Closed Bug 116443 Opened 23 years ago Closed 19 years ago

Deleted inbox after receiving virus infected mail (McAfee, Norton, AntiVir)

Categories

(MailNews Core :: Backend, defect)

Product:
MailNews Core
Component:
Backend
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: rocky-beach, Assigned: Bienvenu)

References

(Depends on 1 open bug,
URL
)

Details

(Keywords: dataloss, Whiteboard: [asaP1])

Attachments

(2 files)

add (currently) hidden pref "mailnews.downloadToTempFile" which makes pop3 download each message to a file before appending to inbox
24.81 KB, patch
mscott
: superreview+
Details | Diff | Splinter Review
fix multiple message case
1.06 KB, patch
mscott
: superreview+
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.7+)
Gecko/20011220
BuildID:    2001122003

Today for the third time my inbox was emptied by receiving a mail which was
infected by the W32/Badtrans@MM virus.

Reproducible: Always
Steps to Reproduce:
1. Some mails are in the inbox.
2. I receive an infected mail. My NAV software pops up and warns me.
3. 

Actual Results:  The messages in the inbox are still displayed but the Inbox
file has file size 0 (some information of the inbox mails are still stored in
Inbox.msf) so I think they are displayed in the inbox, but it is impossible to
delete these messages. I had this problem (first time) also with the build from
17th of Dezember.

Expected Results:  Mails in the inbox should not be deleted.
Navin, don't you have a dup of this?
Assignee: bienvenu → naving
Status: UNCONFIRMED → NEW
Component: Mail Database → Mail Back End
Ever confirmed: true
I'm pretty sure this is a dup also.  There's another bug out there with the
suggestion that we store our attachments outside of the mail file so that in the
worst case scenario just that attachment would be deleted.
Status: NEW → ASSIGNED
Now I have more information. NAV software moves  - after receiving infected
mails - the now infected Inbox file to quarantine.
I think mozilla should prevent this while running.
Just had this hit a user I had converted over to Mozilla for his E-mail.  Was
running InoculateIT for anti-virus protection.  There were reports of BadTrans
in the AV log files, but unfortunately no dates attached.  The entire inbox got
wiped out.  No real indication of what all happened.

From what the user told me, he had just click on Get Messages while in the
process of dragging older messages to folders outside his inbox to be filed. 
Prior to even seeing what had been sent, the inbox went blank.  I went and
checked his profile folder, and sure enough the inbox.sbd file showed a file
size of zero. Don't know what to tell him at this point.

Personally, I would concur with putterman's opinion that attachments be stripped
off an E-Mail prior to being stored in the inbox.  Prior to my seeing this bug I
would have thought of that as a usability issue.  Now it seems that this
suggestion should be thought of as a security or stability issue.

I've moved the severity of this bug to blocker and added "dataloss" to the
keywords.  I did so as I can't imagine how much worse a bug can get than
actually losing so much critical stored data so quickly.  I would further
recommend that a target milestone be established for this due to the extreme
severity.
Severity: major → blocker
Keywords: dataloss
Same user, got hit again wiping out everything in his inbox.  This may be 
taken as a flame, but I'm moving this user off of Mozilla mail to something 
more stable.  This user has lost significant data twice over now.  The second 
time was doing nothing more than changing which folder was in view.

I wish I had more info to provide, but that's pretty much all I could dig out. 
By the time I got to the box the data was lost beyond recovery.  Based on what 
this user described this was not a virus issue, but a database corruption 
issue.  No reliable way to reproduce that I can see.  It just decides to blow 
up every week or so with unread mail permanently destroyed.

Now I need to figure out how to get the mail out of Mozilla and onto something 
like Eudora or Pegasus.  I just can't allow this user to trust his E-Mail to 
Moz any longer.


I don't think that it's a good idea to store attachments separate from the rest
of the mails. This would violate the mbox file format and would make restoring
the original mail (for export, proof, external processing, whatever) harder or
impossible.

If it's really the anti-virus software deleting the folders, I'd said that it's
a severe bug in *that* AV software, not Mozilla. How could Mozilla possibly
prevent that?
Eudora has been storing attachment files seperate from the messages for at 
least the last 2 major versions now.  The folder for these files is placed by 
default in a folder along with the message body files.  For backing up, you'd 
back up the entirety of the /Mail folder, just like you would with Moz or NS 
4.7x.  All the attachments go with.

If an attachment no longer exists in that folder, Eudora notes the fact the 
file is no longer there, and retains the message body.  Without exception, 
everyone I have ever personally discussed this with would LOVE to be able to 
remove an attachment from an E-Mail while retaining the original body text.  
That of course would be a usability issue, where as this is an integrity bug.

