RE: [Declude.Virus] Another virus to skip notify
Thanks For the great product and A++ support!!! ~Paul~ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Thursday, April 25, 2002 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Another virus to skip notify >Would the notification emails be something like this: > >SKIPIFVIRUSNAMEHAS Magistr >SKIPIFVIRUSNAMEHAS Kelz Like this -- although I'd use "Klez" instead. :) >SKIPIFVIRUSNAMEHAS W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B This way will not work. This will look for a virus that has "W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B" in the name, which won't occur. >Also would you need the whole name of the virus? No, you do not. If there is a partial match, the notification will not get sent out. So "Klez" will cover all the Klez variants. That way, you don't have to worry about having to add a line for future variants. -Scott --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Another virus to skip notify
>Would the notification emails be something like this: > >SKIPIFVIRUSNAMEHAS Magistr >SKIPIFVIRUSNAMEHAS Kelz Like this -- although I'd use "Klez" instead. :) >SKIPIFVIRUSNAMEHAS W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B This way will not work. This will look for a virus that has "W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B" in the name, which won't occur. >Also would you need the whole name of the virus? No, you do not. If there is a partial match, the notification will not get sent out. So "Klez" will cover all the Klez variants. That way, you don't have to worry about having to add a line for future variants. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] Another virus to skip notify
Would the notification emails be something like this: SKIPIFVIRUSNAMEHAS Magistr SKIPIFVIRUSNAMEHAS Kelz ONLYSENDIFREMOTESENDER From: postmaster@%LOCALHOST% To: postmaster@%SENDERHOST% Subject: Your mail server sent us a virus Or SKIPIFVIRUSNAMEHAS W32/Magistr.b@MM; W32/Klez.h@MM; W32/Hybris.worm.B ONLYSENDIFREMOTESENDER From: postmaster@%LOCALHOST% To: postmaster@%SENDERHOST% Subject: Your mail server sent us a virus Also would you need the whole name of the virus? I ask this because of the different variants either of the viruses itself or the way the AV reports the name. Would this list be good or if some one has a better one please post it. I have about 20 flaming emails from postmasters that say they are not infected. I would like to keep the email from going out to the wrong person. W32/Klez.h@MM W32/Klez.H@mm W32/Klez.gen@MM W32/Magistr.32768@mm W32/Magistr.b@MM W32/Magistr.28672@mm W32/Magistr.a@MM W32/Klez.E@mm W32/Klez.e@MM W32/Hybris.worm.B W32/Hybris.gen@MM -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Thursday, April 25, 2002 9:19 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Another virus to skip notify >Now I don't know which address (nmiller or mmiller) Declude sends it's "you >sent a virus" message to. Maybe Scott can answer that, but if it is the >wrong address then sending that message to the sender could be skipped. Declude Virus sends to the return address (from the SMTP envelope), which in the case of Magistr is the altered address. So skipping the sender notification (adding "SKIPIFVIRUSNAMEHAS Magistr" to the sender.eml file) would be a good idea. -Scott --- [This E-mail scanned for viruses by Declude Virus/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Another virus to skip notify
I thought on the magistr virus every 5th address was possibly not altered? Are all the return addresses bad? I have chosen not to skip this one to the sender as 20% of the time it reaches the infected sender. Maybe not exactly 20% but some success anyway... On Thursday, April 25, 2002 7:18 AM, R. Scott Perry <[EMAIL PROTECTED]> wrote: > >>Now I don't know which address (nmiller or mmiller) Declude sends it's "you >>sent a virus" message to. Maybe Scott can answer that, but if it is the >>wrong address then sending that message to the sender could be >skipped. > >Declude Virus sends to the return address (from the SMTP envelope), which >in the case of Magistr is the altered address. So skipping the sender >notification (adding "SKIPIFVIRUSNAMEHAS Magistr" to the sender.eml file) >would be a good idea. > -Scott > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >This E-mail came from the Declude.Virus mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.Virus". You can E-mail >[EMAIL PROTECTED] for assistance. You can visit our web >site at http://www.declude.com . > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Another virus to skip notify
>Now I don't know which address (nmiller or mmiller) Declude sends it's "you >sent a virus" message to. Maybe Scott can answer that, but if it is the >wrong address then sending that message to the sender could be skipped. Declude Virus sends to the return address (from the SMTP envelope), which in the case of Magistr is the altered address. So skipping the sender notification (adding "SKIPIFVIRUSNAMEHAS Magistr" to the sender.eml file) would be a good idea. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
