As others have posted, I am having a BIG problem with what has been described as ‘false positives’ in emails which Avast (Home Edition 4.7) is scanning. Emails with attachments (as a general rule these are .JPGs) are having the attachments stripped from them before the message is allowed to proceed into Outlook Express. Below are the particulars and workarounds I have tried.
OS is Windows XP Home edition (Updated automatically)
Email program is Outlook Express
Processor is 1.8 Ghz Pentium
Memory is 512 M
Antivirus Program is Avast Home Edition 4.7 (Updated automatically)
Other security programs include:
Spybot Search and Destroy, Hijack This, AdAware SE, Spyware Blaster
Having read several posts describing the same problem here on the forum, I decided to try a few experiments to isolate the problem. First I downloaded and installed Mozilla’s Thunderbird email program (an alternative to Outlook Express). Then, using a Yahoo ID and Yahoo Email, sent myself a test message with a .JPG attachment. After sending this I logged on to my ISP email USING THUNDERBIRD and Avast immediately popped up the same Virus warning as had appeared in Outlook Express. The only options Avast offers are ‘Delete’ or ‘Continue’. Obviously clicking on Delete would delete the entire message so I clicked on ‘Continue’. The message was then downloaded to my inbox, but MINUS THE ATTACHMENT.
I logged off of Thunderbird and logged back in to my ISP email using Outlook Express. Next, I sent the same message (from Yahoo mail, and with the same attachment) to myself again. Avast immediately threw up another virus warning as it had on my first attempt. Instead of clicking on anything in the warning window, THIS time I logged on to BellSouth’s web based email. At this point it is important to note messages remain on the ISP’s mail server until Outlook Express accesses the server and transfers the messages there into the subscriber’s PC. Since I had not yet taken any option on Avast’s virus warning message, the original message I had sent myself was still intact on the ISP’s web based email server. I was able to read the message on the web based server AND view the attachment. Having proven that the message and the attachment were actually there, I logged OFF of the web based server and clicked on ‘Continue’ in Avast’s warning message. The message itself was downloaded, but the attachment had been stripped off.
Since this more or less proves that the problem is NOT within Outlook Express, it seems to isolate the problem to be in one of two places - It’s either within Avast, or within BellSouth’s services. I am curious as to what others who are experiencing the same problem have found out about it, and what they have been advised is being done to remedy this error.
Well if we can believe tech support @ BellSouth (which is located in India ;D ), they say nothing has changed as far as the headers go.
The fact that I can send the same message FROM BellSouth (using OE) with the SAME attachment… and it gets through ok, tells me it’s not a BellSouth problem. I get the message AND the attachment.
I know you asked for further input from those experiencing the problem but …
It is worth noting that not all folks using avast and receiving mail from Yahoo (in Thunderbird or Outlook Express) are using BellSouth and we are not seeing error reports from them.
I have conducted some tests with my Yahoo account and receiving those messages through my ISP (Comcast) on both Thunderbird and Outlook Express. None provoke the warning from avast.
BellSouth users have reported receiving the warnings on messages from services other than Yahoo.
It is interesting (but not surprising) that BellSouth users only report the errors on messages originating from outside BellSouth. Messages BellSouth users send to themselves almost certainly do not go through the same antispam checking and updating as messages originating from outside.
The avast Internet Mail provider does not know which mail client is being used, it just knows that port 110 is being used to receive email and it scans it. As far as avast is concerned, there is no difference between the mail clients.
The only common factor that appears here is that all the warnings are occurring on emails received through the BellSouth email service.
As opposed to alanrf, I don’t think there have been ANY changes in the mail scanner, regarding the multiple-mime-header type of thing (not even back in 2005). Such emails ARE suspicious, and there’s no plan to remove this check a.t.m. Maybe alanrf was referring to the iFrame check? (which indeed changed)
I absolutely refuse to believe that avast strips any attachments from the email (unless it reports a virus and you tell it to “Delete”, “Move to Chest” etc). That is, if you can’t access an attachment e.g. in Outlook Express (and avast is either disabled or doesn’t produce an alarm) it’s more likely the “security” feature of OE that’s blocking the attachment - OR someone/something EN ROUTE has crippled your message (e.g. your ISP, i.e. Bellsouth). The fact that (as someone here already wrote) the attachments come as inline text in the message body really suggests that the messages are getting somehow corrupted (and this can then trigger the avast heuristic alert) BUT this is not done by avast itself, the messages are already coming like this from your ISP.
Could someone (who’s using Outlook Express) please do Save As on such a message, save it in the EML format, then ZIP it and send it to my email address for inspection?
I use OE, I have an email that did not have an attachment and still sounded the alarm. (I posted a copy in the other thread but changed last names in email addys).
I sent an email to tech support for BellSouth. Not sure it will do any good, but can’t hurt.
Dear Sir or Madam,
I use Avast AV (anti-virus). There are a number of Avast users who are having trouble with false alarms on emails. It’s only with BellSouth customers. We’ve been testing for 2 days trying to nail this down. An email from another Bellsouth customer comes thru fine with no alarm. But emails from Yahoo or Prodigy (and possibly more) are alarming under a heuristic detection with the message, “Multiple Content-Type header - HIGH DANGER!.” If it has an attachment (and this is only for ISPs other than BellSouth) it is stripped or changed to garbage or text and placed within the body of the email.
Have there been any changes to the way email is handled when coming from other ISPs? Is the anti-spam filter possibly changing or adding something?
Indeed, the email is malformed. Namely, the end of the message header block lacks the blank line (as is dictated by RFC 822).
The last line of the message header is
X-SOURCE-IP: [192.168.16.145]
After this line, there should have been a blank line (separating the header from the message body) - but there isn’t one. That’s also why the message is not rendered correctly.
To me, it seems that Bellsouth has some kind of mail filter installed on their mail server, and this filter corrupts all emails by stripping the blank line from the end of the header section.
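The malformation described above, a header block that runs straight into the body with no blank line, can be checked mechanically on a saved EML file. This is an added example, not part of the original posts and not avast's detection logic; the sample messages are constructed, with only the X-SOURCE-IP line taken from the thread. It also shows that a reader which treats everything up to the first blank line as the header would count two Content-Type fields in the damaged message.

```python
import re

# RFC 822 field line: a name made of printable characters other than ':' or space, then ':'.
FIELD = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")

def check_header_block(raw):
    """Return (separator_present, last_header_line, body_start_index)."""
    lines = raw.splitlines()
    last = None
    for i, line in enumerate(lines):
        if line == "":
            return True, last, i + 1      # blank line ends the header block
        if line[0] in " \t" and last is not None:
            continue                      # folded continuation of the previous field
        if FIELD.match(line):
            last = line
            continue
        return False, last, i             # body text reached with no blank line first
    return True, last, len(lines)         # headers only, no body to separate

def fields_before_first_blank(raw, name="content-type"):
    """Count `name` fields as seen by a reader that stops only at the first blank line."""
    count = 0
    for line in raw.splitlines():
        if line == "":
            break
        if line.lower().startswith(name + ":"):
            count += 1
    return count

# Constructed sample messages; only the X-SOURCE-IP line is quoted from the thread.
HEADERS = (
    "From: sender@example.com\r\n"
    "Subject: photo\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "X-SOURCE-IP: [192.168.16.145]\r\n"
)
PART = (
    "--b1\r\n"
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    "/9j/4AAQSkZJRg==\r\n"
    "--b1--\r\n"
)
GOOD = HEADERS + "\r\n" + PART
BROKEN = HEADERS + PART  # separator stripped, as described in the post
for label, msg in (("good", GOOD), ("broken", BROKEN)):
    print(label, check_header_block(msg), fields_before_first_blank(msg))
```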
I’ve copied your post and included it in an email to BellSouth. I hope they will do something about it. My first response from them was to contact Tech support at their 800 number… the folks in India. I told them I’ve already talked to them about it and they knew nothing about it.
I have told my system to “leave messages on the server”. I look in OE and the attachments are not there. I go to Bellsouth server and you can view the attachments. It’s got to be in the way Bellsouth transfers to Outlook Express. Funny, I forwarded an email from a yahoo user with an attachment to myself. I went to OE and there it was with complete attachment. It is just something with the Yahoo and a few others like Prodigy.
I just received 5 forwards. However, this one different from the rest was not a forward yet still when I brought it in there is NO message content. Again a YAHOO sender yet NOT a forward…just to me alone. I’m believing more and more that the problem has dwindled down to a Yahoo/BellSouth problem. I vaguely remember having one before. Comodo catching them as spam is all that has happened to me for 2 days…none of the flashing, talking message with Avast on its face.
From Source of the one message that was directly to me…not a forward.
We know this is not just a Yahoo/BellSouth problem - Rick F. has the same errors from a user on Prodigy.net.
I already posted an explanation that this problem will almost certainly not occur when you forward messages to yourself inside BellSouth because it will not be subjected to the same spam filtering that outside mail gets. I would hazard a guess that it is the spam filtering and the insertion by BellSouth of the spam filter header line into the message that is causing the problem for some domains delivering to BellSouth.
Appreciate the info VLK. I’ve referred this to BellSouth along with a link to the forum here and in particular to your reply. Maybe they’ll get serious about trying to fix this if enough of us take similar action.
While working with a BellSouth technician about this problem he requested that I send MYSELF a test message with an attachment from Outlook Express. I tried it and it worked. He also suggested that until this problem is solved, it might be a good idea to use the option to leave the messages on the server. It COULD actually be that YAHOO is the culprit in corrupting the files that are being flagged as a virus.
There is yet to be an instance of a message being sent from a BellSouth account to another BellSouth account having an error. I have already explained why they are unlikely to.
The errors are being seen from other sources than Yahoo too.
When you send an email to someone other than a bellsouth user, from a yahoo site, even with an attachment, it goes through fine. I sent one from yahoo to a wildblue.net address with an attachment and this person has Avast. It went through fine. Seems to me if it was a yahoo problem, it would be with someone other, and more than just Bellsouth.
I still think it’s Bellsouth…