As to how Mozilla should have prevented this from happening, much as I have 
already stated.  By removing the attachment before entering the mail into the 
InBox no virus protection software would feel compelled to muck about with 
mail folders.  The AV software is left scanning only the attachments, thus no 
conflict is possible.

The alternative is to have every AV vendor be fully aware of every mail client 
vendor's method of storing mail.  Conversely, Mozilla would need to be aware 
of every AV vendor's methods as well.  This would simply lead to finger 
pointing on both sides as to who was at fault.  All the while, users are 
suffering data loss.

All I would seriously ask of any developer reading this bug is to give a hard 
look at how Eudora handles attachments.  It's quite a popular feature amongst 
it's users, and insures a safe seperation between the message body and what 
needs to be scanned by AV products.


This is an antivirus issue. The anti virus should not be allowed to touch the
mozmail inbox. Since InnoculateIT has no email protection (only file
protection), that folder should be exclude when scanning (I know that this means
no email scanning, but that is what you get for using an anti virus scanner that
does not scan emails).

OTOH, mork should be smarter about data corruption, though I doubt this can
happen between now and 1.0 (if ever).
> everyone I have ever personally discussed this with would LOVE to be able to 
> remove an attachment from an E-Mail while retaining the original body text.  

That's another bug (already filed) and different from separating *all*
attachments from the bodies.

> The alternative is to have every AV vendor be fully aware of every mail client 
> vendor's method of storing mail.

mbox is a very common storage method. They *have* to know that, if they mess
with emails at l.

Mozilla's (and 4.x's) usage of mbox was very helpful in the past. Removing mbox
just because some AV software is braindead and can't behave is not a good move IMO.
Replying to Micheal Collette's post <a32f9g$9j73@ripley.netscape.com> in
n.p.m.mail-news:

> Eudora strips an attachment from an E-Mail, [...] The anti-virus 
> software never gets involved with the actual mail folders as they contain 
> nothing but plain text.

This is not necessarily true. In fact, to do anything at all with Mozilla's
attachments, the AV software has to MIME decode them, which would be special
email knowledge. If they can MIME-decode, they really should know mbox, too. But
 you said that the website of InnoculateIT's AV software (one of the problematic
ones, as it seems) says that it doesn't scan email.

IIRC, some AV software scans for some typical "signatures" of virii, and that
signature might be in the subject or body of the mail or the filename of the
attachment. The circumstances suggest that this might be what happened here. In
this case, a separation between bodies and attachments wouldn't help at all - in
the worst case, all your mails (without attachments) are gone while the
attachments (incl. the infected one) are still there.
_basic, this bug has nothing to with mork. Did you mean mbox?
heh! yeah typo, (should learn to not try to look at too many discussions at the
same time ;-)
From what I've seen of InnoculateIT in action, I don't believe it takes any
actions until the file is trying to be saved.  Reason I say that is it turned
out this user had a bunch of mail with viruses attached.  As I converted him
over to Eudora and these files were stripped that's when the AV caught the bulk
of these, and removed them.  The inbox was not touched.

The reason BadTrans caused problems with Norton is that the mail included HTML
that attempted to automatically run the attachment.  This is going to trigger
any AV app into some kind of action.  Only Mozilla Mail, so far as I know,
attempts to launch this virus.

Mind you, I have zero evidence to suggest that the second wipe out had anything
to do with AV software or even an attachment.  There was no warning from the AV
software, no was there even a message being viewed at that moment.  The user was
in the process of switching folders.

The main thing I'm trying to get across here is that due to Eudora's handling of
attachments, at least 20 (most likely many more, lost count) infected E-Mails
were cleaned up with zero data loss in the actual E-mail. Where as in Mozilla
mail the inbox was wiped out twice over, each time taking one other folder
(seemingly at random) and wiping it out as well.  How could I possibly sit here
and recommend that he continue to use Mozilla?  Telling him that Moz is
compliant with the mbox format isn't exactly a selling point when a user hadn't
had any AV problems under NS 4.7x or now under Eudora.

One last thing to consider here is that most users aren't going to be able to
figure out what the heck happened.  This bug has tracked two major AV vendors
that very possibly caused the dataloss in question.  The only thing an end user
is going to honestly know is that Mozilla lost their E-mail.  Even if the mail
box is just renamed and moved, how many folks actually know where to look for it?

Just pointing to Norton and/or InnoculateIT and saying they're wrong isn't going
to do any good for Mozilla or it's users.  If McAfee gets to doing the same
thing should I just tell my users that they shouldn't run AV software at all? 
It seems most likely that most users will react by switching to a mail client
that is capable of living with the AV product they have installed rather than
the other way around.

