Infected email, but I never see the message

In the past couple of days, I’ve gotten several warnings about infected incoming email, but I am confused about what is happening. Here is the last message I got:

Sign of “Win32:Trojan-gen {Other}” has been found in “Incoming email ‘Emailing: file8.zip’ From: Ben Gerdemann XXX@XXXX.net, To: Ben Gerdemann XXX@XXXX.net\file8.zip#1970799374\crack.exe” file.

The message is confusing because I wasn’t sending any email to myself and even though I let Avast pass this message (I didn’t delete it or put it in the chest), I never received this message in my Inbox. I searched my computer for file8.zip and crack.exe and didn’t find either. This isn’t the first time I got a message like this either. Previously I had warnings that I was sending files to a friend with a suspicious attachment (streamripperinst.exe) even though I wasn’t sending any messages, never heard of the file before, couldn’t find the file on my computer and my friend never received the suspicious messages even though I told Avast to let them through. Can someone clarify what is going on? I am using Windows Vista and Thunderbird 3.0 beta.

Cheers,
Ben

Mysteries… emails never sent, never received, files that never exist…
I’m empty, can’t guess what’s going on. Hope someone else could do it.
Welcome to avast forums.

It is a common tactic to have the from email address the same as the recipient (To address) as this sails through anti-spam measures as it generally accepts email from the user’s email accounts.

So no big mystery, just a tactic that failed to get past avast as it doesn’t give a stuff who it is from, they all get scanned.

I have an anti-spam application and I have a filter to flag all emails that supposedly come from Me and are to Me, imaginatively called MeMe, this is how common a spam tactic it is.

If this email did originate from your system either user or spambot generated, guess what, avast would have detected the infected attachment when you tried to send it, as it did when it was received.

The warnings are the same, some dumb email server that just looks at the from address and fires off an automated response (just delete them).

This type of thing is also used as a pre-emptive infection method by pretending an email you sent couldn’t be delivered, etc. open the attached email for details, etc. open it and bingo you could be in trouble.

OK, but that doesn’t really explain why I can’t see any evidence of these emails that my computer is supposedly sending and receiving. They appear nowhere in my email program, neither do the infected attachments and no one who was supposedly receiving them received anything. Avast provides so little information about what it found (no message headers, no body of the email message, no time stamp, just the to and from addresses and subject) that it’s only possible to guess where these phantom emails are coming from. In fact the messages that I allowed to pass through do not show up in any of the Avast logs (or my email software)! I did a complete scan using Avast, Norton Security Scan, Spyware Doctor and Windows Defender and found nothing. I’m calling bunk on Avast–I don’t think there’s anything here.

Because you didn’t send them, that is all about what I said, it is a trick to try and bypass anti-spam tools as they generally don’t block mail from your own email address.

This is the relevant paragraph, not the highlighted IF.

[b]If[/b] this email did originate from your system either user or spambot generated, guess what, avast would have detected the infected attachment when you tried to send it, as it did when it was received.

avast detected it before it gets into your inbox (in a transparent proxy so emails can be scanned), in the actions given on detection, which did you choose?

Any action other than no action (which would be a poor decision) wouldn’t let the email be delivered to your inbox.

Edit: I also notice your mention of doing a Norton Security Scan, do you also have Norton installed? Having two resident AVs installed isn’t recommended and can cause some conflicts which could present themselves in some very strange ways.

avast does not invent emails to scan. There is the possibility that you have been infected by an email spambot that is using your system to send out spam emails.

Setting the level of the Internet Mail provider to high should warn you if you are indeed sending out spam.

I think it might prove useful to create (for a while) an avast! log of your mail connections.

You can get the Internet Mail provider to log your connections by editing with Notepad the avast4.ini file (in Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file - you will be prompted by avast’s self defense mechanism to confirm that you want to alter the file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

OK, thanks to everyone who helped. I finally figured out what is going on.

I have a folder of old emails from 2006 in Thunderbird that I haven’t been looking at or touching in any way. For some reason Avast was scanning these old emails and found an infected file. I verified that the file really was infected, so Avast was doing its job correctly. The problem was the way Avast presented the error message. The message implied that the email was being sent at the time and not from the scan of an old archive. It didn’t report a time stamp, directory name, headers on the email or anything that would help identify where this was coming from. So kudos to Avast for finding an old virus I didn’t even know about, but a big thumbs down for reporting it in a confusing way.

Cheers,
Ben

gerdemb, thanks for reporting back. We do not like mysteries ;D

Neither do I. :) Where are you from in Brazil? I’m living in Curitiba right now…

The explanation does not ring true to me. It does not fit the facts or the way that avast works.

The error message reported in the first post is not an on-demand scan message. Avast will not be scanning inactive Thunderbird folders of its own accord and, in fact, avast does not understand the Thunderbird file structure. avast is totally incapable of finding a virus in a Thunderbird folder unless the virus is in the very first (usually the oldest) message of the folder. In which case avast is likely to mangle the folder into an unrecoverable mess.

(Just FYI … I test this every week - I do have viruses (real ones) deliberately stored in my Thunderbird archived mail folders. These folders are created by year so once the year is over the Thunderbird folder is not updated anymore and very rarely accessed. Every week they are scanned by avast and avast never finds the viruses).

I agree. My theory is that since I’m using IMAP where messages are stored on both the email server and email client, that Thunderbird was syncing old messages with the server which Avast saw as a message being sent or received. I think it’s valid for Avast to scan these messages, but it really needs to report them in a clearer way. If it had at least reported the date and body of the infected message I would have figured out what was going on pretty quickly. Instead I wasted a lot of time scanning my system for a non-existent spam and posting on this forum. :)

Cheers,
Ben

Ah, thanks for that - it certainly fits the facts much better.
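
Added example, not part of the thread or of avast: the warning gave only From, To, subject and attachment name, so this Python sketch finds which stored message carries a named attachment and reports its Date header, and flags messages whose From address also appears in To (the spoofing pattern described earlier in the thread). It assumes the folder is available as an mbox file, the format Thunderbird uses for locally stored folders; the function names, addresses and sample messages are constructed for illustration.

```python
import mailbox
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

def describe_attachment_hits(messages, wanted_names):
    """Return date/subject/sender context for messages carrying a named attachment."""
    wanted = {name.lower() for name in wanted_names}
    hits = []
    for index, msg in enumerate(messages):
        names = {(part.get_filename() or "").lower() for part in msg.walk()}
        matched = sorted(wanted & names)
        if not matched:
            continue
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        to_values = [str(v) for v in msg.get_all("To", [])]
        recipients = {addr.lower() for _, addr in getaddresses(to_values)}
        hits.append({
            "index": index,                       # position of the message in the folder
            "date": str(msg.get("Date", "")),     # the detail missing from the warning
            "subject": str(msg.get("Subject", "")),
            "from": sender,
            # From equals To: the self-addressed pattern described in the thread
            "self_addressed": bool(sender) and sender in recipients,
            "attachments": matched,
        })
    return hits

def scan_mbox(path, wanted_names):
    """Scan one mbox folder file; run it on a copy, with the mail client closed."""
    box = mailbox.mbox(path, create=False)
    try:
        return describe_attachment_hits(box, wanted_names)
    finally:
        box.close()

def sample_messages():
    """Constructed sample: one clean message, one self-addressed with file8.zip."""
    clean = EmailMessage()
    clean["From"], clean["To"] = "friend@example.org", "user@example.net"
    clean["Subject"], clean["Date"] = "Hello", "Mon, 13 Mar 2006 09:00:00 -0300"
    clean.set_content("No attachment here.")
    bad = EmailMessage()
    bad["From"], bad["To"] = "User <user@example.net>", "User <user@example.net>"
    bad["Subject"], bad["Date"] = "Emailing: file8.zip", "Tue, 14 Mar 2006 10:00:00 -0300"
    bad.set_content("See attachment.")
    bad.add_attachment(b"constructed bytes, not a real archive",
                       maintype="application", subtype="zip", filename="file8.zip")
    return [clean, bad]
```

Calling `scan_mbox` on a copy of each folder file with `["file8.zip"]` returns one entry per matching message, including its date and position in the folder.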