Jump to content

Another virus false positive?


Recommended Posts

Awhile back, I posted a query about Spamcop's incoming virus filters catching (and silently discarding) phishing attempts. This was confirmed by the support folks.

While this is annoying, it's not a huge deal. I keep copies of all email that my system forwards to spamcop, so I can manually drop the phishes into my "Held Mail" folder and then report them. It's an extra step - but it doesn't happen often enough to be a major hassle.

However, today, a friend sent me a forwarded, tasteless picture that vanished into the Spamcop blackhole...

My suspicion is that Spamcop's mail system decided it was a virus and silently deleted it, which begs the question: What criteria does Spamcop use for silently deleting a message? I understand (and agree) about deleting viruses - but this kind of false positive seems like something is misconfigured. (While the picture was tasteless, the message itself was harmless - a 2-part MIME message: one part plain text, the other part a JPG with a Michael Jackson joke).

Additional technical details for those who care: I run two mail servers (one at home and one at work). Each system forwards certain messages to accounts at spamcop.net. In the case of my work email, Spamcop then filters the messages and returns the good ones back to a "secret" account on my mail server. This all works quite well - but outages in the past have made me paranoid, so I have a second copy of all such messages delivered to a special local holding account. The servers are running Mandrake Linux 9.1 and Postfix 2.0.6 and I have two different Spamcop accounts (one for each server).

Link to comment
Share on other sites

(While the picture was tasteless, the message itself was harmless - a 2-part MIME message: one part plain text, the other part a JPG with a Michael Jackson joke).

29732[/snapback]

Could the message or subject been close to the recently released virus based on the Jackson case that it was recognized?

Link to comment
Share on other sites

Maybe IronPort really needs to fill that job opening for an antivirus architect :D. If it is really the virus filter, I don't think that the SpamCop administrator can do much about which messages are flagged as viruses and which ones are not. He will have to rely on the vendor of the virus filter, which seems to be Sophos in this case. Since you have another copy of the message, you could try to submit it to VirusTotal to see whether there is some consensus among the various antivirus vendors about whether it should be recognized as a virus.

Link to comment
Share on other sites

Since you have another copy of the message, you could try to submit it to VirusTotal to see whether there is some consensus among the various antivirus vendors about whether it should be recognized as a virus.

29741[/snapback]

Thanks. That's a very cool resource!.

I sent it the picture and the entire email and it found nothing (as expected).

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...