.sm1 and D.sm3 - both of which have no companion Qxxx.xxx file.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: DUL: Re: [Declude.Virus] v1.15 Released
So, in the case of Imail with a real mail server (MX10 name) and a virtual server:

1) the new variables of senderhost and reciphost will reflect the real mail server; and,
2) the existing variables of localhost and remotehost will reflect the virtual server.

Correct?

At 10:59 AM 3/15/01 -0500, you wrote:
>>What is the difference between %REMOTEHOST% vs %SENDERHOST% and between
>>%RECIPHOST% vs %LOCALHOST%
>
>%LOCALHOST% and %REMOTEHOST% are a local domain on your IMail server, and
>a remote domain. These come from the To/From addresses, and could be
>either from the sender or recipient. They determine which domain of yours
>was used, and what the remote domain was (regardless of whether the E-mail
>is going to the remote domain or coming from it).
>
>The %SENDERHOST% and %RECIPHOST% variables are the domain that the sender
>of the E-mail is from, and the domain the recipient is from.
>
>As an example, if I send an E-mail from "[EMAIL PROTECTED]" to
>"[EMAIL PROTECTED]" ("declude.com" being a local domain here),
>you would have:
>
>%LOCALHOST% = declude.com
>%REMOTEHOST% = list.ipswitch.com
>%SENDERHOST% = declude.com
>%RECIPHOST% = list.ipswitch.com
>
>On the other hand, if "[EMAIL PROTECTED]" sends an E-mail to
>"[EMAIL PROTECTED]", you would see:
>
>%LOCALHOST% = declude.com
>%REMOTEHOST% = list.ipswitch.com
>%SENDERHOST% = list.ipswitch.com
>%RECIPHOST% = declude.com
> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: DUL: [Declude.Virus] v1.15 Released
Scott,

What is the difference between %REMOTEHOST% vs %SENDERHOST% and between %RECIPHOST% vs %LOCALHOST%

Thanks,

At 01:18 PM 3/8/01 -0500, you wrote:
>We have just released Declude v1.15 (beta). Anyone running v1.10 through
>1.14 should upgrade to v1.15. It fixes a number of minor issues and we
>are hoping it will become the next public release.
>
>Changes include:
>
>o Will now wait 10 minutes (instead of 60) for imail1.exe to send E-mail
>  notifications.
>o Domains with a "-" in them will now have E-mail notifications sent
>  properly by imail1.exe.
>o %ALLRECIPS% will now show the intended recipients, rather than the final
>  recipients (IE when using aliases).
>o %VIRUSFILE% will now work with McAfee .ZIP file scanning.
>o Will no longer send notifications to "<>".
>o imail1.exe would add a space to some domain names; fixed.
>o Will now pop up the imail1.exe window if any problems occur sending
>  notifications.
>o %SENDERHOST% and %RECIPHOST% variables added to return the host of the
>  sender and recipient.
>
> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate