On 25 Nov 2016, at 5:28, geoff.sa_users_161...@alphaworks.co.uk wrote:
On 25/11/2016 10:26, Paul Stead wrote:
On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: INVOICE_<removed>.zip#1783656308|>HQ2s9y6f.js Virus:
JS:LockyDownloader [Trj] Deleted
Your AV correctly identified the bad attachment - generally these don't
even get as far as SA in my setup
This all depends on the glue used and ordering within your MTA and how
it reacts to malware attachments
I don't have a lot of control over my setup as it's a hosted VPS. The
AV is locally on my PC so comes late in the process...
That might explain why there's no valid Received header in the whole
message...
It LOOKS like that is being generated by a PHP script on the host that's
delivering it, which appears to be running some atrocious mail handler
calling itself 'nullmailer' that doesn't do Received headers in any
useful way. It might help to know what the 'x.x.x.x' was, but I suspect
not much. The mess of headers MAY be secondary to your AV mangling the
message and reconstructing it without the original headers.