[Avcheck] IP of infected computer?

Michael Tokarev mjt@tls.msk.ru
Thu, 18 Jul 2002 02:26:23 +0400


Velimir Kalik wrote:
> 
> Hi,
> 
> Oh you are so right, its just that pine didn't display that part as plain
> text but printed only the From and To fields of the "Infected message"
> instead of the whole thing and I could have seen what I needed, without the
> need to look dumb now :)

;)  Well, dumb things happen to all of us sometimes.

> Here is what I now see with joe editor of my virusmail inbox:
> 
> This is a multi-part message in MIME format.
> 
> --antivirus-boundary-14514-2002-07-12-09-45-20@rt270
> Content-Type: text/plain; charset=us-ascii
> Content-Description: Notification
> 
> Hello!  This is a mail anti-virus program at host rt270.

Hmm.  Your hostname is not an FQDN.  Or is it?  I don't know if this
may be a problem or not.  On my machines, the `hostname' command returns
an FQDN, but on others it doesn't.  This *may* be a problem somewhere.
At least you may edit the `infected' handler and set your hostname
there to a real name (or use HOST=`hostname`.`domainname` or whatever).
But that's irrelevant.

[]
> --antivirus-boundary-14514-2002-07-12-09-45-20@rt270
> Content-Type: message/rfc822
> Content-Description: Infected message
> 
> Received: from Nidza (unknown [147.91.35.110])
>         by rt270.vin.bg.ac.yu (Postfix) with SMTP id EDB45D87
>         for <izvestaj@mnt.bg.ac.yu>; Fri, 12 Jul 2002 09:45:16 +0200 (CEST)
> Message-ID: <000b01c22978$7c12b3d0$6e235b93@Nidza>
...


> And this is what I see in pine:
> 

[]
>     [ Part 2: "Infected message" ]
> 
> Date: Fri, 12 Jul 2002 09:48:12 +0200
> From: Nikola Zivkovic <nikolaz@rt270.vin.bg.ac.yu>
> To: izvestaj@mnt.bg.ac.yu
> Subject: ETR.6.02.0147.B. Izvestaj za 1.1.2002. - 30.6.2002.
> 
>     [ Part 2.1.2: "Attached Text" ]

See: your pine displayed the nested message just fine - the same way
it displayed the main message (in brief).  I'm sure pine has an option
to show you headers alone and/or to turn the headers display on/off in
the `view' window.  But I don't know pine.

> etc...
> 
> So should I edit and change the infected script and place text/plain headers
> for "Infected message" part or should I learn to use pine better? :)

I think it's the latter - to learn pine.  Because this part isn't
plaintext per se, but a whole nested message/rfc822 - this is exactly
why this type was used.  Another type used is message/rfc822-headers
(only the headers of the original message) - this too isn't *strictly* plaintext.
But there is no harm in showing both as plaintext either - this all depends
on - who knows what.  This sort of thing has no well-chosen preferences.
When you forward a message to someone else, that will clearly be a message,
not plaintext (esp. if that original message has its own attachments etc).
But in this case, I don't know what's better.  I just followed the same
format as used in Postfix and Sendmail for bounces (see: in a bounce,
the original message is present as message/rfc822).  But funny that
in this very case, in a report about a virus-infected message, it may be
dangerous to use the message/rfc822 type for the original message, since some
MUAs may try to open that nested message (they should not try to open a text/plain
attachment) -- just like your pine did -- and be infected themselves... ;)
Hmm....  Interesting...

> Thanks and sorry for bothering you! BTW avcheck is really great!

Oh well... ;)  Avcheck is a tiny glue between a great MTA and your
virusscanner software - those two do the real work, not avcheck! ;)

/mjt
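An added example, not avcheck's own code nor anything posted in this thread: the Python 3 script below uses the standard library `email` package to do the two things the exchange above touches on. It answers the subject line by pulling the originating IP out of the `Received:` line that the local MTA stamped on the nested `message/rfc822` part (the line below ours, if any, is sender-supplied and forgeable, so it is deliberately ignored), and it rebuilds the notification carrying the original only as `message/rfc822-headers`, so a MUA that auto-renders nested messages has no body or attachment to open. The `SAMPLE` notification is constructed to mirror the structure quoted above; the function names, the `my_mta` parameter and the placeholder body text are the example's own. The IP regex handles IPv4 literals only.

```python
"""Parse an avcheck-style virus notification and recover the sender's IP.

Added example, not avcheck's own code.  SAMPLE below is a constructed
notification mirroring the structure quoted in the thread: a text/plain
notice followed by the original mail as a message/rfc822 part.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

BOUNDARY = "antivirus-boundary-14514-2002-07-12-09-45-20@rt270"

# Constructed sample (original body replaced by a placeholder line).
SAMPLE = f"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="{BOUNDARY}"
Subject: Infected message

This is a multi-part message in MIME format.

--{BOUNDARY}
Content-Type: text/plain; charset=us-ascii
Content-Description: Notification

Hello!  This is a mail anti-virus program at host rt270.

--{BOUNDARY}
Content-Type: message/rfc822
Content-Description: Infected message

Received: from Nidza (unknown [147.91.35.110])
        by rt270.vin.bg.ac.yu (Postfix) with SMTP id EDB45D87
        for <izvestaj@mnt.bg.ac.yu>; Fri, 12 Jul 2002 09:45:16 +0200 (CEST)
Message-ID: <000b01c22978$7c12b3d0$6e235b93@Nidza>
Date: Fri, 12 Jul 2002 09:48:12 +0200
From: Nikola Zivkovic <nikolaz@rt270.vin.bg.ac.yu>
To: izvestaj@mnt.bg.ac.yu
Subject: ETR.6.02.0147.B. Izvestaj za 1.1.2002. - 30.6.2002.

(original body and attachment omitted in this constructed sample)

--{BOUNDARY}--
"""

# IPv4 literal in the "from host (name [ip])" clause of a Received: line.
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def original_headers(notification: str) -> Message | None:
    """Headers of the original mail, however the notification carries it.

    The parser treats every message/* part as a nested message, so both a
    full message/rfc822 part and a message/rfc822-headers part come back
    as a Message whose headers can be queried."""
    outer = email.message_from_string(notification, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() in ("message/rfc822", "message/rfc822-headers"):
            if part.is_multipart():
                return part.get_payload(0)
            raw = part.get_payload(decode=True) or b""
            return email.message_from_bytes(raw, policy=policy.default)
    return None


def has_nested_body(notification: str) -> bool:
    """True if the original is carried as message/rfc822, i.e. complete with
    its body and attachments, which a MUA may render or open."""
    outer = email.message_from_string(notification, policy=policy.default)
    return any(p.get_content_type() == "message/rfc822" for p in outer.walk())


def originating_ip(notification: str, my_mta: str) -> str | None:
    """IP from the Received: line that our own MTA (my_mta) stamped.

    Received: lines are prepended hop by hop, so lines below ours were
    supplied by the sender and can be forged; only the 'by my_mta' line
    is consulted."""
    hdrs = original_headers(notification)
    if hdrs is None:
        return None
    by_us = re.compile(r"\bby\s+" + re.escape(my_mta) + r"\b")
    for line in hdrs.get_all("Received", []):
        line = str(line)  # policy.default already unfolded the header
        if by_us.search(line):
            m = IP_IN_RECEIVED.search(line)
            return m.group(1) if m else None
    return None


def headers_only_notification(notification: str, my_host: str) -> str:
    """Rebuild the notification with the original as message/rfc822-headers:
    Received:/From:/To:/Subject: survive for tracing, but there is no
    nested body or attachment for a MUA to open."""
    hdrs = original_headers(notification)
    if hdrs is None:
        raise ValueError("notification has no nested original message")
    out = MIMEMultipart("mixed")
    out["Subject"] = "Infected message"
    note = MIMEText(f"Hello!  This is a mail anti-virus program at host {my_host}.\n",
                    "plain", "us-ascii")
    note["Content-Description"] = "Notification"
    out.attach(note)
    part = MIMENonMultipart("message", "rfc822-headers")
    part["Content-Description"] = "Headers of infected message"
    part.set_payload("".join(f"{name}: {value}\n" for name, value in hdrs.items()))
    out.attach(part)
    return out.as_string()


if __name__ == "__main__":
    print("sender IP:", originating_ip(SAMPLE, "rt270.vin.bg.ac.yu"))
    print(headers_only_notification(SAMPLE, "rt270"))
```

Pass the FQDN your MTA writes into its own `Received:` line as `my_mta` (here the sample's `rt270.vin.bg.ac.yu`); if the hostname in the notification text is not an FQDN, that is cosmetic, but the `by` clause in `Received:` must match what Postfix actually stamps or no line is trusted and `None` comes back.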