False Positive ?

Tim Tyler tyler at BELOIT.EDU
Fri Feb 14 22:55:09 GMT 2003


Mike, Others,
    Yes, but two things make me think otherwise.  1. She does send to us
manually and it triggers that response back to her.  2. I had her send to
us at another SMTP server where we don't have MailScanner.  Naturally, she
doesn't get a MailScanner response, but I also can't find any virus within
it.  It looks clean to me.  Her content is below for examination.  I
suspect that something is triggering a warning response.  It's also
peculiar, because we configured MailScanner to drop any messages with
viruses and only notify the sender.  Her messages always get through.  She
just gets a warning response as described below.  Do warnings get treated
differently?  There really isn't that much to her message.  No attachments
that I can see.
  Tim

At 04:35 PM 2/14/2003 -0600, you wrote:
>I'd read up on Sircam:
>
>http://www.sophos.com/virusinfo/analyses/w32sircama.html
>
>Since Sircam has its own SMTP engine, she doesn't even have to be sending
>out the email manually.  Sircam, also being network aware, I'd have her
>people check their whole network.  The attachment that Sophos is catching is
>coming from somewhere.
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of Tim Tyler
>Sent: Friday, February 14, 2003 4:23 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: False Positive ?
>
>
>MailScanner experts,
>   We are running MailScanner 2.6 on an AIX 4.3 system along with the Sophos
>engine.  It has been running fine for more than a year without any real
>issues.  I just received a complaint from an outside site where the sender
>claims that they send very simple messages (no attachments and signature
>turned off).  However, she always gets back the following response.
>------------------
>  MailScanner <root at beloit.edu> wrote:
>Date: Wed, 12 Feb 2003 15:26:34 -0600
>From: "MailScanner"
>To:
>Subject: Warning: E-mail viruses detected
>Our virus detector has just been triggered by a message you sent:-
>To:
>Subject: signature file
>Date: Wed Feb 12 15:26:34 2003
>Any infected parts of the message have not been delivered.
>This message is simply to warn you that your computer system may have a
>virus present and should be checked.
>The virus detector said this about the message:
>Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature file.doc.com
>--
>MailScanner
>Email Virus Scanner
>------------------------------------------------- end of message.
>
>   Currently we have MailScanner configured to simply delete any message that
>is determined to have a virus and send a notification back to the
>sender.  So she always gets the above message.  They can't find any viruses
>on her computer.  I had her send me a message to an SMTP server without any
>MailScanner intercept so that I would get the entire message without any
>filtering.  Below is the raw message with her name replaced by xxxxx:
> >From xxxxx at mail.uca.edu Thu Feb 13 10:43:13 2003
>Received: from list.uca.edu (list.uca.edu [161.31.208.98])
>         by
>www.beloit.edu
>(8.11.6/8.11.6) with ESMTP id h1DGhCf22588
>         for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:43:12 -0600
>Received: from localhost (list.uca.edu [127.0.0.1])
>         by list.uca.edu (Postfix) with ESMTP id F2AB049F5
>         for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
>Received: from mail.uca.edu (mail.uca.edu [161.31.208.25])
>         by list.uca.edu (Postfix) with ESMTP id 415194822
>         for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
>Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48);
>     13 Feb 03 10:43:18 -0600
>Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600
>Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48);
>     13 Feb 03 10:42:49 -0600
>Message-ID: <004d01c2d37e$f14a17a0$6f781fa1 at uca.edu>
>From: "xxxx xxx" <xxxxx at mail.uca.edu>
>To: <tylert at www.beloit.edu>
>Subject: hello
>Date: Thu, 13 Feb 2003 10:42:48 -0600
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>X-Virus-Scanned: by AMaViS new-20020517
>Status: OR
>This is a multi-part message in MIME format.
>------=_NextPart_000_004A_01C2D34C.A69EDEC0
>Content-Type: text/plain;
>         charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>hi tim,=20
>here's the message, the funny thing is, all the people I normally email =
>everyday aren't having any problems.. just people i've never heard of!!  =
>alli=20
>------=_NextPart_000_004A_01C2D34C.A69EDEC0
>Content-Type: text/html;
>         charset="iso-8859-1"
>  ------=_NextPart_000_004A_01C2D34C.A69EDEC0
>Content-Type: text/html;
>         charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
>hi tim,
>here's the message, the funny thing is, = all the=20 people I normally
>email everyday aren't having any problems.. just = people i've=20 never
>heard of!!
>alli
>------=_NextPart_000_004A_01C2D34C.A69EDEC0--
>----------------------------------------------
>Is there any reason why the above email message would result in triggering
>the former MailScanner response?
>Tim Tyler
>Network Engineer - Beloit College
>tyler at beloit.edu

Tim Tyler
Network Engineer - Beloit College
tyler at beloit.edu
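The check Tim is doing by hand above (walk the MIME parts of the raw message, confirm there is no attachment, compare against the filename in the scanner report) can be scripted. The following is an added example, not code from the thread or from MailScanner; it uses only Python's standard email library. Both sample messages are constructed for this example: CLEAN_MESSAGE is modeled on the multipart/alternative message quoted above, and ATTACHMENT_MESSAGE is a hypothetical message that carries an attachment named like the file in the Sophos report, so the two cases can be compared. The list of executable extensions is an assumption chosen for illustration.

```python
"""Walk the MIME parts of a raw message and flag attachment names with a
double extension whose last part is executable (e.g. "signature file.doc.com").

Added example, not code from the MailScanner thread. CLEAN_MESSAGE and
ATTACHMENT_MESSAGE are constructed sample inputs; EXECUTABLE_EXTENSIONS is an
assumed list chosen for illustration.
"""
import email
import os
from email import policy

# Assumption: extensions Windows treats as executable and that double-extension
# worms of the Sircam era stacked onto a stolen document's name.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".pif", ".bat", ".lnk", ".scr"}

# Constructed: modeled on the text+html multipart/alternative message in the thread.
CLEAN_MESSAGE = b"""From: "xxxx xxx" <xxxxx@mail.uca.edu>
To: <tylert@www.beloit.edu>
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"

This is a multi-part message in MIME format.

------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

hi tim,=20
here's the message, the funny thing is, all the people I normally email =
everyday aren't having any problems.. just people i've never heard of!!  =
alli=20

------=_NextPart_000_004A_01C2D34C.A69EDEC0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body>hi tim, here's the message.</body></html>

------=_NextPart_000_004A_01C2D34C.A69EDEC0--
"""

# Constructed: a hypothetical message with an attachment named like the file in
# the scanner report. The payload is the base64 of the word "placeholder".
ATTACHMENT_MESSAGE = b"""From: sender@example.invalid
To: <tylert@www.beloit.edu>
Subject: signature file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body text
--b1
Content-Type: application/octet-stream; name="signature file.doc.com"
Content-Disposition: attachment; filename="signature file.doc.com"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""


def list_parts(raw):
    """Return (content_type, filename, decoded_size) for every leaf MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.walk():
        if part.is_multipart():  # containers carry no payload of their own
            continue
        payload = part.get_payload(decode=True) or b""
        records.append((part.get_content_type(), part.get_filename(), len(payload)))
    return records


def double_extension(filename):
    """True when an executable extension is stacked on top of another one."""
    stem, last = os.path.splitext(filename)
    _, inner = os.path.splitext(stem)
    return last.lower() in EXECUTABLE_EXTENSIONS and bool(inner)


def suspicious_attachments(raw):
    """Attachment filenames in the message that look like stacked extensions."""
    return [name for _, name, _ in list_parts(raw) if name and double_extension(name)]


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("attachment", ATTACHMENT_MESSAGE)):
        print(label)
        for ctype, name, size in list_parts(raw):
            print(f"  {ctype:28} {name!r:30} {size} bytes")
        print("  suspicious:", suspicious_attachments(raw))
```

Run against the clean message the script lists two inline text parts with no filename and reports nothing suspicious, which is the situation described in the thread; only the constructed second message produces a hit, and it does so on the filename alone, before any signature scan. Feeding the real captured message (saved from the non-MailScanner SMTP server) through list_parts is the quickest way to confirm whether a part named anything like the reported file is actually present.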
