Re: [Declude.Virus] BANnotify.eml
>If the attachment has a banned extension and a virus, which email
>notification will be sent? Thanks.

Good question! In that case, the virus notifications will go out, and the ban notification will not go out. For example, if you have "BANEXT com", and send the eicar.com file, the virus notifications will be sent as usual, but the ban notification will not be sent.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] BANnotify.EML
>Does BANnotify.EML get sent to the intended recipients or to the sender.

The default one will get sent to the sender. But, you can change that if you like.

>The example of BANnotify.EML doesn't show a from or to address. Are these
>addresses configurable, like with the other templates?

If it doesn't show a "To:" and "From:" before the first blank line, the IE bug probably altered the file -- you can try downloading it again, but instead of clicking on the link, you can right-click it and choose "Save Target As".

-Scott
Re: [Declude.Virus] BANnotify.eml
>Is it possible to have banned attachment notifications sent to the recipient as well as the sender? If so, how do you do this?

Yes, you can do this, although they must be identical. To do so, you can change the "To: %MAILFROM%" line to "To: %MAILFROM%,%ALLRECIPS%" (with just a comma, and no spaces, between %MAILFROM% and %ALLRECIPS%).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] BANnotify.eml
Go to http://www.declude.com/virus/manual.htm to get the latest update.

Cheers
Adrian
-
ToadShow Pty Ltd
phone: 07 3004 7900
fax: 07 3846 1220
email: [EMAIL PROTECTED]
http://www.toadshow.com.au
-

- Original Message -
From: "David Dodell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 26, 2004 3:06 PM
Subject: [Declude.Virus] BANnotify.eml

> Can someone send me a copy of their Bannotify.eml ...
>
> David
Re: [Declude.Virus] BANnotify.eml
>Can I add a BCC or a CC to forward a copy of the banned extension e-mail to me so I can investigate whether or not this is a valid file?

All that you can do in this case is have multiple recipients on the To: line (separated by a single comma, and no spaces), such as:

From: [EMAIL PROTECTED]
To: %MAILFROM%,[EMAIL PROTECTED]
Subject: Mail not delivered to to banned filename

-Scott
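The template rules stated in the replies above (a "To:" and a "From:" line before the first blank line, and multiple recipients separated by a single comma with no spaces) can be checked before a customized bannotify.eml goes live. This is an added example, not part of the original messages and not Declude's own code; the function names, the sample templates, the example.test addresses and the way variables are expanded are assumptions made for illustration.

```python
import re

VARIABLE = re.compile(r"%[A-Z]+%")


def split_template(text):
    """Return (header_lines, body_lines), split at the first blank line."""
    lines = text.replace("\r\n", "\n").split("\n")
    blank = lines.index("") if "" in lines else len(lines)
    return lines[:blank], lines[blank + 1:]


def header_values(header_lines):
    """Map lower-cased header names to their values."""
    values = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            values[name.strip().lower()] = value.strip()
    return values


def lint_bannotify(text):
    """Check a notification template against the rules given in the thread."""
    headers = header_values(split_template(text)[0])
    problems = []
    for required in ("to", "from"):
        if required not in headers:
            problems.append(f"no {required.title()}: line before the first blank line")
    to_value = headers.get("to", "")
    if ";" in to_value:
        problems.append("To: uses ';' where a single comma is required")
    if re.search(r"\s,|,\s", to_value):
        problems.append("To: has spaces around a comma")
    if to_value and "" in to_value.split(","):
        problems.append("To: has an empty entry (doubled or trailing comma)")
    return problems


def notice_recipients(text, values):
    """List who the notice would be addressed to once variables are filled in.

    Assumption: each variable expands to a comma-separated address list;
    the thread does not show how Declude itself expands them.
    """
    to_value = header_values(split_template(text)[0]).get("to", "")
    expanded = VARIABLE.sub(lambda m: values.get(m.group(0), m.group(0)), to_value)
    return [address for address in expanded.split(",") if address]


# Constructed sample templates (not the file shipped with Declude).
GOOD = ("From: postmaster@example.test\n"
        "To: %MAILFROM%,%ALLRECIPS%\n"
        "Subject: Attachment not accepted\n"
        "\n"
        "The mail server for %LOCALHOST% does not accept E-mail with "
        "attachments that contain the %BANEXT% extension.\n")
SPACED = GOOD.replace("%MAILFROM%,%ALLRECIPS%", "%MAILFROM%, %ALLRECIPS%")
DAMAGED = GOOD.split("\n\n", 1)[1]  # headers lost, body only

if __name__ == "__main__":
    for name, template in (("GOOD", GOOD), ("SPACED", SPACED), ("DAMAGED", DAMAGED)):
        print(name, lint_bannotify(template))
    print(notice_recipients(GOOD, {
        "%MAILFROM%": "sender@example.test",
        "%ALLRECIPS%": "alice@example.test,bob@example.test",
    }))
```

Running `notice_recipients` with realistic values before enabling %ALLRECIPS% shows exactly which mailboxes will start receiving ban notices.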
Re: [Declude.Virus] BANnotify.eml
bannotify.eml is the only template used for banned extensions or banned file names. You can customize this file to be sent to anyone that you wish. Note that this will only get sent if a banned extension or banned file name is detected AND Declude Virus doesn't detect a vulnerability or your virus scanner doesn't detect an infection. The incidence of this being sent should be less than 1% of all Declude Virus blocked messages, and most will be the result of encoded zip files if you are configured for that (currently that can't be turned off).

The general thought for this is to bounce back to the %MAILFROM% instead of to the recipient, so you can inform the sender that they have sent a type of file that is not accepted on your server, and give them instructions as to how to send the file in a way that passes your system (such as zipping up executables). If it wasn't for banned file names and encrypted archives being bounced, there would hardly be any of these sent out, and I expect that resolving that is high on Scott's list of enhancements, so the condition is hopefully temporary.

If you send these notices to local users, you might run the risk of having them tell you to turn them off for their account, in which case they might not realize that a legitimate message was blocked.

Maybe that all makes sense?

Matt

Goran Jovanovic wrote:

> Hi,
>
> The documentation shows that the bannotify.eml file sends mail back to %MAILFROM%. Can I just modify this to send mail to %ALLRECIPS% instead or is there another .eml file that I should be using to inform the recipient that a banned attachment was dropped?
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.Virus] BANnotify.eml
Yes this all makes sense. Now I think that what I would do is to send to both recipient and sender to inform them of the situation. So I would need to do something like this in the bannotify.eml

To: %MAILFROM%,%ALLRECIPS%

Can I send to multiple like this? Is the delimiter a ","?

Thanx

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, May 26, 2004 12:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANnotify.eml

bannotify.eml is the only template used for banned extensions or banned file names. You can customize this file to be sent to anyone that you wish. Note that this will only get sent if a banned extension or banned file name is detected AND Declude Virus doesn't detect a vulnerability or your virus scanner doesn't detect an infection. The incidence of this being sent should be less than 1% of all Declude Virus blocked messages, and most will be the result of encoded zip files if you are configured for that (currently that can't be turned off).

The general thought for this is to bounce back to the %MAILFROM% instead of to the recipient, so you can inform the sender that they have sent a type of file that is not accepted on your server, and give them instructions as to how to send the file in a way that passes your system (such as zipping up executables). If it wasn't for banned file names and encrypted archives being bounced, there would hardly be any of these sent out, and I expect that resolving that is high on Scott's list of enhancements, so the condition is hopefully temporary.

If you send these notices to local users, you might run the risk of having them tell you to turn them off for their account, in which case they might not realize that a legitimate message was blocked.

Maybe that all makes sense?

Matt

Goran Jovanovic wrote:

> Hi,
>
> The documentation shows that the bannotify.eml file sends mail back to %MAILFROM%. Can I just modify this to send mail to %ALLRECIPS% instead or is there another .eml file that I should be using to inform the recipient that a banned attachment was dropped?
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.Virus] BANnotify.eml
Without the attachments.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Robert Perez writes:

> I know this is a rookie question but anyway:
> Does BANnotify.eml file send the email with or without the attachment/s?
Re: [Declude.Virus] BANnotify.eml questions
>I have a question concerning the BANnotify.eml file. I have placed this
>file in with my other notify files in the Declude folder. I have entered in
>the BANEXT SCR entry (plus all the other extensions I will be blocking as
>separate entries.) in my virus.cfg file. Now when I receive an email from
>my outside web mail account (Hotmail) with an attachment of a blocked
>extension. It is placed in the quarantine folder, as it should. But no
>notification is sent.

Are you using a recent version of Declude? The BANnotify.eml file was added in v1.29, so earlier versions will not send it out.

-Scott
Re: [Declude.Virus] bannotify.eml question
>Is there a way in the BANnotify.eml file to add the body of the offending
>message to this eml file?

No, because if the original E-mail contains a virus, you would end up spreading it further. :)

-Scott
Re: [Declude.Virus] bannotify.eml question
Isn't the bannotify only for exception extensions, not necessarily viruses?

Also, just looking for getting the main text, not any attachments. If you forwarded, or in my case returned to the sender, the original text of the message it would let them know which message to resend...

On Wednesday, February 20, 2002 3:33 PM, R. Scott Perry <[EMAIL PROTECTED]> wrote:
>
>>Is there a way in the BANnotify.eml file to add the body of the offending
>>message to this eml file?
>
>No, because if the original E-mail contains a virus, you would end up
>spreading it further. :)
>-Scott
Re: [Declude.Virus] bannotify.eml question
>Isn't the bannotify only for exception extensions, not necessarily viruses?

Yes, but the reason that the banned file extensions were added to Declude Virus was to help prevent the spread of viruses. So it is assumed that if a file is banned because of the extension, there's a decent chance that it contains a virus.

>Also, just looking for getting the main text, not any attachments. If you
>forwarded, or in my case returned to the sender, the original text of the
>message it would let them know which message to resend...

The subject should be enough to know for sure. But we do want to add a variable that will allow you to insert the text portion of the E-mail, which sounds like what you are looking for.

-Scott
Re: [Declude.Virus] bannotify.eml question
As usual, thanks for the info Scott!!! I like the sounds of a %MESSAGETEXT% variable...

On Wednesday, February 20, 2002 4:15 PM, R. Scott Perry <[EMAIL PROTECTED]> wrote:
>
>>Isn't the bannotify only for exception extensions, not necessarily viruses?
>
>Yes, but the reason that the banned file extensions were added to Declude
>Virus was to help prevent the spread of viruses. So it is assumed that if
>a file is banned because of the extension, there's a decent chance that it
>contains a virus.
>
>>Also, just looking for getting the main text, not any attachments. If you
>>forwarded, or in my case returned to the sender, the original text of the
>>message it would let them know which message to resend...
>
>The subject should be enough to know for sure. But we do want to add a
>variable that will allow you to insert the text portion of the E-mail,
>which sounds like what you are looking for.
>-Scott
Re: [Declude.Virus] Bannotify.eml skipifsender forged
>Would it work to put SKIPIFSENDER [Forged] in the top of the bannotify.eml file?

No. If a virus is detected, the bannotify.eml file won't be sent out (virus scanning takes priority over banned file extensions). Without knowing the name of a virus, it is not possible to determine if it is a forging virus.

-Scott
RE: [Declude.Virus] Bannotify.eml skipifsender forged
> No. If a virus is detected, the bannotify.eml file won't be
> sent out (virus scanning takes priority over banned file
> extensions). Without knowing the name of a virus, it is not
> possible to determine if it is a forging virus.

Ok, I understand.

Today I've had the following NDR in the postmaster mailbox:

=
Unknown user: [EMAIL PROTECTED]

Original message follows.

Date: Mon, 23 Feb 2004 09:23:35 +0100
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
From: "Postmaster" <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Delivery Failed
X-Mailer:

Sender: [EMAIL PROTECTED]
Recipient: [EMAIL PROTECTED]
Extension: pif
=

In the logfile I can see the following 3 lines for the message causing the bannotify message above:

02/23/2004 09:23:35 Qb88600530094b521 Scanned: Banned file extension. [MIME: 2 41]
02/23/2004 09:23:35 Qb88600530094b521 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
02/23/2004 09:23:35 Qb88600530094b521 Subject: hello

There is no "Virus free" above these two lines.

As it was this single NDR I've received it seems nothing very important. Only to understand why...

Markus
RE: [Declude.Virus] Bannotify.eml skipifsender forged
>In the logfile I can see the following 3 lines for the message causing the bannotify message above:
>
>02/23/2004 09:23:35 Qb88600530094b521 Scanned: Banned file extension. [MIME: 2 41]
>02/23/2004 09:23:35 Qb88600530094b521 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
>02/23/2004 09:23:35 Qb88600530094b521 Subject: hello
>
>There is no "Virus free" above these two lines.

That is correct. Because you have chosen to block the file extension, it is assumed to be dangerous, and therefore even though the virus scanner does not detect a virus, the "Virus free" line is removed.

-Scott
Re: [Declude.Virus] Bannotify.eml missing extension.
>I just received a notification message that said:
>
>The mail server for continentaloffice.com does not accept E-mail with attachments that contain the extension.
>
>--pbgivjxdscnisewbjysa
>Content-Type: application/octet-stream; name="Readme.zip"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment; filename="Readme.zip"

This is definitely helpful.

>I have the D-file, and I have the log extract

What does the log file say? Which version of Declude Virus are you running?

-Scott
RE: [Declude.Virus] Bannotify.eml missing extension.
Good morning. Here's a new twist. I got one this morning that read:

The mail server for continentaloffice.com does not accept E-mail with attachments that contain the readme.zip extension.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Thursday, March 04, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Bannotify.eml missing extension.

I saw this in the flood of messages today [or was it yesterday] and I can't find it to chime in with a [forgive me] "me too".

I have this line in my bannotify.eml:

The mail server for %LOCALHOST% does not accept E-mail with attachments that contain the %BANEXT% extension.

I just received a notification message that said:

The mail server for continentaloffice.com does not accept E-mail with attachments that contain the extension.

I dug out the D-file for that message and here's the relevant hunk out of the MIME headers:

--pbgivjxdscnisewbjysa
Content-Type: application/octet-stream; name="Readme.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Readme.zip"

I have the D-file, and I have the log extract. This only happens intermittently, but we've gotten so many over the last few days that I've noticed them more than I would have otherwise.

This was an encrypted ZIP attachment, with an EXE inside. I'm doing BANZIPEXTS ON and BANEZIPEXTS ON, but not BANEXT ZIP or its ezip cousin. And finally, I am getting other notifications with "ZIP-scr" or "ZIP-exe" in the %BANEXT% spot.

Having said all that: is this further evidence of a glitch or not? [I'm almost totally befuddled at this point, and I hate being a "me too". Sorry.]

--
John Shacklett
[EMAIL PROTECTED] [EMAIL PROTECTED]
www.continentaloffice.com
RE: [Declude.Virus] Bannotify.eml missing extension.
>Good morning. Here's a new twist. I got one this morning that read:
>
>The mail server for continentaloffice.com does not accept E-mail with attachments that contain the readme.zip extension.

That's how the new change works to prevent it from saying "... contain the . extension", until a better solution can be found.

-Scott