> when a user hadn't had any AV problems under NS 4.7x or now under Eudora.

From what I understood about his bug, 4.x would be affected just as Mozilla,
because they work very similar (both use mbox).

> The only thing an end user
> is going to honestly know is that Mozilla lost their E-mail.

That's what the user *thinks*, yes. We all know that.
If a virus does an |rm -rf ~/.*|, did "Mozilla lose all your email"?

Did anyone contact the AV software vendors (not via the usual support channels)
to make them aware of the problem? They are creating themselves one of the
problems they claim to protect they users from...
Does anyone have any other suggestions?
> They are creating themselves one of the problems they claim to protect they
> users from...

At least, that's what it looks like. Would be a good chance to test the assertion.


In my case I haven't contacted the AV vendor as this particular product no
longer exists.  It was purchased from Computer Associates by e-Secure.  Although
I have run Norton in the past, I haven't got this installed on any machines to
do testing with.  I also don't have a copy of the suspected virus that may have
triggered the AV software.  Worse yet, I don't actually know that the AV
software was at fault here.  The only thing we do know is that something is
causing critical data loss, and we suspect 2 major AV apps might have something
to do with it.

One thing that is different from Netscape's mail is how it handled HTML in the
message body that attempted to save to the users hard drive some attachment.  NS
simply wouldn't do this.  Mozilla does.

The office I admin is very nearly all NS 4.7x E-Mail users running InnoculateIT.
 I have not seen any reports or complaints from users that would suggest that
similar things are happening with this combination.  Been about 6-7 months of
using that as our AV software.  The user I'm referring to in this report is a
friend of mine that had been using this same combination for at least as long,
without corruption of his mail box.

> That's what the user *thinks*, yes. We all know that.
> If a virus does an |rm -rf ~/.*|, did "Mozilla lose all your email"?

Good point, except the virus never launched.  Had the virus actually launched
this wouldn't be a Mozilla bug report.

I feel I should mention that I have been a long time advocate of providing the
ability for a user to delete an attachment from an E-Mail.  I get asked how to
do this by too many people to not believe this is a highly wished for feature. 
Prior to a few days ago I would not have been an advocate of stripping
attachments on the fly as Eudora does.  Seeing this bug in action has definitely
changed my mind about that.  Just thought I should add where I'm coming from on
this.

> One thing that is different from Netscape's mail is how it handled HTML in the
> message body that attempted to save to the users hard drive some attachment.  NS
> simply wouldn't do this.  Mozilla does.

Can you please investigate this and file a bug report (if needed with security
flag on)?
Bug 109249 is already handling this aspect of it.  Not sure if one of these 
should be considered a dependancy on the other.  They seem to be related.  At 
present, 109249 is listed as a MIME bug.

Sorry to interrupt your discussion.

NS 4.78 and receiving a BadTrans virus the inbox get wiped out too.
Definitely not an interruption Titus.  In fact, very much to the point.  Which 
AV app was involved?

It was Norton AV Corporate Edition 7.50.846
Is there no backup copy of the inbox file that could be maintained until Mozilla
could be sure that the updated inbox file was written succesfully?
Adding relnote,
decreasing severity from blocker to critical.
Severity: blocker → critical
Keywords: relnote
*** Bug 136623 has been marked as a duplicate of this bug. ***
What about enhancement request 103487?  I can't help but think that Moz might be
able to work WITH the AV software proactively to prevent data loss.  If an item
were forcefully scanned before even being entered in the inbox, any deletions or
quarantines should be isolated to that particular item.  Any thoughts about this?
Just as additional info, a coworker's inbox was wiped today by McAfee's
VirusScan 6.02 in response to an email labeled "Re: Your Password"
(W32.Frethem.D@mm). The antivirus prompted for user choice (delete, quarantine,
and others). The user selected "delete", and the messages remained in the
listing, but where not available. When new messages arrived, the message list
goes nuts (wrong message, etc)

I ran into this with Norton AV. FYI, for anyone who has this problem, you can 
go into the Norton tools, look in the quarantine and select the Inbox file and 
restore it to recover the data. It appears to strip the 'virus' email in the 
process. It's not an ideal solution, but if you're running Norton it's a way to 
recover lost data.
mass re-assign.
Assignee: naving → sspitzer
Status: ASSIGNED → NEW
Commnet #26: Actually, Mozilla and the AV software both worked correctly. The 
user choosed "delete", the AV did delete the file in which the virus was 
hiding - the Mozilla Inbox. This is correct behaviour IMHO. The user should 
know what he is doing when commanding an AV software.
But there may be some workarounds:
1. The AV probably said which file it is going to delete and the user should 
have spotted that.
2. Mozilla can lock its mail files. Currently it locks its files in the way, 
that they can be read, but not opened for write. And not even copied. Maybe a 
more prohibiting locking should be implemented. If it could deny reading, the 
AV wouldn't spot the virus and there would be no problem. The virus will be 
detected when it is opened and saved. No problem, as I see it.
Sorry, I was a bit wrong at point 2. Mozilla locks only the .msf files of 
folder that were opened. These can't be copied. The mbox files (like Inbox) are 
freely accessible. That's probably why the AV succeeded in deleting the file.
I would argue that this bug should probably be a WONTFIX.

