[Declude.Virus] Declude with IMail 2006

2005-12-22 Thread Donn Bly
Just in case anybody is interested, we upgraded to Imail 2006 last week, and we 
aren't having any problems using declude v3.0.5.22 with it EXCEPT that the 
confirm function for listserves doesn't seem to work right.  Declude intercepts 
the subscription and sends out the notification for the double opt-in, but 
doesn't seem to see replies when they come back.

Oh, and just in case you were thinking of upgrading to 2006 -- don't.  Ipswitch 
released a patch for it today which they claim addresses some of the problems 
we're having, but our big webmail users have been screaming bloody murder ever 
since we upgraded.  I'll be putting in the upgrade on Monday and we'll see how 
much it fixes...
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Did SOBIG REALLY stop?

2003-09-11 Thread Donn Bly
Every SoBig.F virus I have received in the past 32 hours has been part of a
failure notification, where the message is returned because it never reached
its intended recipient.

The biggest offenders I blocked at our border routers, and I'm not seeing
the counters on the access list go up anymore.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
> (Lists)
> Sent: Wednesday, September 10, 2003 8:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Did SOBIG REALLY stop?
>
>
> 4 Sobig.F in the last hour. Nothing all day before that.
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of Jeff Kratka
> > Sent: Wednesday, September 10, 2003 11:06 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Did SOBIG REALLY stop?
> >
> > 707 yesterday and 1 today?  Things are looking up?
> >
> > Jeff Kratka
> > *
> > TymeWyse Internet
> > P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
> > tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
> > *
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Jeff Maze -
> > Hostmaster
> > Sent: Wednesday, September 10, 2003 8:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Did SOBIG REALLY stop?
> >
> >
> > 48 inbound SoBig's yesterday..  Nothing so far today..  A few
> Klez, MiMail
> > but nothing major..
> >


RE: [Declude.Virus] Blank Folding

2003-10-03 Thread Donn Bly
With no email address you would normally get a "no transport provider
available" because outlook wouldn't know what to do with it.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of ISPhuset Nordic AS
> Sent: Friday, October 03, 2003 9:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Blank Folding
>
>
> The problem is that "folding" is used to take a long line and split it up
> into several smaller lines (if you have looked at Received: headers, most
> of them do this -- if the header starts with a space or a tab, it is a
> continuation of the previous line).  However, with just a single space or
> tab, that's like taking one line and making two out of it, with the first
> line containing the whole line, and the second line completely blank.  It
> just doesn't make any sense.
>
> -Scott
> That's right, but if I send an email to someone this is taken
> automatically to Outlook, and in Outlook it just appears as "benny",
> not the email address.  Then Outlook will try to send to this contact
> even if there is not an email address in that contact; then this one
> will appear as blank and can cause this?
>
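
An added example, not part of the original thread: a small header unfolder in Python that applies the folding rule Scott describes (a line beginning with a space or tab continues the previous header field) and flags the "blank folding" case, a continuation line that carries nothing but whitespace. The header block it runs on is constructed; the hostnames and addresses in it are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample header block (placeholder hosts and addresses): one
# normally folded Received: header, and a To: header followed by a
# continuation line that is nothing but a single space, i.e. a blank fold.
RAW_HEADERS = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    "\tby mx.example.net with ESMTP id abc123\r\n"
    "\tfor <user@example.net>; Fri, 03 Oct 2003 09:53:00 -0400\r\n"
    "From: \"benny\" <>\r\n"
    "To: user@example.net\r\n"
    " \r\n"
    "Subject: test\r\n"
    "\r\n"
    "body follows\r\n"
)

# RFC 2822 field name: printable US-ASCII except the colon.
FIELD_RE = re.compile(r"^([!-9;-~]+):(.*)$")


def unfold_headers(raw: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Unfold a header block. Returns (headers, warnings): headers is a list of
    (name, value) with continuation lines joined by a single space, warnings
    lists folding anomalies with their 1-based line numbers."""
    headers: List[Tuple[str, str]] = []
    warnings: List[str] = []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        if line == "":
            break  # the first truly empty line ends the header block
        if line[0] in " \t":
            if not headers:
                warnings.append(f"line {lineno}: continuation line before any header field")
            elif line.strip() == "":
                # A fold that adds nothing: the first line already held the
                # whole field and the continuation is blank.
                warnings.append(f"line {lineno}: blank folding after '{headers[-1][0]}'")
            else:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
            continue
        m = FIELD_RE.match(line)
        if not m:
            warnings.append(f"line {lineno}: malformed header line {line!r}")
            continue
        headers.append((m.group(1), m.group(2).strip()))
    return headers, warnings


if __name__ == "__main__":
    hdrs, warns = unfold_headers(RAW_HEADERS)
    for name, value in hdrs:
        print(f"{name}: {value}")
    for w in warns:
        print("WARNING", w)
```

The reason a blank fold is worth flagging rather than silently unfolding: the header block ends at the first empty line, and a parser that strips trailing whitespace before making that test will stop reading headers one line early, so two parsers can disagree about where the body begins.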


[Declude.Virus] Virus Getting Through?

2004-02-02 Thread Donn Bly
I'm running IMail 8.05 and Declude 1.76i20

This morning Norton caught a copy of MyDoom in my inbox.  At first I assumed
it was just one of the damaged variants, but I decided to track it down and
make sure.

Following is a log snippet from when the message came in.

20040201 205721 127.0.0.1   SMTPD (6F420102) [198.77.222.101] connect 4.5.245.119 port 1178
20040201 205721 127.0.0.1   SMTPD (6F420102) [4.5.245.119] EHLO edgertonstravel.com
20040201 205721 127.0.0.1   SMTPD (A4840146) [80.53.129.115] HELO yx115.internetdsl.tpnet.pl
20040201 205722 127.0.0.1   SMTPD (6F420102) [4.5.245.119] MAIL FROM:<[EMAIL PROTECTED]>
20040201 205722 127.0.0.1   SMTPD (6F420102) [4.5.245.119] RCPT TO:<[EMAIL PROTECTED]>
20040201 205725 127.0.0.1   SMTPD (A4840146) [80.53.129.115] MAIL FROM: <[EMAIL PROTECTED]>
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [198.77.222.54] connect 64.186.56.58 port 48837
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58] EHLO bkupmail.tspec.net
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58] MAIL From:<[EMAIL PROTECTED]>
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58] RCPT To:<[EMAIL PROTECTED]>
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58] d:\IMail\spool\Dae852ca400ee3baa.SMD 32192
20040201 205725 127.0.0.1   SMTPD (2CA400EE) performing antispam checks
20040201 205726 127.0.0.1   SMTPD (6F420102) [4.5.245.119] d:\IMail\spool\Dae826f4201022dc0.SMD 32178
20040201 205726 127.0.0.1   SMTPD (6F420102) performing antispam checks

Both of the incoming messages are actually infected, but when we look in the
virus log:

02/01/2004 20:56:30 Qae4b6f4101025959 Scanned: Virus Free [MIME: 1 3939]
02/01/2004 20:56:31 Qae4da47d01466157 Scanned: Virus Free [MIME: 2 2743]
02/01/2004 20:56:33 Qae516aed013a6f90 Scanned: Virus Free [MIME: 1 1866]
02/01/2004 20:57:08 Qae74a4800146f877 Scanned: Virus Free [MIME: 1 4498]
02/01/2004 20:57:12 Qae676af0013ac34e Scanned: Virus Free [MIME: 1 29053]
02/01/2004 20:57:26 Qae852ca400ee3baa File(s) are INFECTED [W32/[EMAIL PROTECTED]: 3]
02/01/2004 20:57:26 Qae852ca400ee3baa Scanned: CONTAINS A VIRUS [MIME: 2 22887]
02/01/2004 20:57:26 Q6d63d8e0b0c Scanned: Virus Free [MIME: 1 1036]
02/01/2004 20:57:30 Q6d64d3e0a8c Scanned: Virus Free [MIME: 1 244]
02/01/2004 20:59:01 Q6d7b20e0988 Scanned: Virus Free [MIME: 1 506]
02/01/2004 20:59:15 Qaef29dca0116e226 Scanned: Virus Free [MIME: 1 4783]

You'll see that only one of the two messages was even scanned.

Obviously Declude can't catch it if imail isn't passing the message to it.
Is this a known issue?

BTW, Comparison of the logs shows that other messages from the same IP
address were scanned and caught, so this one doesn't look like it is a
"damaged variant" issue.

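
An added example, not from the thread: a short Python audit that joins the two logs quoted above. IMail names the spool file D<id>.SMD and Declude logs the same hex id as Q<id>, so any spooled id that never gets a "Scanned:" line is a message the scanner did not see. The log excerpts are abbreviated from the post (addresses are masked as they appear in the archive); the field names and regexes are this example's, not IMail's or Declude's.

```python
import re
from typing import Dict

# Constructed sample data: the relevant lines of the two logs quoted in the
# post, with everything not needed for the join left out.
SMTPD_LOG = r"""
20040201 205721 127.0.0.1   SMTPD (6F420102) [198.77.222.101] connect 4.5.245.119 port 1178
20040201 205721 127.0.0.1   SMTPD (6F420102) [4.5.245.119] EHLO edgertonstravel.com
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [198.77.222.54] connect 64.186.56.58 port 48837
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58] EHLO bkupmail.tspec.net
20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58] d:\IMail\spool\Dae852ca400ee3baa.SMD 32192
20040201 205725 127.0.0.1   SMTPD (2CA400EE) performing antispam checks
20040201 205726 127.0.0.1   SMTPD (6F420102) [4.5.245.119] d:\IMail\spool\Dae826f4201022dc0.SMD 32178
20040201 205726 127.0.0.1   SMTPD (6F420102) performing antispam checks
"""

VIRUS_LOG = r"""
02/01/2004 20:57:12 Qae676af0013ac34e Scanned: Virus Free [MIME: 1 29053]
02/01/2004 20:57:26 Qae852ca400ee3baa File(s) are INFECTED [W32/[EMAIL PROTECTED]: 3]
02/01/2004 20:57:26 Qae852ca400ee3baa Scanned: CONTAINS A VIRUS [MIME: 2 22887]
02/01/2004 20:57:26 Q6d63d8e0b0c Scanned: Virus Free [MIME: 1 1036]
"""

# "connect" line: ties a session id to the peer IP that opened it.
CONNECT_RE = re.compile(r"SMTPD \((?P<sid>[0-9A-F]+)\) \[[\d.]+\] connect (?P<peer>[\d.]+) port \d+")
# spool line: the D<id>.SMD file written for that session, plus its size.
SPOOL_RE = re.compile(r"SMTPD \((?P<sid>[0-9A-F]+)\) \[[\d.]+\] \S*\\D(?P<mid>[0-9a-f]+)\.SMD (?P<size>\d+)")
# Declude verdict line: Q<id> followed by "Scanned: <verdict> [MIME: ...]".
SCAN_RE = re.compile(r"^\S+ \S+ Q(?P<mid>[0-9a-f]+) Scanned: (?P<verdict>.+?) \[MIME:")


def spooled_messages(smtpd_log: str) -> Dict[str, dict]:
    """Map each spool id (hex after the 'D') to its session, peer IP and size."""
    peer_by_session: Dict[str, str] = {}
    messages: Dict[str, dict] = {}
    for line in smtpd_log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            peer_by_session[m["sid"]] = m["peer"]
            continue
        m = SPOOL_RE.search(line)
        if m:
            messages[m["mid"]] = {
                "session": m["sid"],
                "peer": peer_by_session.get(m["sid"], "?"),
                "size": int(m["size"]),
            }
    return messages


def scan_verdicts(virus_log: str) -> Dict[str, str]:
    """Map each Declude queue id (hex after the 'Q') to its 'Scanned:' verdict.
    Detail lines such as 'File(s) are INFECTED' are skipped; only the
    Scanned: line carries the final verdict."""
    verdicts: Dict[str, str] = {}
    for line in virus_log.splitlines():
        m = SCAN_RE.match(line)
        if m:
            verdicts[m["mid"]] = m["verdict"]
    return verdicts


def audit(smtpd_log: str, virus_log: str) -> Dict[str, str]:
    """For every message IMail spooled, report Declude's verdict, or
    'NOT SCANNED' when that id never appears in the virus log."""
    verdicts = scan_verdicts(virus_log)
    report: Dict[str, str] = {}
    for mid, info in spooled_messages(smtpd_log).items():
        if mid in verdicts:
            report[mid] = verdicts[mid]
        else:
            report[mid] = "NOT SCANNED (session %s from %s, %d bytes)" % (
                info["session"], info["peer"], info["size"])
    return report


if __name__ == "__main__":
    for mid, verdict in sorted(audit(SMTPD_LOG, VIRUS_LOG).items()):
        print(mid, verdict)
```

Run against a full day of both logs, the NOT SCANNED entries cluster around whatever event kept messages from reaching the scanner (in this thread, an SMTP service that had died and been restarted), which is far quicker to spot than waiting for a desktop AV to catch the one that got through.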


RE: [Declude.Virus] Virus Getting Through?

2004-02-02 Thread Donn Bly
ae826f4201022dc0 doesn't appear anywhere in the declude virus log, nor does
it appear in the imail spam log.
We ARE using some DNSBL's with IMail 8's anti-spam, but that ip address
isn't in any of them and there were no imail spam headers inserted into the
message.

However, I think you hit it with the SMTP service being restarted.  While I
didn't restart it, I found this in the event log:

The IMail SMTP Server service terminated unexpectedly.  It has done this 8
time(s).  The following corrective action will be taken in 0 milliseconds:
No action.

It would then appear that the IMail monitor service restarted the SMTP
service -- and it would appear that someone took my pager out of the
notification list, so I wasn't notified.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Monday, February 02, 2004 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Virus Getting Through?
>
>
>
> >This morning Norton caught a copy of MyDoom in my inbox.  At
> first I assumed
> >it was just one of the damaged variants, but I decided to
> track it down and
> >make sure.
> >
> >Following is a log snippet from when the message came in.
> >
> >20040201 205725 127.0.0.1   SMTPD (2CA400EE) [64.186.56.58]
> >d:\IMail\spool\Dae852ca400ee3baa.SMD 32192
> >20040201 205726 127.0.0.1   SMTPD (6F420102) [4.5.245.119]
> >d:\IMail\spool\Dae826f4201022dc0.SMD 32178
> >20040201 205726 127.0.0.1   SMTPD (6F420102) performing
> antispam checks
>
> Does "ae826f4201022dc0" appear anywhere in the Declude Virus log
> file?  Have you checked the IMail anti-spam logs to see if it
> did anything
> with the E-mail?  Do you know if you stopped/restarted the IMail SMTP
> service around that time?  Are you using the DNSBLs in IMail
> v8's anti-spam?
>
> >BTW, Comparison of the logs shows that other messages from
> the same IP
> >address were scanned and caught, so this one doesn't look
> like it is a
> >"damaged variant" issue.
>
> Given the similarity in file sizes between the one that was
> caught and the
> one that was not, I would tend to agree with you here.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail
> mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day
> evaluation.


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Donn Bly
If we are already blocking those extensions, how would that help?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Tuesday, March 02, 2004 6:40 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] New interim Declude Virus Pro to block bogus
> .bat, .com, .pif, and .scr files
>
>
> We now have a new interim release 1.78i8 of Declude Virus Pro at
> http://www.declude.com/interim that will look for invalid .bat, .com, .pif,
> and .scr files, and will treat them as vulnerabilities.  It is expected
> that this will cut down significantly on the impact of future viruses in
> the time before new virus definitions are available.
>
> -Scott


[Declude.Virus] Beagle@mm!zip got past declude & fprot

2004-03-22 Thread Donn Bly
I'm running Declude 1.78i27
I'm running FProt 3.14e

I just had a customer send me an email that they received that was questionable, and 
Norton on my desktop caught it as [EMAIL PROTECTED] -- which has been out for a couple 
of weeks.  

Since this is an encrypted EXE inside of a zip file, it doesn't surprise me that FProt 
didn't catch it (actually, according to the log it gave an errorlevel 8), but I 
thought I had it banned by declude.

I have the following in my virus.cfg.

BANEXT  ocx
BANEXT  scr
BANEXT  bat
BANEXT  vbs
BANEXT  dll
BANEXT  pif
BANEXT  wsh
BANEXT  cmd
BANEXT  nws
BANEXT  exe

BANZIPEXTS OFF
BANEZIPEXTS ON

The idea was that I will let anything go through in a standard zip, but not as a 
stand-alone file or encrypted in an archive.

Where did I screw up?
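
As an added example (not code from the post or from Declude), here is the policy in that virus.cfg written out in Python: stand-alone attachments with a banned extension are refused, the same extensions are let through inside a plain zip, and refused again inside a zip whose members carry the encryption flag. How Declude itself interprets BANZIPEXTS and BANEZIPEXTS is not stated on this page, so the reading here is an assumption. The archives used to exercise the check are built in memory, and the "encrypted" one is simulated by setting the encryption bit, as the helper's comment explains.

```python
import io
import struct
import zipfile
from typing import List, Tuple

# The policy from the post's virus.cfg, restated as data. The meaning given
# to the two zip switches (plain zips exempt, encrypted zips not) is this
# example's reading of the post, not a description of Declude's own logic.
BANEXT = {"ocx", "scr", "bat", "vbs", "dll", "pif", "wsh", "cmd", "nws", "exe"}
BANZIPEXTS = False    # BANZIPEXTS OFF: listed extensions allowed inside plain zips
BANEZIPEXTS = True    # BANEZIPEXTS ON: listed extensions banned inside encrypted zips

ZIP_FLAG_ENCRYPTED = 0x0001   # bit 0 of the zip general purpose bit flag


def extension(name: str) -> str:
    """Lower-case extension of the last path component, '' if there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def zip_policy_check(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ('BAN' | 'ALLOW', reason) for one attachment under the policy above."""
    ext = extension(filename)
    if ext in BANEXT:
        return "BAN", f"stand-alone .{ext} attachment"
    if ext != "zip":
        return "ALLOW", f".{ext or '(none)'} is not a banned extension"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Design choice for this example: an archive the scanner cannot open
        # cannot be checked, so it is refused rather than waved through.
        return "BAN", "named .zip but not a readable zip archive"
    for info in archive.infolist():
        member_ext = extension(info.filename)
        if member_ext not in BANEXT:
            continue
        encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
        if encrypted and BANEZIPEXTS:
            return "BAN", f"encrypted zip member {info.filename!r} has banned extension"
        if not encrypted and BANZIPEXTS:
            return "BAN", f"zip member {info.filename!r} has banned extension"
    return "ALLOW", "zip members pass policy"


def make_zip(members: List[Tuple[str, bytes]], encrypted: bool = False) -> bytes:
    """Build a test archive in memory (constructed data, not a real sample).
    zipfile cannot write encrypted archives, so for the encrypted case the
    encryption bit is set in every local file header (flag word at offset 6)
    and every central directory entry (flag word at offset 8). The member
    data is left as is, which is all the flag check above needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
                struct.pack_into("<H", data, pos + flag_offset, flags | ZIP_FLAG_ENCRYPTED)
                pos = data.find(signature, pos + len(signature))
    return bytes(data)


if __name__ == "__main__":
    payload = b"MZ" + b"\x00" * 62    # constructed stand-in for an EXE header
    for name, blob in [
        ("price.exe", payload),
        ("docs.zip", make_zip([("price.exe", payload)])),
        ("docs.zip", make_zip([("price.exe", payload)], encrypted=True)),
        ("docs.zip", b"not a zip archive"),
    ]:
        print(name, *zip_policy_check(name, blob))
```

Two caveats with a policy of this shape: it keys on member filenames, so an executable with a misleading name inside a plain zip passes it and is left to the AV engine, and an archive the scanner cannot open is treated here as banned rather than passed, because an unscannable attachment is exactly the kind that otherwise gets through.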


RE: [Declude.Virus] Virus counts?

2004-04-27 Thread Donn Bly
Since almost all modern viruses carry their own SMTP engine, almost none will be flagged 
as outgoing and will be caught as incoming when they try to send their payload to 
other users on the system.

I use the SENDONLYIFIP in a series of .eml files to catch messages originating from 
local IP subnets and direct them to a special email address.  This way I even flagged 
viruses from customers who run their own mail servers as they try to infect our 
servers ;-)

My only problem is that I seem to have run into a wall as to the number of .eml files 
I can have.  Last week I added another one to flag a customer who uses us for email 
but doesn't reside on our IP range, and declude stopped sending out the postmaster.eml 
file, though it continued to process others.  :-( Renaming the file I had just added 
made the mail flow again.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Greg Little
> Sent: Tuesday, April 27, 2004 3:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Virus counts?
> 
> 
> I use a much more "low tech" technique for this.
> Declude E-Mails me (and a couple of other techs) every time 
> it finds a 
> virus, Vulnerability or Banned Ext. .
> This is around a 1,000 per day lately. (Most of which are just more 
> Netsky or Vulnerability junk to ignore)
> 
> In the body of the e-mail I dump a variable (as I recall it is in the 
> standard templates), but I can get the detail if needed.
> That variable returns Incoming or Outgoing.
> Once you get that far, I recommend setting up rules within 
> your e-mail 
> program to route certain e-mail to a Folder that will get 
> your attention.
> (also Banned Extensions should get the same treatment, 
> because these may 
> be normal user work that is getting trapped or a very new virus.)
> 
> Let us know which part you need help with. (lots of folks can help)
> 
> Greg
> 
> 
> Bob McGregor wrote:
> 
> >thanks greg, if you are using unxutils, would you mind 
> sharing how you put the incoming/outgoing together? 
> >
> >We have very few infections (so far) from within our school 
> district but when they do occur, it would be nice to know 
> it.  It's a great add!
> >
> >bob
> >  
> >
> 
> 


RE: [Declude.Virus] Attack?

2004-09-21 Thread Donn Bly
Since these all look like they have null originating addresses, to me they look a lot 
more like virus bounce messages.

In order for it to be a reflective attack, the system being DDOS'd would have to be 
listed as the originating address.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of IS - Systems Eng.
> (Karl Drugge)
> Sent: Tuesday, September 21, 2004 11:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Attack?
> 
> 
> Oh wow. I've seen this before.
> 
> I can't remember the name, something like an 'inadvertent reflective
> DDOS attack'.
> 
> Here's whats happening. A spammer is sending you emails to known bad
> addresses at your domain, with the real intended address forged as the
> return address. Your machine will faithfully 'return' the 'poorly'
> addressed email to the 'sender', in effect reflecting the spam off of
> you..
> 
> The last time I saw this, I couldn't block the offending IP's 
> ( over 2k
> of them ), and filtering was such a huge load on the machine 
> ( over 500k
> a month, and climbing ), the only option left was changing 
> domain names
> or co-locating a beefier Declude box upstream... Changing domain names
> was cheaper.
> 
> 
> Karl Drugge
>  
>  
>  
>  
>  
>  
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Stan Buck
> Sent: Tuesday, September 21, 2004 11:50 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Attack?
> 
> 
> For three days now we've been getting these emails addressed to random
> strings every few minutes.  IPs keep changing.  Sometimes one mail per
> IP, sometimes several.  What is this?  Zombie computers?  Forged IPs?
> And how many hits are you going to get with random strings?
> 
> 09:21 00:00 SMTPD(54FA0120) [10.0.0.109] connect 216.167.161.91 port 34112
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] EHLO pop3.nts-online.net
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] MAIL FROM:<>
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] RCPT TO:<[EMAIL PROTECTED]>
> 09:21 00:00 SMTPD(54FA0120) [216.167.161.91] ERR mdchildcare.org invalid user <[EMAIL PROTECTED]
> 09:21 00:01 SMTPD(56180120) [10.0.0.109] connect 131.103.218.79 port 20368
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] HELO mail15a.boca15-verio.com
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] MAIL FROM:<>
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] RCPT TO:<[EMAIL PROTECTED]>
> 09:21 00:01 SMTPD(56180120) [131.103.218.79] ERR mdchildcare.org invalid user <[EMAIL PROTECTED]
> 09:21 00:14 SMTPD(6B9E0124) [10.0.0.109] connect 64.29.144.72 port 49234
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] EHLO mx305.megamailservers.com
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] MAIL From:<>
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] RCPT To:<[EMAIL PROTECTED]>
> 09:21 00:14 SMTPD(6B9E0124) [64.29.144.72] ERR mdchildcare.org invalid user <[EMAIL PROTECTED]
> 09:21 00:14 SMTPD(6BB80124) [10.0.0.109] connect 206.190.36.133 port 20018
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] HELO mta137.mail.re2.yahoo.com
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] MAIL FROM:<>
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] RCPT TO:<[EMAIL PROTECTED]>
> 09:21 00:14 SMTPD(6BB80124) [206.190.36.133] ERR mdchildcare.org invalid user <[EMAIL PROTECTED]
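
An added example, not part of the thread: a Python classifier over IMail SMTPD log lines in the layout Stan posted. It groups lines by session id and then applies the distinction Donn draws above: a null envelope sender (MAIL FROM:<>) to an unknown local user is a bounce for mail this site never sent, i.e. backscatter landing here, whereas a non-null sender to an unknown user is the shape that would make this site the reflector if it accepted the message and bounced it later. The sample log is constructed (documentation IP ranges, example domains); sessions 1 to 3 follow the posted pattern and session 4 is added to show the second case.

```python
import re
from collections import Counter
from typing import Dict

# Constructed sample in the SMTPD log layout quoted in the thread. IPs are
# from documentation ranges and the domains are example domains.
SMTPD_LOG = """
09:21 00:00 SMTPD(54FA0120) [10.0.0.109] connect 198.51.100.11 port 34112
09:21 00:00 SMTPD(54FA0120) [198.51.100.11] EHLO pop3.isp-a.example
09:21 00:00 SMTPD(54FA0120) [198.51.100.11] MAIL FROM:<>
09:21 00:00 SMTPD(54FA0120) [198.51.100.11] RCPT TO:<qzl8ak@example.org>
09:21 00:00 SMTPD(54FA0120) [198.51.100.11] ERR example.org invalid user <qzl8ak@example.org
09:21 00:01 SMTPD(56180120) [10.0.0.109] connect 198.51.100.22 port 20368
09:21 00:01 SMTPD(56180120) [198.51.100.22] HELO mail15a.isp-b.example
09:21 00:01 SMTPD(56180120) [198.51.100.22] MAIL FROM:<>
09:21 00:01 SMTPD(56180120) [198.51.100.22] RCPT TO:<x7mrtd@example.org>
09:21 00:01 SMTPD(56180120) [198.51.100.22] ERR example.org invalid user <x7mrtd@example.org
09:21 00:14 SMTPD(6B9E0124) [10.0.0.109] connect 198.51.100.33 port 49234
09:21 00:14 SMTPD(6B9E0124) [198.51.100.33] EHLO mx305.isp-c.example
09:21 00:14 SMTPD(6B9E0124) [198.51.100.33] MAIL From:<>
09:21 00:14 SMTPD(6B9E0124) [198.51.100.33] RCPT To:<bb0qwe@example.org>
09:21 00:14 SMTPD(6B9E0124) [198.51.100.33] ERR example.org invalid user <bb0qwe@example.org
09:21 00:20 SMTPD(6BC00124) [10.0.0.109] connect 203.0.113.9 port 3123
09:21 00:20 SMTPD(6BC00124) [203.0.113.9] HELO zombie.example.net
09:21 00:20 SMTPD(6BC00124) [203.0.113.9] MAIL FROM:<victim@example.com>
09:21 00:20 SMTPD(6BC00124) [203.0.113.9] RCPT TO:<nobody-here@example.org>
09:21 00:20 SMTPD(6BC00124) [203.0.113.9] ERR example.org invalid user <nobody-here@example.org
"""

LINE_RE = re.compile(r"SMTPD\((?P<sid>[0-9A-F]+)\) \[(?P<addr>[\d.]+)\] (?P<rest>.*)")
ANGLE_RE = re.compile(r"<([^>]*)>")


def parse_sessions(log: str) -> Dict[str, dict]:
    """Group SMTPD lines by session id; record peer IP, envelope sender,
    recipients and how many RCPTs were rejected as 'invalid user'."""
    sessions: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"peer": None, "sender": None, "rcpts": [], "rejected": 0})
        rest = m["rest"]
        upper = rest.upper()
        if upper.startswith("CONNECT "):
            s["peer"] = rest.split()[1]
        elif upper.startswith("MAIL FROM:"):
            a = ANGLE_RE.search(rest)
            s["sender"] = a.group(1) if a else rest.split(":", 1)[1].strip()
        elif upper.startswith("RCPT TO:"):
            a = ANGLE_RE.search(rest)
            s["rcpts"].append(a.group(1) if a else rest.split(":", 1)[1].strip())
        elif upper.startswith("ERR ") and "INVALID USER" in upper:
            s["rejected"] += 1
    return sessions


def classify(session: dict) -> str:
    """Null sender + unknown local user: a bounce for mail this site never
    sent, so backscatter landing on us. Non-null sender + unknown user: the
    shape of a reflection attempt, since accepting and bouncing it later
    would deliver our bounce to the (forged) sender."""
    if session["rejected"] == 0:
        return "accepted"
    if session["sender"] == "":
        return "backscatter_in"
    return "reflection_attempt"


def summarize(log: str) -> dict:
    sessions = parse_sessions(log)
    kinds = Counter(classify(s) for s in sessions.values())
    peers = {s["peer"] for s in sessions.values() if s["peer"]}
    return {"sessions": len(sessions), "kinds": dict(kinds), "distinct_peers": len(peers)}


if __name__ == "__main__":
    print(summarize(SMTPD_LOG))
```

Note what keeps the second case harmless in this log: IMail rejects the unknown recipient at RCPT time with "ERR ... invalid user", so no bounce is ever generated toward the forged sender. That protection disappears the moment a catch-all ("nobody") alias accepts the recipient and the message is bounced afterwards, which is the other reason this thread gives for not running such aliases.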


RE: [Declude.Virus] Attack?

2004-09-22 Thread Donn Bly
If the bounce messages give you enough header information to track the originating IP 
you can complain to the guy's upstream, but my experience is that most of these guys 
these days are using distributed zombie machines and all you end up with is a bunch of 
IPs of spyware-infected residential users -- but it is still worth checking.

Since the messages don't originate from you or travel through your network, there are 
no technical means that you can deploy to prevent this from happening.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Stan Buck
> Sent: Wednesday, September 22, 2004 8:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Attack?
> 
> 
> I turned on the nobody alias for a few minutes, and the 
> messages are actual
> bounce messages from postmasters who are getting spam from 
> someone forging
> our return address.  Very active spammer.  Anything we can do?
> 


RE: [Declude.Virus] JPEG Vulnerability

2004-09-29 Thread Donn Bly
The best writeup I have found so far is at 
http://www.bleepingcomputer.com/forums/topict3077.html

BTW, while the bug is in the decoding of the jpeg files, the jpeg file can be renamed 
to a variety of extensions and still activate the vulnerability.  As such, the 
following can be now considered "dangerous" extensions:

.jpg
.jpeg
.jpe
.jfif
.bmp
.dib
.emf
.gif
.ico
.png
.rle
.tif
.tiff
.wmf

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Doug Anderson
> Sent: Wednesday, September 29, 2004 5:50 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] JPEG Vulnerability
> 
> 
> Could someone please explain what this Microsoft GDIPlus.DLL JPEG
> Vulnerability is?
> Are all JPEG's vulnerable or just some with a bad format?
> 
> The company I work for does a lot of graphics work and people 
> email jpegs
> around. A few have been caught and I'm trying to understand why. I'm
> assuming (yes I shouldn't do that) that more are sent then are caught.
> Anyone got a good explaination?
> 
> 
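
An added example, not part of the thread: since the point above is that the decoder is reached regardless of what the file is called, this Python check identifies JPEG content by its bytes rather than by extension, walks the marker segments, and refuses a file whose segment structure is impossible. The post does not describe what the malformed input looks like, so the validator applies only the generic rule that every marker length field must be at least 2 and must fit in the file; a JPEG arriving under one of the other image extensions from the list is flagged rather than banned. The sample files are constructed in the code.

```python
import struct
from typing import Tuple

# Extensions from the post that may all reach the same decoder. The check
# below deliberately does not trust them: it decides on the bytes.
IMAGE_EXTS = {"jpg", "jpeg", "jpe", "jfif", "bmp", "dib", "emf", "gif", "ico",
              "png", "rle", "tif", "tiff", "wmf"}
JPEG_EXTS = {"jpg", "jpeg", "jpe", "jfif"}

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
RST_MARKERS = set(range(0xD0, 0xD8))     # RST0..RST7 carry no length field


def is_jpeg(data: bytes) -> bool:
    return data[:2] == b"\xff\xd8"


def walk_jpeg_segments(data: bytes) -> Tuple[bool, str]:
    """Walk marker segments from SOI up to SOS or EOI. Every marker except
    SOI, EOI, TEM and RSTn is followed by a 16-bit big-endian length that
    counts the two length bytes themselves, so a value below 2 is
    structurally impossible; that, or a segment running past the end of the
    data, makes the file malformed. Generic well-formedness only: the thread
    does not describe the actual trigger, and this does not claim to."""
    if not is_jpeg(data):
        return False, "no SOI marker"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}, got 0x{data[pos]:02X}"
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte ahead of a marker
            pos += 1
            continue
        if marker == EOI:
            return True, "reached EOI"
        if marker == TEM or marker in RST_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            return False, f"marker 0x{marker:02X} at offset {pos} truncated"
        (length,) = struct.unpack_from(">H", data, pos + 2)
        if length < 2:
            return False, f"marker 0x{marker:02X} at offset {pos} has length {length} < 2"
        if pos + 2 + length > len(data):
            return False, f"marker 0x{marker:02X} at offset {pos} runs past end of data"
        if marker == SOS:                  # entropy-coded data follows; headers are done
            return True, "headers well-formed up to SOS"
        pos += 2 + length
    return False, "truncated before SOS"


def image_attachment_check(filename: str, data: bytes) -> Tuple[str, str]:
    """('ALLOW' | 'FLAG' | 'BAN', reason). A malformed JPEG is banned whatever
    it is called; a valid JPEG under a non-JPEG extension is flagged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not is_jpeg(data):
        return "ALLOW", f"not JPEG content (.{ext or '(none)'})"
    ok, reason = walk_jpeg_segments(data)
    if not ok:
        return "BAN", f"malformed JPEG under .{ext}: {reason}"
    if ext not in JPEG_EXTS:
        return "FLAG", f"JPEG content under .{ext} extension"
    return "ALLOW", reason


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a minimal well-formed header (APP0, COM, SOS, one byte
# of scan data, EOI), and the same bytes with the COM length field forced to 1.
APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD_JPEG = (b"\xff\xd8" + APP0 + _segment(0xFE, b"hi")
             + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00" + b"\xff\xd9")
BAD_JPEG = GOOD_JPEG.replace(_segment(0xFE, b"hi"), b"\xff\xfe\x00\x01hi")

if __name__ == "__main__":
    for name, blob in [("photo.jpg", GOOD_JPEG), ("photo.bmp", GOOD_JPEG),
                       ("photo.jpg", BAD_JPEG), ("notes.txt", b"plain text")]:
        print(name, *image_attachment_check(name, blob))
```

The decision on the bytes is the whole point: a rename from .jpg to .bmp changes nothing about what the decoder receives, so an extension ban on its own, however long the list, cannot be the control here.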


RE: [Declude.Virus] Zafi.d

2004-12-14 Thread Donn Bly
We're getting hammered as well.   One thing I did notice is that the virus 
seems to be targeting mail. instead of doing an MX lookup for the 
correct mail server, and seems to be using a dictionary of common usernames 
instead of working off of a compromised address book -- yet another reason to 
get rid of "nobody" aliases ;-)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Sharyn Schmidt
> Sent: Tuesday, December 14, 2004 2:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Zafi.d
> 
> 
> Zafi.d sends messages in different european languages having 
> "christmas
> content" (for example in Italian with the subject line "Buon natale") 
> 
> 
> We are getting HAMMERED by these but Declude/McAfee is 
> catching them and
> identifying them correctly, DAT 4414..
> 
> Declude Virus caught a virus with the subject "Merry Christmas!" 
> from [EMAIL PROTECTED] to:  [EMAIL PROTECTED]
> 
> The spool file name is D141c002003280212.SMD.
> 
> The domain that this virus came from is hine.fr 
> 
> The IP address of the offending server is 212.180.84.86
> 
> The name of the virus is link.postcard.index.htm2663.cmd. 
> The attachment is  the W32/[EMAIL PROTECTED]
> 
> Sharyn
> 


RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread Donn Bly
I'm seeing it here.  Neither Norton nor FPROT detects it as a virus yet.  The 
non-encrypted Zip file includes a .PIF file, but the filename seems to be 
mangled in some way.

For now I have added 

BANNAME account_info.zip

to my config.  With your report, I have added account_info-text.zip as well.



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chuck Schick
> Sent: Monday, May 02, 2005 12:58 PM
> To: Declude. Virus
> Subject: [Declude.Virus] Viruses appearing to be getting through...
> 
> 
> I am seeing several files getting through that appear to have viruses
> attached as zip files.  I am running Declude with F-Prot.  We 
> ban encrypted
> zips and I have error code 8 included.  Anyone else seeing 
> this behavior?
> Here is part of the log.
> 
> 
> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64;
> Length=53728 Checksum=5837399]
> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
> 
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
> 