RE: [Declude.Virus] Who is minding the store
If Scott would chime in here and say DON'T worry Doug these people know their stuff, you are in good hands. I would order a renewal. But he left.

I'm not completely gone. :)

Everyone does things differently, and I knew when I sold that company that the new owners wouldn't do everything exactly the way that I did. Any new way of operating has its tradeoffs. As you pointed out, one of the changes is that there isn't as much of a company presence on this mailing list as there was before. It used to be that I was a major contributor to this list. However, a lot of what I was posting was stuff that others could have posted (as they are now). What is happening, though, is that the list is being monitored. You would be surprised at how many times one of the owners would be discussing something with me, and then bring up a post from this list. And this definitely includes some A lot of people are asking for Feature X. Right now the company is at a crucial point -- it is seeing how it can manage without my daily involvement. My personal opinion is that they are doing a good job with it.

-Scott

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Issues
The past few days I am occurring a lot of these type errors in the virus log:

02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile

This indicates that something happened to the D*.SMD file, which contains the E-mail body. If you are running an on-access virus scanner, for example, the on-access virus scanner may have deleted the E-mail.

02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD

And this one means that the Q*.SMD file isn't there, either. This would seem unusual, except we then get:

02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.

This one means that the F:\IMail\spool\Dcb3e09ed005291c3.vir\ directory already exists. That is a major clue, as Declude Virus is the only program that will create a directory with that name. This means that IMail is calling Declude multiple times. We've seen this happen a few times before -- you may want to make sure that you are running the latest version of IMail.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
RE: [Declude.Virus] Issues
Continue to see a lot of these type things, at times, the only to aid the situation is stop/restart the Queue Mgr/SMTP

If stopping/restarting the Queue Manager and/or SMTP fixes the problem, it is almost certainly an issue with IMail. In this case:

02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]

Here, IMail tried starting Declude at least 10 times on the same E-mail. It sounds like something is being corrupted in IMail that is causing it to keep re-trying the same E-mail. Note that this all happened in the space of about 1 second, so IMail isn't simply re-trying an E-mail because it couldn't be delivered.

-Scott
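An added example, not part of the original messages and not Declude's own code: a Python sketch that scans a Declude Virus log for the two signs described in this thread, Error 183 on the temp directory and the same error repeated for one queue ID within a second or two. The function names and thresholds are assumptions, and the sample lines are a constructed excerpt in the format quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt in the log format quoted in this thread.
SAMPLE_LOG = r"""
02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0
02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
"""

# "MM/DD/YYYY HH:MM:SS <queue ID> <message>", as in the quoted lines.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")


def parse(log_text):
    """Yield (timestamp, queue_id, message) for each line in the expected format."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    stamps = sorted(stamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_duplicate_invocations(log_text, window_seconds=2, min_repeats=3):
    """Return {queue_id: [(reason, count), ...]} for messages that look like
    they were handed to the scanner more than once."""
    window = timedelta(seconds=window_seconds)
    per_id = defaultdict(lambda: defaultdict(list))  # queue ID -> message -> timestamps
    for ts, qid, msg in parse(log_text):
        per_id[qid][msg].append(ts)

    findings = {}
    for qid, messages in per_id.items():
        reasons = []
        for msg, stamps in messages.items():
            if msg.startswith("Error 183 creating temp directory"):
                # Windows error 183 is ERROR_ALREADY_EXISTS: another instance
                # already created the .vir directory for this message.
                reasons.append(("temp-dir-exists", len(stamps)))
            else:
                burst = max_in_window(stamps, window)
                if burst >= min_repeats:
                    reasons.append(("repeated-error", burst))
        if reasons:
            findings[qid] = reasons
    return findings


if __name__ == "__main__":
    for qid, reasons in find_duplicate_invocations(SAMPLE_LOG).items():
        print(qid, reasons)
```

A queue ID that only logs a single missing-file error is not flagged; the check looks for the already-existing temp directory or a burst of identical lines.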
Re: [Declude.Virus] F-prot help
This has been hashed out before and I checked the archive. I cannot get my installation of declude to work. This is my config:

C:\scanners\fprot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /DUMB REPORT=report.txt

That should be /REPORT=report.txt (with a / in front of it). Without the /, F-Prot doesn't save the report.txt file, so:

02/18/2005 14:25:30 Q412a0025005613ea 1 [1 of 2 not deleted] files were deleted; assuming external virus scanner found a virus

Declude Virus doesn't see the report.txt file it expects, and thinks that an on-access virus scanner deleted the file.

-Scott
RE: [Declude.Virus] Mismatched extensions
Will this help?

Yes:

=_Next_Part_04_Feb_2005_14.41.20
Content-Type: application/octet-stream; name=2458.pdf
Content-Disposition: attachment; filename= 2458.pdf
Content-Transfer-Encoding: base64

The issue here is that the 2nd MIME header in this section has a space after the filename=. The quotes here actually are valid, but since the filename in the 2nd MIME header begins with a space (not a quote), it causes the end quote to be part of the filename, and therefore the extension to have the quote in it. In fact, the first character cannot be a space, so the header itself is malformed. RFC1806 covers the format of the Content-Disposition header, and it refers to the value BNF in RFC1521. The summary is to remove the space after the filename=, and all will be well.

-Scott
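An added example, not part of the original message and not Declude's code: a Python sketch of the parsing behaviour described above, where a space after filename= leaves the closing quote inside the extension, next to a check that flags the malformed header and compares the two names after normalising. The function names are assumptions; the sample headers are constructed from the ones quoted in the message, with the double quotes assumed from the reply's description.

```python
import re

# Constructed sample modelled on the MIME headers quoted in the message;
# the double quotes around the filename are an assumption.
SAMPLE_PART_HEADERS = (
    'Content-Type: application/octet-stream; name="2458.pdf"\r\n'
    'Content-Disposition: attachment; filename= "2458.pdf"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
)


def raw_param(headers, header, param):
    """Return the raw text after `param=` on the given header line, untrimmed.
    Simplification: a ';' inside a quoted value is not handled."""
    pattern = rf"^{re.escape(header)}:.*?\b{re.escape(param)}=([^;\r\n]*)"
    m = re.search(pattern, headers, re.I | re.M)
    return m.group(1) if m else ""


def literal_value(raw):
    """Model of the behaviour described in the reply: a value is treated as
    quoted only when its very first character is a quote."""
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw  # leading space and both quotes stay in the value


def tolerant_value(raw):
    """Strip surrounding whitespace first, then unquote."""
    s = raw.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split()[0] if s else ""


def extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_part(headers):
    """Compare the Content-Type name with the Content-Disposition filename,
    once read literally and once after normalising."""
    headers = re.sub(r"\r?\n[ \t]+", " ", headers)  # unfold continuation lines
    ct_raw = raw_param(headers, "Content-Type", "name")
    cd_raw = raw_param(headers, "Content-Disposition", "filename")
    ct_ext = extension(tolerant_value(ct_raw))
    literal_ext = extension(literal_value(cd_raw))
    normalised_ext = extension(tolerant_value(cd_raw))
    return {
        "literal_ext": literal_ext,
        "normalised_ext": normalised_ext,
        # The value may not begin with a space, per the reply above.
        "malformed": cd_raw[:1].isspace(),
        "mismatch_literal": literal_ext != ct_ext,
        "mismatch_normalised": normalised_ext != ct_ext,
    }


if __name__ == "__main__":
    print(check_part(SAMPLE_PART_HEADERS))
    print(check_part(SAMPLE_PART_HEADERS.replace("filename= ", "filename=")))
```

Read literally, the sample reports a mismatched extension; after normalising, both names agree and only the malformed flag remains.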
Re[17]: [Declude.Virus] testvirus.org #22
Yes, we have a PF gateway on the front end. I thought of that originally but PF doesn't do anything to modify messages that get past its basic blocking.

Are you positive? I've seen PF modify E-mail headers, such as adding a Message-ID: or Date: header if one isn't present in the original E-mail (things that are good once the E-mail is ready to be delivered, but can prevent programs from scanning the original E-mail properly).

-Scott
Re[16]: [Declude.Virus] testvirus.org #22
RSP As far as I can tell, Declude Virus is handling this properly. The E-mail RSP is plain text, and therefore should not be scanned.

But the exact same email is getting scanned by Andrew. Do you see any difference in the log files that would give a clue?

Do you have a gateway in front of your mailserver? Comparing the two log file snippets, they showed the plaintext segment ending in different places, which would suggest that they were scanning two different E-mails. This could also occur if there was a gateway that might make modifications (such as a Postfix gateway).

-Scott
Re[3]: [Declude.Virus] RAR Support - why not?
DS Is 1.82 out? If so, do we need BANERAR like BANEZIPS? Ok, I checked the Junkmail list and it looks like Declude is at 1.82 based on the messages but I didn't see an official notice. 1.82 is not an option to download when I logon to Declude's site.

1.82 was released earlier this month; it is identical to 1.81 except that it fixes the SPAMHEADERS issue. For some reason, it is listed as something like SPAMHEADERS fix for v1.76+ on the website, rather than as v1.82.

Also, original question still holds. Do we need to make a change to the virus.cfg to employ blocking of executable extensions in encrypted .rar files?

No. If .ZIP files are being handled the way you want, .RAR files will too.

-Scott
Re[5]: [Declude.Virus] RAR Support - why not?
BANEZIPEXTS ON

Then I repeat my list of banned extensions using:

BANEXT BAS
BANEXT BAT
etc, etc.

By my understanding, this will ban these extensions by themselves, ban these extensions when found within encrypted .zip files, NOT ban these extensions from within normal .zip files and with 1.82 ban these extensions in encrypted .rar files.

Correct.

-Scott
RE: [Declude.Virus] RAR Support - why not?
In fact, I wonder if Declude 2.1 could use those libraries to unrar files to look inside RAR archives?

How about 1.82? :) 1.82 will treat encrypted .RAR files the same as encrypted .ZIP files, and will block banned file extensions in .RAR files the same way as it blocks banned file extensions in .ZIP files.

-Scott

---
This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
Re: [Declude.Virus] Error on Scanners
What would the following indicate:

01/21/2005 15:04:06 Q5df1239b014af8b3 Error 183 creating temp directory F:\IMail\spool\D5df1239b014af8b3.vir\.

That indicates that the F:\IMail\spool\D5df1239b014af8b3.vir\ directory already exists. Declude Virus uses that as a temporary directory. Most likely, IMail accidentally called Declude Virus twice, and the second instance generated this message (and terminated gracefully, allowing the first instance to properly scan the E-mail).

-Scott
RE: [Declude.Virus] Upgrade issues
Well - it is my understanding that there is now an automated Setup again and people have either been reporting (or possibly only speculating?) that it might fiddle with my carefully laid out configuration files and or message templates.

Yes. That was due to a bug in the install program.

It was my understanding that these were Imail users - and it certainly would create both an availability and installability issue if my configuration was rendered useless after running Setup!

Correct, but this is unrelated to the MAC issue.

-Scott
RE: Re[2]: [Declude.Virus] PB installing 2.0B
I'm sure you have been watching this thread. Suggestion: if Declude is determined to use only the install program, have person responsible for it add an option to update only -- copying over the old declude.exe and leaving the configuration and eml's intact. (I haven't used the install program, so I'm assuming this option isn't there based on others comments.)

This is a bug. A Declude install program absolutely, positively should not change any .eml files (unless you specifically request it to do so). I'll see what I can find out about this.

-Scott
Re: [Declude.Virus] Upgrade issues [was: DO NOT UPGRADE]
Just upgraded to 2.0B, and declude stopped working. When running -diag I am getting a strange line: Declude v2.0b key request on MAC 000E7F2E754C. What is this key request?

For the next release, we are looking at having activation codes handled automatically.

Why is declude not working?

I cannot say; this is an issue that should be handled via support. The IMail version of Declude should work fine with your current activation code.

-Scott
RE: [Declude.Virus] Upgrade issues [was: DO NOT UPGRADE]
I had the same problem with 2.0b not working. E-mails kept piling up in the spool. Cycled queue manager, emails went through, unchecked by Declude.

We are aware of an issue with 2.0b where this could happen; we are awaiting more information to resolve the problem.

-Scott
Re: [Declude.Virus] Turn off Warning to One Domain?
Is there a way to remove the footer: [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] from emails to just one domain? We have one account forwarding alerts to a cell phone, and with the length of the footer, all messages split into 2.

No -- the FOOTER option in Declude Virus is global. However, if you use Declude JunkMail as well, you can accomplish what you want (by removing the FOOTER ... lines in virus.cfg, adding CATCHALLMAILS FOOTER ... lines in the $default$.JunkMail file, and having per-domain config files for the domains that do not want the footer).

-Scott
RE: Re[6]: [Declude.Virus] testvirus.org #22
I turned it off and it still got through. This test message contains: Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express) ...

I just checked this one, and it got through here, too. I examined the raw source of the E-mail, and there doesn't appear to be a lone CR character in it, so it doesn't appear to actually contain the Outlook CR Vulnerability.

-Scott
Re: Re[6]: [Declude.Virus] testvirus.org #22
[1] Phishing E-mails were sometimes not getting caught. This is beyond the scope of Declude Virus, as those are spam, not viruses. However, if your AV program can detect phishing E-mails, you can easily get it to work with Declude Virus by making sure not to use the PRESCAN ON option in Declude Virus.

I had PRESCAN OFF in my virus.cfg. Not caught when scanned via Declude - caught when the raw D*.SMD file was manually scanned via the command prompt using the same switches that were in the virus.cfg file.

OK, in that case, it was probably the same as the second issue (the AV program was expecting the E-mail headers).

So there is still no indication that a virus can get through a mailserver protected by Declude Virus.

Maybe/maybe not - see William Stillwell's earlier message.

I'll address that. :)

-Scott
Re: Re[6]: [Declude.Virus] testvirus.org #17
But the Mcafee DOES detect the Virus string in the SMD file. But declude reports no virus. (This is for test #17)

Declude Virus doesn't detect a virus, because there are no vulnerabilities in the E-mail (despite what the test description says). McAfee does not detect it when called by Declude Virus, because Declude Virus only sends MIME segments, attachments, and other such files to McAfee. Since the eicar.com file appears in the headers, where mail clients should be unable to see an attachment, the eicar.com file isn't sent to McAfee. As to why McAfee detects it, it is most likely due to differences in the way that the E-mail is scanned.

-Scott
RE: Re[8]: [Declude.Virus] testvirus.org #22
Also, does Declude recursively unpack MIME segments, if one of the attachments is itself a .eml file or .smd file, would any attachments inside it be unpacked and the scanner(s) called on those?

Yes.

-Scott
Re: Re[6]: [Declude.Virus] testvirus.org #17
So Declude doesn't actually Send the SMD file to the Scanner..

Correct.

It takes the Message Body, writes it to a Tmp File, and then scans it? Why not just scan the SMD file, Headers and All?

Because very few AV programs can read a .SMD file. They make their big bucks by selling mailserver virus scanners ($1,000s), as opposed to desktop scanners ($10s), so they don't want the desktop scanners to scan .SMD files.

-Scott
Re[8]: [Declude.Virus] testvirus.org #22
Scott, what do you get for test #22. Some have reported it caught while others haven't. My F-Prot config is:

It's caught here. Unfortunately, I can't find any information on that vulnerability, so I can't explain why it might or might not get caught.

-Scott
Re: [Declude.Virus] PB installing 2.0B
I am trying to upgrade to 2.0B Getting an error of: Error copying file to taret directory With status at removing backup files

The best thing to do here would be to E-mail [EMAIL PROTECTED] -- the person responsible for the install program should be able to figure out what the problem is.

-Scott
Re: [Declude.Virus] Disable all virus notifications except BAN
Scott, can you shed some light on why this might be?

With Declude Virus, you can send out as many notifications to as many people as you want -- some people have a dozen or so notifications. To do that, Declude Virus sends out any \IMail\Declude\*.eml file (that isn't used by other Declude programs). So if you rename recip.eml to recip.bak, it won't get sent out. But if you rename recip.eml to bak.eml, it will get sent out.

-Scott
RE: [Declude.Virus] Blocked Extension getting through
I hope that what you're assuming is NOT true. Given that Declude Virus unpacks all of the attachments and calls your antivirus scanner(s) on the unpacked attachments, I would expect that the BAN option takes effect based on that MIME decoding, so that it sees the correct filename.

The problem here is that the filename is encoded using a very unusual format -- we are currently investigating this. The files will get caught by a virus scanner, but the banned file extensions may not work as expected.

-Scott
Re: [Declude.Virus] Supress Universal Footer for 1 Domain
Given this information is it possible to suppress the Universal Footer which is attached to all e-mails which are scanned by Declude Virus for just one domain or set of domains? Including incoming and outgoing e-mail?

Yes and no. :) Unfortunately, the Declude Virus FOOTER option is global, and if present, will apply to all incoming and outgoing E-mail for all domains on your server. However, in your case, you could remove the FOOTER option, and use Declude JunkMail to add the footers. You could do that by adding CATCHALLMAILS FOOTER ... to the \IMail\Declude\$default$.JunkMail file, and then having a per-domain setting without that line for the domain(s) that you do not want it applied to.

-Scott
Re: [Declude.Virus] Scanning on forwarded addresses
We run Declude Virus Standard with F-Prot and I am unsure whether a forwarded message is scanned. If an infected message is sent to a domain which is NOT set up for virus scanning, but is then forwarded to a domain which IS in the Virus_Domains list, will it then be quarantined? The way that IMail works, Declude won't see forwarded E-mails. Therefore, if you set up Declude Virus not to scan an E-mail to one of your users, the E-mail that gets forwarded will not get scanned either. Declude is completely blind to the forwarding. -Scott
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
Hmmm, I thought that since Declude Virus does the decoding and scanner calls, that you might be interested in testing this yourself... Yes. That's why I tested it, and found that Declude Virus is decoding the attachments properly, and found a very plausible explanation as to why ClamAV isn't catching these. Might you consider such an option with Declude Virus? The problem is that it would be quite a bit of extra work to add such a feature, and there isn't any indication that it would improve AV detection in any way. Phishing attacks are bad, but beyond the scope of AV software, especially when it comes to a workaround to deal with a bug in a third-party program. -Scott
RE: [Declude.Virus] about Imail1.exe security issue
Has anyone found out anymore about this issue? Is it related to Imail and Declude users only? There is no indication that the issue affects Declude users (aside from the fact that all Declude users are currently using IMail). -Scott
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
Nope, in my testing of three command-line scanners, the attached test.txt file contains the minimum needed to detect the file as containing a virus (copied your virustrap address, as well, in case this gets blocked to the list). It certainly does. The question is whether the AV program is expecting the headers. If there is not a fix coming for this, would you consider sending the entire message file to the scanner? There isn't any known bug here. This would be considered a very low priority, as it does not affect AV scanning, except that we need to be sure that there isn't a problem where actual viruses would not be properly detected. The test.txt file you sent does *not* match the actual HTML of the original E-mail. The CR/LFs were off, and there was a part at the end that was missing. And, the length of the HTML segment that was decoded (per the log files) doesn't match the length of the HTML segment in the E-mail you sent. After further analysis, it seems that the problem is with the AV software. Specifically, the E-mail you sent was using quoted-printable encoding, yet the body of the E-mail wasn't encoded using quoted-printable encoding. So when it had a line: alink=#99 Declude Virus decoded it to something like: alink#99 The AV software was probably looking for the way that you (incorrectly) decoded it. -Scott
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
If the virus scanner were at fault (because of a decoding issue) then I have to ask again, why can TrendMicro detect the virus when scanning the raw D*.SMD file, but not when sent to it by Declude Virus? You would have to ask them. Declude Virus is decoding the E-mail properly. My guess is that they are *not* doing any decoding (which would make sense, as that is the responsibility of the mailserver AV program). Therefore, because the spam is malformed (saying that it is encoded, when it is actually not), they are seeing what the spammer intended to be seen (the actual spam). However, when decoding is done, they see a malformed E-mail. -Scott
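The mismatch described in the two replies above, as an added example that is not from the thread and is not Declude's code: a constructed message that declares quoted-printable but carries unencoded HTML matches a byte signature only in the raw spool view, while a correctly encoded one matches only after decoding. It uses Python's standard-library decoder, which leaves an invalid escape such as =#9 untouched rather than dropping the = as the post describes; the messages, the signature and the function names are all constructed for illustration.

```python
import email
import re

# Constructed headers: the part claims quoted-printable transfer encoding.
HEADERS = (
    b"From: sender@example.test\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
)

# Constructed body that is NOT actually encoded (the malformed case in the thread).
MALFORMED = HEADERS + (
    b"<html><body link=FF0000 alink=#99>Verify your account</body></html>\r\n"
)

# The same HTML, correctly quoted-printable encoded ("=" becomes "=3D").
WELLFORMED = HEADERS + (
    b"<html><body link=3DFF0000 alink=3D#99>Verify your account</body></html>\r\n"
)

# Constructed byte signature standing in for whatever the AV engine looks for.
SIGNATURE = b"<body link=FF0000"

# "=" that is neither a two-hex-digit escape nor a soft line break.
_INVALID_ESCAPE = re.compile(rb"=(?![0-9A-Fa-f]{2}|\r?\n)")


def scanner_views(raw):
    """Return (raw_body, decoded_body): what a scanner sees when handed the
    spool file as-is versus the segment after transfer decoding."""
    msg = email.message_from_bytes(raw)
    raw_body = raw.partition(b"\r\n\r\n")[2]
    decoded_body = msg.get_payload(decode=True)  # honours the declared encoding
    return raw_body, decoded_body


def detect(raw, signature=SIGNATURE):
    """Report in which view the signature is present."""
    raw_body, decoded_body = scanner_views(raw)
    return {"raw": signature in raw_body, "decoded": signature in decoded_body}


def invalid_qp_escapes(raw):
    """Count '=' sequences that cannot be quoted-printable escapes.
    A non-zero count on a part declared quoted-printable suggests the body
    was never encoded, so raw and decoded views will disagree."""
    raw_body, _ = scanner_views(raw)
    return len(_INVALID_ESCAPE.findall(raw_body))


if __name__ == "__main__":
    for name, message in (("malformed", MALFORMED), ("wellformed", WELLFORMED)):
        print(name, detect(message), "invalid escapes:", invalid_qp_escapes(message))
```

A gateway that wants the same verdict as a command-line scan of the spool file can scan both views, or at least log a warning when invalid_qp_escapes is non-zero.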
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
Scott, attached is the raw source of this BOFRA.B message, it looks like HTML to me. In fact, when I scan the D*.SMD file from the command-line, TrendMicro identifies the file as HTML_BOFRA.B and ClamAV as HTML.Mydoom.email-gen-1. What does the Declude Virus log file show for this E-mail? Declude Virus definitely should have sent the HTML segment to the virus scanner (except if PRESCAN ON is being used). -Scott
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
Attached is the log output for the message I forwarded to your virustrap address. It looks like everything is working fine. My guess is that the virus scanner will only try to detect the phishing E-mails if it gets the entire E-mail file (including headers), perhaps as a precaution to help prevent false positives on actual web pages (although any web pages that contain the text of the phish E-mails are likely problematic, too). -Scott
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
Scott, we have the following entry in our virus.cfg files on both of our IMail/Declude servers: SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt VIRUSCODE2 1 REPORT2 Found I also have: PRESCAN OFF However, this particular PayPal phishing message is not getting caught by Declude Virus. If I run the following from the command-line: This is almost certainly because your AV program is reporting a different error code when it finds a phishing message than it does when it finds a virus. If you check the log file, you should see the code that they return when they detect a phishing message. Are these not getting tagged by Declude Virus because of the Undet []( ) line that is listed just before the Found [HTML_BOFRA.B](1) line in the report file? If so, is there a way to fix this? Shouldn't Declude Virus be looking for the word Found in the report file? We are running Declude v1.81. If that were the problem, Declude Virus would block the E-mail, and just report it as Unknown Virus. However, since it is not being blocked, that means that Declude Virus doesn't know there is a virus there. -Scott
Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus
As you can see, Declude is seeing the exit code as 0 from both scanners. How is the file changed when scanned by Declude Virus versus when scanned manually by TrendMicro that would cause TrendMicro to report the file differently? Declude Virus won't send the text section to the virus scanner, as text sections can't contain viruses. So a phish with HTML could get caught by your virus scanner, but not one sent with just text. -Scott
Re: [Declude.Virus] Not detecting viruses
Downloaded F-Prot 3.16 yesterday and changed our configuration accordingly (I think). I've got something messed up. Not detecting viruses. Did you switch from F-Prot.exe to fpcmd.exe? If so, you'll need to remove the /NOBOOT switch from the SCANFILE line in your virus.cfg file. The log shows virus free on every message. Have you sent the test eicar.com file through? If so, what does the log file show for it? -Scott
RE: [Declude.Virus] Not detecting viruses
Did the removal of the /NOBOOT switch just start with the 3.16 version? I still have this in my fpcmd.exe line. It also shows that switch on the Declude Online Manual. It's the /NOFLOPPY switch that must be used with F-Prot.exe and must not be used with fpcmd.exe. /NOBOOT can (and should) be used with both. -Scott
RE: [Declude.Virus] Not detecting viruses
I made the required changes but now suddenly get the following in the VIRUS log: 11/24/2004 11:46:20 Qc8de001001d4d5de 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the IMail directory or sub-directories. This means that either [1] You're running an on-access scanner, which must be disabled, or [2] Your SCANFILE/REPORT settings are mismatched (such as having /report=report.txt with no REPORT line). -Scott
RE: [Declude.Virus] Not detecting viruses
Here are the relevant lines for the config file: SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /NOFLOPPY /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 REPORT Infection: Those log file entries appear correct; have you triple-checked that you are not running an on-access virus scanner (you can try typing \IMail\Declude -diag from a command prompt; it will let you know if you are). -Scott
RE: [Declude.Virus] Not detecting viruses
Here is the output of the diag: That shows that there is no on-access scanner interfering. Is the SCANFILE line all on one line (starting with SCANFILE and ending in report.txt)? Are there any errors/warnings in the log file? -Scott
Re: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)
Any ideas on how I might change my configuration so this doesn't happen? Have you tried uninstalling and reinstalling? If I recall correctly, old versions of F-Prot that were installed with the RealTime Protector had to be uninstalled and then re-installed with the RealTime Protector disabled (just reinstalling without uninstalling first wouldn't work). It sounds like 3.16 may be automatically installing the RealTime Protector. -Scott
Re: [Declude.Virus] Message id with ATTACH action
I'm using Imail+Declude as an anti-spam+virus smtp-relay in front of my exchange server. It seems to me that when I use the ATTACH options every message gets a message-id [EMAIL PROTECTED] I suspect that causes some strange issues at my exchange server - at least when I use message tracking. What is the cause of this, and should something be done? That's because we never got around to creating unique Message-ID: headers. Until now, we hadn't heard of any problems with this. -Scott
Re: [Declude.Virus] ClamWin
I did as Scott recommended and turned off prescan; but afterwards I noticed in the clam logs that ClamAV had caught phish previously with prescan ON sooo why would you think that is so? eg - I guess what I'm asking is will ClamAV reliably anti-phish to its capability with prescan on? PRESCAN ON (which works with Declude Virus Pro) saves CPU resources by not calling the AV scanner when an E-mail arrives that contains one or more HTML segments, if [1] there are no other segments except text and/or HTML segments, and [2] the HTML doesn't contain any code that Declude Virus identifies as potentially dangerous. In other words, since most E-mail these days has HTML (by default, most mail clients send HTML E-mail, even if you just say hi in normal text), PRESCAN ON is able to save a lot of CPU time by not scanning those E-mails (while still catching the few E-mails that contain viruses/worms in HTML, such as kak.worm). The drawback here to PRESCAN ON is that phishing attacks won't get sent to the virus scanner, so a virus scanner that is looking for them won't find them. What you are probably seeing is an E-mail with a phishing attack that *does* contain potentially dangerous code. For example, if it contains any JavaScript -- even safe JavaScript code -- it would be sent to the virus scanner. So you may see the virus scanner detecting some phishing attacks even with PRESCAN ON. But to catch them all, you would need PRESCAN OFF. -Scott
Re: [Declude.Virus] Whitelist
I have a filter I use for a whitelist which I give a negative weight to for certain e-mail addresses. Is there a limit of the amount of addresses that can be put into a whitelist? There is a limit of 200 WHITELIST entries in the global.cfg file for Declude JunkMail, but the filters can have an unlimited number of lines. -Scott
Re: [Declude.Virus] Invalid EXE vulnerability question
I've been getting some infrequent Declude bans of EXE files with little or no size that the sender's system must have stripped out the virus portion. Looking through my reports, I note I have never seen an Invalid EXE vulnerability. I see Invalid BAT, COM, CPL, PIF and SCR. Is there such a thing as the Invalid EXE vulnerability? It would be nice to have an Invalid EXE vulnerability to block instances like this where the size is pretty much nothing. There wasn't such a test (with the thought being that a virus wouldn't try to use an .exe extension while really being another file type). But this can handle both the problem with 0-byte .exe files, and also can help protect against script viruses appearing in .exe files (I'm not sure why they would do that, but they might). So this is something that will likely be in the next release. -Scott
Re: [Declude.Virus] test 17 20 failed
Hi, on my mail server I use: Imail, 7.15 Declude, 1.60 NetShield, 4.5 .. I have executed again the test from testvirus.org but now failed test 17 and test 20. I'm guessing NetShield is the problem. For test 17: Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express) If your mail server's virus scanner did not detect this email, it allows some viruses through! .. in my OE is not present the attach. I'm guessing that NetShield decided to be nice and changed the CR to a CRLF. For test 20: Test #20: Eicar virus within zip file hidden using the MIME Boundary Space Gap Vulnerability (attachment can be opened by all versions of Microsoft Outlook and Outlook Express) If your mail server's virus scanner did not detect this email, it allows some viruses through .. in my OE is present the attach. Because failed two test on my mail server ?? perhaps I don't have configured declude correctly ?? ... and that NetShield also removed the space, so that the vulnerability can no longer be detected. -Scott
Re: [Declude.Virus] test 17 20 failed
.. but if I use OE 6 with all patches installed, this vulnerability (17 and 20) they are a problem or no ?? You would have to ask Microsoft. E-mails with the Outlook vulnerabilities will affect at least one version of Outlook. However, nobody that I know of is keeping track of which version(s) it affects, and whether or not Microsoft has changed the behavior of Outlook recently. -Scott
Re: [Declude.Virus] Viruses getting through...
We are running Declude Pro with Fprot and we see a lot of viruses getting through with the attachment of Joke.com, Joke.exe, Price.com - Anyone else seeing the same thing? It appears to be the beagle variant. Are you running a recent (within the past few months) version of F-Prot (.exe file)? Do you have the latest virus definitions? A couple new variants came out a couple days ago, but with the latest .exe and virus definitions, they should get caught. -Scott
RE: [Declude.Virus] Unknown virus warnings
Now the F-prot update is arrived also here. Catching it as Bagle.AP from 12:30 GMT+1 on. Mcafee is catching it as Bagle.bb from 13:05 GMT+1 on. But I still can't understand what's happened with the Unknown virus string...? The problem is that F-Prot was detecting it as a suspicious file (VIRUSCODE 8), but not reporting the virus name in the report.txt file (since it did not detect a virus, it can't know the name of it). As a result, the name of the virus was left blank, but Declude Virus would show Unknown Virus wherever you wanted to display the virus name (such as in virus notifications). But for the SKIPIFVIRUSNAMEHAS option, it was just seeing a blank string, so it was not seeing Unknown Virus. -Scott
RE: [Declude.Virus] Unknown virus warnings
Thanks for the clarification. Is there anything we can do against this or would it be possible to have some fix for future releases? Something like SKIPIF... ISBLANK I expect that we will change the code to treat these as forging, so SKIPIFFORGING would catch 'em. We could also add a separate SKIPIF... option just to detect these, just to be safe. -Scott
Re: [Declude.Virus] Feature request
> Different actions for different attached file extensions
> So I can delete PIF, SCR, CPL without review. (I have to review EXEs)
> Or is this possible now?

There isn't any way to do that now, but that is something that we will look into.

-Scott
Re: [Declude.Virus] MAILBOX spam
> When using the MAILBOX action for test failures, we have noticed that forward or alias addresses do not get sent to the spam folder but actually get delivered to the main inbox. Do we have something configured wrong or is there a way to fix this or are we stuck with it?

That's just how IMail works. If an E-mail is sent to a user account, the action is taken for that user account. If the E-mail is received by the account (meaning that the HOLD, DELETE, ROUTETO, etc. actions aren't used), then the E-mail will be forwarded as-is. IMail will not re-scan the E-mail if the forwarded account is on the IMail server.

For an alias, though, the E-mail address that it points to will use the MAILBOX action (unless the E-mail address isn't on the IMail server, since the MAILBOX action is IMail-specific).

-Scott
Re: [Declude.Virus] Regular Zip Blocked by Declude as EZIP
> I sent an e-mail from a customer site to myself with a regular ZIP file attached. I received the following message back...

Are you running Declude v1.81? If not, you should -- some previous versions would detect some technically invalid .ZIP files as being encrypted .ZIP files, even though they were not intended to be.

-Scott
Re: [Declude.Virus] Viruses being quarantined when DELETEVIRUSES=ON
> It seems to me I should not be collecting viruses in the spool/virus directory when I have DELETEVIRUSES ON. Yet I am collecting them there. Any way to stop this?

The DELETEVIRUSES ON setting only deletes E-mails where a virus is detected. Declude Virus does not have a way to automatically delete E-mail with vulnerabilities or banned file extensions.

-Scott
RE: [Declude.Virus] Scott, what is our future?
> If you haven't called yet to register concerns/complaints about the changes, please do so. Since the collaboration product uses Imail as a component, there is nothing irreversible in Ipswitch's current decision. If enough current customers call to let them know that they are NOT in the group asking for a bundled product, hopefully Ipswitch management will reconsider their direction and offer a wider range of mail products. Ipswitch's number is (800) 793-4825.

... and for E-mail besides standard support/sales, there's Roger Greene (president/CEO of Ipswitch; [EMAIL PROTECTED]), William Pollack (COO, [EMAIL PROTECTED]), Patrick Loring (Business Development Manager, [EMAIL PROTECTED]), Jill Jones (Messaging Product Manager, [EMAIL PROTECTED]).

-Scott
Re: [Declude.Virus] What are these
> Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\.
> 10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

That error means that the .vir directory already exists -- this will happen if IMail accidentally calls Declude multiple times. Although you will see the warnings in the log file, Declude will still function properly.

-Scott
RE: [Declude.Virus] What are these
> We are backing up in our Queue of about 8000 emails and we started seeing the below messages as well:
>
> Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.
> ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2]
>
> Are these related?

It almost certainly is related. Those warnings can occur if there are multiple Declude processes trying to handle the same E-mail.

-Scott
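The collision symptoms described in these two replies can be pulled out of a Declude Virus log and grouped by queue ID. The following is an added example, not code from Declude or from the original posts; the function name, the symptom labels and the sample lines (built from the log formats quoted above) are assumptions, as is reading the bracketed numbers as Win32 error codes.

```python
import re
from collections import defaultdict

# Optional timestamp, then the IMail queue ID (Q + 16 hex digits), then the message.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?P<qid>Q[0-9a-fA-F]{16}) (?P<msg>.*)$"
)

# "Error 183": the per-message D<id>.vir scratch directory already exists.
# If the number is a Win32 error code (assumption), 183 is ERROR_ALREADY_EXISTS.
TEMP_DIR_RE = re.compile(
    r"Error 183 creating temp directory .*\\(?P<dir>D[0-9a-fA-F]{16})\.vir\\"
)

# "[32]": under the same assumption, ERROR_SHARING_VIOLATION, meaning another
# process still has the spool file open.
RENAME_RE = re.compile(r"Couldn't rename SMD to SM\$ \[32\]")


def find_collisions(lines):
    """Return {queue_id: [symptom, ...]} for messages that look like they
    were handed to more than one Declude process."""
    hits = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without a queue ID cannot be attributed
        qid, msg = m["qid"], m["msg"]
        d = TEMP_DIR_RE.search(msg)
        # Only count the directory error when the directory belongs to this
        # message: D<id>.vir must carry the same ID as Q<id>.
        if d and d["dir"][1:].lower() == qid[1:].lower():
            hits[qid].append("temp_dir_exists")
        elif RENAME_RE.search(msg):
            hits[qid].append("spool_file_locked")
    return dict(hits)


# Constructed sample, assembled from the log line formats quoted in the thread.
SAMPLE_LOG = r"""
10/25/2004 10:26:26 Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner
Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.
10/22/2004 10:23:08 Q17c7227e008410aa Scanned: Banned file extension. [MIME: 3 157090]
""".strip().splitlines()

if __name__ == "__main__":
    for qid, symptoms in find_collisions(SAMPLE_LOG).items():
        print(qid, ", ".join(symptoms))
```

A rising count of affected queue IDs per day is the signal to look at how often the mail server is invoking the scanner for the same message.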
Re: [Declude.Virus] Scott, what is our future?
> You have been strangely quiet. Are you in shock or formulating a plan -- hopefully the latter?

Although I will admit to shock (disbelief would be a more appropriate term) when I first heard about this. I didn't think that Ipswitch would actually do it. But they did.

As for formulating a plan, that is in the works. But a lot will depend on whether Ipswitch is smart enough to fix the problem, or whether they truly isolate the majority of their loyal customers.

> It may be too early to ask, but what does the future hold for Declude/Imail or Declude and _ mail server product (fill in the blank)?

It's too early to say. A lot will depend on how Ipswitch responds to their customers -- I can't imagine that they will completely ignore this. A business can't survive by destroying a loyal customer base, when they have the product to offer.

But I can definitely say this: Declude isn't going to go away, no matter what Ipswitch may do.

-Scott
Re: [Declude.Virus] passworded zip file
> A client regularly receives a passworded .zip file. A similar file is batch sent to 100's of others - the sender can't/won't change the way they send these files.

That would have been fine -- until March, 2004, when there was yet another change to the way E-mail needs to be handled. If they send encrypted .ZIP files, they need to either rename the extension (which may be only a temporary solution), find another method to send the E-mail (perhaps an unencrypted .ZIP file with the encrypted .ZIP file in it), or accept that some of their E-mails will be blocked.

It's important to remember that sending attachments via E-mail is a hack -- FTP is the protocol designed specifically for transferring files.

> The file is always received from the same sender using the same ip address
>
> We have been using virus_domains.txt to bypass our clients email being scanned for viruses until very recently, but has found several viruses have recently got thru their own anti virus software
>
> Is there any way of declude virus whitelisting either the senders email address or ip address for email being sent to our client? - I have added the IP address to be whitelisted in global.cfg but it still deletes what it believes to be an infected file

Note that the global.cfg file only affects Declude JunkMail (not Declude Virus).

There isn't any way to whitelist users or IPs in Declude Virus. If users want to have potentially dangerous E-mail delivered to them, they need to run AV software that meets their needs.

-Scott
Re: [Declude.Virus] Seeing Virus Activity getting past AV scanner
> I am seeing exe files getting by Fprot and triggering my banned EXE rule
>
> the attachments are archive.doc lots of spaces .exe
>
> what is the declude virus submission addy?

What does the Declude Virus log file say for one of those?

You can send it to the declude.com virustrap@ address, although it is likely that if you just forward it, it will be seen properly as an .exe file here (my guess is that there is an issue with the MIME headers). If you happen to have a copy in an .mbx file on the server (or .SMD file), you can send the .mbx file, which would have everything necessary for us to determine why it was not blocked.

-Scott
Re: [Declude.Virus] Seeing Virus Activity getting past AV scanner
> here is the log entry, I see the EOF, it's probably corrupt. Weird thing is that they are coming from somewhat legit addresses.

Actually:

> 10/22/2004 10:23:08 Q17c7227e008410aa Banning file with exe extension [application/x-msdownload].

This line shows that Declude Virus detected that it was an .EXE file, and banned it.

> 10/22/2004 10:23:08 Q17c7227e008410aa Warning: EOF in middle of MIME segment [] [--bound--]
> 10/22/2004 10:23:08 Q17c7227e008410aa WARNING: EOF in multipart processing.
> 10/22/2004 10:23:08 Q17c7227e008410aa Scanned: Banned file extension. [MIME: 3 157090]
> 10/22/2004 10:23:08 Q17c7227e008410aa From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
> 10/22/2004 10:23:08 Q17c7227e008410aa Subject: Hello

Where did you find the E-mail? Was it delivered to the recipient?

-Scott
Re: [Declude.Virus] hijack install problems
> trying to install declude hijack on spooler server.
> virus and spam not installed here just hijack IMHO
>
> Problem arises on first run of declude.exe via command prompt
>
> C:\IMaildeclude
> Declude 1.81 (C) Copyright 2000-2004 Computerized Horizons.
> argc2
> First time running... installing...

What I would recommend is uninstalling Declude Hijack, and then re-installing it. This repeated First time running... has been known to happen if there was something that wasn't right during the original installation (I don't recall offhand what it was), and re-installing usually fixes the problem.

-Scott
Re: [Declude.Virus] MyDoom.o's slipping through.
> I have had two reports in the last 2 days about a virus coming through. The customer forwarded these to me on an Exchange mailbox using McAfee which identified them as MyDoom.o. Tracing the Logs, they were scanned and Deemed Virus Free using Prescan.

Given that it is in a .ZIP file, and you are using F-Prot, do you have /ARCHIVE=5 in the SCANFILE line in the \IMail\Declude\virus.cfg file? If it is just /ARCHIVE, you should change it to /ARCHIVE=5, due to a bug in the latest version of F-Prot.

-Scott
RE: [Declude.Virus] DELETEVIRUSES Not working.
> So why put them in the virus folder? There is no way (that I know of) to requeue these messages?

Requeueing them is easy; copy the D*.SMD file and matching Q*.SMD file from the \IMail\spool\virus directory to the \IMail\spool directory.

> ... Or fix the vulnerability...

You probably could do that, but the effort involved would likely outweigh the benefits.

> What is Horizon's best practices theory on how to deal with messages that land in the virus folder?

It's kind of like having a best practices on dealing with spam -- there isn't a one size fits all approach. Just as some organizations are fine deleting all viruses and vulnerabilities, others need to archive them just to be safe.

-Scott
Re: [Declude.Virus] Banned ZIP with .exe extension
> I am having files blocked since upgrading to 8.1 with this log:
>
> Q59b21fa60030b5ea Banning .ZIP file with EXE extension.
>
> Is this a self-extracting Zip or zipped .exe? This was a firmware upgrade from Linksys.

That's a .ZIP file with an .EXE file in it. If you use BANZIPEXTS ON (which says to ban all .ZIP files that contain any files with extensions that you ban) and BANEXT EXE (which bans .EXE files), you'll get the above message if an E-mail comes in with an .EXE file within a .ZIP file.

-Scott
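The BANZIPEXTS behaviour described above amounts to listing a .ZIP file's members and comparing each extension with the banned list. The sketch below is an added example in Python, not Declude's code: the function names, the banned list (extensions mentioned in these threads), the trimming of trailing spaces and dots before the extension is read, and the choice to report an unreadable archive separately from an encrypted one are all assumptions made for illustration.

```python
import io
import zipfile

# Hypothetical banned list, using extensions named in these threads.
BANNED_EXTS = {"exe", "pif", "scr", "cpl"}


def effective_ext(name):
    """Extension of an archive member, ignoring any directory part and
    trailing spaces or dots."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def inspect_zip(data, banned=BANNED_EXTS):
    """Classify a .ZIP attachment given as bytes.

    Only the central directory is read; no member is decompressed, so
    password-protected archives can still be listed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        # An unreadable archive is its own category, not "encrypted".
        return {"verdict": "invalid", "banned_members": [], "encrypted": False}

    banned_members = [i.filename for i in infos
                      if effective_ext(i.filename) in banned]
    # Bit 0 of the general-purpose flag marks an encrypted member.
    encrypted = any(i.flag_bits & 0x1 for i in infos)

    if banned_members:
        verdict = "banned-ext"
    elif encrypted:
        verdict = "encrypted"
    else:
        verdict = "clean"
    return {"verdict": verdict, "banned_members": banned_members,
            "encrypted": encrypted}


# --- constructed sample archives, built in memory --------------------------

def make_zip(members):
    """Build a small unencrypted archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the encryption flag in every central-directory record. The
    payload stays plaintext; this only imitates what a listing sees."""
    raw = bytearray(data)
    pos = raw.find(b"PK\x01\x02")
    while pos != -1:
        raw[pos + 8] |= 0x01  # low byte of the flags field
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "firmware": make_zip({"firmware.exe": b"constructed"}),
        "padded": make_zip({"archive.doc" + " " * 40 + ".exe": b"constructed"}),
        "docs": make_zip({"readme.txt": b"constructed"}),
        "locked": mark_encrypted(make_zip({"data.txt": b"constructed"})),
        "garbage": b"not a zip file",
    }
    for label, blob in samples.items():
        print(label, inspect_zip(blob)["verdict"])
```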
Re: [Declude.Virus] DELETEVIRUSES Not working.
> It seems that DELETEVIRUSES ON isn't working in Declude Virus 1.81
>
> I have it set to:
>
> DELETEVIRUSES ON
>
> In my virus.cfg but they're staying in my E:\IMail\spool\virus folder.

That is by design. Viruses are getting deleted, other E-mails (vulnerabilities and banned file extensions) are not, as they usually do not contain viruses or other dangerous code.

-Scott
Re: [Declude.Virus] Opteron Server spec??
> I am running a dual 2.4HT 533 xeon with 1gig 2100 and 73 gig 10k sata drives. We process about 200k messages a day and I am starting to get complaints about slow delivery. As well we are running around 85% to 100% CPU util across the board now on Win2003.

One quick thing to check is to make sure that you have a line PRESCAN ON in your \IMail\Declude\virus.cfg file. That enables the pre-scanning in Declude Virus Pro, which cuts down significantly on CPU time.

-Scott
Re: [Declude.Virus] F-Prot/Declude Problem
> I also put the eicar.com in every drive and in any Imail directory to see if it would delete it and 12 hours later it is still there and no pop windows have shown up.

That's the information we were waiting on. That means that there is almost certainly no on-access scanner running, which would indicate a configuration issue. For example, if F-Prot doesn't save the report.txt file (but you tell Declude that it is), then Declude Virus will see one less file than there should be, and assume that it was deleted.

I may have found the problem -- I would recommend changing the following line in your \IMail\Declude\virus.cfg file from:

SCANFILE C:\FSI\F-Prot\fpcmd.exe /SLIENT /DUMB /NOBEEP /NOMEM /NOBOOT /Archive=5 /REPORT=report.txt

to:

SCANFILE C:\FSI\F-Prot\fpcmd.exe /SILENT /DUMB /NOBEEP /NOMEM /NOBOOT /Archive=5 /REPORT=report.txt

changing to /SILENT. It seems that F-Prot is not reporting an error with the command line, but is in fact skipping the virus scanning.

-Scott
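Because a mistyped switch can leave the scanner running without scanning, the SCANFILE line is worth checking mechanically whenever virus.cfg changes. The following is an added example, not part of Declude or F-Prot: the function name and finding codes are assumptions, the list of accepted switches is limited to the ones that appear in the SCANFILE lines quoted in these threads, and the sample config is constructed.

```python
import difflib

# Only the fpcmd.exe switches that appear in these threads; this is not a
# complete list of what the scanner accepts.
KNOWN_SWITCHES = ["SILENT", "DUMB", "NOBEEP", "NOMEM", "NOBOOT",
                  "ARCHIVE", "REPORT"]


def lint_scanfile(cfg_text):
    """Return a list of (line_number, code, token, suggestion) findings for
    every SCANFILE line in a virus.cfg-style text."""
    findings = []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        parts = line.strip().split()
        if not parts or parts[0].upper() != "SCANFILE":
            continue
        for tok in parts[1:]:
            if not tok.startswith("/"):
                continue  # the scanner path, not a switch
            name, _, value = tok[1:].partition("=")
            key = name.upper()
            if key not in KNOWN_SWITCHES:
                # Offer the closest known switch so a transposition such as
                # /SLIENT is reported with its likely intended spelling.
                guess = difflib.get_close_matches(key, KNOWN_SWITCHES, n=1)
                suggestion = "/" + guess[0] if guess else ""
                findings.append((lineno, "unknown-switch", tok, suggestion))
            elif key == "ARCHIVE" and value == "":
                # A bare /ARCHIVE is the form the thread says to replace.
                findings.append((lineno, "archive-depth", tok, "/ARCHIVE=5"))
    return findings


# Constructed sample config combining both problems discussed in the threads.
SAMPLE_BAD = r"""
PRESCAN ON
SCANFILE C:\FSI\F-Prot\fpcmd.exe /SLIENT /DUMB /NOBEEP /NOMEM /NOBOOT /ARCHIVE /REPORT=report.txt
""".strip()

SAMPLE_GOOD = r"""
PRESCAN ON
SCANFILE C:\FSI\F-Prot\fpcmd.exe /SILENT /DUMB /NOBEEP /NOMEM /NOBOOT /Archive=5 /REPORT=report.txt
""".strip()

if __name__ == "__main__":
    for finding in lint_scanfile(SAMPLE_BAD):
        print(finding)
```

A clean lint result only says the line is well formed; sending a test file such as eicar.com through the server remains the check that scanning actually happens.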
Re: [Declude.Virus] F-Prot/Declude Problem
> Typing too fast I guess. I did make the change but it didn't help.

To get a better idea of what is happening, you can use the Declude debug mode. To do this, change the LOGLEVEL LOW line in \IMail\Declude\virus.cfg to LOGLEVEL DEBUG. Then, send the test eicar.com file through (using our Test Virus Sender at http://www.declude.com/tools ), and then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send us the \IMail\spool\vir.log file (as an attachment to [EMAIL PROTECTED], NOT sent from web messaging), and we can take a look at it to see what the problem may be.

-Scott
Re: [Declude.Virus] Couldn't find console/Error starting deccon.exe
> Since switching to version 1.80 and subsequently 1.81, I get the following messages in my virMMDD.log file:

That's due to the \IMail\Declude\hijack.cfg file -- it looks like a bug in the install program caused the Declude Hijack config file to be installed whether or not you run Declude Hijack. You can just delete that file.

-Scott
RE: [Declude.Virus] JS.Downloader.Trojan
> Now this morning, we get a W32.Netsky.P.dam virus via a data.zip file. I've submitted everything to F-Prot, but I'm surprised that it didn't catch these things. UGH!

The .dam means damaged, another term for a corrupt, non-viable variant. Since these are harmless, many AV programs do not detect them (but some -- usually Norton -- do).

-Scott
Re: [Declude.Virus] Installing new Declude
> Will the new version of Declude install by running the declude_setup.exe properly or do we update the old-fashioned way?

You can update either by running the install program (.exe) or the old-fashioned way (copying the Declude.exe file to the \IMail directory).

-Scott
Re: [Declude.Virus] Something Strange.....
> I got the following notice from Everyones Internet (ev1.net) [I listed the headers also]. Now I know that the mydoom virus spoofs the sender email address. But why would I get a notice from them about an email that is being sent to one of my customers at PepperLink.net. Little confused here.

It looks like one of their users sent the virus (therefore, they were authorized to relay), from an address on your domain to an address on your domain.

-Scott
Re: [Declude.Virus] V1.81?
> I never installed 1.80 after reading some of the jpeg issues on this list. Now, I see 1.81 is out. Have the false positive issues been resolved?

Yes. There have been no reports of false positives in the 4 days the new code has been available, nor do we expect that there will be any.

> I'm assuming there is no need to upgrade to 1.80 first before installing 1.81. Correct?

That is correct.

-Scott
Re: [Declude.Virus] Autoforge question misc.
> The autoforge option in declude virus, what port does it communicate on? Need to make sure it's open.

It uses DNS packets (in an almost identical way to spam database lookups), so no port changes need to be made.

> Also, our to declude programmer guys...I don't know about the feasibility, how about an idea for the future? Phishing. Have some sort of online db. Many on this list report phishing to the list and I'm sure computerized horizons receives its share. Have some sort of online db that declude junkmail or virus checks.

We're investigating a number of ways to deal with phishing.

-Scott
Re: [Declude.Virus] new interim version
> How do I install an interim version of Declude? Just replace the declude.exe file?

That is correct.

-Scott
Re: [Declude.Virus] F-Prot 3.15b break Declude Virus?
> I read the thread about this, but I didn't determine the final conclusion. Does F-Prot 3.15b break Declude virus?

I'm not aware of it breaking Declude Virus.

-Scott
Re: [Declude.Virus] More CPL Vulnerabilities
> Since upgrading to 1.80 I am seeing many more Invalid CPL Vulnerabilities. Is this just timing or is there something different for these vulnerabilities? The interesting thing about these is that they are coming from spoofed senders multiple deliveries at a time.

The Invalid CPL Vulnerability detection was added to v1.80 (it was in 1.79iXX interims as well). I do not believe any changes were made from when it was first implemented.

-Scott
Re: [Declude.Virus] More CPL Vulnerabilities
I wonder though: I added a vulnerability.eml and have

ONLYSENDIFVIRUSNAMEHAS JPEG Vulnerability

I assumed that the virusname would have to have JPEG Vulnerability, both words, is this the case?

Correct.

-Scott
RE: [Declude.Virus] Lines in the virus.cfg file
Now that 1.81 is released what is the recommendation by DECLUDE (SCOTT) regarding the config file? IE do we allow the AV software to scan jpegs by removing the line SKIPEXT JPG or do we allow Declude to take care of it completely.

That's up to you. In theory, it shouldn't be necessary to remove the SKIPEXT JPG line, as Declude Virus should detect any .JPG file with the vulnerability. But if you are looking to be extra-cautious, you can remove that line.

From what I understand (and I know ugotz) the infected jpegs are more likely to be in Web Pages than in emails.

I can't say one way or the other. Web pages have the disadvantage that it is nearly impossible to intercept the JPEG files in transit (whereas E-mail can be scanned easily), but then again it is much easier to send a lot of E-mails than to get a lot of people to go to a website.

I am assuming from the threads here that people are catching infected jpegs. Or is it tests only??

Tests and false positives with the Microsoft algorithm (from 1.80). The 1.81 version shouldn't have any false positives.

-Scott
Re: [Declude.Virus] Another easy one
I'm getting an error in my vXXX.log file:

10/01/2004 13:46:27 Qc22200bc00b6e28c Couldn't find console; starting... (2).
10/01/2004 13:46:27 Qc22200bc00b6e28c Error starting deccon.exe: 2

This one is because you have a line CONSOLE ON in the virus.cfg file, which tells Declude to run the \IMail\Deccon.exe file (which displays a console showing recent E-mails that arrived, that is required for Declude Hijack). However, that file doesn't appear. So you can either copy the deccon.exe file to the \IMail directory, or you can remove the CONSOLE ON line.

-Scott
Re: [Declude.Virus] Another easy one
I didn't have anything after the LOGFILE and LOGLEVEL (no mention of CONSOLE at all). So I've added a CONSOLE OFF line after that. I don't have Hijack, so I assume this is the way to get around the error?

Do you have a CONSOLE ON line in your global.cfg file? It's possible that that could cause the error message, too. If there is no CONSOLE ON line, it defaults to CONSOLE OFF, so I'm guessing the message will still appear. Note that the message doesn't affect how Declude functions (except that the console won't appear, but that isn't something you were expecting).

-Scott
RE: [Declude.Virus] GDI false Postive
Can we advise anyone sending pictures from a MAC to zip them? Change the extension? Would either solution bypass the scanning?

Changing the extension or zipping them would bypass the scanning.

-Scott
RE: [Declude.Virus] GDI false Postive
When you release next fix, can you add the ability to disable this test from inside of declude and rely on the AV software?

We probably will, but there should be no legitimate reason for JPEGs to contain the exploit. The issue is that Microsoft's algorithm for detecting them was bad. Our algorithm should be perfect.

-Scott
Re: [Declude.Virus] ERR 005
I upgraded Declude to 1.80 two days ago. Today IMail has been logging the following error:

09:30 14:46 SMTP-(0714) ERR 005 - Send message thread exception handled

I wonder if that error could be related to Declude new version.

That shouldn't have anything to do with Declude. However, to be safe, I would suggest posting the lines with 0714 that occur before that one, which should help indicate if there are any errors that could indeed be caused by Declude.

-Scott
Re: [Declude.Virus] GDI false Postive
How about adding per domain too.. for the pro.. DOMAIN FILEX.CFG and in x.cfg have the standard: Skipext, Banext, Prescan, Ban Options, Footer, Delivererrors, Delete options, which overwrite the standard settings in virus.cfg just for that domain.

We do have enhanced per-user/per-domain options in the suggestion database.

-Scott
Re: [Declude.Virus] Problem with 1.80 and Vulnerabilities
I thought it might be because of these errors in the Declude Virus logs - the first line occurs 25 times or so, then the Time Out - log snip

ERROR: Could not move virus-infected E-mail! Code: 3 0

Are there other numbers on that line? That line indicates a Windows Path not found error, which would suggest that your VIRDIR option is not set correctly (in the \IMail\Declude\virus.cfg file).

-Scott
Re: [Declude.Virus] GDI false Postive
And not to upset anyone, how long does it take it to make it to production or beta? I noticed this has been in the Suggestion Database for almost two years.

It is important to realize that the suggestion database is not a list of features for the next release. It is as the name implies -- a database of suggestions that have been reported by customers. So saying that it is already in the suggestion database simply means that it has been requested in the past, and will be considered for future releases. Whether or not it makes it to a future release depends on many factors -- the amount of development time allotted to the new release, how many customers will benefit from it, how long it would take to add the feature, etc. In this case, it is a feature that would likely require a lot of work. On the other hand, it is something that a number of customers have requested.

-Scott
Re: [Declude.Virus] ERR 005
09:30 11:15 SMTP-(07DC2889) processing d:\IMAIL\spool\Q22f30bf500ec93c4.SMD
09:30 11:15 SMTP-(07DC2889) ERR 005 - Send message thread exception handled

I would recommend letting Ipswitch know about this (assuming you are running the latest version of IMail) -- it appears to be an issue with IMail.

-Scott
Re: [Declude.Virus] ERR 005
After troubleshooting I find that there is just one particular email with a special format that makes the queue manager crash. First time I have seen that happen in our server. Will you be willing to take a look at these files (header file and Queue file) to see if there is something special with those files? I could send them to you off list.

Sure -- if you could send them to [EMAIL PROTECTED] (in a .ZIP file, preferably), we'll take a look at them and see what we can find out.

-Scott
Re: [Declude.Virus] GDI false Postive
I had a JPG held by declude as: X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability]. However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC. User-Agent: Microsoft-Entourage/10.1.0.2006 Does he need to update his version? Or is it something else?

The problem is that Microsoft decided not to give out any information on how to detect the exploit. The person that discovered the exploit, however, provided details on how the exploit could be detected. There was, unfortunately, a flaw in the detection method, causing occasional false positives (in our tests, about 1 in 1,000 legitimate JPEG files was getting caught as a result). We are planning to change the detection code to use our own (more complex) method.

-Scott
Re: [Declude.Virus] JPEG Vulnerability
Could someone please explain what this Microsoft GDIPlus.DLL JPEG Vulnerability is?

It is the most serious exploit ever discovered that viruses can use. Specifically, it allows viruses to spread in JPEG files, something nobody previously thought possible. Fortunately, it only can work on unpatched computers. But most computers are unpatched, and patching them can range from easy to difficult to impossible, depending on the circumstances.

Are all JPEG's vulnerable or just some with a bad format?

Only JPEG files that are created maliciously are a problem. But there have already been some sent out.

The company I work for does a lot of graphics work and people email jpegs around. A few have been caught and I'm trying to understand why. I'm assuming (yes I shouldn't do that) that more are sent than are caught.

That's because Microsoft screwed up, and gave out an algorithm for detecting the exploit that has false positives. We plan to have full JPEG analysis soon, to work around this (with absolutely no code from Microsoft in it <G>).

-Scott
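The false-positive problem discussed in this thread, as an added example (not Declude's or Microsoft's code, and not the algorithm either of them used). It assumes, from public descriptions of MS04-028 rather than from these posts, that the malformed field is a JPEG COM (0xFFFE) segment whose length is below 2, and it contrasts a byte-pattern search with a walk of the marker structure; the sample files and all function names are constructed for illustration.

```python
import struct
from typing import Optional

COM, SOS, EOI = 0xFE, 0xDA, 0xD9
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, 0xD8, EOI} | set(range(0xD0, 0xD8))


def naive_scan(data: bytes) -> bool:
    """Signature-style check: COM marker bytes plus a length of 0 or 1,
    matched anywhere in the file, including inside other segments' payloads."""
    return b"\xff\xfe\x00\x00" in data or b"\xff\xfe\x00\x01" in data


def _skip_entropy_data(data: bytes, pos: int) -> int:
    """Return the offset of the next real marker after scan data.
    FF 00 (byte stuffing), FF FF (fill) and RSTn are part of the scan."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def first_bad_com_offset(data: bytes) -> Optional[int]:
    """Walk the segment structure; return the offset of the first COM segment
    whose length field is below 2 (assumed trigger), or None if there is none.
    Raises ValueError on files that cannot be parsed, so the caller can hold them."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # fill bytes before the marker code
            pos += 1
        if pos >= n:
            break
        marker, marker_off = data[pos], pos - 1
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        (length,) = struct.unpack_from(">H", data, pos)
        if length < 2:  # the length field counts its own two bytes
            if marker == COM:
                return marker_off
            raise ValueError(f"invalid length in segment at offset {marker_off}")
        if pos + length > n:
            raise ValueError(f"segment at offset {marker_off} runs past end of file")
        pos += length
        if marker == SOS:
            pos = _skip_entropy_data(data, pos)
    return None


def segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed segment for the constructed samples below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (structure only, no image content).
APP0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
# Legitimate file: the bytes FF FE 00 01 occur by coincidence inside APP1 data.
BENIGN = (b"\xff\xd8" + APP0
          + segment(0xE1, b"Exif\x00\x00" + b"\x12\xff\xfe\x00\x01\x34")
          + segment(COM, b"made on a Mac")
          + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
# Malformed file: a real COM segment header with length 0.
MALFORMED = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x00" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, "naive:", naive_scan(blob), "structured:", first_bad_com_offset(blob))
```

The pattern search flags both samples, while the structured walk flags only the file in which the short length belongs to an actual COM segment.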
RE: [Declude.Virus] JPEG Vulnerability
It seems to me that if the PC is infected, that every jpg they send by email also contains the vulnerability - correct?

It isn't yet known what viruses using this exploit may do. It might send out E-mails directly, attach itself as JPEG files to E-mails being sent out manually, etc.

-Scott
RE: [Declude.Virus] Fprot GDI Scanner lines.
Same here. Is there a way to make f-prot w\Declude catch these?

The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit.

-Scott
RE: [Declude.Virus] Fprot GDI Scanner lines.
Which one is considered the latest.

Unless otherwise specified, latest refers to a beta or release. In this case, it is specifically the v1.80 release.

Is that the mysterious latest interim 20 that end-users have announced on this list?

There's nothing mysterious about interims. We do not announce interims, but have a URL where people can get them. Someone found that there was a new interim, posted about it, and asked questions about it. There was nothing mysterious about it -- we needed to come out with a new interim, did, and made it available for the person who needed it. Yes, I know there are people who want interims that are more like betas (announced and/or documented somehow), but if people want to bring that up, they should do so in another thread. And yes, I know that you know how interims work, and that you know there is nothing mysterious about this one (in that it was handled exactly the same as interims have been handled for several years now).

Or is that the Version 1.80 that end-users have announced on this list. (If I somehow got unsubscribed from the announcement list then I apologize for wasting bandwidth.)

It hasn't been announced on the lists yet. It was decided to have the release announced on the website before notifying customers via E-mail.

-Scott
Re: [Declude.Virus] Mysterious
Yes Scott, thank you for updating Declude as well. I would prefer to have notifications of new releases go out ASAP to the lists, so that we as customers can decide if they are a priority to get installed...

I agree. :) If I had been the one deciding, I would likely have notified the lists first, then the website, then individual customers.

... especially with all these new potential dangerous JPG's floating around (BTW, how common are these, has anyone been picking them up with declude?)

I'm not aware of any being picked up with Declude Virus yet. But there was a report earlier today of a trojan horse spreading in Usenet newsgroups using this exploit.

Also it would have been nice to know about your change to how new versions were downloaded and installed on your website. If I was downloading a new version for an emergency use having to register to download the new version, even though we have been a customer for many years, then having to read documentation to figure out which version (automated, or manual), would be preferred to download (what about providing a 3rd old school exe only version.

The ideas of requiring people to register and the install program are new, so there may be some ways that they can be improved for future releases. We'll be listening to any issues people report.

-Scott
RE: [Declude.Virus] Mysterious
I used the label mysterious because people (like me) had been highly anticipating the JPEG detection feature - and today we learn purely by accident that there are new interim and release releases.

FYI, there was no new interim. Someone went to the URL to get an interim, saw that it wasn't what they expected (I have no idea what they expected), and posted about it. The only new release today is 1.80, which as expected, had the GDIPlus.dll Exploit detection.

Mystery is an appropriate word, since I (the customer) know of no way to determine the changes in the interim releases - e.g., if it may contain the JPEG detection feature. I am monitoring this list and I don't believe I saw any prior discussion on -i20 that would have lifted the mystery.

IIRC, the 1.79i20 that someone posted about was released last week.

-Scott
Re: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability
Would it be possible for these vulnerabilities to have a notification email associated with them, like banned files? Correct me if I'm wrong, but I don't believe there are any notification possibilities with these currently.

Actually, they are treated the same as viruses, as far as notifications go (except that by default vulnerabilities are not sent out, due to AUTOFORGE ON or SKIPIFVIRUSNAMEHAS Vulnerability). So you could create a new .eml file with ONLYSENDIFVIRUSNAMEHAS Vulnerability.

-Scott
Re: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability
It would be nice to have more granular control over this, though...to perhaps only send for particular hosts, IPs, or email addresses in response to the existing criteria for virus name and vulnerability.

There are many such options -- for example, ONLYSENDIFRECIP, ONLYSENDIFSENDER, ONLYSENDIFIP...

-Scott
Re: [Declude.Virus] F-Prot/GDI+ FYI
Without blocking all .JPG files, nothing. The problem is that there is a lack of information on how to detect such .JPG's.

You can find details about the exploit at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Thanks for the URL -- although good 'ole Microsoft does specify how to detect them there, a Google search on the E-mail address of the person they thanked for discovering the vulnerability led me to the details. I expect we'll have a new version on Monday to take care of this (unless some start spreading before then, in which case we would have a new version ready ASAP).

-Scott