Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Barbara T. on May 03, 2007, 12:12:00 AM

Title: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 12:12:00 AM
I had been using Avast Home Edition quite successfully since 2/1/06. 

About 1 week ago (or less) Avast began labeling 95% (OR MORE!)  of the email I receive as
"MULTI CONTENT TYPE HEADER HIGH DANGER."  VOICE: "Caution; potential infection was detected"
A big yellow round thing flashes.

It is happening both on forwards to groups of people that include me;
and messages from one person to me.  Actually the only common thing is
the message I get.


Op Sys:  Windows XP
Avast version:  4.7 Home Edition  4.7.0 0
VPS file:  Compilation date 4/13/07
               File version:  000733-1
Basic Hardware Config: "Intel Pentium D Processor 830 Computer"
Connection:  BellSouth DSL
Windows Firewall:  On


TIA for any help you can give me.  I did uninstall,  get a fresh download, installed it, and nothing is different.


Barbara T.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: RejZoR on May 03, 2007, 01:49:35 AM
That's controlled by Internet Mail provider. And you certainly are getting highly suspicious emails, otherwise avast! wouldn't warn you about it.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Lisandro on May 03, 2007, 03:06:59 AM
Is there more info to help us to guess what is happening?
Like the time of the email (txt or html), your Internet Mail Provider settings for Heuristic and Heuristic (Advanced) tab of settings - maybe you can post a screenshot of them.
Do these messages have attachments? Which kind?
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: BorderCollie on May 03, 2007, 03:12:41 AM
I have just recently started getting the exact same warnings. My ISP is also Bellsouth DSL. I wonder if that is somehow related. At first I thought it was related to the content-type because all of the messages that caused the warnings had the following type:

Content-Type: multipart/alternative;

But when I received my registration message for this forum, it had the same type.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 05:26:06 AM
Is there more info to help us to guess what is happening?
Like the time of the email (txt or html), your Internet Mail Provider settings for Heuristic and Heuristic (Advanced) tab of settings - maybe you can post a screenshot of them.
Do these messages have attachments? Which kind?
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: alanrf on May 03, 2007, 05:34:40 AM
Is there a message that is not too personal to you where you could review the source of the message in your mail client, capture it, obscure any personal details and then post the results here?  I know, not a small task, but it would help.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 03, 2007, 07:45:48 PM
I too have got the same problem. My ISP is also Bellsouth.
We have recently gotten DSL in my area. A friend has a different virus protection and is having the same problem. I'm wondering if Bell South is doing something to try to encourage us to use their virus protection.

Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 07:55:00 PM
That's controlled by Internet Mail provider. And you certainly are getting highly suspicious emails, otherwise avast! wouldn't warn you about it.

I talked to BellSouth techs last night and they say the mail is spam, but it is the same type messages I have always gotten from the same friends and NOT my description of spam which is from unwanted, unknown users.   I get none of that if my programs are on.

My anti-spam Comodo catches a small fraction of the same messages that Avast warns about.  BS Techs said I could contact the mfg. of my spam program.  In other words they deny responsibility.

BellSouth techs advised me to try BellSouth Web Mail and see if it happens there; it doesn't.  The messages that were giving me the warning that I let through had the attachments (usually forwards in HTML,  but sometimes jpeg attachments) still intact in Bell S. webmail.  Does this tell you anything reliable?

When I allow these messages to come through anyway, most times the attachments are ripped and of course if they are suspicious I want that.  But why suddenly do all my friends (probably 10 different ones) send suspicious mail?

Here's what I have done other than talk to BellSouth techs:  uninstalled and reinstalled a clean download of 4.7 Home Edition of Avast; ran a thorough scan with Avast and nothing was found.  

I plan to capture what the other responders have requested and post them as additional information.

I appreciate so much your working with me further to resolve this problem.  

Barbara T.


Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 03, 2007, 08:16:18 PM
I also started getting these alerts yesterday for an email from one individual. He's sent me 3 emails in the past 2 days, and all three I got this alert...


Today I checked my mail via the web first (Bellsouth) and read the mail, deleted some spam, but there was an attachment there from this friend that I wanted to view. Since it was from the same person I got this alert from yesterday, I downloaded the file to desktop -- scanned it with avast to be sure it was clean -- then opened and read it. Later, when I checked my email with OE-6, I got the same alert, "Multiple Content-Type header - HIGH DANGER!" on that email from my friend that should have been clean.  The choices offered were only 'ignore' or 'delete'... no send to vault.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 03, 2007, 08:21:05 PM
My friend has AVG virus protection. She is having the same problem. She is also with Bell South.
My opinion is that Bell South is wanting us to purchase a virus protection program.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Spiritsongs on May 03, 2007, 08:33:26 PM
 :)  Hi all, especially the 3 BellSouth Users :

     With 3 of you receiving the same "messages", sounds likely BellSouth is the
     "culprit" ; however, there is a small possibility that a "SpamBot" has
     gotten into your computer or one of your friends, stolen the addresses
     from an Address Book, and is sending "Messages" !?
     None of you 3 have mentioned IF you have any antiSPYWARE/antiTROJAN
     program(s) on your computer(s), which are most effective in fighting
     "them", the best probably being the "trial" version of AVG Antispyware,
      most easily downloaded from www.ewido.net !? At least it would be wise
     to run the Online Scanner available at the ewido site .
     Even Barbara's 1st post mentioned "Windows Firewall : On" ; a bad sign
     since that firewall is not very good .
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 03, 2007, 08:42:14 PM
I've got Ad-Aware SE, SpyBot S+D, AVG Anti Spyware, ZoneAlarm FW.  Just ran scans with Ad-Aware and SpyBot yesterday... nothing found.

BUT, these alerts are for 'incoming' emails from other people... not ones being sent out. My first thought yesterday was my friend (who uses Prodigy) had an infected computer because all other emails from other people came thru fine.  Then today I got 2 more alarms from that same person.

I've asked my friend to resend his email that got deleted so I can look at the header.  In the meantime, I've changed my OE-6 to leave mail on the server so I can look at there as well.

BTW... I'm still on Avast 4.7.942 in case you're wondering
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 03, 2007, 08:53:58 PM
Rick,
is your email's you are receiving alert from,
are they being sent from a Yahoo address??
All the ones I receive from Yahoo show a potential virus.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 03, 2007, 09:21:00 PM
Rick,
is your email's you are receiving alert from,
are they being sent from a Yahoo address??
<snip>


No, they're from a Prodigy server.  I've had 3 of these alerts... all coming from the same person. Other emails come thru fine.

I still have an email from this friend from about 3 days ago. I just forwarded it to myself and it comes thru just fine... no alarms.  So either BellSouth has changed something in the past 2 days (of their headers maybe?), or it's something else.  ???
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 09:38:18 PM
Is there more info to help us to guess what is happening?
Like the time of the email (txt or html), your Internet Mail Provider settings for Heuristic and Heuristic (Advanced) tab of settings - maybe you can post a screenshot of them.
Do these messages have attachments? Which kind?

The situation has changed somewhat but still a problem.

The email is usually html.

Today, unlike at first, Comodo (anti spam)  is catching  all these message; I'm also receiving an email from Avast but not the message I was getting when I first described my post.  Comodo was catching some but not all when I first posted.


Example of the type message I receive from Avast in e-mail today (5/3/07):

Multiple Content-Type header - HIGH DANGER!


Sender:  Harry Halleck <yahoo.com>
Recipient:  Barbara & Travis Burke >, Jack & Marva Bushong <Bob & Virginia Cash <xxxxxxx>, Crayton& joyce Fisher <>, Hal & Joyce Magner




Subject:  Fwd: Fw: dancing horse


Most of these emails have attachments; i.e. HTML forwards, they are lost when I bring them in despite the message.  One I recall had three attached photos in jpg format.  I bring them in anyway this has
been a sudden problem with probably 10 different friends and I am dubious that many friends who don't necessarily
communicate with each other have a virus/worm, etc.  

NOTE:  I ran Avast after accepting these emails despite the warning message a couple days and checked out clear of problems.

The Avast (home version) heuristic settings:  Sensitivity is "low" and the Silent Mode is checked with "Delete/Deny" checked.

Did you notice that there are now three of us in this thread who are having this problem and all have the same ISP:  BellSouth.  BellSouth denied responsibility and told me to contact the spam manufacturer.  My mail in BellSouth Web Mail has no problem; it was their suggestion I test it there. The attachments were there so I was able to get from webmail.

Please explain how I can find the ISP's Heuristic settings so that I can provide them as you requested.


Barbara T.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 09:55:48 PM
Is there a message that is not too personal to you where you could review the source of the message in your mail client, capture it, obscure any personal details and then post the results here?  I know, not a small task, but it would help.

Things have changed since your reply; I'm receiving an email message from Avast (instead of the warning message with flashing and voice, etc) and not receiving the email  messages in my Inbox which I had been able to do.

Comodo is catching most of the forwards and when I bring them in they are incomplete and I don't have one available at this time.

Here is an example of the message and header from Avast:

Multiple Content-Type header - HIGH DANGER!


Sender:  wanda mccorkle <ninimccorkle@xxxxxxxxxxxxxx
Recipient:  Clyde Arnold <xxxxxxxxxxxxx>, Frances Arnold <frances71862@xxxx>, Jalyn Barba-------
Need help:  I honestly don't understand if you are talking about sending you the information from the HTML SOURCE (coding, etc) or do you mean in File/Properties  if I should get a chance to get what you requested.
Need help on this to provide.

Thanks for your interest in helping me.

Barbara T.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 10:05:44 PM
:)  Hi all, especially the 3 BellSouth Users :

     With 3 of you receiving the same "messages", sounds likely BellSouth is the
     "culprit" ; however, there is a small possibility that a "SpamBot" has
     gotten into your computer or one of your friends, stolen the addresses
     from an Address Book, and is sending "Messages" !?
     None of you 3 have mentioned IF you have any antiSPYWARE/antiTROJAN
     program(s) on your computer(s), which are most effective in fighting
     "them", the best probably being the "trial" version of AVG Antispyware,
      most easily downloaded from www.ewido.net !? At least it would be wise
     to run the Online Scanner available at the ewido site .
     Even Barbara's 1st post mentioned "Windows Firewall : On" ; a bad sign
     since that firewall is not very good .



I do have Spybot Search and Destroy and Windows Defender; Comodo anti-spam; Avast Home edition.  All were highly  recommended by a computer tech who tests and recommends programs.

 Another common thread I have noticed is that most of the messages were from Yahoo users.  They were all caught by my anti-spam + the message from Avast.   Only one received today wasn't a Yahoo user.
That was sbcglobal.

I had another firewall  (Norton) but wasn't working with another of my programs so got rid of it. 

I believe all the messages I'm receiving are legit.  All are from friends who forward me stuff almost
daily.

Barbara

Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 10:08:54 PM
Rick,
is your email's you are receiving alert from,
are they being sent from a Yahoo address??
All the ones I receive from Yahoo show a potential virus.


Hummm. Interesting you should say this.   I just read your post   and 5 out of 6 of the ones I received today are from Yahoo users!  sbcglobal was the 6th one.  Today I'm receiving emails from Avast...not the flashing, talking pop up messages I first posted about.  My anti-spam caught all the above mentioned messages today.

Any advice to Yahoo users?

Barbara T.


Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 03, 2007, 10:13:07 PM
I too have been in contact with Bell South. They tell me it's a [microsoft] problem.
I have chosen to leave my messages on server from inside outlook express. I can at least go there and view them.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 03, 2007, 10:54:34 PM
The emails you say you now get from avast are really replacement mssgs for the emails deleted. I don't think they're really emails. I get the same mssg. Here's a copy of that mssg: [note, I've replaced part of the names & addys with xx's so spam bots won't hit these people]
Quote
Multiple Content-Type header - HIGH DANGER!

Sender:  Bob and Jo XXX <bob_XXX@prodigy.net>
Recipient:  Michael xXX<michael.XXX@delta.com>, Nancy XXX<Nancy.L.XXX@usda.gov>, Patricia XXX<patricia.xxxx@dhs.gov>; Marika xxx<marika.XXX@emoryhealthcare.org>, Shawna XXX<PrXXXX@bellsouth.net>
Subject:  Fw: Dam.pdf
________________

I just recv'd a resend of the suspect email and let it thru this time.  I then ran a full scan with avast and everything is clean. The attachment was stripped off though (dam.pdf).  But as I mentioned earlier, I viewed the pdf attachment thru web earlier (downloaded it, scanned it... it was fine).  Here's a copy of that email followed by its properties..... again, I've changed the names to xx's.

Quote
Hi Rick,
 
Here's a repeat of the "dam" message.
 
Hope all is well.

Bob and Jo xxx<bob_xxx@prodigy.net> wrote:
Date: Thu, 3 May 2007 08:11:58 -0700 (PDT)
From: Bob and Jo xxx<bob_xxx@prodigy.net>
Subject: Fw: Dam.pdf
To: Michael xxx<michael.xxx@delta.com>,
Nancy xxx<Nancy.L.xxx@usda.gov>,
Patricia xxx<patricia.xxx@dhs.gov>
CC: Marika xxx<marika.xxx@emoryhealthcare.org>,
Shawna xxxx<xxxx@bellsouth.net>



From: Max xxx<xxxx@mail.sdsu.edu>
Subject:  Dam.pdf

Don't dump this one - it's a panic!
_______________

Here's the property of that email.... (x's in place of names and addys)


Quote
X-x: TimeOut
Return-Path: <bob_xxx@prodigy.net>
Received: from mxm17aec.corp.bellsouth.net ([205.152.59.244])
          by imf06aec.mail.bellsouth.net with ESMTP
          id <20070503200708.KSFW13572.imf06aec.mail.bellsouth.net@mxm17aec.corp.bellsouth.net>
          for <xxxx@bellsouth.net>; Thu, 3 May 2007 16:07:08 -0400
Received: from unknown [192.168.16.137] (EHLO ibm27aec.bellsouth.net)
   by mxm17aec.corp.bellsouth.net (mxl_mta-3.0.2-03)
   with ESMTP id be04a364.1491323824.3816961.00-043.mxm17aec (envelope-from <bob_xxx@prodigy.net>);
   Thu, 03 May 2007 16:07:07 -0400 (EDT)
Received: from web80204.mail.mud.yahoo.com ([68.142.201.109])
          by ibm27aec.bellsouth.net with SMTP
          id <20070503200706.OWID6935.ibm27aec.bellsouth.net@web80204.mail.mud.yahoo.com>
          for <xxxx@bellsouth.net>; Thu, 3 May 2007 16:07:06 -0400
Received: (qmail 26728 invoked by uid 60001); 3 May 2007 20:07:05 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=prodigy.net;
  h=X-YMail-OSG:Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=2pu90d1SYEkvGKswU4r+C2zucwlFHUM9TV7zDI9uFMfqHbSmmHyWo0cPNW+r2mmtC7A7/p1F1mcbzow3Db0skxGYazEOcSqXkWv3zwJYaZChU6aozQX4uCOu5Hj5kUQgxXBJZFIOXhzhEkezs70bTTWo1Ea/B7Ow55NveoQaL/Q=;
X-YMail-OSG: 28Bq1aMVM1lmNfmiLsBMVqinrpt_nQ45zx7Sm5pGt8n3wMpSP_UAdChYK1GViDhWeDzCqXNrVw--
Received: from [12.78.4.112] by web80204.mail.mud.yahoo.com via HTTP; Thu, 03 May 2007 13:07:05 PDT
Date: Thu, 3 May 2007 13:07:05 -0700 (PDT)
From: Bob and Jo xxx<bob_xxx@prodigy.net>
Reply-To: bob_xxx@prodigy.net
Subject: Fwd: Fw: Dam.pdf
To: Rick xxxx <xxx@bellsouth.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1211422853-1178222825=:25032"
Content-Transfer-Encoding: 8bit
Message-ID: <880664.25032.qm@web80204.mail.mud.yahoo.com>
X-Spam: [F=0.0001150200; S=0.010(2007050201); MH=0.500(2007050339); R=0.011(s6/n553)]
X-MAIL-FROM: <bob_xxx@prodigy.net>
X-SOURCE-IP: [192.168.16.137]
--0-1211422853-1178222825=: 25032
Content-Type: multipart/alternative; boundary="0-1434452073-1178222825=:25032"
X-Antivirus: avast! (VPS 000738-1, 05/03/2007), Inbound message
X-Antivirus-Status: Clean
Note... the stamp at the bottom says, "avast status Clean"  ???

Hope this helps. Not sure what the problem is.
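
An added diagnostic sketch (not avast!'s code and not part of the post above): it reads a raw message source up to the first blank line and reports how many Content-Type fields a simple scanner would find there, and whether a MIME boundary line sits inside the header block, as it does in the properties dump above where the boundary follows X-SOURCE-IP directly. The assumption that a scanner counts fields up to the first blank line, the function names, and both sample messages (constructed, with placeholder addresses and boundaries) are illustrative.

```python
import re
from collections import Counter

# RFC 5322 field name: printable ASCII except ':', followed by a colon.
FIELD = re.compile(r"^([!-9;-~]+):\s*(.*)$")


def scan_header_block(raw):
    """Read lines up to the first empty line, the way a simple scanner would.

    Returns (fields, stray). fields is a list of [name, value]; stray is a
    list of (line_number, text) for lines that are neither a header field
    nor a folded continuation, e.g. a MIME boundary delimiter.
    """
    fields, stray = [], []
    for number, line in enumerate(raw.splitlines(), start=1):
        if line == "":
            break  # blank line: end of the header block
        if line.startswith("--"):
            # Checked before FIELD: boundaries like the ones in this thread
            # contain "=:" and would otherwise parse as a header field.
            stray.append((number, line))
        elif line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()  # folded continuation
        else:
            match = FIELD.match(line)
            if match:
                fields.append([match.group(1), match.group(2)])
            else:
                stray.append((number, line))
    return fields, stray


def content_type_report(raw):
    """Summarise what the header block says about Content-Type."""
    fields, stray = scan_header_block(raw)
    types = [value for name, value in fields if name.lower() == "content-type"]
    return {
        "count": len(types),
        "media_types": [t.split(";")[0].strip().lower() for t in types],
        "boundary_in_headers": [n for n, text in stray if text.startswith("--")],
        "duplicate": len(types) > 1,
    }


def added_fields(reference, suspect):
    """Header names that occur more often in `suspect` than in `reference`.

    Useful when the same message was received through two different paths."""
    ref = Counter(name.lower() for name, _ in scan_header_block(reference)[0])
    sus = Counter(name.lower() for name, _ in scan_header_block(suspect)[0])
    return sorted((sus - ref).elements())


# Constructed sample: a well-formed multipart message.
GOOD = "\n".join([
    "Return-Path: <sender@example.com>",
    "Subject: Fwd: Fw: sample.pdf",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="outer=:0001"',
    "X-Spam: [constructed]",
    "X-SOURCE-IP: [192.0.2.10]",
    "",
    "--outer=:0001",
    'Content-Type: multipart/alternative; boundary="inner=:0001"',
    "",
    "--inner=:0001",
    "Content-Type: text/plain; charset=iso-8859-1",
    "",
    "Hello",
    "--inner=:0001--",
    "--outer=:0001--",
])

# Constructed sample: the same message with the blank line between the
# headers and the first boundary removed.
BROKEN = GOOD.replace("\n\n--outer", "\n--outer", 1)

if __name__ == "__main__":
    for label, raw in (("well-formed", GOOD), ("separator missing", BROKEN)):
        print(label, content_type_report(raw))
    print("extra fields in second copy:", added_fields(GOOD, BROKEN))
```

To check a real message, save its full source to a file and pass the file's text to `content_type_report`.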



Title: Re: "Potential Infection" Messages - Too frequent!
Post by: DavidR on May 03, 2007, 11:18:03 PM
Guys, let's not forget that these forums are publicly available and the email addresses that are displayed could possibly be harvested by a spambot and these innocent bystanders could find their addresses added to spam lists.

@ Barbara T.
If you could modify your post, either crop the email addresses or edit them as Rick F has "(x's in place of names and addys)"
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 03, 2007, 11:23:23 PM
Guys, let's not forget that these forums are publicly available and the email addresses that are displayed could possibly be harvested by a spambot and these innocent bystanders could find their addresses added to spam lists.

@ Barbara T.
If you could modify your post, either crop the email addresses or edit them as Rick F has "(x's in place of names and addys)"

Thanks, David, I believe I have taken care of the headers I posted but haven't been able to get it off my profile and in response to clicking the envelope icon; maybe the fix "don't show to public" isn't retroactive.  BTW,  Forums are totally new to me and I feel like one of the 3 blind mice right now.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: DavidR on May 03, 2007, 11:31:36 PM
It is off your profile, this is something I had a whinge about some time ago, you can see it but others can't, damn confusing, you check don't show yet there it is 'in your face.'
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: alanrf on May 03, 2007, 11:42:09 PM
The old memory cells fired up.

We had exactly this same error message for perfectly innocuous messages back in Nov 2005.

http://forum.avast.com/index.php?topic=17549.0

avast then stopped the error messages - seems they have brought them back.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 04, 2007, 01:20:45 AM
Wow Alan! How do you remember that from 2005? I'm impressed. I don't remember what I had for dinner last night even (lol).

I read the thread but didn't see what the cause or fix was. I've recently recv'd two more emails... but not from that friend who uses Prodigy. These didn't sound the alarm of Heuristic detection (mine is set to medium) "Multiple Content-Type header - HIGH DANGER!"

Again, I'm still on version 4.7.942 but with latest VPS 000738-1.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: alanrf on May 04, 2007, 04:49:07 AM
The avast team made the change to stop the errors last time around.

I'll have to take a look to see if I still have the email explaining what they were doing from pavels at the time.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 04, 2007, 05:15:50 AM
I turned AVAST completely off. Then sent an email from a Yahoo address.
It stays on the webserver, but if you try to view with Outlook express it strips the attachment. Even with AVAST turned off.
Bellsouth says it is a Microsoft Outlook Express problem....???
No one wants to try to help find the fix....

Title: Re: "Potential Infection" Messages - Too frequent!
Post by: DavidR on May 04, 2007, 02:19:17 PM
One, you shouldn't turn it completely off, but only the provider that scans the email, the Internet Mail provider, otherwise you are more vulnerable at these times.

What was the attachment ?
OE won't strip the attachment, it may stop you from opening it if it is one it considers could be harmful and by that it means the file is possible to infect not that it is infected. Tools, Options, Security, 'Do not allow attachments to be saved or opened that could potentially be a virus.' You would be surprised what files it considers potentially harmful.

Multi-part emails on occasion are flagged as having an attachment, when in fact no attachment exists. If you dig into the message source (right click the email, properties, Details, Message Source) you may see if there was an attachment and what its name was or if it was just a multi-part email.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 04, 2007, 03:56:55 PM
More testing...

I went to my Yahoo acct and sent a test email to my main identity (Bellsouth ISP). It comes thru just fine. Then I sent another test email from my Yahoo acct, added the attachment (dam.pdf - 72K in size), Avast sounded the alarm as it did yesterday.

Next, I turned off 'Internet Mail' provider of avast and sent another email from Yahoo with the same attachment (dam.pdf).  The email came thru, but there was no attachment! I do have "Do not allow attachments to be saved or opened that could potentially be a virus." selected in my OE-6 mail client. But I think the attachment was converted to text because it's included in the email itself and looks like the 'source' file and very long.

I'm sure it's not a false positive by avast because after downloading and scanning it with avast, it comes back clean.  Besides, I had VirusTotal scan the pdf file (Jotti is too backed up) and it comes back clean by all 31 AV tests.

Next, I send another email from Yahoo... attach a different file (Word doc) and I get the same alarm... Heuristic detection, Multiple Content-Type header - HIGH DANGER!.  I click 'continue' and allow the email thru because I know it's safe.  Even the word doc attachment is gone.  Again, it's changed to text.

Not sure what's going on here.  ???
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Lisandro on May 04, 2007, 03:59:26 PM
The avast team made the change to stop the errors last time around.
I'll have to take a look to see if I still have the email explaining what they were doing from pavels at the time.
This is the reason why posting in forum is better.
Alanrf, won't it help if you enable avast and have a log of the Mail provider?

Yahoo acct and sent a test email to my main identity (Bellsouth ISP).
There are other threads saying the guilty is Bellsouth ISP changing the headers of the emails.
I'm not sure if this is not the same case as posted recently elsewhere...
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 04, 2007, 04:03:08 PM
That's what I was saying. That by turning off Avast totally, just for a moment to test, OE-6 still totally deleted the attachment. Therefore I think it's in OE-6, but then again, why does it do that only to bellsouth customers??
However it doesn't convert the file to text right now, how I have my setting. I get nothing but a blank email with no attachment.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Lisandro on May 04, 2007, 04:09:40 PM
why does it do that only to bellsouth customers??
Search the board for bellsouth and you'll find...
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 04, 2007, 04:22:12 PM
I just talked with BellSouth (now the new AT&T).  Unfortunately, the tech support folks are in India and hard to understand.  ::)

He did say that they've been hearing about problems with Yahoo accts and attachments... that any (or many) emails from Yahoo with attachments are sounding AV alarms. He also said the attachments are gone and only garbage is displayed (which is what I was seeing). He had me do the following test...

I used OE and sent the same test email to myself thru my BellSouth acct.  The email came thru fine with the pdf attachment (Dam.pdf).  No alarm sounded.

While doing that test, I got a short email from my friend from Prodigy. WITH NO ATTACHMENT.  It was a short message saying, "Glad to help out" (resent his email yesterday with attachment.)  Well this short message caused the same alarm!!! Multiple Content-Type header - HIGH DANGER!.

So I don't think it's BellSouth unless something in the header gets changed when coming from Yahoo or Prodigy.

Here's a copy of that short email that caused the alarm (xx'd out all last names in email addys)....

Quote
Hi Rick,
   
  Glad to help out.  Viruses are a big problem for all of us.
   
  Bob

Rick Floyd <xxx@bellsouth.net> wrote:
          Hi Bob,
   
  Thanks for resending that email.  I hope the avast folks can figure out what's wrong with that header in that email.  I posted the info on their forum but changed all the names and addresses (where names were) to xx's to protect the innocent. 8^)
   
  Rick


   
---------------------------------
    avast! Antivirus: Outbound message clean.   Virus Database (VPS): 000738-1, 05/03/2007
Tested on: 5/3/2007 5:09:35 PM
avast! - copyright (c) 1988-2007 ALWIL Software.
 


--0-1719296184-1178287377=:62209
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<div>Hi Rick,</div>  <div>&nbsp;</div>  <div>Glad to help out.&nbsp; Viruses are a big problem for all of us.</div>  <div>&nbsp;</div>  <div>Bob<BR><BR><B><I>Rick Floyd &lt;rnsnfloyd@bellsouth.net&gt;</I></B> wrote:</div>  <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">  <META content="MSHTML 6.00.2900.3059" name=GENERATOR>  <STYLE></STYLE>    <DIV><FONT face=Arial>Hi Bob,</FONT></DIV>  <DIV><FONT face=Arial></FONT>&nbsp;</DIV>  <DIV><FONT face=Arial>Thanks for resending that email.&nbsp; I hope the avast folks&nbsp;can figure out what's wrong with that header in that email.&nbsp; I posted the info on their forum but changed all the names and addresses (where names were) to xx's to protect the innocent. 8^)</FONT></DIV>  <DIV><FONT face=Arial></FONT>&nbsp;</DIV>  <DIV><FONT face=Arial>Rick</FONT></DIV><BR><BR>  <TABLE width=400>  <HR>    <div style="FONT: 9pt/11pt verdana"><A href="http://www.avast.com/">avast!
 Antivirus</A>: Outbound message clean.   <div style="FONT: 8pt/11pt verdana">Virus Database (VPS): 000738-1, 05/03/2007<BR>Tested on: 5/3/2007 5:09:35 PM<BR><FONT color=gray>avast! - copyright (c) 1988-2007 ALWIL Software.</FONT></div>  <TBODY></TBODY></TABLE><BR></BLOCKQUOTE><BR>
--0-1719296184-1178287377=:62209--

There sure is a bunch of garbage at the bottom of that email. Maybe that's causing a problem?
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: alanrf on May 04, 2007, 06:49:36 PM
Rick F.

what would be most useful and would probably nail this ....

Can you get your friend with the Prodigy account to send the same short email but this time multi-addressed to you and to another user on a different ISP. 

I am willing to offer up an address of mine on Comcast for this test if agreeable to you. Since I do not want it harvested from here automatically it is ******* at comcast.net.

I use avast to scan my Comcast mail.  If it comes into Comcast and is scanned by avast without the error and into BellSouth with the error we will just need to compare the raw messages sources to see what is happening and, if it does, then we will know if it is BellSouth.

Up to you (and your friend) if you want to do the test.

Edit:  I will be removing my address from the message later today.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 04, 2007, 06:53:59 PM
One, you shouldn't turn it completely off, but only the provider that scans the email, the Internet Mail provider, otherwise you are more vulnerable at these times.

What was the attachment ?
OE won't strip the attachment, it may stop you from opening it if it is one it considers could be harmful and by that it means the file is possible to infect not that it is infected. Tools, Options, Security, 'Do not allow attachments to be saved or opened that could potentially be a virus.' You would be surprised what files it considers potentially harmful.

Multi-part emails on occasion are flagged as having an attachment, when in fact no attachment exists. If you dig into the message source (right click the email, properties, Details, Message Source) you may see if there was an attachment and what its name was or if it was just a multi-part email.

The attachments have been mostly "Forwards," but I recall specifically one with jpegs (photos).  They are from probably 10 different senders; some TO a list of receivers; others just to me only.    

How do I turn off the "provider who scans the mail"   Do you mean my ISP BellSouth?  

I never thought OE was ripping the attachments; I assumed Avast or Comodo was doing their job. All I know is most times when I let one through  the attachments are gone or very garbled.  These things change almost daily!

The last forward  I received was caught by Comodo (anti-spam) and when I let it through ONLY the header was visible with this warning:  

Multiple Content-Type header - HIGH DANGER!
Sender:  Harry Halleck <yahoo.com>
Recipient:  xxxx@bellsouth.net
Subject:  Re: Comodo AntiSpam Alert from Barbara

Yes, most  (but not all) are from Yahoo  users.  Many were forwards to multiple people.

Changes from my original post:
I'm not getting the same warning as at first which was a text and voice message with flashing yellow circle and AVAST  message.
No more red Avast messages in my Inbox for 2 days.
Comodo is still catching some.  Mostly from Yahoo.
Number of "stopped" messages has drastically reduced. ;D

Thanks to all who have helped.  I consider this still an open topic as not totally solved for me and others.

Barbara T.



Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 04, 2007, 07:49:04 PM
Alan,

Go ahead and remove that email addy.  I got it copied.  I'll see if my friend will help with this test.

*** edit ***

I've asked my friend if he will be willing to do this test.
___________

Barbara asked,
Quote
"How do I turn off the "provider who scans the mail"?  Do you mean my ISP BellSouth? "

Open avast by double clicking on it. Click on 'details' if not already displayed that way. You should see an icon for each service down the left hand side.  If it's active, it will be in color.  Click once on the "Internet Mail", then on the right side, click 'pause'.  This just stops your email from being scanned but you will still be protected by the other services.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 04, 2007, 08:01:12 PM
oops. deleted duplicate post
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: DavidR on May 04, 2007, 08:03:40 PM
@ Barbara T.
1. That looks like the ongoing saga of bellsouth in this and another topic.
2a. right click the avast icon, select On-Access Protection Control.
2b. Select the Internet Mail provider icon, and click Pause or Terminate, if you can't see the icon click Details. Note this would leave you vulnerable to genuinely infected emails.

As Alan mentioned, this seems to occur for email originating outside of bellsouth. I suggest you take part in his proposed test in the post above yours.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 04, 2007, 09:14:42 PM
For those of you following the ongoing saga of 'BellSouth' emails, see this post by Vlk:

http://forum.avast.com/index.php?topic=28183.msg230076#msg230076

Hopefully BellSouth will admit to changing something and correct it.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 05, 2007, 12:28:09 AM
@ Barbara T.
1. That looks like the ongoing saga of bellsouth in this and another topic.
2a. right click the avast icon, select On-Access Protection Control.
2b. Select the Internet Mail provider icon, and click Pause or Terminate, if you can't see the icon click Details. Note this would leave you vulnerable to genuinely infected emails.

As Alan mentioned, this seems to occur for email originating outside of bellsouth. I suggest you take part in his proposed test in the post above yours.

Thanks.  The mail that is causing me problems is 99% yahoo + sbcglobal.  It is now being caught in my anti-spam "Comodo."  There is NO information in it when I bring it in yet I can read it in BellSouth webmail.  Hope that gives someone who knows technically the route of mail more details.

I'll go check out the "proposed test" in the post above mine.  I'd be happy to help if I can.

Barbara T.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: alanrf on May 05, 2007, 12:35:17 AM
Barbara,

if you were referring to the proposed test that I made then the piece that I have since asterisked out is alanrf3.

We need a message that is strongly suspected will show up with a problem in BellSouth to be sent to the BellSouth address and to an address (I offered mine - since I am on Comcast - ie a different ISP - and I have my mail scanned by avast).

We then compare the message source of that same message as it got delivered through the two differing ISPs and (hopefully) the difference will identify the problem.  It will, I think, confirm the issue already observed by Vlk and reported earlier.
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Barbara T. on May 05, 2007, 02:53:49 PM
Barbara,

if you were referring to the proposed test that I made then the piece that I have since asterisked out is alanrf3.

We need a message that is strongly suspected will show up with a problem in BellSouth to be sent to the BellSouth address and to an address (I offered mine - since I am on Comcast - ie a different ISP - and I have my mail scanned by avast).

We then compare the message source of that same message as it got delivered through the two differing ISPs and (hopefully) the difference will identify the problem.  It will, I think, confirm the issue already observed by Vlk and reported earlier.


I need detailed instructions on how to find the "asterisked out" thread -   "alanrf3"   A link (if possible) would be appreciated.

Title: Re: "Potential Infection" Messages - Too frequent!
Post by: DavidR on May 05, 2007, 03:35:46 PM
It is on this page, reply #33
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 05, 2007, 04:12:01 PM
It is on this page, reply #33
Or... here's the direct link to Alan's post:

http://forum.avast.com/index.php?topic=28144.msg230049#msg230049

You'll see the asterisks in Alan's post.  Just replace the asterisks with alanrf3 and change the at to the circle 'a'.  We do this to protect against getting hit with 'SpamBots' that surf the web. :)
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: sandraj on May 05, 2007, 05:40:44 PM
I have sent a test message to alanrf from a yahoo address and also to my bellsouth address.
I spoke with a bellsouth agent last night- They denied any problem with outlook but here's a comment he made -BellSouth eAgent > We are experiencing email latency issues at this time that we are currently working on.
However, he told me the OE and missing attachments was a microsoft issue. I spoke with microsoft (However they wanted me to open a case and pay them $59.00, but I didn't) They told me that bellsouth was an authorized agent of OE and that they should be able to deal with the problem..
Anyway. It seems like we are all getting nowhere.


Title: Re: "Potential Infection" Messages - Too frequent!
Post by: alanrf on May 05, 2007, 09:58:39 PM
I have received a message from Rick F's friend using Prodigy.net, the message was also addressed to Rick at his Bellsouth address. 

We will have to await input from Rick to know if it provoked a warning when it was received by him. 

As I have mentioned, I am a user of Comcast so this message was received by me on a different ISP, otherwise the message is identical for both of us. 

However the message sent is sufficiently similar to the message (whose contents were posted here) yesterday to confirm the conclusion reached by Vlk.

Here is the relevant part of the message we saw, as delivered by Bellsouth yesterday (with Vlk's comment in red):

Quote
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1719296184-1178287377=:62209"
Content-Transfer-Encoding: 8bit
Message-ID: <275121.62209.qm@web80202.mail.mud.yahoo.com>
X-Spam: [F=0.0001323180; S=0.010(2007050201); MH=0.500(2007050417); R=0.012(s7/n557)]
X-MAIL-FROM: <xxxxxxx@prodigy.net>
X-SOURCE-IP: [192.168.16.145]
                     Blank line missing after this line!!!!
--0-1719296184-1178287377=: 62209               
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Antivirus: avast! (VPS 000738-2, 05/04/2007), Inbound message
X-Antivirus-Status: Clean

Hi Rick,
   
  Glad to help out.  Viruses are a big problem for all of us.
   
  Bob

Here is the relevant part of the similar message as delivered today by Comcast to me:

Quote
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-872796670-1178390399=:40583"
Content-Transfer-Encoding: 8bit
Message-ID: <955345.40583.qm@web80214.mail.mud.yahoo.com>
X-Antivirus: avast! (VPS 000738-3, 05/05/2007), Inbound message
X-Antivirus-Status: Clean

--0-872796670-1178390399=:40583
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Alan & Rick,
   
  Here is the test message you asked for.
  I hope it provides information that may be helpful to this virus alert problem.
   
  Bob


The thing to notice is the three lines colored blue (by me) in the Bellsouth delivered message above.  These lines are being added by the spam filtering component of the Bellsouth mail system.  As Vlk commented they have obliterated the blank line that must precede the message boundary line (starting --) that denotes the start of a new section of the message.  You will also note that avast can properly place the X-Antivirus headers in the message as received on Comcast because the message has not been damaged by the Comcast mail service. 
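
The comparison described in the post above, as an added example (not part of the original thread and not avast's own logic): a small Python check that reads a raw message, counts Content-Type lines in the top header block, and reports whether a boundary line has been pulled into that block because the empty separator line is gone. It assumes a scanner treats everything up to the first empty line as headers; the sample messages, the boundary `B-1` and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the BellSouth delivery quoted above:
# filter headers appended, no empty line before the first boundary.
DAMAGED = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="B-1"\r\n'
    "Content-Transfer-Encoding: 8bit\r\n"
    "X-Spam: [F=0.0001]\r\n"
    "X-SOURCE-IP: [192.168.16.145]\r\n"
    "--B-1\r\n"
    "Content-Type: text/plain; charset=iso-8859-1\r\n"
    "\r\n"
    "Hi Rick,\r\n"
    "--B-1--\r\n"
)
# Same message with the separator restored, as the Comcast copy had it.
INTACT = DAMAGED.replace("]\r\n--B-1\r\n", "]\r\n\r\n--B-1\r\n", 1)


def inspect_headers(raw):
    """Return (Content-Type count, boundary line found inside the header block)."""
    header_block = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":  # the first empty line ends the header block
            break
        header_block.append(line)
    ctypes = [l for l in header_block if l.lower().startswith("content-type:")]
    m = re.search(r'boundary="?([^";\n]+)', "\n".join(header_block), re.I)
    delimiter = "--" + m.group(1) if m else None
    swallowed = any(l.rstrip() == delimiter for l in header_block)
    return len(ctypes), swallowed


def diagnose(raw):
    """Separate transit damage from a message that really repeats the header."""
    count, swallowed = inspect_headers(raw)
    if count > 1 and swallowed:
        return "separator-missing"
    if count > 1:
        return "duplicate-content-type"
    return "ok"


if __name__ == "__main__":
    for name, msg in (("damaged", DAMAGED), ("intact", INTACT)):
        print(name, inspect_headers(msg), diagnose(msg))
```

A result of "separator-missing" points at damage in transit rather than at the sender, which is the distinction the two-ISP test was set up to make.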
Title: Re: "Potential Infection" Messages - Too frequent!
Post by: Rick F on May 06, 2007, 06:24:35 PM
Thanks Alan,

Yes, avast sounded the alarm on Bob's test message where you got it OK. This pretty much verifies that it's a BellSouth problem and not a problem with Yahoo, SBCglobal or Prodigy.

Sorry it's been so long before I got back to the forum. We had a formal concert last night (I'm a musician), then church this morning.

I also got a response from BellSouth last night.  It says they know they have a problem.  YEA!!

Here's their message...

Quote
Dear BellSouth Internet Service Customer,

Thank you for taking the time to contact BellSouth Internet Service. We appreciate the opportunity to address your concerns because it is our goal to provide the highest quality Internet service available.

We are having issues with the email servers. The issues are currently under investigation. Unfortunately, there is no ETR (estimated time of repair) for this issue to be resolved. Again, thank you for this opportunity to address your concerns.


One encouraging thing to note... I received another message from my friend (Prodigy customer) some hours later where it came through ok -- no avast alarm.  Maybe BellSouth has fixed it or part of the problem.  We'll see.

Thanks to all who have helped out on this issue.  This is why a forum like this is so valuable.  ;D