<html>
MailScanner experts,<br>
We are running MailScanner 2.6 on an AIX 4.3 system along with
the Sophos engine. It has been running fine for more than a year
without any real issues. I just received a complaint from an
outside site where the sender claims that they send very simple messages
(no attachments and signature turned off). However, she always gets
back the following response.<br>
------------------<br>
MailScanner <root@beloit.edu> wrote:Date: Wed, 12 Feb 2003
15:26:34 -0600<br>
From: "MailScanner" <br>
To: <br>
Subject: Warning: E-mail viruses detected<br><br>
Our virus detector has just been triggered by a message you sent:-<br>
To: <br>
Subject: signature file<br>
Date: Wed Feb 12 15:26:34 2003<br>
Any infected parts of the message have not been delivered.<br><br>
This message is simply to warn you that your computer system may have
a<br>
virus present and should be checked.<br><br>
The virus detector said this about the message:<br>
Report: >>> Virus 'W32/Sircam-A' found in file
./h1CLQDb23038/signature file.doc<br>
.com<br><br>
--<br>
MailScanner<br>
Email Virus Scanner<br>
------------------------------------------------- end of
message.<br><br>
<br>
Currently we have MailScanner configured to simply delete any
message that is determined to have a virus and simply send a notification
back to the sender. So she always gets the above message.
They can't find any viruses on her computer. I had her send me a
message to an SMTP server without any MailScanner intercept so that I
would get the entire message without any filtering. Below is the
raw message with her name replaced by xxxxx:<br><br>
From xxxxx@mail.uca.edu Thu Feb 13 10:43:13 2003<br>
Received: from list.uca.edu (list.uca.edu [161.31.208.98])<br>
by
<a href="http://www.beloit.edu/" eudora="autourl">www.beloit.edu</a>
(8.11.6/8.11.6) with ESMTP id h1DGhCf22588<br>
for <tylert@www.beloit.edu>; Thu, 13 Feb 2003 10:43:12 -0600<br>
Received: from localhost (list.uca.edu [127.0.0.1])<br>
by list.uca.edu (Postfix) with ESMTP id F2AB049F5<br>
for <tylert@www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)<br>
Received: from mail.uca.edu (mail.uca.edu [161.31.208.25])<br>
by list.uca.edu (Postfix) with ESMTP id 415194822<br>
for <tylert@www.beloit.edu>; Thu, 13 Feb 2003 10:45:45 -0600 (CST)<br>
Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48);<br>
13 Feb 03 10:43:18 -0600<br>
Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600<br>
Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48);<br>
13 Feb 03 10:42:49 -0600<br>
Message-ID: <004d01c2d37e$f14a17a0$6f781fa1@uca.edu><br>
From: "xxxx xxx" <xxxxx@mail.uca.edu><br>
To: <tylert@www.beloit.edu><br>
Subject: hello<br>
Date: Thu, 13 Feb 2003 10:42:48 -0600<br>
MIME-Version: 1.0<br>
Content-Type: multipart/alternative;<br>
boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"<br>
X-Priority: 3<br>
X-MSMail-Priority: Normal<br>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000<br>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000<br>
X-Virus-Scanned: by AMaViS new-20020517<br>
Status: OR<br><br>
This is a multi-part message in MIME format.<br><br>
------=_NextPart_000_004A_01C2D34C.A69EDEC0<br>
Content-Type: text/plain;<br>
charset="iso-8859-1"<br>
Content-Transfer-Encoding: quoted-printable<br><br>
hi tim,=20<br>
here's the message, the funny thing is, all the people I normally email =<br>
everyday aren't having any problems.. just people i've never heard of!! =<br><br>
alli=20<br><br>
------=_NextPart_000_004A_01C2D34C.A69EDEC0<br>
Content-Type: text/html;<br>
charset="iso-8859-1"<br>
------=_NextPart_000_004A_01C2D34C.A69EDEC0<br>
Content-Type: text/html;<br>
charset="iso-8859-1"<br>
Content-Transfer-Encoding: quoted-printable<br><br>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><br>
<HTML><HEAD><br>
<META http-equiv=3DContent-Type content=3D"text/html; =<br>
charset=3Diso-8859-1"><br>
<META content=3D"MSHTML 6.00.2716.2200" name=3DGENERATOR><br>
<STYLE></STYLE><br>
</HEAD><br>
<BODY bgColor=3D#ffffff><br>
<DIV><FONT face=3DArial size=3D2>hi tim, </FONT></DIV><br>
<DIV><FONT face=3DArial size=3D2>here's the message, the funny thing is, =<br>
all the=20<br>
people I normally email everyday aren't having any problems.. just =<br>
people i've=20<br>
never heard of!!&nbsp; </FONT></DIV><br>
<DIV><FONT face=3DArial size=3D2>alli </FONT></DIV></BODY></HTML><br><br>
------=_NextPart_000_004A_01C2D34C.A69EDEC0--<br><br>
<br>
----------------------------------------------<br>
<b>Is there any reason why the above email message would result in triggering the former MailScanner response?<br><br>
<br>
</b><x-sigsep><p></x-sigsep>
Tim Tyler<br>
Network Engineer - Beloit College<br>
tyler@beloit.edu</html>