Re: [Declude.Virus] Declude and IMail 2006
Does Declude (Virus and JM Pro) 1.82 work with Imail 2006?? Call me "chicken"... lol... but I really don't have the guts to do both upgrades at the same time... :) There are entirely too many instances of sober and mytob hitting us daily. Thanks ~Joe --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Sober.z
Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught. I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot?? ~Joe
----- Original Message -----
From: "Bruce Loughlin" <[EMAIL PROTECTED]>
To:
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z
Has anyone else noticed that sober.z just stopped today? I was getting hundreds a day and now I have 0. Wasn't this the day it was to morph? Bruce L. AFM
[Declude.Virus] How to block an IP
Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)? I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says H~xxx\.yyy\.zz\. but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs) I don't think the H~ (header contains) command reads everything in the header. ~Joe
Re: [Declude.Virus] How to block an IP
I guess I've forgotten the order in which processes occur. I thought it was kill.lst, rules.ima, and then Declude. I thought I was clear. I want to block certain IP addresses which get stopped by Declude AV for a vulnerability. Certain ones are prolific and tend to leave a couple of hundred in my virus hold file each day. I want to have them deleted so I don't have to deal with them. They don't get caught by my Declude IP blacklist since they are stopped by AV first. It's only about 6 or 8 IP blocks which have never shown a valid email in over 2 years. BTW.. I responded to you off-list on my last subject a few days ago. After thinking about it, I didn't think the subject had much place on the Declude list.
----- Original Message -----
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 25, 2006 11:38 PM
Subject: RE: [Declude.Virus] How to block an IP
Using Imail rules, no! Imail rules are the last to run of all other items. Exactly what are you intending to do? John T eServices For You "Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Monday, December 25, 2006 8:07 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] How to block an IP
Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)? I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says H~xxx\.yyy\.zz\. but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs) I don't think the H~ (header contains) command reads everything in the header. ~Joe
[Declude.Virus] php attachments??
I've received some emails today designated as being from places like Verisign and Cox stating I should put an attached php file on our servers. The attachments are not being caught by F-Prot, so they're probably not viruses, but probably would be bad news if I added them to our web servers. Declude identifies the sender as being ipowerweb.com and they don't fail enough tests to be caught by our system. Anyone else seen these?? I guess I should block php attachments. Are they being caught by anything? Anyone investigated these attachments to see what they really do? ~Joe
[Declude.Virus] F-Prot Updates?
I emailed F-Prot about this, but I haven't yet had a response. How can I tell if the F-Prot data files are being updated properly? Does anyone have an idea of how often they are updated or what is the date of the current data files? I've set the schedule to update once per day, but all I get is a window stating that there are no files at this location to update. Am I missing something?? My data files are current as of the date I bought the software.. Aug 8th. I knew that viruses were rampant, but we've caught over 100 just today. We only have about 1000 mail boxes. Thanks JP
Re: [Declude.Virus] need help selecting av product
We're very successfully using Declude with the Win version of F-Prot. We've caught 126 emails just today containing SirCam. Of course, about 90 of those originated from one computer on Prodigy. Dear ol' Sircam can crank out 40 to 60 emails an hour. I sure wish I could shut them down, but our emails even get rejected because their mail box is full... ... I wonder why???... lol... We're an ISP and handle about 1000 mailboxes on a PII-350 running Win NT4 Workstation. IMail version is 7.03. And yes, we chose F-Prot because of the cost and funky licensing associated with McAfee. McAfee offered us a "special" deal to get their antivirus for email based on the number of clients in our site license... not the number of mailboxes. But... we would have had to install another NT4 Server (full server, not WS) to run it on a separate box. Will Declude help you??? I have the highest regard for Scott and Declude. All you have to do is read the IMail user's group messages to find the multitudes that will agree. You know the old saying about pleasing some of the folks all the time...etc?? We all know it's true, but Scott and Declude are pleasing with a 99.99+% rating. Scott.. Keep up the good work or I'll take back half the good things I said about ya.. :))
----- Original Message -----
From: Serge Dergham
To: [EMAIL PROTECTED]
Sent: Friday, August 24, 2001 9:11 PM
Subject: [Declude.Virus] need help selecting av product
