Author Topic: "Potential Infection" Messages - Too frequent!  (Read 24263 times)

0 Members and 1 Guest are viewing this topic.

Offline sandraj

  • Newbie
  • *
  • Posts: 18
Re: "Potential Infection" Messages - Too frequent!
« Reply #30 on: May 04, 2007, 04:03:08 PM »
That's what I was saying. That by turning off Avast totally, just for a moment to test, OE-6 still totally deleted the attachment. Therefore I think it's in OE-6, but then again, why does it do that only to bellsouth customers??
However I doesn't convert the file to text right now, how I have my setting. I get nothing but a blank email with no attachment.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: "Potential Infection" Messages - Too frequent!
« Reply #31 on: May 04, 2007, 04:09:40 PM »
why does it do that only to bellsouth customers??
Search the board for bellsouth and you'll find...
The best things in life are free.

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #32 on: May 04, 2007, 04:22:12 PM »
I just talked with BellSouth (now the new AT&T).  Unfortunately, the tech support folks are in India and hard to understand.  ::)

He did say that they've been hearing about problems with Yahoo accts and attachments... that any (or many) emails from Yahoo with attachments are sounding AV alarms. He also said the attachments are gone and only garbage is displayed (which is what I was seeing). He had me do the following test...

I used OE and sent the same test email to myself thru my BellSouth acct.  The email came thru fine with the pdf attachment (Dam.pdf).  No alarm sounded.

While doing that test, I got a short email from my friend from Prodigy. WITH NOT ATTACHMENT.  It was a short message saying, "Glag to help out" (resent his email yesterday with attachment.)  Well this short message caused the same alarm!!! Multiple Content-Type header - HIGH DANGER!. 

So I don't think it's BellSouth unless something in the header gets changed when coming from Yahoo or Prodigy.

Here's a copy of that short email that caused the alarm (xx'd out all last names in email addys)....

Quote
Hi Rick,
   
  Glad to help out.  Viruses are a big problem for all of us.
   
  Bob

Rick Floyd <xxx@bellsouth.net> wrote:
          Hi Bob,
   
  Thanks for resending that email.  I hope the avast folks can figure out what's wrong with that header in that email.  I posted the info on their forum but changed all the names and addresses (where names were) to xx's to protect the innocent. 8^)
   
  Rick


   
---------------------------------
    avast! Antivirus: Outbound message clean.   Virus Database (VPS): 000738-1, 05/03/2007
Tested on: 5/3/2007 5:09:35 PM
avast! - copyright (c) 1988-2007 ALWIL Software.
 


--0-1719296184-1178287377=:62209
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<div>Hi Rick,</div>  <div>&nbsp;</div>  <div>Glad to help out.&nbsp; Viruses are a big problem for all of us.</div>  <div>&nbsp;</div>  <div>Bob<BR><BR><B><I>Rick Floyd &lt;rnsnfloyd@bellsouth.net&gt;</I></B> wrote:</div>  <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">  <META content="MSHTML 6.00.2900.3059" name=GENERATOR>  <STYLE></STYLE>    <DIV><FONT face=Arial>Hi Bob,</FONT></DIV>  <DIV><FONT face=Arial></FONT>&nbsp;</DIV>  <DIV><FONT face=Arial>Thanks for resending that email.&nbsp; I hope the avast folks&nbsp;can figure out what's wrong with that header in that email.&nbsp; I posted the info on their forum but changed all the names and addresses (where names were) to xx's to protect the innocent. 8^)</FONT></DIV>  <DIV><FONT face=Arial></FONT>&nbsp;</DIV>  <DIV><FONT face=Arial>Rick</FONT></DIV><BR><BR>  <TABLE width=400>  <HR>    <div style="FONT: 9pt/11pt verdana"><A href="http://www.avast.com/">avast!
 Antivirus</A>: Outbound message clean.   <div style="FONT: 8pt/11pt verdana">Virus Database (VPS): 000738-1, 05/03/2007<BR>Tested on: 5/3/2007 5:09:35 PM<BR><FONT color=gray>avast! - copyright (c) 1988-2007 ALWIL Software.</FONT></div>  <TBODY></TBODY></TABLE><BR></BLOCKQUOTE><BR>
--0-1719296184-1178287377=:62209--

There sure is a bunch of garbage at the bottom of that email. Maybe that's causing a problem?
« Last Edit: May 04, 2007, 04:34:49 PM by Rick F »
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: "Potential Infection" Messages - Too frequent!
« Reply #33 on: May 04, 2007, 06:49:36 PM »
Rick F.

what would be most useful and would probably nail this ....

