Nod32V3 inserting codes into mail headers

Discussion in 'ESET NOD32 Antivirus' started by Missileman, Jan 19, 2008.

Thread Status:
Not open for further replies.
  1. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    Now this will sound silly and picky, but NOD32 AV and ESS are inserting an Eset ID code like "X-EsetId: 3D31132BC2823C326F72" into the headers or at the end of some mail/spam messages that I receive. The problem is that I am an avid antispammer. I report every unrequested message to various places around the net, request domain removal from their registrars, request their name servers be null routed, etc. Now this sounds like a job and it is, but many of the operations are automated. The problem comes in that Eset just inserts their code wherever and they don't pad it with a line return or even a space. This results in a lot of the information being misread by the reporting software because it sees X-EsetID as part of the address or header. This causes the lookups to fail, meaning the report doesn't get generated or I have to do it manually. I don't think the code itself is causing any issues, but the way they insert it is very bad. It forces me to do way more manual processing of this spam junk.

    Could somebody at Eset look into how you are inserting these codes and pad them a bit so they don't join themselves on to valid information?
     
  2. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    that only applies to downloaded mail through pop3 (my imap mail hasn't been touched, even when received in outlook).

    also, i seem to remember seeing an option in the "advanced" tab about whether or not imon should insert stuff into scanned emails.
     
  3. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    Since I'm running version 3 there is no option to turn this off. No IMON.

    Still a major issue to any of us who report spam rather than buy their crap.
     
  4. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    http://god.nihplod.com/~ethernal/nod_imon.JPG
     

    Last edited by a moderator: Jan 21, 2008
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you please explain in detail what the problem is?

    This is the header with ESS email protection / integration disabled:

    .
    .
    .
    Subject: test
    18:06:39;0801211806390136;7751
    Date: Mon, 21 Jan 2008 18:06:37 +0100
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-2";
    reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

    test


    And this one with email protection / integration enabled:

    Subject: test
    X-Eset-AntiSpam: OK;0;whitelist;2008-01-21 18:01:41;0801211801410128;6159
    Date: Mon, 21 Jan 2008 18:01:38 +0100
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-2";
    reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
    Old-X-EsetId: AD23EA2B0FCE3432FE62
    X-EsetId: AD23EA2B0FCE3432FE62
    X-EsetScannerBuild: 2214

    test
     
  6. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    Here is one that is being read wrong by the reporting software:

    Delivered-To: xxxxxxxxxxx@gmail.com
    Received: by 10.141.122.6 with SMTP id z6cs193727rvm;
    Mon, 21 Jan 2008 12:40:31 -0800 (PST)
    Received: by 10.140.248.17 with SMTP id v17mr4776026rvh.9.1200948031554;
    Mon, 21 Jan 2008 12:40:31 -0800 (PST)
    Return-Path: <5xxxxxxxxxx@dreamgirldirect.com>
    Received: from secretaria ([190.41.110.193])
    by mx.google.com with SMTP id k77si10348139rnb.5.2008.01.21.12.40.11;
    Mon, 21 Jan 2008 12:40:31 -0800 (PST)
    Received-SPF: neutral (google.com: 190.41.110.193 is neither permitted nor denied by best guess record for domain of 5xxxxxxxxxx@dreamgirldirect.com) client-ip=190.41.110.193;
    Authentication-Results: mx.google.com; spf=neutral (google.com: 190.41.110.193 is neither permitted nor denied by best guess record for domain of 5xxxxxxxxxx@dreamgirldirect.com) smtp.mail=5sharpshoot@dreamgirldirect.com
    Received: from 147.123.126.136 (HELO localhost.localdomain) (108.133.117.140)
    by 175.141.191.147 with SMTP; Mon, 21 Jan 2008 15:38:41 +0500
    Date: Mon, 21 Jan 2008 15:38:41 +0500
    Message-Id: <2IX711EJXVWDA810@themadisongroup.com>
    X-Mailer: MIME::Lite 3.01 (F2.72; A1.62; B3.01; Q3.01)
    X-Header-CompanyDBUserName: hpccm
    X-Header-MasterId: 219272
    X-Header-Versions: Hewlett-Packard.8t7bn7nd2.fk@us.newsgram.hp.com
    X-FID: 58E42DBC-3485-03AF-B8E0-42CDEA17DCB2
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    To: <beckytay2007@gmail.com>
    From: "Goldie Sheridan" <5xxxxxxxxxx@dreamgirldirect.com>
    Subject: Ladies and Gents watches from only 9.99 inc. delivery ...

    We only sell premium watches. There's no battery in these replicas just like the real ones since they charge themselves as you move.
    - The color of the gold looks exactly like a genuine Rolex watch
    Ready to Ship Now !! 100% money back Guarantee !!

    http://www.testalerep.orgX-EsetId: 3D31132BC2823C326E72


    Notice the Eset tag - the software tries to report http://www.testalerep.orgX-EsetId because there is no space/break line return.
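
An added example, not part of the original thread and not ESET's or any reporting tool's code: a pre-processing step for a spam-reporting pipeline that removes a scanner tag fused onto body text before URLs are extracted, while leaving the same tag alone where it is a proper header line. It assumes the tag is always `X-EsetId: ` followed by 20 hex digits, as in the samples posted here; the sample message and function names are constructed for illustration.

```python
import re

# Assumption: tag format inferred from the samples in this thread (20 hex digits).
ESET_TAG = re.compile(r"X-EsetId:[ \t]*[0-9A-Fa-f]{20}")
URL = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: one legitimate tag header, one tag fused to a body URL.
SAMPLE = (
    "From: sender@example.com\r\n"
    "Subject: test\r\n"
    "X-EsetId: 0123456789ABCDEF0123\r\n"
    "\r\n"
    "Ready to ship now\r\n"
    "\r\n"
    "http://www.example.orgX-EsetId: 0123456789ABCDEF0123\r\n"
)

def split_message(raw):
    """Split a raw message into (headers, body) at the first blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body

def naive_urls(raw):
    """URL extraction with no cleanup: reproduces the misread described above."""
    _, body = split_message(raw)
    return [u.rstrip(".,;)") for u in URL.findall(body)]

def strip_fused_tags(body):
    """Remove scanner tags from body text only; return (clean_body, removed)."""
    removed = ESET_TAG.findall(body)
    return ESET_TAG.sub("", body), removed

def report_urls(raw):
    """Return (urls, removed_tags) for the body after tag removal."""
    _, body = split_message(raw)
    clean, removed = strip_fused_tags(body)
    urls = [u.rstrip(".,;)") for u in URL.findall(clean)]
    return urls, removed

if __name__ == "__main__":
    print("naive:  ", naive_urls(SAMPLE))
    print("cleaned:", report_urls(SAMPLE))
```

Logging the removed tags rather than discarding them silently keeps a record that the message was altered after delivery, which matters if the report is later used as evidence.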
     