
Thread: How to respond to "You sent me a virus"

  1. #1
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253

    How to respond to "You sent me a virus"

    Hello All:

    Here is my situation. User calls HD to report that one of his customers states that all of the attachments he sends are infected with a virus. As are all attachments sent from other users at this location.


    This is what I know:

    The user sends the attachment to multiple companies. Only one company states the attachment is infected.

    Gateway and Email AV is up to date. Enterprise AV is up to date.

    Did a manual scan of the documents with Trend, McAfee, Symantec [sp?]. No virus found.

    No strange traffic in or out noted in the AV, Gateway/firewall logs.

    Now before I run off asking the customer if they have changed/upgraded/added anything to their AV/Filtering "stuff", is there any way I could be sending a virus?

    BTW, I turned on AV for outgoing mail for a while just to check. Nothing.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Ask the "Customer" to send you a copy of the e-mail he/she says is infected, complete with the original header records so you can verify the e-mail is actually coming out of your domain. My guess, it's being spoofed.

    Cheers:
    DjM

  3. #3
    Banned
    Join Date
    Jul 2005
    Posts
    511
    You'd have to do some guesswork here. First of all, this customer might have received a spoofed email, and the real sender is unknown. Actually, if the customer happens to be infected then the virus will be running on his system using his address book to generate spoofed emails and it might be one of those that is returning to his own systems!
    But you figured that out already...

    If you or one of your users were sending infected emails then you would probably receive responses from several recipients. With only one company complaining, the problem is with that company, I guess. But you could ask that customer to send you the headers of the infected email (if they still have it) for further investigations. Then you can check if the email did originate from your location or not.

    Of course there is another option. This customer might be using very strong heuristic scanning with their AV scanner and that scan might tell them something is wrong with the attachment. It could indicate that there is a virus in the attachment but to find it you'd have to set up your scanner to its most secure settings, which often will generate false positives. (And once in a while it will detect a genuine, new virus.)
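The header check DjM and the previous reply describe (verify from the original Received chain whether the mail really left your domain), as an added example that is not from the thread. The domain, mail host names and both sample header blocks are constructed for illustration.

```python
import re
from email import message_from_string

# Hosts our (hypothetical) organisation sends through; rDNS names are assumed.
OUR_MAIL_HOSTS = {"mail.example-corp.test", "gw.example-corp.test"}

# Constructed header block: a mail claiming our domain in From: and HELO, but
# whose earliest hop reverse-resolves to an unrelated DSL host (a spoof).
SPOOFED = (
    "Received: from mx1.customer.test (mx1.customer.test [192.0.2.10])\n"
    "\tby mail.customer.test with ESMTP id 1; Mon, 3 Oct 2005 09:00:00 +0000\n"
    "Received: from mail.example-corp.test (dsl-7.isp.test [203.0.113.7])\n"
    "\tby mx1.customer.test with SMTP id 2; Mon, 3 Oct 2005 08:59:00 +0000\n"
    "From: accounts@example-corp.test\nTo: bob@customer.test\nSubject: invoice\n"
    "\nbody\n"
)
# Constructed header block for a genuine mail that left via our gateway.
GENUINE = SPOOFED.replace("(dsl-7.isp.test [203.0.113.7])",
                          "(gw.example-corp.test [198.51.100.5])")

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write it.
_HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-f.:]+)\]\)", re.I)

def received_hops(raw):
    """Oldest-first list of (helo, rdns, ip) from the Received: headers.
    Received headers are prepended as the mail travels, so the last one
    in the message is the first hop the message actually took."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = _HOP.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append(m.groups())
    return hops

def origin_verdict(raw):
    """Compare the first hop's reverse DNS (not the HELO name, which the
    sending machine chooses freely) against our known mail hosts."""
    hops = received_hops(raw)
    if not hops:
        return "unknown"
    helo, rdns, ip = hops[0]
    if rdns.lower() in OUR_MAIL_HOSTS:
        return "genuine"
    return f"spoofed: HELO {helo} but first hop was {rdns} [{ip}]"

if __name__ == "__main__":
    print(origin_verdict(SPOOFED))
    print(origin_verdict(GENUINE))
```

Only the hop recorded by the recipient's own MX is trustworthy; earlier Received lines can be forged by the sender, so always read the chain from the receiving side inward.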

  4. #4
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Are you sure it's a mail you sent (a false positive)
    Or could it be a mail with spoofed header saying you sent it ?

    The only mails like that I got were spoofed virus mails.. And those were a lot of mails (has gotten better, but still occasionally get them).

    If you are sure it's a spoofed mail then please ask the company sending you those "you sent" mails to 'fix' their mail AV, since spamming is illegal..

    http://attrition.org/security/rant/av-spammers.html


    (all you's in this message are not you as a natural person, but you as a company)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Errr....................

    one of his customers states that all of the attachments he sends are infected with a virus. As are all attachments sent from other users at this location.
    That is NOT spoofing. That is genuine correspondence.............notice the "all" in both sentences?

    You need to know:

    1. What type of attachments?
    2. What type of AV (including build and pattern file #s)?
    3. What virus has been identified?
    4. What e-mail client is being used?

    If the guy complaining gets other similar attachments OK.................sounds like he could be set to block all attachments of a certain type?


  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi nihil,

    I know that's what my security settings are set at...' do not allow attachments to be opened '...I only uncheck the box when I have been pre-informed and am expecting an attachment...then I check it again.

    Saves me from accidentally opening something I shouldn't.

    Eg

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Originally posted here by nihil
    Errr....................

    That is NOT spoofing. That is genuine correspondence.............notice the "all" in both sentences?

    You need to know:

    1. What type of attachments?
    2. What type of AV (including build and pattern file #s)?
    3. What virus has been identified?
    4. What e-mail client is being used?

    If the guy complaining gets other similar attachments OK.................sounds like he could be set to block all attachments of a certain type?

    Correct - It's not spoofing.

    The attachments are .doc and .pdf. I have not received an email with the header info yet.

    I'll keep you up to date.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Dino~

    You need to know if it really is a virus, or have they set their system to reject certain attachments.

    Does the actual e-mail get through intact?


  9. #9
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    For a little more peace of mind it might be worth submitting the file in question to Jotti. Perhaps some scanner is hitting a false positive.

    http://virusscan.jotti.org/

  10. #10
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Originally posted here by nihil
    Hi Dino~

    You need to know if it really is a virus, or have they set their system to reject certain attachments.

    Does the actual e-mail get through intact?

    You'll love this:

    Go to original sending PC here and resend attachment. Call recipient and have her forward the email to my account.

    Email and attachment are clean going out and coming back in.

    So I call recipient and ask what version of AV, blah blah blah the normal questions.

    After about 15 minutes she states that it's not her antivirus telling her it's infected - it's windows.

    So I ask her about her settings, as Egaladeist suggested, and her reply was..

    "Well it's really not windows. When I try to burn the file to CD, the CD burning software says the file may be infected 'do you wish to continue'."

    Ah what the hell, I didn't have anything better to do today. Was going to ask if the CD burning software was a new install, what type, version etc., but that's a job for her tech support.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0
