RE: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread John Tolmachoff (Lists)

SWEN is not known to be forging. Every one that I have seen came from the sender that was indeed infected.





John Tolmachoff
Engineer/Consultant/Owner
eServices For You
CBL:Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Matt

Swen does forge. Sometimes it sends a fake bounce message to spread
which is different from the primary payload. The message also will
forge the From address while using the Mail From of the infected
computer.

I'm thinking this is more so the difference between what we consider
forging, and why we individually use SKIPIFFORGING. My only reason for
sending virus notifications to my own clients right now is to show them
when something like an infected document was intercepted from a real
sender, and anything that forges whatsoever would be considered
something to skip. For instance, I used to have a form for one client
where people could upload resumes, and my server would forward these
resumes to them in E-mail, but they were regularly infected with macro
viruses and it would be nice to drop them a note in that case instead
of just making the message and attachment totally disappear.

Seems like SKIPIFFORGING was really intended to handle bounces to the
sender and not to the receiver by the way it is being applied.

Matt

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Greg Little

Yes, Swen forges.

I don't send any auto-notice to sender or recipient on forging viruses.
You don't know who the "real" sender is and it does nothing useful for
the recipient to hear "an unknown PC Sent you a virus, but it was
blocked by the server".

For most of the Macro viruses (and some of the other non-forging) you
do want both to get a notice.

Greg Little


This is from F-Secure's site:
http://www.f-secure.com/v-descs/swen.shtml

  The attachment name, subject and part of the infected message is
  randomly composed from text strings hardcoded in the worm's body.

  The fake sender's address is selected from the following parts:

    MS, Microsoft, Corporation, Program, Internet, Network, Security,
    Division, Section, Department, Center, Technical, Public, Customer,
    Bulletin, Services, Assistance, Support

  The domain name for these e-mails is selected from the following parts:

    news, bulletin, confidence, advisor, updates, technet, support,
    newsletters

  The domain suffix for these e-mails is selected from the following parts:

    ms, msn, msdn, microsoft

  followed by one of the following:

    .com, .net



---
[This E-mail scanned for viruses by Findlay Internet]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread R. Scott Perry

> Yes, Swen forges.
FWIW, we haven't yet seen a single copy of Swen that forges.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Matt
Just to clarify.  Swen forges the From address, but not the Mail From 
address.

I'm reevaluating my choice to only send recipient notices.  I may just 
change to sender notifications only with SKIPIFFORGING.

Matt

Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread R. Scott Perry

> I'm not seeing both a From and a Mail from listed in the headers that
> come back from Declude.
> So, it must be in some detail that is not in %headers%.
>
> I take it that Declude will send it to the Mail from. Looks like I'll be
> testing with Swen not forging.
You'll see the return address in the X-Declude-Sender: header.  That's the 
only one that Declude Virus will use (for notifications, for example), and 
is not forged.  As others have pointed out, the From: header may be forged 
(but Declude Virus does not use that header).

   -Scott
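Scott's point above (notifications go to the envelope sender Declude records in X-Declude-Sender, never to the From: header) and the F-Secure word lists Greg quoted, worked into an added example; this is not Declude code or anything posted in the thread. The sample headers are constructed, the Return-Path fallback is this example's own choice, and the assumption that Swen joins the listed words with '_', '-' or '.' in the local part is not something the page states.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word lists quoted on this page from F-Secure's Swen description.
SWEN_LOCAL_WORDS = {
    "ms", "microsoft", "corporation", "program", "internet", "network",
    "security", "division", "section", "department", "center", "technical",
    "public", "customer", "bulletin", "services", "assistance", "support",
}
SWEN_DOMAIN_RE = re.compile(
    r"^(news|bulletin|confidence|advisor|updates|technet|support|newsletters)"
    r"\.(ms|msn|msdn|microsoft)\.(com|net)$"
)

def looks_like_swen_from(from_header):
    """True if a From: address is built from the documented Swen word lists.
    Assumption (not on the page): the local part joins the words with
    '_', '-' or '.'; F-Secure does not say how Swen concatenates them."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if not SWEN_DOMAIN_RE.match(domain):
        return False
    tokens = [t for t in re.split(r"[._-]", local) if t]
    return bool(tokens) and all(t in SWEN_LOCAL_WORDS for t in tokens)

def notification_target(msg):
    """Where a notification would go: the envelope sender Declude records in
    X-Declude-Sender (Scott's reply). Falling back to Return-Path when that
    header is absent is this example's assumption. From: is never used."""
    sender = msg.get("X-Declude-Sender") or msg.get("Return-Path") or ""
    return parseaddr(sender)[1] or None

def triage(raw):
    """Summarise one message: notification target, whether the From: header
    disagrees with the envelope sender, and whether it matches Swen's pattern."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    target = notification_target(msg)
    return {
        "notify": target,
        "from_differs_from_envelope": from_addr != (target or "").lower(),
        "swen_style_from": looks_like_swen_from(msg.get("From", "")),
    }

# Constructed sample (invented addresses): Swen-style forged From:, while the
# envelope sender is the infected machine, as described in the thread.
SAMPLE = """\
Return-Path: <user@infected-host.example>
X-Declude-Sender: user@infected-host.example
From: "MS Technical Assistance" <Technical_Assistance@support.msn.com>
To: victim@example.org
Subject: Abort Notice

body
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```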


[Declude.Virus] Swen not tagged as forging?

2004-03-07 Thread Matt

I just had a client ask me to turn off all virus notifications, and the
message that they sent back was for Swen.A.
	Date: 03/07/2004 17:37:53
	Subject: Abort Notice
	Host: cybermatsa.com.mx [148.233.93.6]
	Attachment: enqofe.exe
	Virus: W32/[EMAIL PROTECTED]

Is it possible that this isn't in the forging database, or could this
have been a failed lookup, or is it possible that this is a bug in the
version of Declude Virus that I am running. I'm on 1.78i14 currently.
I'm thinking that maybe the combination of the 'MIME Header'
vulnerability along with the virus being detected might have caused the
SKIPIFFORGING to be bypassed:

03/07/2004 17:37:53 Qa43c661500982fd2 MIME file:
[text/html][quoted-printable; Length=228 Checksum=17379]
03/07/2004 17:37:53 Qa43c661500982fd2 Outlook 'MIME Header'
Vulnerability: type=audio/x-wav, name=enqofe.exe.
03/07/2004 17:37:53 Qa43c661500982fd2 MIME file: enqofe.exe [base64;
Length=106496 Checksum=9384207]
03/07/2004 17:37:53 Qa43c661500982fd2 Banning file with EXE extension
[audio/x-wav].
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 1: Virus=W32/[EMAIL PROTECTED]
Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 Scanner 2: Virus=I-Worm/Swen.A
Attachment=enqofe.exe [1] O
03/07/2004 17:37:53 Qa43c661500982fd2 File(s) are INFECTED
[W32/[EMAIL PROTECTED]: 6]
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting file with virus
03/07/2004 17:37:53 Qa43c661500982fd2 Deleting E-mail with virus!
03/07/2004 17:37:53 Qa43c661500982fd2 Scanned: CONTAINS A VIRUS
[Prescan OK][MIME: 2 106748]
03/07/2004 17:37:53 Qa43c661500982fd2 From: ariearazi@example.com.mx
To: [EMAIL PROTECTED] [outgoing from 148.233.93.6]
03/07/2004 17:37:53 Qa43c661500982fd2 Subject: Abort Notice

Thanks,

Matt

[Declude.Virus] Swen... 200+ daily

2003-10-09 Thread Kami Razvan

Hi..

I have never seen a worse virus. I (my email) am receiving 200+ viruses daily. We stopped notifying the recipient but report it to the sender.

This is just out of this world. I think it is not receiving much attention since it only targets Usenet users and naturally mostly admins.

This started with 10+ daily and now it is at 200+.. Somehow I think if not fixed this may have the potential to overwhelm the networks.. Since Monday over 2000 viruses are trapped. The biggest ever in our system.

Regards,

Kami

RE: [Declude.Virus] Swen... 200+ daily ..... is that all?

2003-10-09 Thread Tandem Group

Lucky you. Only 200 a day. My tech admin has to date received around 14,000 of them. You are apparently not active enough on newsgroups. :-)

 Erik

[Declude.Virus] Swen

2003-10-02 Thread Mike Wiegers
Is Swen a forged virus? I tried to get to the .eml links on the manual page
but it didn't go. Need to see if I need to update my notification templates.

Thanks,
Mike


Re: [Declude.Virus] Swen

2003-10-02 Thread R. Scott Perry

> Is Swen a forged virus?
No (as far as Declude is concerned).  The From: header is forged, but the 
return address (the one that Declude uses) is not forged.  It will normally 
come from an address that the recipient does not recognize, however (since 
it mostly seems to get addresses from web pages and Usenet newsgroups).

   -Scott


[Declude.Virus] Swen... Incredible..

2003-09-29 Thread Kami Razvan

Hi;


I am just amazed as to how this Swen is working.

In the last 10 days I have received over 500 Swen viruses. An analysis of all viruses.. Incredibly, no 2 viruses have come from the same IP. In other words these 500 viruses have come from 500 different IPs.

Not a single person in the domains hosted on our server has received a single incident.

Just incredible.


Regards,

Kami

RE: [Declude.Virus] Swen... Incredible..

2003-09-29 Thread Sharyn Schmidt

> Not a single person in the domains hosted on our server has received a
> single incident.

Kami,

If it makes you feel any better, I am getting approximately 40 to 50 of these a day, while the rest of my users, combined, have received no more than 20.

Sharyn


RE: [Declude.Virus] Swen... Incredible..

2003-09-29 Thread ISPhuset Nordic AS
  
That has a natural explanation: the virus is looking in newsgroups and mailing lists for addresses to send to... most people don't use that.

Benny


RE: [Declude.Virus] Swen... Incredible..

2003-09-29 Thread Markus Gufler
> Not a single person in the domains hosted on our
> server has received a single incident.

> I am getting approximately 40 to 50 of these a day,
> while the rest of my users, combined, have received
> no more than 20.

From the beginning of this month on we've disabled recipient virus warnings
because

A.) they create unnecessary traffic during worm waves
B.) we've seen that the distribution of incoming viruses (and also spam)
is anything but balanced across our customers' mailboxes.
C.) over 99% of all incoming infected messages have no interesting
content for the recipient because it's autogenerated from a self
spreading worm.

So our customers - if target of a worm attack - are happy to see that
our virus filter works. But after the xxth warning on the same day they
are no longer so happy.

The solution for us:
We also have Declude JunkMail in use, so we can add a custom mail header
containing the final recipient mailbox name to every incoming message.
Now we've written a short VB script that goes through our /spam/hold and
/virus/hold folders, parses the recipient mailbox name from every D*.SMD
file and increments the counter in a database. (Note: it works only
because we keep all held virus/spam messages and delete them after 14
days.)

Now we are able to send out a weekly report to our users who have
received at least 5 spams or 1 virus in the last 7 days.

As you can see in the attached diagram only ~1/3 of our mailboxes
receive at least 1 virus from 09/01/2003 on. (The spam diagram has
nearly the same distribution.)


Markus

attachment: virus_distribution.gif
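Markus's weekly-report procedure (count held spam and virus messages per recipient mailbox from the D*.SMD files in /spam/hold and /virus/hold, then report users with at least 5 spams or 1 virus in the last 7 days), as an added example in Python; it is not his VB script or any Declude code. The header name X-Final-Recipient, the hold-folder listing and the mailbox names are constructed placeholders, since the post names none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from email import message_from_string
from fnmatch import fnmatch

# Markus says Declude JunkMail adds a custom header carrying the final
# recipient mailbox but does not name it; X-Final-Recipient is a placeholder.
RECIPIENT_HEADER = "X-Final-Recipient"
SPAM_MIN, VIRUS_MIN, WINDOW_DAYS = 5, 1, 7   # thresholds from the post

def mailbox_of(raw_headers):
    """Recipient mailbox from the custom header, lower-cased; None if absent."""
    value = message_from_string(raw_headers).get(RECIPIENT_HEADER)
    return value.strip().lower() if value else None

def tally(hold_files, now, window_days=WINDOW_DAYS):
    """Count held spam and virus messages per mailbox inside the window.
    hold_files: iterable of (folder, filename, mtime, raw_headers). Only
    D*.SMD files count, as in the script the post describes; the folder
    (/virus/hold or /spam/hold) decides which counter is incremented."""
    cutoff = now - timedelta(days=window_days)
    counts = defaultdict(lambda: {"spam": 0, "virus": 0})
    for folder, name, mtime, raw in hold_files:
        if not fnmatch(name.upper(), "D*.SMD") or mtime < cutoff:
            continue
        is_virus = folder.lower().replace("\\", "/").endswith("/virus/hold")
        box = mailbox_of(raw)
        if box:
            counts[box]["virus" if is_virus else "spam"] += 1
    return dict(counts)

def report_recipients(counts, spam_min=SPAM_MIN, virus_min=VIRUS_MIN):
    """Mailboxes that get the weekly report: >= 5 spams or >= 1 virus."""
    return sorted(box for box, c in counts.items()
                  if c["spam"] >= spam_min or c["virus"] >= virus_min)

# Constructed hold-folder listing (invented mailboxes, file names and times).
NOW = datetime(2003, 9, 29, 12, 0)

def hdr(box):
    return f"{RECIPIENT_HEADER}: {box}\r\nSubject: held message\r\n\r\n"

SAMPLE_FILES = (
    [("/spam/hold", f"D{i:04X}.SMD", NOW - timedelta(days=i % 6), hdr("alice"))
     for i in range(6)]                                                     # 6 recent spams
    + [("/spam/hold", "D0099.SMD", NOW - timedelta(days=2), hdr("bob"))]     # below threshold
    + [("/virus/hold", "D0100.SMD", NOW - timedelta(days=1), hdr("carol"))]  # 1 virus: reported
    + [("/virus/hold", "D0101.SMD", NOW - timedelta(days=20), hdr("dave"))]  # outside the window
    + [("/virus/hold", "Q0102.SMD", NOW - timedelta(days=1), hdr("erin"))]   # not a D*.SMD file
)

if __name__ == "__main__":
    counts = tally(SAMPLE_FILES, NOW)
    print(counts)
    print(report_recipients(counts))
```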

[Declude.Virus] Swen Virus Help

2003-09-29 Thread Carlos Castillo Reyes

I can't catch emails with the virus "SWEN". I have the latest definitions in my antivirus (virus scan command line). Any solution???

Thx!


Re: [Declude.Virus] Swen Virus Help

2003-09-29 Thread R. Scott Perry

> I can't catch emails with the virus SWEN, I have the last definitions in my
> antivirus (virus scan command line), any solution???
Are you running the latest version (.exe file) of your virus scanner?  Some 
virus scanners required an upgrade to the .exe file to catch Swen.

Does the SCANFILE line in your \IMail\Declude\virus.cfg file have a switch 
to enable searching through archives (such as /ARCHIVE or /UNZIP)?

   -Scott