Symantec Virus Warnings (phony)


I am regularly being spammed by a "tool" that tells me a file I sent had a
virus attached to it and the "warning" comes from I
genuinely suspect this is bogus and were I to click on the link (I'm
replicating one of the "emails" below) then I'd probably be hijacked. I've
gone onto Symantec's site and tried to notify them of the thing, sending the
IP from which it comes. I'm using Outlook 2003 and I've set a junk mail
filter so they're automatically deleted. BUT THEY ARE ANNOYING. What's even
more annoying is Symantec's lack of a link anywhere on their websites so you
can "talk" to them. That's why I dropped Norton/Symantec years ago. I'm
protected with F-Secure, rebranded by my ISP as if it's their own. Works for

Is there anything else I can do? Am I doing the right thing? It just goes on
and on and on. Been almost a year now. You'd think the buggers would get tired
when they got no response from my IP. But then maybe a computer never gets
tired...or gives up.

This message has been processed by Symantec's AntiVirus Technology.
message.scr was infected with the malicious virus W32.Sality.U and has been
deleted because the file cannot be cleaned.

For more information on antivirus tips and technology, visit /

Re: Symantec Virus Warnings (phony)


Your, ahem, "copy" of the e-mail is worthless to anyone except you.
You show no headers.  You don't indicate if what you pasted was from
the rendering of an HTML-formatted e-mail or if the e-mail was in
plain text.  Obviously the URL that *you* show here is in the Symantec
domain but then we don't know if that is where the URL points in an
HTML-formatted e-mail.

Since only you have a copy of the purported e-mail, check the IP
address in the Received header for the sender to see if it belongs to
Symantec.  If it is coming from Symantec then there is a very good
chance that you have submitted a file for them to analyze.  For all we
know, you configured the Symantec software to forward a copy of
whatever you quarantine so they can analyze it.

Re: Symantec Virus Warnings (phony)


Wow. Tacky response or what? Excuse me! Ok. Mr. Techy. I don't know how to
access the source code in Outlook 2003. It's easy in Outlook Express but
it's beyond me in Outlook 2003.

Re: Symantec Virus Warnings (phony)


From your original post, it didn't appear that you are a newbie in
using Outlook.  It looked like you knew Outlook well enough to know
how to see the headers and HTML source and why I lambasted you for
omitting them.  Claiming what an e-mail said without showing headers
(munge out any personal info, like your e-mail address) along with the
raw source for the body is like walking into a car shop and saying
"It's broke" without providing any details or proof.  I over-estimated
your expertise with Outlook.

To view the headers, use View -> Options (I use OL2002 so menu
navigation may differ in OL2003).  If the e-mail is HTML formatted,
right-click in the body to use View Source.  If that is too laborious
or you simply want some other navigation to get at the same info, get
the PocketKnife Peek add-on to Outlook
( ) which gives you a toolbar
button to open a separate tabbed window to look at headers and the raw
source of the body.

As for there being no contact links on Symantec's web site, well,
can't see how you missed it.  On several occasions in the past when I
still used their Norton products, I contacted them using their
"e-mail" web form whereupon they would respond within 3 business days
to start a discussion.  I just went to their site and in a minute
(this was for NAV 2008; you will need to navigate through their
support pages to select whatever product you want to discuss with

Re: Symantec Virus Warnings (phony)


Thank you. Perhaps I can't see for looking, re their webform. Regardless
some kind soul gave me the spam email and I forwarded the emails to them.
Touch wood I'm not getting any more of the emails from whomever. Here is the
header information, and thank you again for showing me how I can find this
in Outlook 2003.

Received: from
 ( []) by l-daemon
 (Sun Java System Messaging Server 6.2-7.05 (built Sep  5 2006))
 06 Sep 2007 03:00:36 -0600 (MDT)
Received: from ([])
 by (Sun Java System Messaging Server 6.2-7.05 (built
Sep; Thu, 06 Sep 2007 03:00:35 -0600 (MDT)
Received: from ([])
 by with ESMTP; Thu, 06 Sep 2007 02:59:40 -0600 (MDT)
Received: from ([])
 by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
 06 Sep 2007 02:59:41 -0600 (MDT)
Date: Thu, 06 Sep 2007 01:59:39 -0700
Subject: Mail Delivery (failure
MIME-version: 1.0
Content-type: multipart/mixed;
X-Priority: 3
X-MSMail-priority: Normal
Original-recipient: rfc822;

Re: Symantec Virus Warnings (phony)

The following e-mail headers you show for the e-mail purportedly from
Symantec never came from Symantec.  Following the chain of mail hosts
through the Received headers (where they are prepended to the e-mail
as it passes through each mail host, so top-down is how you trace back
to the sender):

Received: (this one was added by your mail host)
    from (
    by   l-daemon
         (Sun Java System Messaging Server ...) ...

    from ([])
         (Sun Java System Messaging Server ...) ...

    from ([])
    by ...

    from ([])
    by   l-daemon (Sun ONE Messaging Server ...) ...

Looks like you got an e-mail from another Shaw user except this last
Received header has been fucked by the sender.  The sender was *not*
on the domain when they sent the e-mail.  They used a false
hostname but the receiving mail host adds their IP address when they
connected to that mail host.  Every host knows the IP address of the
host that connects to it.  The IP address of the sender was
and that is for someone using an ISP in India (BNSLNET); you can use to do an IP WhoIs lookup to see what ISP is allocated
an IP address.  The rest of the Received headers above the bogus one
look like the e-mail was bouncing between several mail routers
internal to Shaw's network, especially since internal-use only IP
addresses are used in them.  Someone using BNSLNET in India sent you
the e-mail.

Now it is possible it was Symantec that sent you the e-mail since they
have a call center in India - except they wouldn't be falsifying the
hostname in the Received header.  Symantec or their call centers
shouldn't be lying about the hostname that the sender can specify,
especially when it can be seen not to match up with the IP address
that the receiving mail host identified for the sender.
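The trace the previous post walks through by hand, as an added example that is not part of the original thread: parse a raw header block, walk the Received lines top-down to the first hop (the host that actually connected to the recipient's mail system), and compare the hostname that host announced with the address the receiving server recorded. The headers below are constructed for the example, with invented hostnames and RFC 1918 / RFC 5737 addresses in place of the ones posted; the ISP domain `isp.example` and the netblocks in `ISP_NETS` are assumptions standing in for what an IP whois lookup would tell you.

```python
import ipaddress
import re

# Constructed sample headers, modelled on the ones posted in the thread.
# Hostnames and addresses are invented: the bottom Received line announces a
# hostname in the receiving ISP's domain, but the ISP's own mail host recorded
# a connecting address outside that ISP's netblocks.
SAMPLE_HEADERS = """\
Received: from mx2.isp.example (mx2.isp.example [10.1.2.3]) by l-daemon
 (Sun Java System Messaging Server 6.2-7.05 (built Sep  5 2006))
 06 Sep 2007 03:00:36 -0600 (MDT)
Received: from mx1.isp.example ([10.1.2.4])
 by mx2.isp.example (Sun Java System Messaging Server 6.2-7.05 (built
 Sep  5 2006)); Thu, 06 Sep 2007 03:00:35 -0600 (MDT)
Received: from in1.isp.example ([10.1.2.5])
 by mx1.isp.example with ESMTP; Thu, 06 Sep 2007 02:59:40 -0600 (MDT)
Received: from pd7ml1.isp.example ([203.0.113.77])
 by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
 06 Sep 2007 02:59:41 -0600 (MDT)
Date: Thu, 06 Sep 2007 01:59:39 -0700
Subject: Mail Delivery (failure)
"""

# Assumed for the example: the domain and netblocks of the receiving ISP.
# In practice you establish the netblocks with an IP whois lookup.
ISP_DOMAIN = "isp.example"
ISP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("198.51.100.0/24")]

_FROM_RE = re.compile(r"^from\s+(?P<claimed>\S+)\s*(?:\((?P<paren>[^)]*)\))?", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return the Received headers top-down. Index 0 is the newest hop (added
    last); the final entry is the first hop, i.e. the host that connected to
    the recipient's mail system. 'claimed' is what the sender announced,
    'ip' is what the receiving host recorded for the connection."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        m = _FROM_RE.match(value.strip())
        if not m:
            continue
        ip_m = _IP_RE.search(m.group("paren") or "")
        by_m = _BY_RE.search(value)
        hops.append({
            "claimed": m.group("claimed"),
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group("by") if by_m else None,
        })
    return hops


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def assess(raw, isp_domain=ISP_DOMAIN, isp_nets=ISP_NETS):
    """Locate the originating hop and check that the hostname it announced is
    consistent with the address the receiving host saw it connect from."""
    hops = received_hops(raw)
    if not hops:
        return {"verdict": "no Received headers"}
    origin = hops[-1]
    claimed_in_domain = origin["claimed"].lower().endswith("." + isp_domain)
    ip_in_isp = origin["ip"] is not None and in_nets(origin["ip"], isp_nets)
    # Hops above the origin with private addresses are relays inside the ISP.
    internal = [h for h in hops[:-1]
                if h["ip"] and ipaddress.ip_address(h["ip"]).is_private]
    if claimed_in_domain and not ip_in_isp:
        verdict = "forged: announced %s but connected from %s, outside %s" % (
            origin["claimed"], origin["ip"], isp_domain)
    elif claimed_in_domain:
        verdict = "consistent: sender is inside %s" % isp_domain
    else:
        verdict = "external sender %s (%s); look the address up with whois" % (
            origin["claimed"], origin["ip"])
    return {"origin_claimed": origin["claimed"], "origin_ip": origin["ip"],
            "internal_hops": len(internal), "verdict": verdict}


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(hop)
    print(assess(SAMPLE_HEADERS))
```

Only the Received lines added by hosts you trust are evidence; anything below the first line written by your own provider's server is text the sender could have typed. In the sample, as in the thread, that first trusted line was added by the ISP's own host, so the recorded IP is reliable while the announced hostname is not.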