Can you get your friend with the Prodigy account to send the same short email but this time multi-addressed to you and to another user on a different ISP. 

I am willing to offer up an address of mine on Comcast for this test if agreeable to you. Since I do not want it harvested from here automatically it is ******* at comcast.net.

I use avast to scan my Comcast mail.  If it comes into Comcast and is scanned by avast without the error and into BellSouth with the error we will just need to compare the raw messages sources to see what is happening and, if it does, then we will know it it is BellSouth.

Up to you (and your friend) if you want to do the test.

Edit:  I will be removing my address from the message later today.
« Last Edit: May 04, 2007, 08:35:15 PM by alanrf »

Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #34 on: May 04, 2007, 06:53:59 PM »
One you shouldn't turn it completely off, but only the provider that scans the email, the Internet Mail provider, otherwise you are more vulnerable at these times.

What was the attachment ?
OE won't strip the attachment, it may stop you from opening it if it is one it considers could be harmful and by that it means the file is possible to infect not that it is infected. Tools, Options, Security, 'Do not allow attachments to be saved or opened that could potentially be a virus.' You would be surprised what files it considers potentially harmful.

Multi-part emails on occasion are flagged as having an attachment, when in fact no attachment exists. If you dig into the message source (right click the email, properties, Details, Message Source) you may see if there was an attachment and what its name was or if it was just a multi-part email.

The attachments have been mostly "Forwards," but I recall specifically one with jpegs (photos).  They are from probably 10 different senders; some TO a list of receivers; others just to me only.    

How to I turn off the "provider who scans the mail"   Do you mean my ISP BellSouth?  

I never thought OE was ripping the attachments; I assumed Avast or Comodo was doing their job. All I know is most times when I let one through  the attachments are gone or very garbled.  This things change almost daily!

The last forward  I received was caught by Comodo (anti-spam) and when I let it through ONLY the header was visible with this warning:  

Multiple Content-Type header - HIGH DANGER!
Sender:  Harry Halleck <yahoo.com>
Recipient:  xxxx@bellsouth.net
Subject:  Re: Comodo AntiSpam Alert from Barbara

Yes, most  (but not all) are from Yahoo  users.  Many were forwards to multiple people.

Changes from my original post:
I'm not getting the same warning as at first which was a text and voice message with flashing yellow circle and AVAST  message.
No more red Avast messages in my Inbox for 2 days.
Comodo is still catching some.  Mostly from Yahoo.
Number of "stopped" messages has drastically reduced. ;D

Thanks to all who have helped.  I consider this still an open topic as not totally solved for me and others.

Barbara T.




Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #35 on: May 04, 2007, 07:49:04 PM »
Alan,

Go ahead and remove that email addy.  I got it copied.  I'll see if my friend will help with this test.

*** edit ***

I've asked my friend is he will be willing to do this test.
___________

Barbara asked,
Quote
"How to I turn off the "provider who scans the mail"   Do you mean my ISP BellSouth? "

Open avast by double clicking on it. Click on 'details' if not already displayed that way. You should see an icon for each service down the left hand side.  If it's active, it will be in color.  Click once on the "Internet Mail", then on the right side, click 'pause'.  This just stops your email from being scanned but you will still be protected by the other services.
« Last Edit: May 04, 2007, 08:04:14 PM by Rick F »
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #36 on: May 04, 2007, 08:01:12 PM »
oops. deleted duplicate post
« Last Edit: May 04, 2007, 08:04:46 PM by Rick F »
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 83802
  • No support PMs thanks
Re: "Potential Infection" Messages - Too frequent!
« Reply #37 on: May 04, 2007, 08:03:40 PM »
@ Barbara T.
1. That looks like the ongoing saga of bellsouth in this and another topic.
2a. right click the avast icon, select On-Access Protection Control.
2b. Select the Internet Mail provider icon, and click Pause or Terminate, if you can't see the icon click Details. Note this would leave you vulnerable to genuinely infected emails.

