Topic: More on 'Potential Infections'

brdman3 (Newbie, 9 posts)
More on 'Potential Infections'
« on: May 04, 2007, 06:09:15 PM »
As others have posted, I am having a BIG problem with what has been described as ‘false positives’ in emails which Avast (Home Edition 4.7) is scanning. Emails with attachments (as a general rule these are .JPGs) are having the attachments stripped from them before the message is allowed to proceed into Outlook Express. Below are the particulars and workarounds I have tried.

-   OS is Windows XP Home edition (Updated automatically)
-   Email program is Outlook Express
-   Processor is 1.8 GHz Pentium
-   Memory is 512 M
-   Antivirus Program is Avast Home Edition 4.7 (Updated automatically)
-   Other security programs include: Spybot Search and Destroy, HijackThis, AdAware SE, SpywareBlaster
-   ISP is Bellsouth.net DSL

Having read several posts describing the same problem here on the forum, I decided to try a few experiments to isolate the problem. First I downloaded and installed Mozilla’s Thunderbird email program (an alternative to Outlook Express). Then, using a Yahoo ID and Yahoo Email, I sent myself a test message with a .JPG attachment. After sending this I logged on to my ISP email USING THUNDERBIRD and Avast immediately popped up the same virus warning as had appeared in Outlook Express. The only options Avast offers are ‘Delete’ or ‘Continue’. Obviously clicking on Delete would delete the entire message, so I clicked on ‘Continue’. The message was then downloaded to my inbox, but MINUS THE ATTACHMENT.

I logged off of Thunderbird and logged back in to my ISP email using Outlook Express. Next, I sent the same message (from Yahoo mail, and with the same attachment) to myself again. Avast immediately threw up another virus warning as it had on my first attempt. Instead of clicking on anything in the warning window, THIS time I logged on to BellSouth’s web based email. At this point it is important to note that messages remain on the ISP’s mail server until Outlook Express accesses the server and transfers the messages there into the subscriber’s PC. Since I had not yet taken any option on Avast’s virus warning message, the original message I had sent myself was still intact on the ISP’s web based email server. I was able to read the message on the web based server AND view the attachment. Having proven that the message and the attachment were actually there, I logged OFF of the web based server and clicked on ‘Continue’ in Avast’s warning message. The message itself was downloaded, but the attachment had been stripped off.

Since this more or less proves that the problem is NOT within Outlook Express, it seems to isolate the problem to one of two places: it’s either within Avast, or within BellSouth’s services. I am curious as to what others who are experiencing the same problem have found out about it, and what they have been advised is being done to remedy this error.

Rick F (Guest)
Re: More on 'Potential Infections'
« Reply #1 on: May 04, 2007, 06:30:47 PM »
Well if we can believe tech support @ BellSouth (which is located in India  ;D ), they say nothing has changed as far as the headers go.

The fact that I can send the same message FROM BellSouth (using OE) with the SAME attachment... and it gets through ok, tells me it's not a BellSouth problem. I get the message AND the attachment.

See this link for that test:
http://forum.avast.com/index.php?topic=28144.msg230027#msg230027


alanrf (Avast Evangelist, Massive Poster, 3870 posts)
Re: More on 'Potential Infections'
« Reply #2 on: May 04, 2007, 06:42:11 PM »
I know you asked for further input from those experiencing the problem but ...

It is worth noting that not all folks using avast and receiving mail from Yahoo (in Thunderbird or Outlook Express) are using BellSouth and we are not seeing error reports from them. 

I have conducted some tests with my Yahoo account and receiving those messages through my ISP (Comcast) on both Thunderbird and Outlook Express.  None provoke the warning from avast.

BellSouth users have reported receiving the warnings on messages from services other than Yahoo.

It is interesting (but not surprising) that BellSouth users only report the errors on messages originating from outside BellSouth. Messages BellSouth users send to themselves almost certainly do not go through the same antispam checking and updating as messages originating from outside.

The avast Internet Mail provider does not know which mail client is being used, it just knows that port 110 is being used to receive email and it scans it.  As far as avast is concerned there is no difference between the mail clients.

The only common factor that appears here is that all the warnings are occurring on emails received through the BellSouth email service.

DavidR (Avast Überevangelist, Certainly Bot, 88895 posts)
Re: More on 'Potential Infections'
« Reply #3 on: May 04, 2007, 06:51:25 PM »
I wonder if the Alwil team might have some useful input, in the way of tests if nothing else.

alanrf (Avast Evangelist, Massive Poster, 3870 posts)
Re: More on 'Potential Infections'
« Reply #4 on: May 04, 2007, 06:58:34 PM »
I doubt that the Alwil team has access to BellSouth accounts.

I have recommended a simple test to nail it in the other thread. 

All I need is one willing BellSouth participant.

Vlk (Avast CEO, ALWIL Software, 11658 posts)
Re: More on 'Potential Infections'
« Reply #5 on: May 04, 2007, 07:02:03 PM »
Here are my comments:

1. As opposed to alanrf, I still don't think there have been ANY changes in the mail scanner regarding the multiple-MIME-header type of thing (not even back in 2005). Such emails ARE suspicious, and there's no plan to remove this check a.t.m. Maybe alanrf was referring to the iFrame check? (which indeed changed)

2. I absolutely refuse to believe that avast strips any attachments from the email (unless it reports a virus and you tell it to "Delete", "Move to Chest" etc). That is, if you can't access an attachment e.g. in Outlook Express (and avast is either disabled or doesn't produce an alarm) it's more likely the "security" feature of OE that's blocking the attachment - OR someone/something EN ROUTE has crippled your message (e.g. your ISP, i.e. Bellsouth). The fact that (as someone here already wrote) the attachments come as inline text in the message body really suggests that the messages are getting somehow corrupted (and this can then trigger the avast heuristic alert) BUT this is not done by avast itself, the messages are already coming like this from your ISP.

3. Could someone (who's using Outlook Express) please do Save As on such a message, save it in the EML format, then ZIP it and send it to my email address for inspection?


Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Rick F (Guest)
Re: More on 'Potential Infections'
« Reply #6 on: May 04, 2007, 07:33:55 PM »
Vlk,

I use OE, I have an email that did not have an attachment and still sounded the alarm.  (I posted a copy in the other thread but changed last names in email addys).

-- edit --

I sent you a zipped copy of an email.
« Last Edit: May 04, 2007, 07:38:17 PM by Rick F »

Rick F (Guest)
Re: More on 'Potential Infections'
« Reply #7 on: May 04, 2007, 08:19:28 PM »
I sent an email to tech support for BellSouth.  Not sure it will do any good, but can't hurt.

Quote
Dear Sir or Madam,

I use Avast AV (anti-virus).  There are a number of Avast users who are having trouble with false alarms on emails. It's only with BellSouth customers. We've been testing for 2 days trying to nail this down.  An email from another Bellsouth customer comes thru fine with no alarm.  But emails from Yahoo or Prodigy (and possibly more) are alarming under a heuristic detection with the message, "Multiple Content-Type header - HIGH DANGER!." If it has an attachment (and this is only for ISPs other than BellSouth) it is stripped or changed to garbage or text and placed within the body of the email.

Have there been any changes to the way email is handled when coming from other ISP's?  Is the anti-spam filter possibly changing or adding something?

Thank you for your response in this matter.
Rick Floyd

Vlk (Avast CEO, ALWIL Software, 11658 posts)
Re: More on 'Potential Infections'
« Reply #8 on: May 04, 2007, 08:27:25 PM »
Got the file, thanks.

Indeed, the email is malformed. Namely, the end of the message header block lacks the blank line (as is dictated by RFC 822).

The last line of the message header is

X-SOURCE-IP: [192.168.16.145]

After this line, there should have been a blank line (separating the header from the message body) - but there isn't one. That's also why the message is not rendered correctly.

To me, it seems that Bellsouth has some kind of mail filter installed on their mail server, and this filter corrupts all emails by stripping the blank line from the end of the header section.

Here's the whole thing (I tried to remove any personal info):
Return-Path: <xxxxxx@prodigy.net>
Received: from mxm19aec.corp.bellsouth.net ([205.152.59.244])
          by imf11aec.mail.bellsouth.net with ESMTP
          id <20070504140259.JYGQ17393.imf11aec.mail.bellsouth.net@mxm19aec.corp.bellsouth.net>
          for <xxxxxx@bellsouth.net>; Fri, 4 May 2007 10:02:59 -0400
Received: from unknown [192.168.16.145] (EHLO ibm35aec.bellsouth.net)
   by mxm19aec.corp.bellsouth.net (mxl_mta-3.0.2-03)
   with ESMTP id 21d3b364.1277832112.6558044.00-174.mxm19aec (envelope-from <xxxxxxx@prodigy.net>);
   Fri, 04 May 2007 10:02:58 -0400 (EDT)
Received: from web80202.mail.mud.yahoo.com ([68.142.201.107])
          by ibm35aec.bellsouth.net with SMTP
          id <20070504140257.QFEN25972.ibm35aec.bellsouth.net@web80202.mail.mud.yahoo.com>
          for <xxxxxx@bellsouth.net>; Fri, 4 May 2007 10:02:57 -0400
Received: (qmail 62600 invoked by uid 60001); 4 May 2007 14:02:57 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=prodigy.net;
  h=X-YMail-OSG:Received:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=kg3UnpzyBWoaTPbjapuCaiZQt4cR35LMzFl0ZGVVwdpH4ffx1mKaCZR9EM4nv3m+XIOtW8huy2FWYlt5KTi/UP9rHljQaDv79dsMfLpRYwzJ299u/LlW6eU69twfbvxY8QXGWJ5siRsO00nb31pPQHQPIh73KFHIvDP4gJG8qZk=;
X-YMail-OSG: y2m3.vgVM1kaUPWcZ5a1v_dgDc7g62xh6NseAhadIv1_.8Tw4Gt7L6DBfaRNMhPX54TYW5pHiedxYwX7OjCAHzgGOrhJA14jNbD5pYEMvUSPJczo7Xg-
Received: from [xxxxxxxx] by web80202.mail.mud.yahoo.com via HTTP; Fri, 04 May 2007 07:02:57 PDT
Date: Fri, 4 May 2007 07:02:57 -0700 (PDT)
From: Xxxxxxxxx <xxxxxxx@prodigy.net>
Reply-To: xxxxxxx@prodigy.net
Subject: Re: Thanks
To: Xxxxxx <xxxxx@bellsouth.net>
In-Reply-To: <002b01c78dc7$59ec1180$6101a8c0@rick8803d6ef66>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1719296184-1178287377=:62209"
Content-Transfer-Encoding: 8bit
Message-ID: <275121.62209.qm@web80202.mail.mud.yahoo.com>
X-Spam: [F=0.0001323180; S=0.010(2007050201); MH=0.500(2007050417); R=0.012(s7/n557)]
X-MAIL-FROM: <xxxxxxx@prodigy.net>
X-SOURCE-IP: [192.168.16.145]                     Blank line missing after this line!!!!
--0-1719296184-1178287377=: 62209               
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Antivirus: avast! (VPS 000738-2, 05/04/2007), Inbound message
X-Antivirus-Status: Clean

Hi Rick,
   
  Glad to help out.  Viruses are a big problem for all of us.
   
  Bob


   
---------------------------------
    avast! Antivirus: Outbound message clean.   Virus Database (VPS): 000738-1, 05/03/2007
Tested on: 5/3/2007 5:09:35 PM
avast! - copyright (c) 1988-2007 ALWIL Software.
 


--0-1719296184-1178287377=:62209
Content-Type: text/html; charset=iso-8859-1

....



Thanks
Vlk
« Last Edit: May 04, 2007, 08:35:09 PM by Vlk »
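The defect Vlk describes, reproduced as an added example (not code from the thread or from Avast) on a constructed message: the header block is split the way an RFC 822 reader splits it, the Content-Type fields inside it are counted (two, which is what the "Multiple Content-Type header" heuristic is reacting to), the MIME parts the Python stdlib parser still recovers are listed, and the missing blank line is reinserted before the first boundary delimiter. The boundary value, addresses and IP are placeholders; the boundary keeps the Yahoo-style "=:" seen in the dump above, which is what makes even a lenient parser read the glued delimiter line as a header field and push the text/plain part's text into the preamble, where no mail client displays it.

```python
import email
import re

# Constructed sample modelled on the thread's dump: a Yahoo-style boundary
# containing "=:" and the first delimiter glued to the last header line.
B = "0-12345=:678"
BROKEN = (
    "From: sender@example.net\r\n"
    "To: recipient@example.net\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/alternative; boundary="{B}"\r\n'
    "X-SOURCE-IP: [192.0.2.1]\r\n"  # the blank line should follow here
    f"--{B}\r\n"
    "Content-Type: text/plain; charset=iso-8859-1\r\n\r\n"
    "Hi Rick,\r\n"
    f"--{B}\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<p>Hi Rick,</p>\r\n"
    f"--{B}--\r\n"
)

def content_type_count(raw: str) -> int:
    """Count Content-Type fields in the header block as a strict RFC 822
    reader sees it (everything before the first empty line). More than one
    is the condition behind the 'Multiple Content-Type header' heuristic."""
    head = raw.partition("\r\n\r\n")[0]
    return sum(ln.lower().startswith("content-type:")
               for ln in head.split("\r\n"))

def repair(raw: str) -> str:
    """Reinsert the blank line before the first boundary delimiter when that
    delimiter sits inside the header block; otherwise return raw unchanged."""
    head, sep, body = raw.partition("\r\n\r\n")
    m = re.search(r'boundary="?([^";\r\n]+)"?', head, re.IGNORECASE)
    delimiter = "\r\n--" + m.group(1) + "\r\n" if m else None
    if not delimiter or delimiter not in head:
        return raw
    return head.replace(delimiter, "\r\n" + delimiter, 1) + sep + body

def part_types(raw: str) -> list[str]:
    """Content types of the MIME parts the stdlib parser recovers; the broken
    message loses its text/plain part because its delimiter parsed as a header."""
    msg = email.message_from_string(raw)
    if not msg.is_multipart():
        return [msg.get_content_type()]
    return [p.get_content_type() for p in msg.get_payload()]

def preamble_text(raw: str) -> str:
    """Body text that fell outside every MIME part."""
    return email.message_from_string(raw).preamble or ""
```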

Vlk (Avast CEO, ALWIL Software, 11658 posts)
Re: More on 'Potential Infections'
« Reply #9 on: May 04, 2007, 08:37:03 PM »
Of course, you're free to report my previous post to Bellsouth support. It should contain all the information necessary to find and fix the issue.

Rick F (Guest)
Re: More on 'Potential Infections'
« Reply #10 on: May 04, 2007, 09:08:02 PM »
Thanks Vlk,

I've copied your post and included it in an email to BellSouth.  I hope they will do something about it. My first response from them was to contact Tech support at their 800 number... the folks in India.  I told them I've already talked to them about it and they knew nothing about it.  ::)

sandraj (Guest)
Re: More on 'Potential Infections'
« Reply #11 on: May 04, 2007, 10:01:20 PM »
I have told my system to "leave messages on the server". I look in OE and the attachments are not there. I go to the Bellsouth server and you can view the attachments. It's got to be in the way Bellsouth transfers to Outlook Express. Funny, I forwarded an email from a Yahoo user with an attachment to myself. I went to OE and there it was with the complete attachment. It is just something with Yahoo and a few others like Prodigy.

Barbara T. (Guest)
Re: More on 'Potential Infections'
« Reply #12 on: May 05, 2007, 12:00:34 AM »
Quote
I have told my system to "leave messages on the server". I look in OE and the attachments are not there. I go to the Bellsouth server and you can view the attachments. It's got to be in the way Bellsouth transfers to Outlook Express. Funny, I forwarded an email from a Yahoo user with an attachment to myself. I went to OE and there it was with the complete attachment. It is just something with Yahoo and a few others like Prodigy.

I just received 5 forwards.  However, this one, different from the rest, was not a forward, yet still when I brought it in there is NO message content.  Again a YAHOO sender yet NOT a forward...just to me alone.  I'm believing more and more that the problem has dwindled down to a Yahoo/BellSouth problem.  I vaguely remember having one before.  Comodo catching them as spam is all that has happened to me for 2 days...none of the flashing, talking message with Avast on its face.

From the source of the one message that was directly to me...not a forward.
 
+OK
From: avast! 4
Subject: [avast! heuristic - WARNING]   

Multiple Content-Type header - HIGH DANGER!


Sender:  Perry Easterling <@yahoo.com>
Recipient:  barbara burke <xxxxxx@bellsouth.net>
Subject:  web

alanrf (Avast Evangelist, Massive Poster, 3870 posts)
Re: More on 'Potential Infections'
« Reply #13 on: May 05, 2007, 12:08:30 AM »
We know this is not just a Yahoo/BellSouth problem - Rick F. has the same errors from a user on Prodigy.net.

I already posted an explanation that this problem will almost certainly not occur when you forward messages to yourself inside BellSouth because they will not be subjected to the same spam filtering that outside mail gets.  I would hazard a guess that it is the spam filtering and the insertion by BellSouth of the spam filter header line into the message that is causing the problem for some domains delivering to BellSouth.


brdman3 (Newbie, 9 posts)
Re: More on 'Potential Infections'
« Reply #14 on: May 05, 2007, 12:11:22 AM »
Appreciate the info VLK. I've referred this to BellSouth along with a link to the forum here and in particular to your reply. Maybe they'll get serious about trying to fix this if enough of us take similar action.