False Positive ?

Mike Kercher mike at CAMAROSS.NET
Fri Feb 14 22:35:08 GMT 2003


I'd read up on Sircam:

http://www.sophos.com/virusinfo/analyses/w32sircama.html

Since Sircam has its own SMTP engine, she doesn't even have to be sending
out the email manually.  Since Sircam is also network aware, I'd have her
people check their whole network.  The attachment that Sophos is catching is
coming from somewhere.

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Tim Tyler
Sent: Friday, February 14, 2003 4:23 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: False Positive ?


MailScanner experts,
  We are running MailScanner 2.6 on an AIX 4.3 system along with the Sophos
engine.  It has been running fine for more than a year without any real
issues.  I just received a complaint from an outside site where the sender
claims that they send very simple messages (no attachments and signature
turned off).  However, she always gets back the following response.
------------------
MailScanner <root at beloit.edu> wrote:
Date: Wed, 12 Feb 2003 15:26:34 -0600
From: "MailScanner"
To:
Subject: Warning: E-mail viruses detected
Our virus detector has just been triggered by a message you sent:-
To:
Subject: signature file
Date: Wed Feb 12 15:26:34 2003
Any infected parts of the message have not been delivered.
This message is simply to warn you that your computer system may have a
virus present and should be checked.
The virus detector said this about the message:
Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature file.doc.com
--
MailScanner
Email Virus Scanner
------------------------------------------------- end of message.
  
  Currently we have MailScanner configured to simply delete any message that
is determined to have a virus and simply send notification back to the
sender.  So she always gets the above message.  They can't find any viruses
on her computer.  I had her send me a message to an SMTP server without any
MailScanner intercept so that I would get the entire message without any
filtering.  Below is the raw message with her name replaced by xxxxx:
>From xxxxx at mail.uca.edu Thu Feb 13 10:43:13 2003
Received: from list.uca.edu (list.uca.edu [161.31.208.98])
        by www.beloit.edu (8.11.6/8.11.6) with ESMTP id h1DGhCf22588
        for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:43:12 -0600
Received: from localhost (list.uca.edu [127.0.0.1])
        by list.uca.edu (Postfix) with ESMTP id F2AB049F5
        for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
Received: from mail.uca.edu (mail.uca.edu [161.31.208.25])
        by list.uca.edu (Postfix) with ESMTP id 415194822
        for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48);
    13 Feb 03 10:43:18 -0600
Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600
Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48);
    13 Feb 03 10:42:49 -0600
Message-ID: <004d01c2d37e$f14a17a0$6f781fa1 at uca.edu>
From: "xxxx xxx" <xxxxx at mail.uca.edu>
To: <tylert at www.beloit.edu>
Subject: hello
Date: Thu, 13 Feb 2003 10:42:48 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Virus-Scanned: by AMaViS new-20020517
Status: OR
This is a multi-part message in MIME format.
------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
hi tim,=20
here's the message, the funny thing is, all the people I normally email =
everyday aren't having any problems.. just people i've never heard of!!  =
alli=20
------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/html;
        charset="iso-8859-1"
------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>hi tim, </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>here's the message, the funny thing is, =
all the=20
people I normally email everyday aren't having any problems.. just =
people i've=20
never heard of!!&nbsp; </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>alli </FONT></DIV></BODY></HTML>
------=_NextPart_000_004A_01C2D34C.A69EDEC0--
----------------------------------------------
Is there any reason why the above email message would result in triggering
the former MailScanner response?
Tim Tyler
Network Engineer - Beloit College
tyler at beloit.edu
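As an added example (not part of the thread), a small Python check one could run over a captured raw message like the one above: it lists the leaf MIME parts, which shows that the captured mail carries no attachment at all, and flags attachment names with a document extension in front of an executable one, the pattern of the "signature file.doc.com" the Sophos report names. Both sample messages are constructed here; the executable-extension list is a general assumption, since only .com appears in the report.

```python
import email
import re
# Constructed sample: a trimmed copy of the clean multipart/alternative
# message quoted in the thread (sender anonymised as in the post).
CLEAN_MSG = """\
From: "xxxx xxx" <xxxxx@mail.uca.edu>
Subject: hello
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"

------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/plain; charset="iso-8859-1"

hi tim,
------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/html; charset="iso-8859-1"

<HTML><BODY>hi tim</BODY></HTML>
------=_NextPart_000_004A_01C2D34C.A69EDEC0--
"""

# Constructed sample: what the Sophos report describes, a message carrying
# an attachment named "signature file.doc.com". The payload is inert text.
WORM_MSG = """\
From: "xxxx xxx" <xxxxx@mail.uca.edu>
Subject: signature file
Content-Type: multipart/mixed; boundary="BOUNDARY-CONSTRUCTED"

--BOUNDARY-CONSTRUCTED
Content-Type: application/octet-stream; name="signature file.doc.com"
Content-Disposition: attachment; filename="signature file.doc.com"

not a real binary
--BOUNDARY-CONSTRUCTED--
"""

# Document-looking name ending in an executable extension. The extension
# list is a general assumption; only .com appears in the thread's report.
DOUBLE_EXT = re.compile(r"\.\w{1,4}\.(com|exe|pif|lnk|bat|scr)$", re.I)

def list_parts(raw):
    """(content-type, filename) for every leaf MIME part of a raw message."""
    msg = email.message_from_string(raw)
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]

def suspicious_attachments(raw):
    """Attachment names where a document extension hides an executable one."""
    return [fn for _, fn in list_parts(raw) if fn and DOUBLE_EXT.search(fn)]
```

Run against the message Tim captured, the first function returns only the text/plain and text/html alternatives with no filename, so whatever Sophos scanned was not this message as sent from her mailer.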
