Malformed container violation

Dick Hoffman

From time to time Earthlink intercepts and quarantines emails
containing purported viruses and notifies me of these events with the
following "information":

'MESSAGE QUARANTINED

Virus Detected: Malformed container violation'

followed by From and To information to tell me where the email came from
(the virus involved is not identified). What are they telling me? What
is a "malformed container violation"?

Dick
 
Roger Wilco

Dick Hoffman said:
From time to time Earthlink intercepts and quarantines emails
containing purported viruses and notifies me of these events with the
following "information":

'MESSAGE QUARANTINED

Virus Detected: Malformed container violation'

followed by From and To information to tell me where the email came from
(the virus involved is not identified). What are they telling me? What
is a "malformed container violation"?

Have you asked them?

Probably the "Incorrect MIME type" exploit used by many email vector
worms is what is being noticed by their scanner. If the "Content Type"
is "audio/x-wav" and the file's name is "something.exe" there is a
mismatch that allows unpatched systems to execute the "something.exe"
without the user's permission (the IE/OS combo thinks it is a wave file
for background sound and stupidly without verifying passes the exe to
the loaders). No legitimate email should have such a mismatch, so it is
probably safe for them to delete it. Email is not infectable, but is
often a container for content which 'is' infectable. Some malformed
containers make the container into an exploit trojan by exploiting flaws
in the application (mail client) or OS it is running on to circumvent
the security permissions set and automatically execute the attached or
included malicious content. Others can be malicious in themselves by
buffer overflow - the exploit trojan itself allows arbitrary code
execution (the "Malformed E-mail Header Exploit" was of this second
type).
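
The Content-Type versus file name mismatch described in the reply above can be checked on the receiving side. The following is an added example, not part of the original thread and not Earthlink's scanner; the extension list, the set of "passive" media types, the function name and the sample message are all assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.utils import collapse_rfc2231_value

# Assumed, non-exhaustive list of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Declared media types that should never carry one of those extensions.
PASSIVE_MAINTYPES = {"audio", "image", "video"}

def find_mismatched_parts(raw_bytes):
    """Return (content_type, filename) for each MIME part that declares a
    passive media type but is named like an executable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # The name can come from Content-Disposition (filename=) or from the
        # older name= parameter on Content-Type; check both, de-duplicated.
        names = [part.get_filename(), part.get_param("name")]
        for name in dict.fromkeys(n for n in names if n):
            name = collapse_rfc2231_value(name).strip()
            ext = os.path.splitext(name.lower())[1]
            if ext in EXECUTABLE_EXTS and part.get_content_maintype() in PASSIVE_MAINTYPES:
                hits.append((part.get_content_type(), name))
    return hits

# Constructed sample: one mismatched part, one ordinary image part.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1\r\n"
    b'Content-Type: image/gif; name="logo.gif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nR0lGODlh\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for ctype, fname in find_mismatched_parts(SAMPLE):
        print(f"quarantine: declared {ctype} but named {fname}")
```
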
 
