listserv email lists & avast

XXXXList is a listserv email list… set up with SubjectHDRS whose short headers would look similar to this:


From: me me@xyz.NET
To: XXXXList@LISTSERV_HOST.EDU
Subject: Re: [XXXXList] Messages
Date sent: Tue, 26 Apr 2005 12:24:19 -0500


A subscriber recently started using Avast… and now has the following problem… any suggestions… Please???:

“I use Outlook Express on an XP with avast Anti-virus protection. Only messages from XXXXList give me a warning. Details say “Suspicious whitespace sequence” What does that mean? How do I prevent it? Is it a setting from XXXXList? None of my other groups get it.”

If you left click on the Avast icon and select internet mail - then go to customize - then click onto the heuristics tab you will see the white space check. If you select customize on this tab you will have the option to disable the white space check. Now whether this is safe to do so I’m not sure. Or if you know the url of the mail sender you can allow that url as permitted and the check will not be carried out. I think that’s right; if I’ve made an error someone will be along soon to put me right… ;D

The white space check is reporting that an attachment has a large number of spaces (you can edit this figure) in the file name of the attachment. Why anyone would want to have a large number of spaces together in a file name for a legitimate use is beyond me.

It is usually used to confuse and hide the true intent of the attachment, e.g. “this-harmless-looking-file.txt .exe” that is why avast’s heuristics checking is flagging it.

Edit or leave as suggested by essexboy. However, disabling it does so for every email, known or unknown.
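The filename heuristic described in the post above, sketched as an added example (not part of the original thread and not avast's code): it walks a message's MIME parts with Python's standard `email` package and reports any declared attachment name that hides its real extension behind a run of whitespace. The threshold of 5, the function name and both sample messages are constructed assumptions.

```python
import os
import re
from email import message_from_string

MIN_RUN = 5  # assumed threshold; the thread notes avast's own figure is editable

def whitespace_padded_attachments(raw, min_run=MIN_RUN):
    """Return one finding per MIME part whose declared filename contains
    a run of at least min_run whitespace characters."""
    run = re.compile(r"\s{%d,}" % min_run)
    findings = []
    for part in message_from_string(raw).walk():
        # Content-Disposition filename, falling back to Content-Type name
        name = part.get_filename()
        if not name:
            continue
        match = run.search(name)
        if match:
            findings.append({
                "apparent_name": name[:match.start()],
                "real_extension": os.path.splitext(name)[1].lower(),
                "run_length": match.end() - match.start(),
            })
    return findings

# Constructed sample 1: the thread's example name, padded with 40 spaces.
PADDED = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="this-harmless-looking-file.txt'
    + " " * 40 + '.exe"\n\nAAAA\n--b1--\n'
)

# Constructed sample 2: single-part text/plain list post with an indented footer.
LIST_POST = (
    "Subject: Re: [XXXXList] Messages\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="Windows-1252"\n'
    "\n"
    "Thank you\n\n"
    + " " * 13 + "To LEAVE the list.. and other commands:\n"
)

if __name__ == "__main__":
    print(whitespace_padded_attachments(PADDED))     # one finding, real extension .exe
    print(whitespace_padded_attachments(LIST_POST))  # no attachment name, so no findings
```

A check limited to attachment names returns nothing for a single-part text/plain message, however much whitespace its body contains.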

hmm… well attachments can not come through the listserv email list as it’s configured… and this appears to be happening with every post this subscriber gets from the list.

The whitespace sequence could be detected elsewhere than the attachment file name.
Maybe the subject… Do you know if it’s a URL frame that is making this error (does the warning say anything more than you’ve posted before)?

Ok, is it possible that the listserv email lists just have the email content without an attachment, but if there is an attachment for that email, then the attachment name would be in the email’s header information.

Because the white space check is only done on the attachment name, not the subject, etc. So the attachment name could only be checked either in the email headers or the actual attachment.

Other than this I’m baffled as to where the heuristic white space warning is coming from.

Oopss… David is correct again. My fault, sorry :-[

Nope… no attachments can get through to subscribers the way this listserv email list is configured, unless they are html or text and html isn’t allowed (hotmail’s gets through, but not as an attachment…which is why it gets through >:( )

What I posted is pretty much what is seen in a typical list post’s header …

No problem, now there’s something, different me being right ;D

What I said though is based on summation as I don’t know where avast looks to check the attachment file name for the white space check. Unless there is some other undocumented white space check other than the attachment file name.

Whilst the attachments may not get through, if there was one then there would be a reference to it in the original email headers. So unless the listserv is stripping header information (which I would doubt), then there could be a reference to the original attachment file name.

What you posted doesn’t appear to be an email header, just what appears at the top of an email.

This is what an email header might look like, you should also see reference to avast’s anti-virus check:

Return-Path:
Received: from msgrouter1.edited (msgrouter1.edited [edited ]) by mail04.edited (Mirapoint) with ESMTP id AFY60634; Mon, 17 Jun 2002 00:00:46 +0100 (BST)
Received: from mail.edited ([edited ]) by msgrouter1.edited (Mirapoint) with ESMTP id CQA19718; Sun, 16 Jun 2002 23:59:55 +0100 (BST)
Received: from david [213.121.71.161] by mail.edited (SMTPD32-7.06) id A8CBC1B00202; Mon, 17 Jun 2002 00:01:31 +0100
Message-ID: <003801c21589$b9297540$a14779d5@david>
Reply-To: "DavidR"
From: "DavidR"
To: "edited "
Subject: edited - Conference Call Schedule
Date: Mon, 17 Jun 2002 00:00:18 +0100
Organization: .
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0032_01C21591.F770C800"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Hi… I know that wasn’t the full message… thought I stated it was the short header…

Here’s a full one with particulars (domains, userids) changed: this is from the one subscriber using Avast … and having to OK every post from the email list she gets… including her own… such as the one below:

Return-Path: owner-XXXXList@LISTSERV.HOST.EDU
Delivered-To: me@that.user
Received: (qmail 29191 invoked from network); 27 Apr 2005 03:26:40 -0000
Received: from unknown (HELO LISTSERV.HOST.edu) (149.68.45.24)
by station192.com with SMTP; 27 Apr 2005 03:26:40 -0000
Received: from LISTSERV.HOST.edu (149.68.45.24) by LISTSERV.HOST.edu (LSMTP for OpenVMS v1.1a) with SMTP id 10.952D1CA3@LISTSERV.HOST.edu; Tue, 26 Apr 2005 22:27:24 -0500
Received: from LISTSERV.HOST.EDU by LISTSERV.HOST.EDU (LISTSERV-TCP/IP
release 1.8d) with spool id 3088369 for
XXXXList@LISTSERV.HOST.EDU; Tue, 26 Apr 2005 22:27:23 -0500
Received: from mail4.ipns.com (208.187.190.24) by LISTSERV.HOST.edu (LSMTP
for OpenVMS v1.1a) with SMTP id 8.93C69CE5@LISTSERV.HOST.edu;
Tue, 26 Apr 2005 22:27:21 -0500
Received: from subscribersHP (dialup-ras6-29.pdx.or.uspops.net [216.239.177.29])
(authenticated bits=0) by mail4.ipns.com (8.12.10/8.12.10) with ESMTP
id j3R3QMfE008602 for XXXXList@LISTSERV.HOST.EDU; Tue, 26 Apr
2005 20:26:24 -0700
References: 426E32F3.21552.9B149F@localhost 426E6EE7.2292.18545FD@localhost
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 0517-1, 04/26/2005), Outbound message
X-Antivirus-Status: Clean
Message-ID: 000f01c54ad8$e13c8b80$1db1efd8@KathysHP
Date: Tue, 26 Apr 2005 20:25:52 -0700
Reply-To: XXXXList XXXXList@LISTSERV.HOST.EDU
Sender: XXXXList XXXXList@LISTSERV.HOST.EDU
From: SUBSCRIBER subscriber@OREGONSBEST.COM
Subject: Re: [XXXXList] Messages/ Avast
To: XXXXList@LISTSERV.HOST.EDU
X-PMFLAGS: 34078848 0 1 P2I5FLUS.CNM

Thank you, Scout,

I get that response to every XXXXList message but not to any other messages.

subscriber

[[snip quotes]]

             To LEAVE the list.. and other commands:
             http://www.skally.net/XXXXList/faq.html
                  XXXXList (XXXXList Chat) chat room:
          http://autos.groups.yahoo.com/group/XXXXList/

Sorry, I missed the bit about the short headers.

That is very weird as I can see nothing there that should trigger the whitespace sequence check and there is no attachment (nor a reference to one) in that email. Even stranger that it came from an avast user and has been checked and the header stamped as clean.

Unless Alwil can come up with why this might trigger the whitespace sequence alert, you may have to untick that check. Whilst that is not ideal, if an attachment was infected it wouldn’t matter how many whitespaces were there it should get detected, assuming it is one that avast recognises.

cleok: Could you please send me whole message that causes it (as eml) to sedina@avast.com? I will analyze it. thanks! pavels

Done Pavels … of note… this isn’t the only listserv host that is experiencing this problem… there was at least one other thread on these boards about it… perhaps more without “listserv” being mentioned.

THANKS!