Author Topic: "Potential Infection" Messages - Too frequent!  (Read 24242 times)


Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #15 on: May 03, 2007, 09:55:48 PM »
Is there a message that is not too personal to you where you could review the source of the message in your mail client, capture it, obscure any personal details and then post the results here?  I know, not a small task, but it would help.

Things have changed since your reply; I'm receiving an email message from Avast (instead of the warning message with flashing and voice, etc) and not receiving the email  messages in my Inbox which I had been able to do.

Comodo is catching most of the forwards and when I bring them in they are incomplete and I don't have one available at this time.

Here is an example of the message and header from Avast:

Multiple Content-Type header - HIGH DANGER!


Sender:  wanda mccorkle <ninimccorkle@xxxxxxxxxxxxxx
Recipient:  Clyde Arnold <xxxxxxxxxxxxx>, Frances Arnold <frances71862@xxxx>, Jalyn Barba-------
Need help:  I honestly don't understand if you are talking about sending you the information from the HTML SOURCE (coding, etc) or do you mean in File/Properties  if I should get a chance to get what you requested.
Need help on this to provide.

Thanks for your interest in helping me.

Barbara T.
« Last Edit: May 03, 2007, 11:41:51 PM by Barbara T. »

Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #16 on: May 03, 2007, 10:05:44 PM »
:)  Hi all, especially the 3 BellSouth Users :

     With 3 of you receiving the same "messages", sounds likely BellSouth is the
     "culprit" ; however, there is a small possibility that a "SpamBot" has
     gotten into your computer or one of your friends, stolen the addresses
     from an Address Book, and is sending "Messages" !?
     None of you 3 have mentioned IF you have any antiSPYWARE/antiTROJAN
     program(s) on your computer(s), which are most effective in fighting
     "them", the best probably being the "trial" version of AVG Antispyware,
      most easily downloaded from www.ewido.net !? At least it would be wise
     to run the Online Scanner available at the ewido site .
     Even Barbara's 1st post mentioned "Windows Firewall : On" ; a bad sign
     since that firewall is not very good .



I do have Spybot Search and Destroy and Windows Defender; Comodo anti-spam; Avast Home edition.  All were highly  recommended by a computer tech who tests and recommends programs.

 Another common thread I have noticed is that most of the messages were from Yahoo users.  They were all caught by my anti-spam + the message from Avast.   Only one received today wasn't a Yahoo user.
That was sbcglobal.

I had another firewall  (Norton) but wasn't working with another of my programs so got rid of it. 

I believe all the messages I'm receiving are legit.  All are from friends who forward me stuff almost
daily.

Barbara


Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #17 on: May 03, 2007, 10:08:54 PM »
Rick,
is your email's you are receiving alert from,
are they being sent from a Yahoo address??
All the ones I receive from Yahoo show a potential virus.


Hummm. Interesting you should say this.   I just read your post   and 5 out of 6 of the ones I received today are from Yahoo users!  sbcglobal was the 6th one.  Today I'm receiving emails from Avast...not the flashing, talking pop up messages I first posted about.  My anti-spam caught all the above mentioned messages today.

Any advice to Yahoo users?

Barbara T.



Offline sandraj

  • Newbie
  • *
  • Posts: 18
Re: "Potential Infection" Messages - Too frequent!
« Reply #18 on: May 03, 2007, 10:13:07 PM »
I too have been in contact with Bell South. They tell me it's a [microsoft] problem.
I have chosen to leave my messages on server from inside Outlook Express. I can at least go there and view them.

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #19 on: May 03, 2007, 10:54:34 PM »
The emails you say you now get from avast are really replacement mssgs for the emails deleted. I don't think they're really emails. I get the same mssg. Here's a copy of that mssg: [note, I've replaced part of the names & addys with xx's so spam bots won't hit these people]
Quote
Multiple Content-Type header - HIGH DANGER!

Sender:  Bob and Jo XXX <bob_XXX@prodigy.net>
Recipient:  Michael xXX<michael.XXX@delta.com>, Nancy XXX<Nancy.L.XXX@usda.gov>, Patricia XXX<patricia.xxxx@dhs.gov>; Marika xxx<marika.XXX@emoryhealthcare.org>, Shawna XXX<PrXXXX@bellsouth.net>
Subject:  Fw: Dam.pdf
________________

I just recv'd a resend of the suspect email and let it thru this time.  I then ran a full scan with avast and everything is clean. The attachment was stripped off though (dam.pdf).  But as I mentioned earlier, I viewed the pdf attachment thru web earlier (downloaded it, scanned it... it was fine).  Here's a copy of that email followed by its properties..... again, I've changed the names to xx's.

Quote
Hi Rick,
 
Here's a repeat of the "dam" message.
 
Hope all is well.

Bob and Jo xxx<bob_xxx@prodigy.net> wrote:
Date: Thu, 3 May 2007 08:11:58 -0700 (PDT)
From: Bob and Jo xxx<bob_xxx@prodigy.net>
Subject: Fw: Dam.pdf
To: Michael xxx<michael.xxx@delta.com>,
Nancy xxx<Nancy.L.xxx@usda.gov>,
Patricia xxx<patricia.xxx@dhs.gov>
CC: Marika xxx<marika.xxx@emoryhealthcare.org>,
Shawna xxxx<xxxx@bellsouth.net>



From: Max xxx<xxxx@mail.sdsu.edu>
Subject:  Dam.pdf

Don't dump this one - it's a panic!
_______________

Here's the property of that email.... (x's in place of names and addys)


Quote
X-x: TimeOut
Return-Path: <bob_xxx@prodigy.net>
Received: from mxm17aec.corp.bellsouth.net ([205.152.59.244])
          by imf06aec.mail.bellsouth.net with ESMTP
          id <20070503200708.KSFW13572.imf06aec.mail.bellsouth.net@mxm17aec.corp.bellsouth.net>
          for <xxxx@bellsouth.net>; Thu, 3 May 2007 16:07:08 -0400
Received: from unknown [192.168.16.137] (EHLO ibm27aec.bellsouth.net)
   by mxm17aec.corp.bellsouth.net (mxl_mta-3.0.2-03)
   with ESMTP id be04a364.1491323824.3816961.00-043.mxm17aec (envelope-from <bob_xxx@prodigy.net>);
   Thu, 03 May 2007 16:07:07 -0400 (EDT)
Received: from web80204.mail.mud.yahoo.com ([68.142.201.109])
          by ibm27aec.bellsouth.net with SMTP
          id <20070503200706.OWID6935.ibm27aec.bellsouth.net@web80204.mail.mud.yahoo.com>
          for <xxxx@bellsouth.net>; Thu, 3 May 2007 16:07:06 -0400
Received: (qmail 26728 invoked by uid 60001); 3 May 2007 20:07:05 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=prodigy.net;
  h=X-YMail-OSG:Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=2pu90d1SYEkvGKswU4r+C2zucwlFHUM9TV7zDI9uFMfqHbSmmHyWo0cPNW+r2mmtC7A7/p1F1mcbzow3Db0skxGYazEOcSqXkWv3zwJYaZChU6aozQX4uCOu5Hj5kUQgxXBJZFIOXhzhEkezs70bTTWo1Ea/B7Ow55NveoQaL/Q=;
X-YMail-OSG: 28Bq1aMVM1lmNfmiLsBMVqinrpt_nQ45zx7Sm5pGt8n3wMpSP_UAdChYK1GViDhWeDzCqXNrVw--
Received: from [12.78.4.112] by web80204.mail.mud.yahoo.com via HTTP; Thu, 03 May 2007 13:07:05 PDT
Date: Thu, 3 May 2007 13:07:05 -0700 (PDT)
From: Bob and Jo xxx<bob_xxx@prodigy.net>
Reply-To: bob_xxx@prodigy.net
Subject: Fwd: Fw: Dam.pdf
To: Rick xxxx <xxx@bellsouth.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1211422853-1178222825=:25032"
Content-Transfer-Encoding: 8bit
Message-ID: <880664.25032.qm@web80204.mail.mud.yahoo.com>
X-Spam: [F=0.0001150200; S=0.010(2007050201); MH=0.500(2007050339); R=0.011(s6/n553)]
X-MAIL-FROM: <bob_xxx@prodigy.net>
X-SOURCE-IP: [192.168.16.137]
--0-1211422853-1178222825=: 25032
Content-Type: multipart/alternative; boundary="0-1434452073-1178222825=:25032"
X-Antivirus: avast! (VPS 000738-1, 05/03/2007), Inbound message
X-Antivirus-Status: Clean

Note... the stamp at the bottom says, "avast status Clean"  ???

Hope this helps. Not sure what the problem is.



« Last Edit: May 03, 2007, 11:02:55 PM by Rick F »
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,
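
Added example (not part of the thread, and not avast's code; the heuristic's actual logic is not shown on this page): one way to check a raw message source for the condition the alert text names. In the header dump quoted in reply #19, the first boundary delimiter and a second Content-Type line follow the top-level headers with no blank line in between; the sample messages, addresses and boundary strings below are constructed to reproduce that shape.

```python
import re

FIELD_RE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")   # RFC 5322 field name, then value
BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.I)

def header_block(raw):
    """Lines up to (not including) the first empty line, which ends the headers."""
    lines = raw.replace("\r\n", "\n").split("\n")
    return lines[:lines.index("")] if "" in lines else lines

def inspect_headers(raw):
    """Report every Content-Type in the header block and whether a MIME
    boundary delimiter sits among the headers instead of in the body."""
    block = header_block(raw)
    fields = []
    for line in block:
        if line[:1] in (" ", "\t") and fields:        # folded continuation line
            fields[-1][1] += " " + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m:                                         # a boundary containing ':' also matches
            fields.append([m.group(1), m.group(2)])
    ctypes = [value for name, value in fields if name.lower() == "content-type"]
    m = BOUNDARY_RE.search(ctypes[0]) if ctypes else None
    boundary = m.group(1) if m else None
    leaked = boundary is not None and any(
        line.startswith("--" + boundary) for line in block)
    return {"content_types": ctypes, "boundary_in_headers": leaked}

# Constructed sample: no blank line between the last header and the first
# boundary delimiter, so the part's Content-Type lands in the header block.
BROKEN = (
    "From: sender@example.com\n"
    "Subject: Fw: test.pdf\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1=:0001"\n'
    "X-SOURCE-IP: [192.0.2.10]\n"
    "--b1=:0001\n"
    'Content-Type: multipart/alternative; boundary="b2=:0001"\n'
    "\n"
    "--b2=:0001\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--b2=:0001--\n"
    "--b1=:0001--\n"
)
# Same constructed message with the header/body separator restored.
WELL_FORMED = BROKEN.replace("]\n--b1", "]\n\n--b1", 1)

if __name__ == "__main__":
    for label, msg in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(label, inspect_headers(msg))
```

To try it on a real message, paste the text from Properties, Details, Message Source into a string and pass it to inspect_headers().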

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83768
  • No support PMs thanks
Re: "Potential Infection" Messages - Too frequent!
« Reply #20 on: May 03, 2007, 11:18:03 PM »
Guys, let's not forget that these forums are publicly available and the email addresses that are displayed could possibly be harvested by a spambot and these innocent bystanders could find their addresses added to spam lists.

@ Barbara T.
If you could modify your post, either crop the email addresses or edit them as Rick F has "(x's in place of names and addys)"
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #21 on: May 03, 2007, 11:23:23 PM »
Guys, let's not forget that these forums are publicly available and the email addresses that are displayed could possibly be harvested by a spambot and these innocent bystanders could find their addresses added to spam lists.

@ Barbara T.
If you could modify your post, either crop the email addresses or edit them as Rick F has "(x's in place of names and addys)"

Thanks, David, I believe I have taken care of the headers I posted but haven't been able to get it off my profile and in response to clicking the envelope icon; maybe the fix "don't show to public" isn't retroactive.  BTW,  Forums are totally new to me and I feel like one of the 3 blind mice right now.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83768
  • No support PMs thanks
Re: "Potential Infection" Messages - Too frequent!
« Reply #22 on: May 03, 2007, 11:31:36 PM »
It is off your profile, this is something I had a whinge about some time ago, you can see it but others can't, damn confusing, you check don't show yet there it is 'in your face.'

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: "Potential Infection" Messages - Too frequent!
« Reply #23 on: May 03, 2007, 11:42:09 PM »
The old memory cells fired up.

We had exactly this same error message for perfectly innocuous messages back in Nov 2005.

http://forum.avast.com/index.php?topic=17549.0

avast then stopped the error messages - seems they have brought them back.

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #24 on: May 04, 2007, 01:20:45 AM »
Wow Alan! How do you remember that from 2005? I'm impressed. I don't remember what I had for dinner last night even (lol).

I read the thread but didn't see what the cause or fix was. I've recently recv'd two more emails... but not from that friend who uses Prodigy. These didn't sound the alarm of Heuristic detection (mine is set to medium) "Multiple Content-Type header - HIGH DANGER!"

Again, I'm still on version 4.7.942 but with latest VPS 000738-1.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: "Potential Infection" Messages - Too frequent!
« Reply #25 on: May 04, 2007, 04:49:07 AM »
The avast team made the change to stop the errors last time around.

I'll have to take a look to see if I still have the email explaining what they were doing from pavels at the time.
« Last Edit: May 04, 2007, 04:56:42 AM by alanrf »

Offline sandraj

  • Newbie
  • *
  • Posts: 18
Re: "Potential Infection" Messages - Too frequent!
« Reply #26 on: May 04, 2007, 05:15:50 AM »
I turned AVAST completely off. Then sent an email from a Yahoo address.
It stays on the webserver, but if you try to view with Outlook Express it strips the attachment. Even with AVAST turned off.
Bellsouth says it is a Microsoft Outlook Express problem....???
No one wants to try to help find the fix....


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83768
  • No support PMs thanks
Re: "Potential Infection" Messages - Too frequent!
« Reply #27 on: May 04, 2007, 02:19:17 PM »
One, you shouldn't turn it completely off, but only the provider that scans the email, the Internet Mail provider, otherwise you are more vulnerable at these times.

What was the attachment ?
OE won't strip the attachment, it may stop you from opening it if it is one it considers could be harmful and by that it means the file is possible to infect not that it is infected. Tools, Options, Security, 'Do not allow attachments to be saved or opened that could potentially be a virus.' You would be surprised what files it considers potentially harmful.

Multi-part emails on occasion are flagged as having an attachment, when in fact no attachment exists. If you dig into the message source (right click the email, properties, Details, Message Source) you may see if there was an attachment and what its name was or if it was just a multi-part email.

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #28 on: May 04, 2007, 03:56:55 PM »
More testing...

I went to my Yahoo acct and sent a test email to my main identity (Bellsouth ISP). It comes thru just fine. Then I sent another test email from my Yahoo acct, added the attachment (dam.pdf - 72K in size), Avast sounded the alarm as it did yesterday.

Next, I turned off 'Internet Mail' provider of avast and sent another email from Yahoo with the same attachment (dam.pdf).  The email came thru, but there was no attachment! I do have "Do not allow attachments to be saved or opened that could potentially be a virus." selected in my OE-6 mail client. But I think the attachment was converted to text because it's included in the email itself and looks like the 'source' file and very long.

I'm sure it's not a false positive by avast because after downloading and scanning it with avast, it comes back clean.  Besides, I had VirusTotal scan the pdf file (Jotti is too backed up) and it comes back clean by all 31 AV tests.

Next, I send another email from Yahoo... attach a different file (Word doc) and I get the same alarm... Heuristic detection, Multiple Content-Type header - HIGH DANGER!.  I click 'continue' and allow the email thru because I know it's safe.  Even the word doc attachment is gone.  Again, it's changed to text.

Not sure what's going on here.  ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: "Potential Infection" Messages - Too frequent!
« Reply #29 on: May 04, 2007, 03:59:26 PM »
The avast team made the change to stop the errors last time around.
I'll have to take a look to see if I still have the email explaining what they were doing from pavels at the time.
This is the reason why posting in forum is better.
Alanrf, won't it help if you enable avast and have a log of the Mail provider?

Yahoo acct and sent a test email to my main identity (Bellsouth ISP).
There are other threads saying the guilty is Bellsouth ISP changing the headers of the emails.
I'm not sure if this is not the same case as posted recently elsewhere...
The best things in life are free.