How to find the email a threat is coming from?

A friend of mine has been getting a couple of threat notifications from Sophos Anti-Virus with the text "Virus/Spyware Troj-Redir-T has been detected and listed in Quarantine Manager". Obviously somebody is sending her this virus again and again. The threat seems to be in an attachment by the name FullDetails.html, but she has no idea with which emails these attachments are being sent to her. She has no emails with such an attachment - possibly because Anti-Virus removed the attachment from such emails.

Is there a possibility to find out the exact email that contains the threat?

If not - why not? Are there possibly other products (whether from Sophos or a different company) that would be more specific about the origin of such a threat?

Thanks for your help.

:1010968


  • Hello desertman,

    SAV Mac HE's basic strategy is to scan files - it neither intercepts data transfers nor does it hook or track applications. While it inspects containers (like archives) it does not attempt to decode all of them (which would be unfeasible anyway) but relies on the application to do so. This might seem a shortcoming but it isn't. An "attachment" is just a bunch of bytes with no particular meaning and impact unless properly unpacked, decoded and instantiated as a specific object. Furthermore - considering email in particular - a mail client needn't use a "known" format for storing the messages, thus scanning them might be moot anyway.

    Once the client "detaches" an attachment it is of course subject to scanning. But then it contains no information about its origins - so you can't trace it back. There is no meta-data saying Extracted from ... by ....  If a client automatically extracts possible attachments only it knows where it has taken them from. The client has to keep a stub in order to be able to present you the attachment - thus if an AV scanner removed an offending file it's the mail client which would have to tell you message xyz had an attachment, I've stored it away but can't find it anymore. Anyway - Sophos does not modify the original mail.

    As for "identifying" the email - what might it help? Rarely can you trace it back to a single compromised account or a certain person - although I won't rule it out. But then, if you can make use of the information in the email's headers you normally don't have to ask how to identify it in the first place. No insult meant though.

    Christian

    :1010976
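The answer above makes the point that a detached attachment carries no record of where it came from, so the search has to be done on the stored messages, which only the mail client (or an export of its mailbox) can provide. The following is an added example, not code from this thread or from Sophos: given messages in RFC 822 form (for example an `.mbox` export or individual `.eml` files), it lists every message that carries an attachment with the name from the alert (here `FullDetails.html`) together with the headers a responder would look at: sender, Reply-To, Message-ID and the Received chain. The two sample messages, addresses and IP addresses below are constructed for the example; the attachment body is a harmless placeholder, not the detected file.

```python
"""Find which stored email carried a given attachment filename.

Added example (not Sophos code). Works on RFC 822 text, e.g. the messages
of an exported .mbox file or saved .eml files. Sample data is constructed.
"""
import email
import hashlib
import mailbox
from email import policy

# Constructed sample: an ordinary message without attachments.
SAMPLE_CLEAN = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.example.org with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.org>
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <sample-1@example.org>
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""

# Constructed sample: a message carrying an attachment with the alerted name.
# The HTML body is a placeholder, not the detected file.
SAMPLE_SUSPECT = """\
Received: from mail.example.org (mail.example.org [192.0.2.20])
 by imap.example.org with ESMTP id def456; Tue, 02 Jan 2024 08:30:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mail.example.org with SMTP id ghi789; Tue, 02 Jan 2024 08:29:58 +0000
From: "Account Team" <mallory@example.net>
Reply-To: other@example.net
To: Bob <bob@example.org>
Date: Tue, 02 Jan 2024 08:29:00 +0000
Message-ID: <sample-2@example.net>
Subject: Your full details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please open the attached file.
--XYZ
Content-Type: text/html; charset="us-ascii"
Content-Disposition: attachment; filename="FullDetails.html"

<html><body>constructed sample attachment, not malware</body></html>
--XYZ--
"""


def find_messages_with_attachment(raw_messages, wanted_name):
    """Return one report dict per message that carries an attachment
    named `wanted_name`. The Received headers are listed top to bottom as
    they appear, so the last entry is the hop closest to the sender."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        for part in msg.walk():
            if part.is_multipart():
                continue  # only leaf parts can be attachments
            if part.get_filename() != wanted_name:
                continue
            payload = part.get_payload(decode=True) or b""
            hits.append({
                "from": str(msg.get("From", "")),
                "reply_to": str(msg.get("Reply-To", "")),
                "date": str(msg.get("Date", "")),
                "message_id": str(msg.get("Message-ID", "")),
                "received": [str(h) for h in msg.get_all("Received", [])],
                "content_type": part.get_content_type(),
                "size": len(payload),
                # Digest lets the finding be matched against a quarantine entry.
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
            break  # one report per message is enough
    return hits


def iter_mbox(path):
    """Yield each message of an .mbox file as RFC 822 text (hypothetical
    path supplied by the caller)."""
    for message in mailbox.mbox(path):
        yield message.as_string()


if __name__ == "__main__":
    for hit in find_messages_with_attachment([SAMPLE_CLEAN, SAMPLE_SUSPECT],
                                             "FullDetails.html"):
        print(f"From: {hit['from']}  Reply-To: {hit['reply_to']}")
        print(f"Message-ID: {hit['message_id']}  Date: {hit['date']}")
        for received in hit["received"]:
            print(f"  Received: {received}")
        print(f"  attachment {hit['content_type']} {hit['size']} bytes "
              f"sha256={hit['sha256']}")
```

For a real mailbox, pass `iter_mbox("/path/to/export.mbox")` instead of the sample list. If the client has already dropped the attachment, the part will be missing and the message will not be found, which is exactly the situation the answer describes; in that case the quarantine entry's timestamp, compared with message dates, is what is left to go on.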