Completely mangled email

[Chris Ridd]

I just received an email message from a virus scanner which is *complete*
gibberish when displayed by Entourage (2004) in either the preview pane or a
separate window.

The actual message from the virus scanner is base-64 encoded, and view
source says it is this:

--i523u9D01304513
Content-Type: text/plain;
charset=US-ASCII
Content-Transfer-Encoding: base64

CkRlYXIgQ3VzdG9tZXIsCgpUaGUgYmx1ZXlvbmRlciBhbnRpLXZpcnVzIHN5c3RlbSBmb3VuZ
CBhIHZpcnVzIGluIHRoaXMgbWVzc2FnZSB3aGljaCBpdAp3YXMgdW5hYmxlIHRvIGNsZWFuIG
FuZCBhbGwgaW5mZWN0ZWQgYXR0YWNobWVudHMgaGF2ZSBiZWVuIGRlbGV0ZWQuCgpUaGlzIGl
zIGFuIGF1dG9tYXRlZCBtZXNzYWdlIC0gUExFQVNFIERPIE5PVCBSRVBMWSBUTyBUSElTIE1F
U1NBR0UgQVMKVEhJUyBNQUlMQk9YIElTIE5PVCBNT05JVE9SRUQuCgpGb3IgZnVydGhlciBvb
mxpbmUgc2VjdXJpdHkgaW5mb3JtYXRpb24gYW5kIGFkdmljZSBvbiB3aGF0IHN0ZXBzIHlvdS
BjYW4KdGFrZSB0byBtYWtlIHlvdXIgY29tcHV0ZXIgZXZlbiBzYWZlciBwbGVhc2UgdmlzaXQ
gb3VyIGhlbHAgc2l0ZToKCmh0dHA6Ly93d3cuYmx1ZXlvbmRlci5jby51ay9zZWN1cml0eQoK
ImJsdWV5b25kZXIgZG9lcyBub3QgZ3VhcmFudGVlIHRoYXQgdGhlIHJlbWFpbmluZyBhdHRhY
2htZW50cyBhcmUgc2FmZQp0byBvcGVuLiBZb3UgbWF5IHdhbnQgdG8gcnVuIGF0dGFjaG1lbn
RzIHRocm91Z2ggeW91ciBvd24gdmlydXMgc29mdHdhcmUKYmVmb3JlIG9wZW5pbmciCgotLS0
tLS0tLS0tLS0tLS0tLS0tLS0tCkZyb206IHNoZW9uZ19rODRAeWFob28uY29tClRvOiBsbnZA
Ymx1ZXlvbmRlci5jby51awpTZW50IE9uOiAwMi8wNi8wNCAwMzo1NjowOQoKb2hfbm8zMjEuV
FhULnppcChhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0pCWluZmVjdGVkCUktV29ybS5Tb2Jlci
5nCgotLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgo=
--i523u9D01304513

But Entourage displays this text:

Dear Customer,

The blueyonder anti-virus system
found™≥™Ù¥ÉÕÌ™¥¸™Ñ¡¥Ì™µÃÃ∑ˇ‰™†¡¥Ÿ ™¥‹)†∑̙Ւ∑≈±‰™Ñπ™Ÿ±∑¸™•æBƈæfV7FVB
GF6∫ÖVçG2∫fR&VVâFVÆWFVBà ¥F∫˜2‰È[√]]ÛX]YY\ÜØYÙHHPTÑHÈ„
ÕŒTHÈTÈQ@SSAGE AS
THIS MAILBOX IS NOT MONITORED.

For further ol
±¥’‰™ÃŸÕÉ¥Ñ䙥’˙âˆÃ‰Âµâˆ‘Ñ¥âˆÂ¸â„¢âˆ‘’∆™∑ŒÙ¥Ÿ‰™âˆÂ¸â„¢â€ Â¡âˆ‘‹™ÃÑÃÌ™åâˆÃ”•6à§F¶RFòÖ¶Rˆ÷W
"6ö◊WFW"WfVâ6fW"ÆV6RfËœ6Ëœ@†\√[Ú]N≠≠˚—ˆ††Ë˘ËY^[Û˙\—˘ÛË
ˇZËÜÙX†\˚]B≠•"blueyonder does not guarantee that the remaining atta`
¡µ’ÑÌ™∑ɉ™Ã∑˙‰)Ñπ™âˆÃ¸¸™eâˆÃ”™µ∑䙆∑’‹™Ñπ™ÉÕ¸™∑ÑÑ∑Ÿ¡µ’ÀG2FΩ&÷Vv≠ˆ÷W"÷vâf
Ëœ'W26ögGv&PÅ“&Vf÷&R÷Væˆær  ¢ÒÒ‹KKKKKKKKKKKKKKKKKKBÅ’Ë›ËÛN√Ú[Û˙◊ÚÎ
XZÛˢÛÛBÎ√ˇ∆blueyonder.co.uk
Sent On: 02/06/04
03:56:09

