X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: adsl-ull-197-119.44-151.net24.it)
Two "versions" of this bogus virus-scan banner appear to be in use, 2.0.1.5 and 2.0.1.10, and these are accompanied by similarly slight variations in the AVE (anti-virus engine?) and VDF (virus definition file?) parameters.
The host part is interesting, following as it does one of two distinct patterns. It is either forged as some innocent third party's domain or host name, or else it is a valid PTR or CNAME of an IP belonging to some ISP's dynamic pool. In the latter case it always matches both the HELO in the final Received header and the IP address recorded there. There is always at least one forged Received header too.
Most spam bearing this hallmark is pornography, but we have at least one sighting of Russian spam with exactly the same characteristics, leading me to believe that we are looking at a feature of some piece of spamware.
It appears that there really is such a thing as AntiVir MailGate, but its genuine headers will show more variation, since the engine and pattern information changes often. It could be that poor old AntiVir will suffer the same fate as The Bat!, and that would be sad.
Time to get tweaking those mail rules again, or, if your inbound MTA can manage regex filtering on inbound MIME streams, this should be still less of a challenge.
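As an added example (not code from the original post or from any mail filter product), here is a small Python rule that implements the hallmark described above: it matches the two observed banner "versions", then checks whether the host token agrees with the HELO and reverse-DNS name our own MTA recorded in the topmost Received header, which separates the dynamic-pool pattern from the third-party-forgery pattern. The sample message and its 203.0.113.197 / 198.51.100.7 addresses are constructed for the example; only the X-AntiVirus banner text comes from the post.

```python
"""Flag the forged "AntiVir MailGate" X-AntiVirus banner described above.

Added example: constructed sample data, not a real capture beyond the
banner text quoted in the post.
"""
import email
import re

# Observed banner shape: two "versions" (2.0.1.5 / 2.0.1.10), AVE and VDF
# parameters, and a host token. Genuine MailGate headers vary far more in
# AVE/VDF over time, so a tight match on these values is itself a signal.
XAV_RE = re.compile(
    r"checked by AntiVir MailGate \(version: (?P<version>2\.0\.1\.(?:10|5)); "
    r"AVE: (?P<ave>[\d.]+); VDF: (?P<vdf>[\d.]+); host: (?P<host>[^)\s]+)\)"
)

# The Received header our own MTA wrote (topmost one), in the common
# "from <HELO> (<reverse-DNS> [<ip>]) by ..." shape.
RECEIVED_RE = re.compile(
    r"^from (?P<helo>\S+) \((?:(?P<rdns>[^\s\[\]]+) )?\[(?P<ip>[^\]]+)\]"
)


def extract_xantivirus(msg):
    """Return the banner's fields if it matches the forged shape, else None."""
    value = msg.get("X-AntiVirus")
    if value is None:
        return None
    m = XAV_RE.search(" ".join(value.split()))  # unfold / normalise whitespace
    return m.groupdict() if m else None


def final_hop(msg):
    """Parse HELO, reverse-DNS name and IP from the topmost Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(received[0].split()))
    return m.groupdict() if m else None


def classify(raw_bytes):
    """Classify a raw RFC 822 message against the forged-banner hallmark."""
    msg = email.message_from_bytes(raw_bytes)
    banner = extract_xantivirus(msg)
    if banner is None:
        return {"forged_banner": False}
    hop = final_hop(msg) or {}
    host = banner["host"].lower()
    matches_helo = host == (hop.get("helo") or "").lower()
    return {
        "forged_banner": True,
        "version": banner["version"],
        "host": host,
        "host_matches_helo": matches_helo,
        "host_matches_rdns": host == (hop.get("rdns") or "").lower(),
        "received_count": len(msg.get_all("Received") or []),
        # Dynamic-pool pattern: host equals the HELO our MTA saw; otherwise the
        # host is some unrelated third party's name.
        "pattern": "dynamic-pool" if matches_helo else "third-party",
    }


# Constructed sample: topmost Received is ours, the second is the forged one.
SAMPLE = b"""\
Received: from adsl-ull-197-119.44-151.net24.it (adsl-ull-197-119.44-151.net24.it [203.0.113.197])
\tby mx.example.org (Postfix) with SMTP id 9F2C3A1
\tfor <user@example.org>
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby adsl-ull-197-119.44-151.net24.it with ESMTP id 3191
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: adsl-ull-197-119.44-151.net24.it)
From: someone@example.net
To: user@example.org
Subject: test

body
"""

# Same message with the host token swapped for an unrelated name (third-party pattern).
SAMPLE_THIRD_PARTY = SAMPLE.replace(
    b"host: adsl-ull-197-119.44-151.net24.it)", b"host: mail.example.com)"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(SAMPLE_THIRD_PARTY))
```

The rule deliberately keys on the host-versus-HELO agreement rather than on the host name alone: the dynamic-pool variant uses a real PTR, so a plain blocklist of host names would never catch it, while the banner-plus-HELO combination is what the spamware reproduces every time.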
Category: Spam miscellany