Re: [Declude.Virus] Forging Virus

2003-10-31 Thread R. Scott Perry

> I'm running Declude v1.76i14, and it is my understanding that this version
> will look up the virus name via DNS to see if it's forging or not.

Correct.

> It appears that the below virus is forging, but I believe my logs show it
> trying to send a notification to the sender.

We've updated our server to include all trojans as forging viruses (since
trojans normally appear in intentionally sent E-mail, and there is no need
to notify the sender in that case).

   -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] FORGING VIRUS

2003-07-06 Thread Serge
That I know,
but if we had a skipifforgingvirus, we would only worry about updating
virus.cfg, instead of also having to change the emls when a new forging
virus appears.
The freedom is not lost, since you are not obligated to use
skipifforgingvirus, and can still do it the old way.
But I don't like having to maintain all the emls, where you may
forget one of the forging viruses; it can always be a source of errors.

BTW Kami or others, how do you use the skipifvirusnamedoesnothave?
Can we have many of those in the same eml?
Any examples?

----- Original Message -----
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 05, 2003 11:29 PM
Subject: RE: [Declude.Virus] FORGING VIRUS


 Hi;

 Just in case Scott is taking a day off...

 The way we do this is by first adding:

 FORGINGVIRUS Braid
 FORGINGVIRUS Bridex
 FORGINGVIRUS Bugbear
 FORGINGVIRUS Hybris
 FORGINGVIRUS Lentin
 FORGINGVIRUS Klez
 FORGINGVIRUS Magistr
 FORGINGVIRUS Sobig
 FORGINGVIRUS Vulnerability
 FORGINGVIRUS Yaha
 FORGINGVIRUS Fizzer
 FORGINGVIRUS Palyh

 To the virus.cfg

 This will define which are forged, therefore the email address of the sender
 is replaced by [forged] in the alert.

 Then in the sender.eml and otherpostmaster.eml we have:

 SKIPIFVIRUSNAMEHAS Yaha
 SKIPIFVIRUSNAMEHAS Lentin
 SKIPIFVIRUSNAMEHAS Magistr
 SKIPIFVIRUSNAMEHAS Klez
 SKIPIFVIRUSNAMEHAS Vulnerability
 SKIPIFVIRUSNAMEHAS Bugbear
 SKIPIFVIRUSNAMEHAS Bridex
 SKIPIFVIRUSNAMEHAS Braid
 SKIPIFVIRUSNAMEHAS Sobig
 SKIPIFVIRUSNAMEHAS Palyh

 So in essence I think what this does is it first replaces the forged email
 and then if it is to send the alert it will skip it if it sees it.

 Of course it would be more efficient if both actions were done by one
 listing but I guess this way it gives you more freedom.

 Regards,
 Kami

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Saturday, July 05, 2003 6:21 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] FORGING VIRUS


 sorry if this is a trivial question, but is there a
 skipifforgingvirus option ?



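Added example, not part of the original messages and not Declude's own code: a consistency check for the drift Serge describes, comparing the FORGINGVIRUS names in virus.cfg with the SKIPIFVIRUSNAMEHAS lines in each notification template. The sample input is constructed from the two lists Kami quotes; case-insensitive directives and substring coverage are assumptions, and `directive_args` and `unskipped_forging` are hypothetical helper names.

```python
import re

# Constructed sample input: the names are the two lists quoted in the thread.
FORGING = ("Braid Bridex Bugbear Hybris Lentin Klez Magistr Sobig "
           "Vulnerability Yaha Fizzer Palyh")
SKIPPED = "Yaha Lentin Magistr Klez Vulnerability Bugbear Bridex Braid Sobig Palyh"
VIRUS_CFG = "\n".join("FORGINGVIRUS " + n for n in FORGING.split())
NOTIFY_EML = "\n".join("SKIPIFVIRUSNAMEHAS " + n for n in SKIPPED.split())


def directive_args(text, directive):
    """Collect the argument of every '<directive> <name>' line, lower-cased."""
    pattern = re.compile(
        r"^[ \t]*%s[ \t]+(\S+)[ \t\r]*$" % re.escape(directive),
        re.IGNORECASE | re.MULTILINE)  # assumption: directives ignore case
    return {m.group(1).lower() for m in pattern.finditer(text)}


def unskipped_forging(virus_cfg, templates):
    """Per template, list forging names that no SKIPIFVIRUSNAMEHAS line covers."""
    forging = directive_args(virus_cfg, "FORGINGVIRUS")
    report = {}
    for name, body in templates.items():
        skips = directive_args(body, "SKIPIFVIRUSNAMEHAS")
        # Assumption: a skip entry covers a forging name when it is a
        # substring of it ("name has"), so any detection that matches the
        # forging entry also matches the skip entry.
        report[name] = sorted(f for f in forging
                              if not any(s in f for s in skips))
    return report


if __name__ == "__main__":
    templates = {"sender.eml": NOTIFY_EML, "otherpostmaster.eml": NOTIFY_EML}
    for name, missing in unskipped_forging(VIRUS_CFG, templates).items():
        print(name, "would still notify for:", ", ".join(missing) or "none")
```

Run against the lists as quoted, it reports fizzer and hybris, which appear in the virus.cfg list but not in the template list.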


Re: [Declude.Virus] forging virus

2002-06-22 Thread R. Scott Perry


> The from address still shows in the header.
> Is it the forged address?
> Is there a way to eliminate this?

No, that can not be changed (Declude never modifies any of the E-mail
headers).  One option would be to remove the %HEADERS% variable to
eliminate the headers from the notifications.

> I have customers fighting each other because of declude notifications!

If they can see the From [Forged] in the main part of the E-mail and not
realize that the address is forged...

   -Scott