Hi all, I saved an email message infected with Sircam virus as a .eml file, and tried to scan it with different AV programs. of all what I used (Fprot, Mcafee, Sophos, Norton), only norton detected the virus. What does that mean ? if I use Mcafee or fprot with declude, they won't detect sircam ? or is my test not representative of the way declude works? Are you having success intercepting sircam, when using declude with Fprot ? dos or windows version ? what about Mcafee ? also, are you running on nt server or WS ? and what version of fprot or mcafee are you using ? declude website mentioned a "multiplatform" version of virusscan that can run on NT server, wasn't able to find such a product. can anyone point me to the right direction ? will declude tech support help us choose configure and test the AV product ? Thanks in advance for sharing your experience. serge
Re: [Declude.Virus] ORDB:server load
Ours is a PII - 350 - 256MB - 4GB SCSI running 1020 email accounts
IMail 7.03 + Declude with F-PROT for Win - Windows NT4 Workstation
I've seen close to 10,000 emails in one day and nary a hiccup. A couple of weeks ago we got bombarded by a server in Europe that got locked in a loop... their end, not ours.. and was hitting our server every few seconds for a couple of days requesting a listserver. We had 60+MB log files where we normally have about 6 to 8MB per day. Even through all that, I don't think we ever missed an email. IMail is the only thing running on this system; no web server except IMail's for web messaging. We catch 30 to 200 emails per day that have a virus. ~Joe~
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 01, 2001 8:00 PM
Subject: Re: [Declude.Virus] ORDB:server load
> >What kind of load can I expect to put on my server when using declude. I
> >have a PII with 256ram running 650 email accounts and a web server.
>
> The most important factor is the number of E-mails scanned per day. With
> 650 E-mail accounts, unless you do a much higher than average volume, I
> don't expect performance will be much of an issue.
> -Scott
[Declude.Virus] new virus FPROT not stopping
I received an email this AM containing a new virus which got through our IMail server running Declude with FPROT. It was from sales@my with a subject containing some characters + desktopdesktopsample and has an attachment named readme.exe Anyone else seen this?? My antivirus data files should be current. We're also being pounded by systems infected with this new worm I just heard about which is sorta like the Code Red worm. ~Joe~
Re: Re[4]: [Declude.Virus] Fw: New version of F-PROT (3.11b)
I haven't upgraded to 311b yet but I sure saw a big drop off in the number of viruses caught in the last couple of days. I also noticed that the signature files were updated a couple of times in the last few days. Could this incident be related to signature files rather than engine version?? I noticed something different about 311a. I run the Windows version and leave the window open so the updater is supposed to update every 6 hours. In 311 this worked fine. Now 311a leaves an OK window up and won't move on to the next update unless it's clicked. Anyone else seen this?? ~JP
----- Original Message -----
From: "Visual Web Norge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 22, 2001 9:34 AM
Subject: RE: Re[4]: [Declude.Virus] Fw: New version of F-PROT (3.11b)
> on the download page there are a link to two different mirrors take the
> upper link
>
> go to f-prot.com download choose download f-prot for DOS
>
> Benny
>
> Else let me know and i can send u the zip file by mail
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of David Dodell
> Sent: 22. December 2001 15:56
> To: Visual Web Norge
> Subject: Re[4]: [Declude.Virus] Fw: New version of F-PROT (3.11b)
>
>
> Saturday, December 22, 2001, 1:56:35 AM, you wrote:
>
> > got a serious problem with the 3.11b version it slipped through a lot of
> > virus tonight, I downloaded the version for Europe, this morning i changed
> > back to the 3.11a from the US based ftp and voila i started immediately
> > catching virus, anything special we have to look up for in the new engine ?
>
> Where is the us ftp site for the (a) version ... I'm having problems
> too.
[Declude.Virus] another new virus??
Is there another new virus?? I just got a notification from our IMail/Declude that said: Unknown Virus Unknown File much the same as MyParty did before FProt was updated to identify it by name. ~JP~ Shop till Ya Drop @EastARK SuperStore http://EastARK.exciteshops.com
Re: [Declude.Virus] Spam
I don't know for what reason you run an email server.. We're an ISP.. but I'd consider myself fortunate if I only got 10 to 15 per day in my personal account. I keep track of the ones my personal account sees by shuffling them into a folder. Every so often I sort and then ban the ones I get the most of by adding them to the domain processing rules. I figure if I'm getting multiples, our clients are too. I'm seeing a great rise in the number of different sources, particularly from .ru, .cz, .nl, .de and other domains with foreign country extensions. If it keeps increasing at the current rate, we'll be adding declude junkmail too.
