RE: [Declude.Virus] Invalid Zip Vulnerability

2008-03-06 Thread Andy Schmidt
I have since determined that this email simply did have corrupted zip files.

 

My problem was NOT that those emails were held – but rather that it referred to 
an undocumented vulnerability that we weren’t able to intelligently discuss with 
the client (it’s not on our “list” of vulnerability explanations).

 

I also heard back from Declude that they will research that vulnerability check 
in the source code to learn more about it, and hopefully they will then add 
whatever information they’ll learn into the documentation.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
Sent: Thursday, March 06, 2008 10:54 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Invalid Zip Vulnerability

 

No name, just the extension?

John T
eServices For You



-Original Message-
From: "Andy Schmidt" <[EMAIL PROTECTED]>
Sent 3/3/2008 9:30:59 AM
To: [EMAIL PROTECTED]
Cc: declude.virus@declude.com
Subject: [Declude.Virus] Invalid Zip Vulnerability

Hi,

 

I checked your KB – and it doesn’t document that vulnerability:

http://support.declude.com/Customer/KBArticle.aspx?articleid=25&KBSearchID=11699

 

I checked your manual – and it doesn’t document that vulnerability:

http://www.declude.com/searchresults.asp?Cat=124

 

However, I do have a message that fails the vulnerability:

 

   File:   "[.ZIP file]"

   Result: Found[Invalid ZIP Vulnerability]

 

So now I need to determine, why this ZIP file is being rejected.

 

Thanks,

Andy


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com. 


Re: [Declude.Virus] Invalid Zip Vulnerability

2008-03-06 Thread John T
No name, just the extension?

John T
eServices For You

-Original Message-
From: "Andy Schmidt" <[EMAIL PROTECTED]>
Sent 3/3/2008 9:30:59 AM
To: [EMAIL PROTECTED]
Cc: declude.virus@declude.com
Subject: [Declude.Virus] Invalid Zip Vulnerability

Hi,

I checked your KB – and it doesn’t document that vulnerability:

http://support.declude.com/Customer/KBArticle.aspx?articleid=25&KBSearchID=11699

I checked your manual – and it doesn’t document that vulnerability:

http://www.declude.com/searchresults.asp?Cat=124

However, I do have a message that fails the vulnerability:

   File:   "[.ZIP file]"

   Result: Found[Invalid ZIP Vulnerability]

So now I need to determine, why this ZIP file is being rejected.

Thanks,

Andy


Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-08-01 Thread Bonno Bloksma
Hi,

Now all Declude needs to do, at least it would be nice if they did, is find 
a way to make these subjects
Date:   01 Aug 2007 09:57:25
Subject:
=?ISO-2022-JP?B?GyRCQ084NSROJSolUCU1JXMkckp6JC0kPyQkJEckOSQrISklbCVZGyhC?=
Spool File: D3cde019e9042.smd
Remote IP:  58.236.15.183
readable in those notification messages. I understand what is going on but 
still it's unreadable for most people.

Anyone at Declude want to comment on this? Is this something that can be fixed 
easily or will it take some heavy programming because of all the different 
possible charsets?


Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 
  - Original Message - 
  From: Darin Cox 
  To: declude.virus@declude.com 
  Sent: Wednesday, August 01, 2007 12:33 AM
  Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]


  We use this vulnerability.eml

  
  -- Begin vulnerability.eml
  
  SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
  ONLYSENDIFREMOTESENDER
  From: [EMAIL PROTECTED]
  To: %ALLRECIPS%
  Subject: Suspected malicious email blocked

  Delivery blocked: %LOCALRECIPS%

  The mail server for %LOCALHOST% scans each e-mail for Viruses,
  junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
  are those which can allow a virus or other malicious content to
  hide from virus scanners and junk mail filters.)

  We caught an e-mail addressed to you that is formatted with
  %VIRUSNAME%, and have quarantined it for your protection.

  If you recognize the below information as a valid email that
  you want or should have received, please click on the link below
  to have the message released for delivery.  Otherwise, the e-mail
  will be deleted automatically after seven days.

  http://www.example.com/requeue.asp?msgid=%QUEUENAME%

  Please note that the email could contain dangerous content.  Use at
  your own risk.

  Original message information follows
  

  FROM: %MAILFROM%
  TO: %ALLRECIPS%
  SUBJECT: %SUBJECT%

  DATE: %DATE% @ %TIME%

  %HEADERS%

  
  -- End vulnerability.eml
  

  You'll want to replace the link in the email with one appropriate for you.

  and the following requeue.asp script.

  
  -- Begin REQUEUE.ASP
  
  <[EMAIL PROTECTED]>
  <%

  // ---
  // requires IUSR permissions to the following directories
  // ---

   var virusdir="c:\\imail\\spool\\virus\\";
   var spooldir="c:\\imail\\spool\\";
   var file=""+Request.QueryString("msgid");
   file=file.substr(1);

   fso = new ActiveXObject ("Scripting.FileSystemObject");

   if (fso.FileExists(virusdir+"D"+file))
   {
    fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
    fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);

    Response.Write("Please check your e-mail in a few minutes for the message you requested.");
   }
   else
   {
    Response.Write("Message does not exist, or has already been released for normal delivery.");
   }
  %>
  
  -- End REQUEUE.ASP
  

  You'll need to change the path to the path for your IMail spool directory. 
  This inserts the message back into the queue for the next queue run.  Others 
  have gone a step further to call SMTP32.exe with the queue file name to 
  deliver it immediately.

  Hope this helps,

  Darin.


  - Original Message - 
  From: "Jared Pickerell" <[EMAIL PROTECTED]>
  To: 
  Sent: Tuesday, July 31, 2007 6:02 PM
  Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


  How would you go about setting up the ability to "include a link to a
  script to re-queue the message for delivery"? I'd be interested in that.

  Jared


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
  Darin Cox
  Sent: Tuesday, July 31, 2007 4:23 PM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

  We got slammed with them today as well.  It caught a bunch that made it past
  spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to
  NOT turn it off.  If you're concerned about delivery, set up an email
  notification to let the intended recipient know the message was held, and
  include a link to a script to requeue the message for delivery.

  Darin.


  - O

Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Darin Cox
Then you're looking for ONLYSENDIFVIRUSNAMEHAS

Take a look at the EVA manual... about 3/4 of the way down in the section 
labeled Email Notifications.

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 8:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


Darin,

Thanks for your help. Guess I was hoping there was something along the
lines of an INCLUDEIFVIRUSNAMEHAS to only include the message for
specific vulnerabilities and to not have to list all of the ones I
didn't want to send for. Is there a list of all of the vulnerabilities,
or is this specific to which scanner(s) I am using?

Thanks
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 6:40 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

Yep.  You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml
file to specify the vulnerability you don't want to notify on.

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


Thanks. That's great! I've not blocked these before because of a large
number of legitimate emails needing to get through that would have been
blocked. This lets me block them if I want, but still let the legits get
through. I'm a newbie when it comes to Declude configs. I've pretty much
left a lot of defaults, but can this (the customized vulnerability.eml)
be limited to only be sent for certain vulnerabilities? I don't want
this sent for all blocked vulnerabilities and have the users get
notifications for things they don't need to.

Thanks!
Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml


-- Begin vulnerability.eml

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please click on the link below
to have the message released for delivery.  Otherwise, the e-mail
will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content.  Use at
your own risk.

Original message information follows


FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%

DATE: %DATE% @ %TIME%

%HEADERS%


-- End vulnerability.eml


You'll want to replace the link in the email with one appropriate for
you.

and the following requeue.asp script.


-- Begin REQUEUE.ASP

<[EMAIL PROTECTED]>
<%

// ---
// requires IUSR permissions to the following directories
// ---

 var virusdir="c:\\imail\\spool\\virus\\";
 var spooldir="c:\\imail\\spool\\";
 var file=""+Request.QueryString("msgid");
 file=file.substr(1);

 fso = new ActiveXObject ("Scripting.FileSystemObject");

 if (fso.FileExists(virusdir+"D"+file))
 {
  fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
  fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);

  Response.Write("Please check your e-mail in a few minutes for the message you requested.");
 }
 else
 {
  Response.Write("Message does not exist, or has already been released for normal delivery.");
 }
%>

-- End REQUEUE.ASP


You'll need to change the path to the path for your IMail spool directory.
This inserts the message back into the queue for the next queue run.  Others
have gone a step further to call SMTP32.exe with the queue file name to
deliver it immediately.

Hope this helps,

Darin.


- Original Message - 
From: "Jared Pickerell&qu

RE: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Jared Pickerell
Darin,

Thanks for your help. Guess I was hoping there was something along the
lines of an INCLUDEIFVIRUSNAMEHAS to only include the message for
specific vulnerabilities and to not have to list all of the ones I
didn't want to send for. Is there a list of all of the vulnerabilities,
or is this specific to which scanner(s) I am using?

Thanks
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 6:40 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

Yep.  You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml
file to specify the vulnerability you don't want to notify on.

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


Thanks. That's great! I've not blocked these before because of a large
number of legitimate emails needing to get through that would have been
blocked. This lets me block them if I want, but still let the legits get
through. I'm a newbie when it comes to Declude configs. I've pretty much
left a lot of defaults, but can this (the customized vulnerability.eml)
be limited to only be sent for certain vulnerabilities? I don't want
this sent for all blocked vulnerabilities and have the users get
notifications for things they don't need to.

Thanks!
Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml


-- Begin vulnerability.eml

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please click on the link below
to have the message released for delivery.  Otherwise, the e-mail
will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content.  Use at
your own risk.

Original message information follows


FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%

DATE: %DATE% @ %TIME%

%HEADERS%


-- End vulnerability.eml


You'll want to replace the link in the email with one appropriate for
you.

and the following requeue.asp script.


-- Begin REQUEUE.ASP

<[EMAIL PROTECTED]>
<%

// ---
// requires IUSR permissions to the following directories
// ---

 var virusdir="c:\\imail\\spool\\virus\\";
 var spooldir="c:\\imail\\spool\\";
 var file=""+Request.QueryString("msgid");
 file=file.substr(1);

 fso = new ActiveXObject ("Scripting.FileSystemObject");

 if (fso.FileExists(virusdir+"D"+file))
 {
  fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
  fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);

  Response.Write("Please check your e-mail in a few minutes for the message you requested.");
 }
 else
 {
  Response.Write("Message does not exist, or has already been released for normal delivery.");
 }
%>

-- End REQUEUE.ASP


You'll need to change the path to the path for your IMail spool directory.
This inserts the message back into the queue for the next queue run.  Others
have gone a step further to call SMTP32.exe with the queue file name to
deliver it immediately.

Hope this helps,

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


How would you go about setting up the ability to "include a link to a
script to re-queue the message for delivery"? I'd be interested in that.

Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:

Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Darin Cox
Yep.  You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml 
file to specify the vulnerability you don't want to notify on.

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


Thanks. That's great! I've not blocked these before because of a large
number of legitimate emails needing to get through that would have been
blocked. This lets me block them if I want, but still let the legits get
through. I'm a newbie when it comes to Declude configs. I've pretty much
left a lot of defaults, but can this (the customized vulnerability.eml)
be limited to only be sent for certain vulnerabilities? I don't want
this sent for all blocked vulnerabilities and have the users get
notifications for things they don't need to.

Thanks!
Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml


-- Begin vulnerability.eml

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please click on the link below
to have the message released for delivery.  Otherwise, the e-mail
will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content.  Use at
your own risk.

Original message information follows


FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%

DATE: %DATE% @ %TIME%

%HEADERS%


-- End vulnerability.eml


You'll want to replace the link in the email with one appropriate for
you.

and the following requeue.asp script.


-- Begin REQUEUE.ASP

<[EMAIL PROTECTED]>
<%

// ---
// requires IUSR permissions to the following directories
// ---

 var virusdir="c:\\imail\\spool\\virus\\";
 var spooldir="c:\\imail\\spool\\";
 var file=""+Request.QueryString("msgid");
 file=file.substr(1);

 fso = new ActiveXObject ("Scripting.FileSystemObject");

 if (fso.FileExists(virusdir+"D"+file))
 {
  fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
  fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);

  Response.Write("Please check your e-mail in a few minutes for the message you requested.");
 }
 else
 {
  Response.Write("Message does not exist, or has already been released for normal delivery.");
 }
%>

-- End REQUEUE.ASP


You'll need to change the path to the path for your IMail spool directory.
This inserts the message back into the queue for the next queue run.  Others
have gone a step further to call SMTP32.exe with the queue file name to
deliver it immediately.

Hope this helps,

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


How would you go about setting up the ability to "include a link to a
script to re-queue the message for delivery"? I'd be interested in that.

Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well.  It caught a bunch that made it past
spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to
NOT turn it off.  If you're concerned about delivery, set up an email
notification to let the intended recipient know the message was held, and
include a link to a script to requeue the message for delivery.

Darin.


- Original Message - 
From: &q

RE: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Jared Pickerell
Thanks. That's great! I've not blocked these before because of a large
number of legitimate emails needing to get through that would have been
blocked. This lets me block them if I want, but still let the legits get
through. I'm a newbie when it comes to Declude configs. I've pretty much
left a lot of defaults, but can this (the customized vulnerability.eml)
be limited to only be sent for certain vulnerabilities? I don't want
this sent for all blocked vulnerabilities and have the users get
notifications for things they don't need to.

Thanks!
Jared 
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml


-- Begin vulnerability.eml

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please click on the link below
to have the message released for delivery.  Otherwise, the e-mail
will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content.  Use at
your own risk.

Original message information follows


FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%

DATE: %DATE% @ %TIME%

%HEADERS%


-- End vulnerability.eml


You'll want to replace the link in the email with one appropriate for
you.

and the following requeue.asp script.


-- Begin REQUEUE.ASP

<[EMAIL PROTECTED]>
<%

// ---
// requires IUSR permissions to the following directories
// ---

 var virusdir="c:\\imail\\spool\\virus\\";
 var spooldir="c:\\imail\\spool\\";
 var file=""+Request.QueryString("msgid");
 file=file.substr(1);

 fso = new ActiveXObject ("Scripting.FileSystemObject");

 if (fso.FileExists(virusdir+"D"+file))
 {
  fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
  fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);

  Response.Write("Please check your e-mail in a few minutes for the message you requested.");
 }
 else
 {
  Response.Write("Message does not exist, or has already been released for normal delivery.");
 }
%>

-- End REQUEUE.ASP


You'll need to change the path to the path for your IMail spool directory.
This inserts the message back into the queue for the next queue run.  Others
have gone a step further to call SMTP32.exe with the queue file name to
deliver it immediately.

Hope this helps,

Darin.


- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


How would you go about setting up the ability to "include a link to a
script to re-queue the message for delivery"? I'd be interested in that.

Jared


-----Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well.  It caught a bunch that made it past
spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to
NOT turn it off.  If you're concerned about delivery, set up an email
notification to let the intended recipient know the message was held, and
include a link to a script to requeue the message for delivery.

Darin.


- Original Message - 
From: "Shayne Embry" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]



Not too sure you'd want to turn that off. We've been getting hit by a wave
of messages the last two days, all with the same vulnerability. I've been
too busy to spen

Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Darin Cox
We use this vulnerability.eml


-- Begin vulnerability.eml

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please click on the link below
to have the message released for delivery.  Otherwise, the e-mail
will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content.  Use at
your own risk.

Original message information follows


FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%

DATE: %DATE% @ %TIME%

%HEADERS%


-- End vulnerability.eml


You'll want to replace the link in the email with one appropriate for you.

and the following requeue.asp script.


-- Begin REQUEUE.ASP

<[EMAIL PROTECTED]>
<%

// ---
// requires IUSR permissions to the following directories
// ---

 var virusdir="c:\\imail\\spool\\virus\\";
 var spooldir="c:\\imail\\spool\\";
 var file=""+Request.QueryString("msgid");
 file=file.substr(1);

 fso = new ActiveXObject ("Scripting.FileSystemObject");

 if (fso.FileExists(virusdir+"D"+file))
 {
  fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
  fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);

  Response.Write("Please check your e-mail in a few minutes for the message you requested.");
 }
 else
 {
  Response.Write("Message does not exist, or has already been released for normal delivery.");
 }
%>

-- End REQUEUE.ASP


You'll need to change the path to the path for your IMail spool directory. 
This inserts the message back into the queue for the next queue run.  Others 
have gone a step further to call SMTP32.exe with the queue file name to 
deliver it immediately.

Hope this helps,

Darin.


----- Original Message - 
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]


How would you go about setting up the ability to "include a link to a
script to re-queue the message for delivery"? I'd be interested in that.

Jared


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well.  It caught a bunch that made it past
spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to
NOT turn it off.  If you're concerned about delivery, set up an email
notification to let the intended recipient know the message was held, and
include a link to a script to requeue the message for delivery.

Darin.


- Original Message - 
From: "Shayne Embry" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]



Not too sure you'd want to turn that off. We've been getting hit by a wave
of messages the last two days, all with the same vulnerability. I've been
too busy to spend any time looking at the payload...but if they're not
viruses they are definitely spam. I'm catching about 40 per hour, widely
distributed among about 550 accounts across 100 domains.

Shayne Embry



 Original Message 
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
>
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
>
> Could not find it in the manual.
>
>
>






Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Darin Cox
The point is you may let some not-yet-detected viruses through, but in any case 
you can do that with a switch in the virus.cfg.

Darin.


- Original Message - 
From: Heimir Eidskrem 
To: declude.virus@declude.com 
Sent: Tuesday, July 31, 2007 6:23 PM
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]


They are neither virus nor spam but legit email.

Shayne Embry wrote: 
 
Not too sure you'd want to turn that off. We've been getting hit by a wave of 
messages the last two days, all with the same vulnerability. I've been too busy 
to spend any time looking at the payload...but if they're not viruses they are 
definitely spam. I'm catching about 40 per hour, widely distributed among about 
550 accounts across 100 domains.

Shayne Embry



 Original Message 
  From: Heimir Eidskrem <[EMAIL PROTECTED]>
Sent: Tuesday, July 31, 2007 2:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] [Invalid ZIP Vulnerability]

How do I turn this off.
I am having emails held as virus but they are not.
They do contain pdfs and doc files.

Could not find it in the manual.










Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Heimir Eidskrem

Me too..

H.


Jared Pickerell wrote:

How would you go about setting up the ability to "include a link to a
script to re-queue the message for delivery"? I'd be interested in that.

Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well.  It caught a bunch that made it past
spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to
NOT turn it off.  If you're concerned about delivery, set up an email
notification to let the intended recipient know the message was held, and
include a link to a script to requeue the message for delivery.


Darin.


- Original Message - 
From: "Shayne Embry" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]



Not too sure you'd want to turn that off. We've been getting hit by a wave
of messages the last two days, all with the same vulnerability. I've been
too busy to spend any time looking at the payload...but if they're not
viruses they are definitely spam. I'm catching about 40 per hour, widely
distributed among about 550 accounts across 100 domains.

Shayne Embry



 Original Message 
  

From: Heimir Eidskrem <[EMAIL PROTECTED]>
Sent: Tuesday, July 31, 2007 2:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] [Invalid ZIP Vulnerability]

How do I turn this off.
I am having emails held as virus but they are not.
They do contain pdfs and doc files.

Could not find it in the manual.











Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Heimir Eidskrem

They are neither virus nor spam but legit email.

Shayne Embry wrote:
 
Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.


Shayne Embry



 Original Message 
  

From: Heimir Eidskrem <[EMAIL PROTECTED]>
Sent: Tuesday, July 31, 2007 2:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] [Invalid ZIP Vulnerability]

How do I turn this off.
I am having emails held as virus but they are not.
They do contain pdfs and doc files.

Could not find it in the manual.











RE: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Jared Pickerell
How would you go about setting up the ability to "include a link to a
script to re-queue the message for delivery"? I'd be interested in that.

Jared


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well.  It caught a bunch that made it past
spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to
NOT turn it off.  If you're concerned about delivery, set up an email
notification to let the intended recipient know the message was held, and
include a link to a script to requeue the message for delivery.

Darin.


- Original Message - 
From: "Shayne Embry" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]



Not too sure you'd want to turn that off. We've been getting hit by a wave
of messages the last two days, all with the same vulnerability. I've been
too busy to spend any time looking at the payload...but if they're not
viruses they are definitely spam. I'm catching about 40 per hour, widely
distributed among about 550 accounts across 100 domains.

Shayne Embry



 Original Message 
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
>
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
>
> Could not find it in the manual.
>
>
>








Re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Darin Cox
We got slammed with them today as well.  It caught a bunch that made it past 
spam filtering (we run AVAFTERJM ON).  So I'd second that recommendation to 
NOT turn it off.  If you're concerned about delivery, set up an email 
notification to let the intended recipient know the message was held, and 
include a link to a script to requeue the message for delivery.

Darin.


- Original Message - 
From: "Shayne Embry" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]



Not too sure you'd want to turn that off. We've been getting hit by a wave 
of messages the last two days, all with the same vulnerability. I've been 
too busy to spend any time looking at the payload...but if they're not 
viruses they are definitely spam. I'm catching about 40 per hour, widely 
distributed among about 550 accounts across 100 domains.

Shayne Embry



 Original Message 
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
>
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
>
> Could not find it in the manual.
>
>
>








re: [Declude.Virus] [Invalid ZIP Vulnerability]

2007-07-31 Thread Shayne Embry
 
Not too sure you'd want to turn that off. We've been getting hit by a wave of 
messages the last two days, all with the same vulnerability. I've been too busy 
to spend any time looking at the payload...but if they're not viruses they are 
definitely spam. I'm catching about 40 per hour, widely distributed among about 
550 accounts across 100 domains.

Shayne Embry



 Original Message 
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
> 
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
> 
> Could not find it in the manual.
> 
> 
> 








Re: [Declude.Virus] Invalid ZIP Vulnerability

2005-05-27 Thread David Franco-Rocha [ Declude ]
This vulnerability is triggered if the file format diverges from the 
official ZIP format specification.


David Franco-Rocha
Declude Technical Support

- Original Message - 
From: "Paul Navarre" <[EMAIL PROTECTED]>

To: 
Sent: Friday, May 27, 2005 1:54 AM
Subject: [Declude.Virus] Invalid ZIP Vulnerability



What exactly triggers the Invalid ZIP Vulnerability? I am a small ISP, and
one of my clients keeps getting expected zips from a graphics company caught
by this.

Thanks,

Paul



Re: [Declude.Virus] Invalid ZIP Vulnerability

2005-05-27 Thread Scott Fisher

I've seen it here rarely also.

Not positive here but here is a theory:

The zip file may have been created on a Mac and contain some Mac-specific 
size 0 files?


- Original Message - 
From: "Paul Navarre" <[EMAIL PROTECTED]>

To: 
Sent: Friday, May 27, 2005 12:54 AM
Subject: [Declude.Virus] Invalid ZIP Vulnerability



What exactly triggers the Invalid ZIP Vulnerability? I am a small ISP, and
one of my clients keeps getting expected zips from a graphics company caught
by this.

Thanks,

Paul
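
Added example, not part of the original thread and not Declude's code: David Franco-Rocha's reply says the check fires when a file diverges from the ZIP format specification, and Scott Fisher suspects zero-size entries. The thread does not say which rules Declude applies, so the Python below assumes a few basic layout rules (end record, central directory, local headers; no ZIP64) and lists zero-length entries separately; the function names and the sample archive are constructed for this illustration.

```python
import io, struct, zipfile

EOCD, CEN, LOC = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def zip_divergences(data: bytes) -> list:
    """Structural divergences from the ZIP layout (assumes no ZIP64 or multi-disk)."""
    pos = data.rfind(EOCD)
    if pos < 0 or pos + 22 > len(data):
        return ["missing or truncated end-of-central-directory record"]
    _, _, _, _, total, cd_size, cd_off, clen = struct.unpack_from("<4s4H2IH", data, pos)
    found = [] if pos + 22 + clen == len(data) else ["unexpected bytes after the end record"]
    if cd_off + cd_size != pos:
        return found + ["central directory offset/size do not line up with the end record"]
    p = cd_off
    for i in range(total):
        if p + 46 > pos or data[p:p + 4] != CEN:
            return found + [f"entry {i}: bad central directory header"]
        f = struct.unpack_from("<4s6H3I5H2I", data, p)
        csize, nlen, xlen, mlen, loff = f[8], f[10], f[11], f[12], f[16]
        name = data[p + 46:p + 46 + nlen]
        if loff + 30 > cd_off or data[loff:loff + 4] != LOC:
            found.append(f"entry {i}: no local header at the recorded offset")
        else:
            lf = struct.unpack_from("<4s5H3I2H", data, loff)
            if data[loff + 30:loff + 30 + lf[9]] != name:
                found.append(f"entry {i}: local and central file names differ")
            if loff + 30 + lf[9] + lf[10] + csize > cd_off:
                found.append(f"entry {i}: compressed data overruns the central directory")
        p += 46 + nlen + xlen + mlen
    if p != pos:
        found.append("central directory entry count does not match its size")
    return found

def zero_length_entries(data: bytes) -> list:
    """Names of entries whose uncompressed size is 0 (valid, but worth listing)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [i.filename for i in z.infolist() if i.file_size == 0]

def build_sample() -> bytes:
    """Constructed sample archive: one document and one empty file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("artwork/proof.pdf", b"%PDF-1.4 constructed sample\n" * 20)
        z.writestr("artwork/.placeholder", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for blob in (build_sample(), b"\0" * 16 + build_sample(), build_sample()[:-10]):
        print(zip_divergences(blob) or "consistent")
```

Feed it the bytes of an attachment saved from a held message; an empty list only means these assumed checks found nothing. Readers that tolerate leading bytes, such as Python's `zipfile`, will still open an archive that the offset check reports.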
