Symantec Virus Warnings (phony)

Oregano

I am regularly being spammed by a "tool" that tells me a file I sent had a
virus attached to it and the "warning" comes from ses.symantec.com. I
genuinely suspect this is bogus and were I to click on the link (I'm
replicating one of the "emails" below) then I'd probably be hijacked. I've
gone onto Symantec's site and tried to notify them of the thing, sending the
IP from which it comes. I'm using Outlook 2003 and I've set a junk mail
filter so they're automatically deleted. BUT THEY ARE ANNOYING. What's even
more annoying is Symantec's lack of a link anywhere on their websites so you
can "talk" to them. That's why I dropped Norton/Symantec years ago. I'm
protected with F-Secure, rebranded by my ISP as if it's their own. Works for
me.

Is there anything else I can do? Am I doing the right thing? It just goes on
and on and on. Been almost a year now. You'd think the buggers would get tired
when they got no response from my IP. But then maybe a computer never gets
tired...or gives up.

Replicated:
This message has been processed by Symantec's AntiVirus Technology.
message.scr was infected with the malicious virus W32.Sality.U and has been
deleted because the file cannot be cleaned.

For more information on antivirus tips and technology, visit
http://ses.symantec.com/
 

Your, ahem, "copy" of the e-mail is worthless to anyone except you.
You show no headers. You don't indicate if what you pasted was from
the rendering of an HTML-formatted e-mail or if the e-mail was in
plain text. Obviously the URL that *you* show here is in the Symantec
domain but then we don't know if that is where the URL points in an
HTML-formatted e-mail.

Since only you have a copy of the purported e-mail, check the IP
address in the Received header for the sender to see if it belongs to
Symantec. If it is coming from Symantec then there is a very good
chance that you have submitted a file for them to analyze. For all we
know, you configured the Symantec software to forward a copy of
whatever you quarantine so they can analyze it.
 
Vanguard said:
in message news:wXSDi.133863$rX4.69515@pd7urf2no...


...

Wow. Tacky response or what? Excuse me! Ok. Mr. Techy. I don't know how to
access the source code in Outlook 2003. It's easy in Outlook Express but
it's beyond me in Outlook 2003.
 
Oregano said:
I don't know how to access the source code in Outlook 2003.
It's easy in Outlook Express but it's beyond me in Outlook 2003.

You will get little sympathy here from those of us that recognize that
outlook (and OE while we're at it) is a horrible e-mail (and usenet)
client program.
 
...

Wow. Tacky response or what? Excuse me! Ok. Mr. Techy. I don't know
how to access the source code in Outlook 2003. It's easy in Outlook
Express but it's beyond me in Outlook 2003.

From your original post, it didn't appear that you are a newbie in
using Outlook. It looked like you knew Outlook well enough to know
how to see the headers and HTML source, which is why I lambasted you
for omitting them. Claiming what an e-mail said without showing
headers (munge out any personal info, like your e-mail address) along
with the raw source for the body is like walking into a car shop and
saying "It's broke" without providing any details or proof. I
over-estimated your expertise with Outlook.

To view the headers, use View -> Options (I use OL2002 so menu
navigation may differ in OL2003). If the e-mail is HTML formatted,
right-click in the body to use View Source. If that is too laborious
or you simply want some other navigation to get at the same info, get
the PocketKnife Peek add-on to Outlook
(http://www.xintercept.com/pkpeek.htm) which gives you a toolbar
button to open a separate tabbed window to look at headers and the raw
source of the body.

As for there being no contact links on Symantec's web site, well,
can't see how you missed it. On several occasions in the past when I
still used their Norton products, I contacted them using their
"e-mail" web form whereupon they would respond within 3 business days
to start a discussion. I just went to their site and in a minute
found
http://www.symantec.com/home_homeoffice/support/productdetail/contact_ts.jsp?pvid=nav_2008
(this was for NAV 2008; you will need to navigate through their
support pages to select whatever product you want to discuss with
them).
 
Vanguard said:
in message news:u70Ei.133426$fJ5.32348@pd7urf1no...

...

Thank you. Perhaps I can't see for looking, re their webform. Regardless
some kind soul gave me the spam email and I forwarded the emails to them.
Touch wood I'm not getting any more of the emails from whomever. Here is the
header information, and thank you again for showing me how I can find this
in Outlook 2003.

Return-path: <(e-mail address removed)>
Received: from pd2mr3so.prod.shaw.ca
 (pd2mr3so-qfe2.prod.shaw.ca [10.0.162.108]) by l-daemon
 (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006))
 with ESMTP id <0JNX00FMDVP0QJ80@l-daemon> for (e-mail address removed);
 Thu, 06 Sep 2007 03:00:36 -0600 (MDT)
Received: from pd2mr3so.prod.shaw.ca ([127.0.0.1])
 by pd2mr3so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05
 (built Sep 5 2006)) with ESMTP id <(message-id removed)> for
 (e-mail address removed); Thu, 06 Sep 2007 03:00:35 -0600 (MDT)
Received: from pd3mi4so.prod.shaw.ca ([10.0.121.162])
 by pd2mr3so.prod.shaw.ca with ESMTP; Thu, 06 Sep 2007 02:59:40 -0600 (MDT)
Received: from shaw.ca ([59.94.8.75])
 by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
 with ESMTP id <0JNX0023TVNA3G80@l-daemon> for (e-mail address removed);
 Thu, 06 Sep 2007 02:59:41 -0600 (MDT)
Date: Thu, 06 Sep 2007 01:59:39 -0700
From: (e-mail address removed)
Subject: Mail Delivery (failure (e-mail address removed))
To: (e-mail address removed)
Message-id: <0JNX0023VVNB3G80@l-daemon>
MIME-version: 1.0
Content-type: multipart/mixed;
 boundary=fV1Z5fCwvxvhebaYNJA72gNF1uxidVOJ11lXQ2kM
X-Priority: 3
X-MSMail-priority: Normal
X-BLTSYMAVREINSERT: BLM0wVbfXUYfQgwog8xz19mvNVMA
Original-recipient: rfc822;@pd2ims1.prod.shaw.ca:(e-mail address removed)
 
Please use some common sense and stop quoting the entire thread with
each of your replies.
some kind soul gave me the spam email and I forwarded the emails
to them.

That is useless. What you forwarded to them would not include the
full header as it sits in your own in-box.
Here is the header information,

Um, no it's not. The first Received: line contains a source IP that's
not a routable IP - it's part of an internal network assignment.

What you posted is not the full header as received originally by your
account. I don't know what it is.
 
There are so many rules and there are so many CHANGING rules. One person
says...don't top post. Another says...top post. One person says quote the
thread. Another says, don't quote the thread. One can't "follow the rules"
if the rules are constantly changing. I'm not getting any more of those
emails and have gotten a reply from Symantec. Given the response I'm getting
in this newsgroup, which frankly is less than friendly, I'm unsubscribing from
it!
 
Oregano said:
...

Your choice. But you'll want to grow a thicker skin or stay with the
petunia primping forums.

My preference is to add what I have to say after each segment I am
responding to and to snip heavily, leaving just enough to identify the
part of the post I am responding to, and which post. It's a slow day
when I follow fewer than 50 threads.

Top posting has another problem, people don't snip the extra, and
occasionally add a single line or two in the middle. With word wrap
breaking previous posts and some people not adding a blank line before
their contribution? What they say is easily lost.

As for your problem email, the point remains. You need the headers. You
cannot get the headers? Ask how to do so, don't go peeing and moaning
about how bad mannered people are for telling you that you need to give
more information before they can help.
 
in message
The following e-mail headers you show for the e-mail purported from
Symantec never came from Symantec. Following the chain of mail hosts
through the Received headers (where they are prepended to the e-mail
as it passes through each mail host, so top-down is how you trace back
to the sender):

Received: (this one was added by your mail host)
from pd2mr3so.prod.shaw.ca (pd2mr3so-qfe2.prod.shaw.ca
[10.0.162.108])
by l-daemon
(Sun Java System Messaging Server ...) ...

Received:
from pd2mr3so.prod.shaw.ca ([127.0.0.1])
by pd2mr3so.prod.shaw.ca
(Sun Java System Messaging Server ...) ...

Received:
from pd3mi4so.prod.shaw.ca ([10.0.121.162])
by pd2mr3so.prod.shaw.ca ...

Received:
from shaw.ca ([59.94.8.75])
by l-daemon (Sun ONE Messaging Server ...) ...

Looks like you got an e-mail from another Shaw user except this last
Received header has been ****ed by the sender. The sender was *not*
on the shaw.ca domain when they sent the e-mail. They used a false
hostname, but the receiving mail host adds their IP address when they
connect to that mail host. Every host knows the IP address of the
host that connects to it. The IP address of the sender was 59.94.8.75
and that is for someone using an ISP in India (BNSLNET); you can use
www.dnsstuff.com to do an IP WhoIs lookup to see what ISP is allocated
an IP address. The rest of the Received headers above the bogus one
look like the e-mail was bouncing between several mail routers
internal to Shaw's network, especially since internal-use-only IP
addresses are used in them. Someone using BNSLNET in India sent you
the e-mail.

Now it is possible it was Symantec that sent you the e-mail since they
have a call center in India - except they wouldn't be falsifying the
hostname in the Received header. Symantec or their call centers
shouldn't be lying about the hostname that the sender can specify,
especially when it can be seen not to match up with the IP address
that the receiving mail host identified for the sender.
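
As an added example (editor's code, not part of the thread), here is a small Python script that does the top-down walk of the Received: chain that Vanguard describes, and that the earlier replies were asking for. It embeds the headers Oregano posted as a constructed sample, with the redacted addresses and the lost message-id replaced by placeholders (user@example.invalid, "(message-id removed)"). It does no DNS or WhoIs lookups, so it cannot tell you the IP belongs to an Indian ISP; what it can do offline is separate the provider's internal relays (loopback and RFC 1918 addresses) from the first hop with a publicly routable IP, and flag when that hop's claimed HELO name sits in the receiving provider's own domain while the recorded connection came from outside and the MTA logged no reverse-DNS name for it. The local_domain check and the "looks forged" heuristic are this example's assumptions, not a standard.

```python
"""Walk the Received: chain of a raw header block, newest hop first.

Every MTA prepends its own Received: line, so top-down reads back toward the
sender.  The name after "from" is whatever the sender said in HELO/EHLO; the
IP in brackets is what the receiving host actually saw and is not forgeable.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample: the headers posted in the thread, with the removed
# addresses and the lost message-id replaced by placeholders.
SAMPLE_HEADERS = """\
Return-path: <user@example.invalid>
Received: from pd2mr3so.prod.shaw.ca
 (pd2mr3so-qfe2.prod.shaw.ca [10.0.162.108]) by l-daemon
 (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006))
 with ESMTP id <0JNX00FMDVP0QJ80@l-daemon> for user@example.invalid;
 Thu, 06 Sep 2007 03:00:36 -0600 (MDT)
Received: from pd2mr3so.prod.shaw.ca ([127.0.0.1])
 by pd2mr3so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05
 (built Sep 5 2006)) with ESMTP id <(message-id removed)> for
 user@example.invalid; Thu, 06 Sep 2007 03:00:35 -0600 (MDT)
Received: from pd3mi4so.prod.shaw.ca ([10.0.121.162])
 by pd2mr3so.prod.shaw.ca with ESMTP; Thu, 06 Sep 2007 02:59:40 -0600 (MDT)
Received: from shaw.ca ([59.94.8.75])
 by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
 with ESMTP id <0JNX0023TVNA3G80@l-daemon> for user@example.invalid;
 Thu, 06 Sep 2007 02:59:41 -0600 (MDT)
Date: Thu, 06 Sep 2007 01:59:39 -0700
From: user@example.invalid
Subject: Mail Delivery (failure user@example.invalid)
To: user@example.invalid
Message-id: <0JNX0023VVNB3G80@l-daemon>
"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." ; the parenthesised part is optional.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+(?:\((?P<paren>[^)]*)\)\s+)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
PAREN_RE = re.compile(r"(?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]")


def parse_received(value):
    """One unfolded Received: value -> {'helo', 'rdns', 'ip', 'by'} or None."""
    text = re.sub(r"\s+", " ", value).strip()
    m = RECEIVED_RE.match(text)
    if not m:
        return None
    hop = {"helo": m["helo"], "rdns": None, "ip": None, "by": m["by"]}
    if m["paren"]:
        p = PAREN_RE.search(m["paren"])
        if p:
            hop["rdns"] = p["rdns"]  # reverse name the MTA logged, if any
            try:
                hop["ip"] = ipaddress.ip_address(p["ip"])
            except ValueError:
                hop["ip"] = None
    return hop


def trace_received(raw_headers):
    """All parseable hops in header order (top = last relay, bottom = first)."""
    msg = message_from_string(raw_headers)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def classify(ip):
    if ip is None:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public" if ip.is_global else "reserved"


def find_origin(hops):
    """First hop, top-down, whose recorded connecting IP is publicly routable.
    Hops above it on loopback/RFC 1918 space are the provider's own relays."""
    return next((h for h in hops if classify(h["ip"]) == "public"), None)


def helo_looks_forged(hop, local_domain):
    """Assumed heuristic: the sender claimed a name inside local_domain, yet
    connected from a public IP and the MTA recorded no reverse name for it."""
    helo = hop["helo"].lower().rstrip(".")
    claims_local = helo == local_domain or helo.endswith("." + local_domain)
    return claims_local and classify(hop["ip"]) == "public" and hop["rdns"] is None


def report(raw_headers, local_domain):
    hops = trace_received(raw_headers)
    out = [f"{i}. from {h['helo']} [{h['ip']}] ({classify(h['ip'])}) by {h['by']}"
           for i, h in enumerate(hops, 1)]
    origin = find_origin(hops)
    if origin is None:
        out.append("no publicly routable sender IP found")
    else:
        verdict = "HELO inconsistent with connection" if helo_looks_forged(
            origin, local_domain) else "HELO consistent"
        out.append(f"origin: {origin['ip']} claiming '{origin['helo']}': {verdict}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HEADERS, "shaw.ca")))
```

Run it on your own message by pasting the full header block (as shown by View -> Options in Outlook) into SAMPLE_HEADERS and passing your provider's domain as local_domain. The origin it prints is the IP to feed into a WhoIs lookup; nothing above that line in the chain tells you anything about the sender.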
 