iframe tag from expedia.ca

[Inavastin]

I made a purchase through expedia.ca The confirmation email was flagged by Avast as suspicious. Possible. I placed the url in the heuristics tab. And yet when I forward the email, I still get the warning. : <iframe> tag found, it may be dangerous
Any ideas on what I should do to a) verify the suspicion b) allow the email to be forwarded without the warning? Thanks!

[Lisandro]

I think you would be able to send it if it is in text mode (not html).
Can you post the full url being blocked by avast? Maybe the site was hijacked.
Please, edit the live link to hxxp:// for instance (to not make it live).

[Inavastin]

Thanks.
purchase made on hxxp://www.expedia.ca
email came from:
support@service.expedia.ca
And yes you are correct formatting to plain text sends and receives with no avast discovery

[DavidR]

It is just suspicious as the iframe tag is very powerful tool not so frequently used in emails (more so in web pages) and can be used by malicious emails to run executable files. The latest malware on web sites relates to the injection of iframe tags into pages to run malicious code located on another site.

If it is coming from a known good source you have less to worry about as they frequently use it to deliver adverts. This one is likely to be OK, but it is wise to be cautious.

[Inavastin]

Thanks for this!
And now I should be able to go to the heuristics tab and type in the url.
Will I still get the alarm and the warning?
Hasn't worked for me. Still get awarning on forwarding. I may be entering the url improperly.
And if I forward to other Avast users, I presume they will get the alarm and the warning?

[DavidR]

It depends if the remote location of the iframe is the expedia.ca url you posted, e.g. in the iframe code there would be a url and it is that on which is the remote url.

Once the correct remote url is entered then you shouldn't get the alert.

So it would appear you haven't entered the correct url, when you open the email and edit it, you should be able to see the source, you then need to find the iframe (wrapped in these < > ) and copy the domain name url including the  http :// www . bit.

[Inavastin]

Right. Thanks. So I opened the email message. Right clicked to edit message. Right click to view source and see the code. I unfortunately don't see any other url mentioned than expedia, with one exception, an hxxp://www.rsac.org. I have scanned through the whole code looking for <hxxp://www......... and can't see it. Can you give me a hint of exactly what I should see? Appreciate your help.  And, in the email message itself, what am I looking for that may be the "iframe"? Thanks!

[Inavastin]

SOLVED!!  Thanks for your guidance. Tinkering and found with right click to edit the message and right click to view the source and search for "iframe" found the code for the "iframe" . Calculated where it should be in the email. And then it hit me, back on the page opened for editing, was this blank box with nothing in it, no border, and marked visibility hidden in the code. So a simple cut, save and the email now passes through no problem. Still not sure where it was pointing. Looks as if a piece of code was missing. e.g. several other places in the code were notations like this src="hxxp://www.expedia.ca/eta/btn_sec.gif" YET the one in question looks like this
src="/eta/spaceit.gif" . Anyway, thanks again for your guidance. Inavastin

[DavidR]

It is hard to give an example not wanting to trigger any iframe check in this topic but you are looking for an iframe tag, between the opening and closing tags there will be a url, this is where the data is imported into your email and is the remote location and what you pute in the Permitted URLs location.

The examples you gave are for importing images into the email and the url would look like this, but the only one we are interested in is the one in the iframe.

Code: [Select]

Opening tag looks like <iframe> closing tag looks like </iframe>
so whatever is between these would contain a URL and it is that url you need.

<iframe>http://example.domain.com/advert/1234/ad.cgi</iframe>

Notice that there is a lot more than just the domain name domain.com,
but you only need everything before the .com up to and including the http.
You don't need the bits after the .com, the http://example.domain.com


[Inavastin]

Ah, so DavidR, you are suggesting that I may not have really found the culprit, even by cutting the borderless blank spaced box?
Yet the email is easily forwarded now and received without Avast warnings.............

[DavidR]

I was only giving advice based on your previous reply #6 that basically indicated you were still getting alerts. Also in reply #7 where you couldn't find the iframe to confirm the correct remote URL.

So if you aren't getting alerts then you have fortunately hit on the remote URL.

[Inavastin]

Thanks DavidR. I appreciate your guidance on this. I feel I have learned a bit about what is under the surface. Thanks!!

[DavidR]

You're welcome.