False Positive ?

Tim Tyler tyler at beloit.edu
Mon Feb 17 15:33:31 GMT 2003


Mike,
  Thanks! Yes, I didn't think about it, but every time she sends a message,
a blind one might be getting sent through the hidden virus smtp.  I will
take that possibility up with her. -thanks again!
 Tim

>
>>The virus detector said this about the message:
>>Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature file.doc
>
>This is what makes me think that Sircam itself is sending the message and
>not her MUA...signature file.doc
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of Tim Tyler
>Sent: Friday, February 14, 2003 4:55 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: False Positive ?
>
>
>Mike, Others,
>    Yes, but two things make me think otherwise.  1. She does send to us
>manually and it triggers that response back to her.  2. I had her send to
>us at another smtp server where we don't have mailscanner.  Naturally, she
>doesn't get a mailscanner response, but I also can't find any virus within
>it.  It looks clean to me.  Her content is below for examination.  I
>suspect that something is triggering a warning response.  It's also
>peculiar, because we configured mailscanner to drop any messages with
>viruses and only notify the sender.  Her messages always get through.  She
>just gets a warning response as described below.  Do warnings get treated
>differently?   There really isn't that much to her message.  No attachments
>that I can see.
>  Tim
>
>At 04:35 PM 2/14/2003 -0600, you wrote:
>>I'd read up on Sircam:
>>
>>http://www.sophos.com/virusinfo/analyses/w32sircama.html
>>
>>Since Sircam has its own SMTP engine, she doesn't even have to be sending
>>out the email manually.  Sircam, also being network aware, I'd have her
>>people check their whole network.  The attachment that Sophos is catching is
>>coming from somewhere.
>>
>>Mike
>>
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>>Of Tim Tyler
>>Sent: Friday, February 14, 2003 4:23 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: False Positive ?
>>
>>
>>MailScanner experts,
>>   We are running mailscanner 2.6 on an aix 4.3 system along with Sophos
>>engine.  It has been running fine for more than a year without any real
>>issues.  I just received a complaint from an outside site where the sender
>>claims that they send very simple messages (no attachments and signature
>>turned off).  However, she always gets back the following response.
>>------------------
>>  MailScanner <root at beloit.edu> wrote:Date: Wed, 12 Feb 2003 15:26:34 -0600
>>From: "MailScanner"
>>To:
>>Subject: Warning: E-mail viruses detected
>>Our virus detector has just been triggered by a message you sent:-
>>To:
>>Subject: signature file
>>Date: Wed Feb 12 15:26:34 2003
>>Any infected parts of the message have not been delivered.
>>This message is simply to warn you that your computer system may have a
>>virus present and should be checked.
>>The virus detector said this about the message:
>>Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature file.doc.com
>>--
>>MailScanner
>>Email Virus Scanner
>>------------------------------------------------- end of message.
>>
>>   Currently we have mailscanner configured to simply delete any message that
>>is determined to have a virus and simply send notification back to the
>>sender.  So she always gets the above message.  They can't find any viruses
>>on her computer.  I had her send me a message to a smtp server without any
>>mailscanner intercept so that I would get the entire message without any
>>filtering:  Below is the raw message with her name replaced by xxxxx:
>> >From xxxxx at mail.uca.edu Thu Feb 13 10:43:13 2003
>>Received: from list.uca.edu (list.uca.edu [161.31.208.98])
>>         by www.beloit.edu (8.11.6/8.11.6) with ESMTP id h1DGhCf22588
>>         for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:43:12 -0600
>>Received: from localhost (list.uca.edu [127.0.0.1])
>>         by list.uca.edu (Postfix) with ESMTP id F2AB049F5
>>         for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
>>Received: from mail.uca.edu (mail.uca.edu [161.31.208.25])
>>         by list.uca.edu (Postfix) with ESMTP id 415194822
>>         for <tylert at www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
>>Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48);
>>     13 Feb 03 10:43:18 -0600
>>Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600
>>Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48);
>>     13 Feb 03 10:42:49 -0600
>>Message-ID: <004d01c2d37e$f14a17a0$6f781fa1 at uca.edu>
>>From: "xxxx xxx" <xxxxx at mail.uca.edu>
>>To: <tylert at www.beloit.edu>
>>Subject: hello
>>Date: Thu, 13 Feb 2003 10:42:48 -0600
>>MIME-Version: 1.0
>>Content-Type: multipart/alternative;
>>         boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>>X-Virus-Scanned: by AMaViS new-20020517
>>Status: OR
>>This is a multi-part message in MIME format.
>>------=_NextPart_000_004A_01C2D34C.A69EDEC0
>>Content-Type: text/plain;
>>         charset="iso-8859-1"
>>Content-Transfer-Encoding: quoted-printable
>>hi tim,=20
>>here's the message, the funny thing is, all the people I normally email =
>>everyday aren't having any problems.. just people i've never heard of!!  =
>>alli=20
>>------=_NextPart_000_004A_01C2D34C.A69EDEC0
>>Content-Type: text/html;
>>         charset="iso-8859-1"
>>Content-Transfer-Encoding: quoted-printable
>><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
>>hi tim,
>>here's the message, the funny thing is, = all the=20 people I normally
>>email everyday aren't having any problems.. just = people i've=20 never
>>heard of!!
>>alli
>>------=_NextPart_000_004A_01C2D34C.A69EDEC0--
>>----------------------------------------------
>>Is there any reason why the above email message would result in triggering
>>the former mailscanner response?
>>Tim Tyler
>>Network Engineer - Beloit College
>>tyler at beloit.edu
>
>Tim Tyler
>Network Engineer - Beloit College
>tyler at beloit.edu
>


--
Tim Tyler
Network Manager - Beloit College
tyler at beloit.edu
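An added example (Python, not from this thread or from MailScanner) that walks a raw message's MIME parts the way a scanner does: a constructed message mirroring the clean multipart/alternative one she sends by hand has only text parts, while a constructed message of the kind a worm's own SMTP engine would send in her name carries an attachment whose real extension hides behind ".doc", the pattern the warning names. Addresses, names and both message bodies are placeholders.

```python
# Added example, not from the thread: flag attachments whose final extension is executable.
import email
from email import policy

EXEC_EXTS = (".com", ".exe", ".pif", ".scr", ".bat")  # real type hidden behind ".doc"
# Constructed: mirrors the clean multipart/alternative message she sent by hand.
CLEAN_MSG = b"""\
From: alli <xxxxx@mail.example.edu>
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: text/plain; charset="iso-8859-1"

hi tim, here's the message
--alt
Content-Type: text/html; charset="iso-8859-1"

<html><body>hi tim, here's the message</body></html>
--alt--
"""

# Constructed: what a worm's own SMTP engine would send in her name to strangers.
WORM_MSG = b"""\
From: alli <xxxxx@mail.example.edu>
To: <stranger@example.org>
Subject: signature file
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/plain; charset="iso-8859-1"

please see the attached file
--mix
Content-Type: application/octet-stream; name="signature file.doc.com"
Content-Disposition: attachment; filename="signature file.doc.com"

not real code
--mix--
"""

def leaf_parts(raw):
    """Return (content-type, filename) for every non-multipart MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]

def risky_attachments(raw):
    """Names whose last extension is executable, whatever precedes it."""
    return [name for _, name in leaf_parts(raw)
            if name and name.lower().endswith(EXEC_EXTS)]
```

Because the scanner notifies the address in From:, the warning reaches her even though the infected machine, not her MUA, produced the attachment.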