As Alan mention this seems to occur for email originating out side of bellsouth. I suggest you take part in his proposed test in the post above yours.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #38 on: May 04, 2007, 09:14:42 PM »
For those of you following the ongoing saga of 'BellSouth' emails, see this post by Vlk:

http://forum.avast.com/index.php?topic=28183.msg230076#msg230076

Hopefully BellSouth will admit to changing something and correct it.
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #39 on: May 05, 2007, 12:28:09 AM »
@ Barbara T.
1. That looks like the ongoing saga of bellsouth in this and another topic.
2a. right click the avast icon, select On-Access Protection Control.
2b. Select the Internet Mail provider icon, and click Pause or Terminate, if you can't see the icon click Details. Note this would leave you vulnerable to genuinely infected emails.

As Alan mention this seems to occur for email originating out side of bellsouth. I suggest you take part in his proposed test in the post above yours.

Thanks.  The mail that is causing me problems is 99% yahoo + sbcglobal.  It is now being caught in my anti-spam "Comodo."  There is NO information in it when I bring it in yet I can read it in BellSouth webmail.  Hope that gives someone who knows technically the route of mail more details.

I'll go check out the "proposed test" in the post above mine.  I'd be happy to help if I can.

Barbara T.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: "Potential Infection" Messages - Too frequent!
« Reply #40 on: May 05, 2007, 12:35:17 AM »
Barbara,

if you were referring to the proposed test that I made then the piece that I have since asterisked out is alanrf3.

We need a message that is strongly suspected will show up with a problem in BellSouth to be sent to the the BellSouth address and to an address (I offered mine - since I am on Comcast - ie a different ISP - and I have my mail scanned by avast).   

We then compare the message source of that same message as it got delivered through the two differing ISPs and (hopefully) the difference will identify the problem.  It will, I think, confirm the issue already observed by Vlk and reported earlier.

Offline Barbara T.

  • Newbie
  • *
  • Posts: 14
Re: "Potential Infection" Messages - Too frequent!
« Reply #41 on: May 05, 2007, 02:53:49 PM »
Barbara,

if you were referring to the proposed test that I made then the piece that I have since asterisked out is alanrf3.

We need a message that is strongly suspected will show up with a problem in BellSouth to be sent to the the BellSouth address and to an address (I offered mine - since I am on Comcast - ie a different ISP - and I have my mail scanned by avast).   

We then compare the message source of that same message as it got delivered through the two differing ISPs and (hopefully) the difference will identify the problem.  It will, I think, confirm the issue already observed by Vlk and reported earlier.


I need detailed instructions on how to find the "asterisked out" thread -   "alanrf3"   A link (if possible) would be appreciated.


Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 83802
  • No support PMs thanks
Re: "Potential Infection" Messages - Too frequent!
« Reply #42 on: May 05, 2007, 03:35:46 PM »
It is on this page, reply #33
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: "Potential Infection" Messages - Too frequent!
« Reply #43 on: May 05, 2007, 04:12:01 PM »
It is on this page, reply #33
Or... here's the direct link to Alan's post:

http://forum.avast.com/index.php?topic=28144.msg230049#msg230049

You'll see the asterisks in Alan's post.  Just replace the astericks with alanrf3 and change the at to the circle 'a'.  We do this to protect against getting hit with 'SpamBots' that surf the web. :)
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline sandraj

  • Newbie
  • *
  • Posts: 18
Re: "Potential Infection" Messages - Too frequent!
« Reply #44 on: May 05, 2007, 05:40:44 PM »
I have sent a test message to alanrf from a yahoo addres and also to my bellsouth address.
I spoke with a bellsouth agent last night- They denied any problem with outlook but here's a comment he made -BellSouth eAgent > We are experiencing email latency issues at this time that we are currently working on.
However, he told me the OE and missing attachments was a microsoft issue. I spoke with microsoft (However they wanted me to open a case and pay them $59.00, but I didn't) They told me that bellsouth was an authorized agent of OE and that they should be able to deal with the problem..
Anyway. It seems like we are all geting nowhere.