Avast WEBforum

Other => General Topics => Topic started by: bob3160 on November 22, 2005, 12:41:29 AM

Title: Suspicious
Post by: bob3160 on November 22, 2005, 12:41:29 AM
I tried sending an email to Sasha today and when I hit the send button,
I was greeted with the following:
(http://img.photobucket.com/albums/v190/bob3160/Suspicious.jpg)

This email contained no attachments.
Since when is a plain email considered suspicious just because it doesn't
contain a subject?  ???
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 01:19:03 AM
It has been like that within the avast Heuristic checking, emails without a subject can be trying to hide the intent or use social programming to get people to open it to find out what it is about. So it is possible an email without a subject line would be suspicious.

I know if I ever receive one (when viewed via mailwasher) my first instinct is to view it with suspicion. Just my heuristic brain or suspicious nature ;D

Hell, even OE prompts for a subject if you have left it blank when you click send.
Title: Re: Suspicious
Post by: bob3160 on November 22, 2005, 01:25:45 AM
Quote
Hell, even OE prompts for a subject if you have left it blank when you click send
Which is fine it's a reminder and gives me an option to either fill it in or leave it out.
But I don't need a pop-up from avast! telling me that what I'm sending is suspicious just because
nothing is filled in the subject section.
Remember, I'm sending this email not receiving it.
Title: Re: Suspicious
Post by: Lisandro on November 22, 2005, 01:34:44 AM
Quote
Remember, I'm sending this email not receiving it.
Bob, maybe it's to avoid your email account spreading virus, but I think that the scanner does not make a difference between inbound and outbound mail, scanning with the same options... who knows...?
Title: Re: Suspicious
Post by: bob3160 on November 22, 2005, 01:41:59 AM
Quote
Bob, maybe it's to avoid your email account spreading virus
I don't know of any text messages that contain viruses. Do you?
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 01:42:59 AM
Quote
Hell, even OE prompts for a subject if you have left it blank when you click send
Which is fine it's a reminder and gives me an option to either fill it in or leave it out.
But I don't need a pop-up from avast! telling me that what I'm sending is suspicious just because
nothing is filled in the subject section.
Remember, I'm sending this email not receiving it.
avast doesn't know who is sending the message, just that one is being sent and the subject line is blank and possibly suspicious.

Perhaps switching off the subject checks within the Heuristics Tabs, but that would apply permanently, it is probably easier to just put something in the subject.
Title: Re: Suspicious
Post by: Lisandro on November 22, 2005, 01:44:20 AM
Quote
Bob, maybe it's to avoid your email account spreading virus
I don't know of any text messages that contain viruses. Do you?
No... just the eicar text into the message body...
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 01:46:18 AM
Quote
Bob, maybe it's to avoid your email account spreading virus
I don't know of any text messages that contain viruses. Do you?
Whilst I'm not aware of any viruses in text emails doing the rounds, however, it is feasibly possible for text based emails to contain viruses also.
Title: Re: Suspicious
Post by: bob3160 on November 22, 2005, 01:50:10 AM
I don't understand something.
Why is it my fault that avast! deems a perfectly harmless e-mail as suspicious?
Remember, I paid for my copy of avast and should be able to find out why this is happening
without being told that it's easier to put something in the subject portion of an e-mail.
There are times when avast! could be improved. It's not always perfect.
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 01:54:21 AM
No one is saying it is anyone's fault, if you don't like the warning do something about it, improve it and remove the check.

I've tried to explain why I would consider an email might be considered suspicious because it doesn't have a subject line (I can't speak for avast's logic in thinking it suspicious), not apportion blame.

Edit: and by putting something in the subject line the recipient if they also use avast won't get the shock of their life upon receipt.
Title: Re: Suspicious
Post by: bob3160 on November 22, 2005, 02:00:17 AM
Quote
Edit: and by putting something in the subject line the recipient if they also use avast won't get the shock of their life upon receipt.
Just for your information, the recipient of this email didn't get a suspicious warning on his end even though it didn't contain a subject.
Title: Re: Suspicious
Post by: Lisandro on November 22, 2005, 02:09:29 AM
Quote
There are times when avast! could be improved. It's not always perfect.
This is one of them  8)

Quote
Just for your information, the recipient of this email didn't get a suspicious warning on his end even though it didn't contain a subject.
Strange... Isn't Heuristic module of Sasha turned on?
Title: Re: Suspicious
Post by: szc on November 22, 2005, 01:31:03 PM
Not a single word from avast! Internet Mail provider when I received Bob's simple e-mail without any attachments, although it was without the subject line...

Yes, my settings are set to high, and you can see that e-mails should be checked by their subjects or lack of subject lines.

(http://img486.imageshack.us/img486/2629/untitleda8rt.jpg)
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 03:35:08 PM
It may be that the other 'Check Subject' in Advanced Heuristics (requires Heuristic setting of High or Custom) is the troublesome one, see image. You do need to set it to Custom to access the settings in the Heuristics Advanced Tab.
Title: Re: Suspicious
Post by: szc on November 22, 2005, 04:32:29 PM
No I don't believe it's that... it's already checked by default, it's just, under HIGH those settings are greyed out (but still enabled).

(http://img498.imageshack.us/img498/9515/untitleda2xl.jpg)

And this is when settings are on MEDIUM (greyed out and disabled):

(http://img486.imageshack.us/img486/3894/untitleda7lr.jpg)

If you set it to Custom you'll get this (you'll just be able to edit them):

(http://img479.imageshack.us/img479/3316/untitleda9gl.jpg)
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 04:55:02 PM
I've spotted the relevant words 'outbound messages' in the Note section, so it would only affect the sender and not the recipient, which to me doesn't make sense.
If it is suspicious when it is sent, it should still be suspicious when it is received ???
Title: Re: Suspicious
Post by: szc on November 22, 2005, 05:06:05 PM
Exactly, and that's exactly what I'm thinking... but regardless of those settings, and what the line up there (NOTE) says, if avast! is checking the subject of those messages when they are leaving your outbox, IMHO it should also check them before they arrive in your inbox, right ?
Title: Re: Suspicious
Post by: szc on November 22, 2005, 05:08:56 PM
And guess what... I just sent one message without a subject line to myself... no warning when sending, nor when I received that same message... I see avast! is checking the message (blue bar down there by the taskbar) and every single message is signed by avast!
Title: Re: Suspicious
Post by: Lisandro on November 22, 2005, 05:32:31 PM
Quote
Exactly, and that's exactly what I'm thinking... but regardless of those settings, and what the line up there (NOTE) says, if avast! is checking the subject of those messages when they are leaving your outbox, IMHO it should also check them before they arrive in your inbox, right ?
Can't Vojtech or Forejt say something about this?

Quote
And guess what... I just sent one message without a subject line to myself... no warning when sending, nor when I received that same message... I see avast! is checking the message (blue bar down there by the taskbar) and every single message is signed by avast!
This is even stranger  ::) ???
Title: Re: Suspicious
Post by: bob3160 on November 22, 2005, 07:31:26 PM
Quote
This is even stranger 
We are now well into page 2 and still no word from Alwil that's what's strange.....
Title: Re: Suspicious
Post by: DavidR on November 22, 2005, 07:47:53 PM
Quote
And guess what... I just sent one message without a subject line to myself... no warning when sending, nor when I received that same message... I see avast! is checking the message (blue bar down there by the taskbar) and every single message is signed by avast!
Snap, just done the same sent email with no subject with Internet Mail on High and no Suspicious message and obviously no inbound warning. Weird.
Title: Re: Suspicious
Post by: szc on November 22, 2005, 08:53:36 PM
I told you, I'm not making it up  ;D  ;D  ;D

It looks like Bob is the only one who ever saw that message... actually I saw it as well when he sent me screenshot in following e-mail.

Ghosts maybe ? ...or this time little goblins ?  ;D
Title: Re: Suspicious
Post by: Vlk on November 23, 2005, 06:01:15 AM
Depends on the heuristics level. On High, it does warn for these kinds of things. On normal, it should not.

Anyway, the "       Me        " sender address is also sort of weird, isn't it? Why the white spaces? Do you know that some worms use this technique to hide the actual value (by relying on the fact that the text will be too long and Outlook [or other mail client] will clip it)?


Thanks
Vlk
Title: Re: Suspicious
Post by: bob3160 on November 23, 2005, 06:09:49 AM
Quote
Depends on the heuristics level. On High, it does warn for these kinds of things. On normal, it should not.

Anyway, the "       Me        " sender address is also sort of weird, isn't it? Why the white spaces? Do you know that some worms use this technique to hide the actual value (by relying on the fact that the text will be too long and Outlook [or other mail client] will clip it)?


Thanks
Vlk

Vlk
It's not suspicious, it's a screen shot in which I deleted and edited certain personal information. Just as it doesn't show the actual e-mail addresses used.
Also, my settings aren't set to high as you can see from the screen shot.
Title: Re: Suspicious
Post by: szc on November 23, 2005, 12:34:09 PM
...
...
...
Anyway, the "       Me        " sender address is also sort of weird, isn't it? Why the white spaces? Do you know that some worms use this technique to hide the actual value (by relying on the fact that the text will be too long and Outlook [or other mail client] will clip it)?
Thanks
Vlk

@Vlk - Yes, just as Bob already mentioned "      Me      " is just added (retouched) part of the screenshot. He just erased original information not wanting to make his e-mail address and sender's name public. See those white lines, he actually removed original information and added some non-existing info, just to fill up the space.

@Bob - you didn't have to add "    Me   " or anything for that matter, you could just simply blur all that original information to avoid confusion.

Quote
Depends on the heuristics level. On High, it does warn for these kinds of things. On normal, it should not.

Well, that's really weird in this case... Bob's settings are set to NORMAL and still he gets those missing subject line warnings... DavidR and I, both have set our heuristics level to HIGH or CUSTOM (with high-like settings) and neither one of us is getting those messages... whether we try to send e-mails without the subject line, or we try to receive them...  :o

Regards

P.S. Vlk, I hope you guys had some nice time in Microsoft, Seattle. Any productive news for public maybe or those are little business secrets  ;D ?
Title: Re: Suspicious
Post by: sedina on November 24, 2005, 06:49:37 PM
Hi guys, there are two similar "subject check" fields in heuristic, but with different meaning. First one is "Subject structure check" and is located on Customize dialog. This check enables/disables warning for empty subject (for all heuristic levels it's disabled, you must turn it on manually). In "summary" window it's noticed as "* Message structure check".

Second "subject check" is located on Heuristics - Advanced page. In "summary" window it's noticed as " - Check according to subject". If this option is enabled, avast! will warn you when there are emails (defined count) with identical subject sent from your computer in defined time (you can also make recognition not only according to subject, but also according to name of attachment - it's check-box "Check attachments"). This functionality is called "Outbound messages - Time period check". It's enabled for HIGH level (you cannot change values) and for CUSTOM (you can change everything). Hope this helps...
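
The two checks described in the post above, sketched as an added example (not avast! code and not part of the original post). The class name, warning labels, the count of 3 and the 60-second window are assumptions, since the post only says "defined count" and "defined time".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime

class OutboundHeuristics:
    """Hypothetical model of the two outbound checks; not avast! code."""

    def __init__(self, max_identical=3, window_seconds=60,
                 check_empty_subject=False, check_attachments=False):
        # Count and window are assumed values; the post only says "defined".
        self.max_identical = max_identical
        self.window = window_seconds
        self.check_empty_subject = check_empty_subject  # off unless enabled manually
        self.check_attachments = check_attachments
        self._sent = defaultdict(deque)  # (kind, value) -> send times in window

    def check(self, msg):
        """Return the list of warnings raised by one outgoing message."""
        warnings = []
        subject = (msg["Subject"] or "").strip()
        sent_at = msg["Date"].datetime.timestamp()
        if self.check_empty_subject and not subject:
            warnings.append("empty-subject")
        # Assumption: a blank subject is not counted as an "identical subject".
        keys = [("subject", subject.lower())] if subject else []
        if self.check_attachments:
            keys += [("attachment", p.get_filename().lower())
                     for p in msg.iter_attachments() if p.get_filename()]
        for key in keys:
            times = self._sent[key]
            times.append(sent_at)
            while sent_at - times[0] > self.window:  # drop sends outside window
                times.popleft()
            if len(times) >= self.max_identical:
                warnings.append("repeated-" + key[0])
        return warnings

def sample(subject, offset_seconds, attachment=None):
    """Build a constructed outgoing message (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    base = datetime(2005, 11, 22, 0, 41, 29, tzinfo=timezone.utc)
    msg["Date"] = format_datetime(base + timedelta(seconds=offset_seconds))
    if subject:
        msg["Subject"] = subject
    msg.set_content("plain text body")
    if attachment:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg
```

With the defaults, a single message with a blank subject raises nothing, which matches the behaviour the post describes for every preset level; the time period check only fires on the third identical subject or attachment name inside the window.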
Title: Re: Suspicious
Post by: bob3160 on November 24, 2005, 07:36:55 PM
Thanks Pavel
But mine is set to normal and when I looked at the settings, the one for check subject is NOT checked by default.
Was this just a fluke???
Title: Re: Suspicious
Post by: sedina on November 25, 2005, 10:44:39 AM
Hi, so you have set Internet Mail sensitivity to "Normal" (it means that Heuristic sensitivity is Medium) and you are warned by avast! when sending e-mail with empty subject? thanks for info...
Title: Re: Suspicious
Post by: bob3160 on November 25, 2005, 04:36:54 PM
pavels
It happened that one time as you can see from the screen shot.
I just sent an e-mail to one of my other addresses again without a subject but this time I didn't get the
suspicious warning. I haven't touched any settings so I really don't know what's going on.
Maybe like Sasha said..... goblins... ???