oh_no321.T
aP’é¥À¡∑Ãñ¥Ÿ∑Ñ¥âˆÂ¸âˆâˆÅ¸Ã‘‹µÃÑÉ∑´€%¥’˙ŸÑ∆%$µ]âˆÃ‰Â´â€™Mâˆâ‰ˆï£¿Ãˆâ€¢
æp ¢ÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒ‹ 

Wild, eh? I used perl to decode the base64 chunk, and it decodes to
something quite plausible and not gibberish at all. Has anyone seen anything
like this?

Cheers,

Chris

 

[Barry Wainwright]

I just received an email message from a virus scanner which is *complete*
gibberish when displayed by Entourage (2004) in either the preview pane or a
separate window.

The actual message from the virus scanner is base-64 encoded, and view
source says it is this:

--i523u9D01304513
Content-Type: text/plain;
charset=US-ASCII
Content-Transfer-Encoding: base64

Well, I don't know what is happening there...

The encoding is correct and decodes to this:

Dear Customer,

The blueyonder anti-virus system found a virus in this message which it
was unable to clean and all infected attachments have been deleted.

This is an automated message - PLEASE DO NOT REPLY TO THIS MESSAGE AS
THIS MAILBOX IS NOT MONITORED.

For further online security information and advice on what steps you can
take to make your computer even safer please visit our help site:

http://www.blueyonder.co.uk/security

"blueyonder does not guarantee that the remaining attachments are safe
to open. You may want to run attachments through your own virus software
before opening"

----------------------
From: [bnw: email address removed before posting]
To: [bnw: email address removed before posting]
Sent On: 02/06/04 03:56:09

oh_no321.TXT.zip(application/octet-stream) infected I-Worm.Sober.g

Can you send the entire source for the full message? (or, better still, usae
the 'forward as attachment' menu item in the Message menu to send me a copy
of the message off-list?

Unless there is something weird about the rest of the message headers,
entourage should have decoded this correctly.

Not exactly to the point, but I have to wonder why on earth they are
encoding this error message, when plain text would have sufficed???

 

[Chris Ridd]

I just received an email message from a virus scanner which is *complete*
gibberish when displayed by Entourage (2004) in either the preview pane or a
separate window.

The actual message from the virus scanner is base-64 encoded, and view
source says it is this:

--i523u9D01304513
Content-Type: text/plain;
charset=US-ASCII
Content-Transfer-Encoding: base64

Well, I don't know what is happening there...

The encoding is correct and decodes to this:

Dear Customer,

The blueyonder anti-virus system found a virus in this message which it
was unable to clean and all infected attachments have been deleted.

This is an automated message - PLEASE DO NOT REPLY TO THIS MESSAGE AS
THIS MAILBOX IS NOT MONITORED.

For further online security information and advice on what steps you can
take to make your computer even safer please visit our help site:

http://www.blueyonder.co.uk/security

"blueyonder does not guarantee that the remaining attachments are safe
to open. You may want to run attachments through your own virus software
before opening"

----------------------
From: [bnw: email address removed before posting]
To: [bnw: email address removed before posting]
Sent On: 02/06/04 03:56:09

oh_no321.TXT.zip(application/octet-stream) infected I-Worm.Sober.g

Can you send the entire source for the full message? (or, better still, usae
the 'forward as attachment' menu item in the Message menu to send me a copy
of the message off-list?

Yes, I thought you might say that

Unless there is something weird about the rest of the message headers,
entourage should have decoded this correctly.

Not exactly to the point, but I have to wonder why on earth they are
encoding this error message, when plain text would have sufficed???

I know. Especially since the content is marked as US-ASCII...

Cheers,

Chris