----- Original Message -----
From: "Serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, April 21, 2002 8:06 PM
Subject: [Declude.Virus] Spam
> for the last few days, i'm being bombarded by spam (10-15 per day instead
> of 1 or 2)
> I did not add my address to any new web site lately
>
> any idea of what is going on, or what can try ?
> (before buying declude junkmail )
[Declude.Virus] Klez question
The Klez virus fakes the return email address using a valid addy but not the one of the infected system... right?? Do all Klez variants do this? ~JP~
Re: [Declude.Virus] Scanner other then McAfee
How about Norman Virus Control?? Their license appears to be no-nonsense, is $60/year, and doesn't seem to care whether a system is a server or not.
----- Original Message -----
From: "Paul Ingram" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 20, 2002 3:18 PM
Subject: RE: [Declude.Virus] Scanner other then McAfee
> Subject Change to "Scanner other then McAfee" was "MacAfee kosher or
> not?"
>
> I rather end that one.
>
> >I am currently looking into Kaspersky and Command AV, plus a few
> others.
>
> Thanks let us know how it goes.
> What about Sophos? I guess I could try that one. I bet it cost I
> will let the list know. Or someone else been there done that.
>
> I am going to keep F-Prot works and it is the right price. Plus I think
> I have 10 or so copies left out of the 20 to use. LoL!!
>
> Still question is a second scanner really that much better if you keep
> the first updated?
>
> Only point I see is if one company has the greatest latest defs and the
> other does not.
>
> ~Paul~
Re: [Declude.Virus] FW: EMERGENCY ALERT: W32/Bugbear-A spreading rapidly
Our system, running F-Prot and updated every 6 hours, just caught a virus which was identified as W32/Bugbear.A@mm
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 30, 2002 12:43 PM
Subject: Re: [Declude.Virus] FW: EMERGENCY ALERT: W32/Bugbear-A spreading rapidly
> >FYI, this looks to be a bad one.
> >
> >I am still trying to see what the payload is, whether in the e-mail
> >itself or in an attachment, and what kind of attachment.
> >
> >Anyone know?
>
> Mcafee has this as Low Risk, but Sophos just issued an Emergency Alert
> about this, and I was about to post a warning here. It does seem
> nasty. http://vil.mcafee.com/dispVirus.asp?virus_k=99728 has quite a bit
> of information about it. The payload is a trojan horse that opens port
> 36794 on the local machine (it is not known yet what can be done with that
> port).
>
> The good news is that it looks like this one will get caught as an "Outlook
> MIME Header Vulnerability" by Declude Virus, whether or not the virus
> definitions can detect it.
> -Scott
Re: [Declude.Virus] Issues running the fpcmd.exe scanner
I ran into the same problem. Leave off the /nofloppy
I found it easiest to just copy Scott's setup from the online manual then change the drive/directory for your setup. Actually, fpcmd appears to be slightly more efficient on our system running WinNT4 workstation. ~Joe
----- Original Message -----
From: Keith Johnson
To: [EMAIL PROTECTED]
Sent: Friday, December 20, 2002 12:14 PM
Subject: [Declude.Virus] Issues running the fpcmd.exe scanner
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends out the notifications emails. If I use the fpcmd file, the file gets seen, however nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace, any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and sent locally using Outlook Express.
[Declude.Virus] Where do they come from??
Pardon my language... but DAM... Where are all these virus-infected emails coming from?? Are they coming from home computers, servers or what?? You'd think that by now folks would have learned to protect their systems better. Who are the ISPs that are doing such a poor job of virus-protection?? I'm a small ISP and as far as I can tell no one on our system has gotten MyDoom (Thanks to Declude) and we're stopping several hundred per day. ~Joe www.EastARK.com
[Declude.Virus] F-Prot update
I received a notice for 3.16c update from Frisk. I don't recall it being normal for them to recommend updating ASAP. Anyone tried it yet? ~Joe