Here's the argument,

The user, in most cases, is in control of the virus scanning software and can
control whether a file is left alone, moved, or deleted during the "realtime"
scanning of the file system.  As such, it is the user's responsibility to decide
what the policy should be.  AV vendors will not be able to constantly write new
code to handle each new mail storage format.  Thus most have gone to a "proxy
server" technique where a local server is inserted in the mail retrieval loop. 
This avoids the problem with mail storage formats because the mail is scanned
prior to storage.  

For local file scanning, the solution is to simply not delete the mailbox.  Here
is an excerpt from Symantec's knowledge base on the subject: (sorry for the long
URL)
http://service1.symantec.com/SUPPORT/ent-security.nsf/9d94c8571a91ba4788256bf3007f62b5/712247a53df336e088256a22002724ad?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=sav_8_ce

-----------
Netscape or Outlook Express Inbox is quarantined when infected email is detected

Situation:
Symantec AntiVirus Corporate Edition (Symantec AV) or Norton AntiVirus Corporate
Edition (NAVCE) has detected an infected email, and the options are set to have
infected files quarantined. You now find that your Netscape or Outlook Express
5.0 Inbox has been quarantined.

Solution:
Netscape and Outlook Express store email in a single file. Symantec AV or NAVCE
scans the file, and quarantines the file if a virus is detected. Because all
email is stored in a single inbox file, the entire inbox is quarantined in some
circumstances. To avoid quarantining the entire inbox file, we suggest excluding
the inbox file from being scanned.

How to avoid having the entire Inbox placed in Quarantine
Excluding the inbox file from being scanned prevents the inbox file from being
quarantined while still allowing a virus to be detected. When a virus is found
in an opened email message, rather than during a scan or when downloading, the
opened message can be safely quarantined--or deleted--without causing problems
with the Inbox itself.

-----------

As the virus scanning vendor suggests that the user configure the scanner to
leave the file alone, it would seem that it rests upon the user to take the
action, rather than Mozilla.

If not marked WONTFIX, I suggest that "dataloss" keyword be removed and severity
be reduced to normal (I could do this, but I'll leave it to someone with more clout)

A addition to the release notes should be made indicating to the users that the
mail folders should not be scanned by file system scanners.  Scanning of mail by
"proxy servers" is still a viable option for scanning mail. 

Kevin
*** Bug 186930 has been marked as a duplicate of this bug. ***
*** Bug 216948 has been marked as a duplicate of this bug. ***
I strongly recommend looking seriously at this bug.
Here's what happened to me:

Symantec AntiVirus Corporate detected with its heuristic virus auto-detection 
(bloodhound) a virus in one of the attached emails (showing inline as my 
preferences) of a bugtraq email I got.  The attached email had some malicious 
html code in it and it triggered bloodhound.  Wiped out my mail folder.  

Since we are running a big network of computers, we don't let the user chose 
what to do with the infection.  It's desinfect or quarantine.  So this is kind 
of odd since folder deletion is not preventable.  Notice that I've never opened 
an attachment or did anything that could lead to virus infection.  I only had 
enabled inline attachment viewing and am using bloodhound with SAV (enabled by 
default).

IMO, the problem wouldn't be that bad if it was triggered only when clicking on 
an attached virus (because it will actually prevent infection! the opposite of 
if they remove this folder from realtime protection like suggested above!) but 
as my case showed it was triggered automatically in an entreprise scenario (no 
control over AV at all) where we don't trust OE but do trust Thunderbird.

I imagine that this will be complicated to fix.  Goodluck!  Great product!
Please report this to Symantec, because it's clearly *their* program which
deleted your mailbox. The more customers complain about dataloss there, the more
likely they are to fix it.
The thing I don't understand is that if it's *their* program's fault how come 
outlook express handles everything perfectly?  I will report it to Symantec but 
I feel they'll tell me it's Thunderbird's fault.
Outlook Express stores all of your mail in one giant database instead of
individual mailbox files. Symantec probably has a special case for dealing with
the OE file, but not for individual mailbox files like INBOX. Usually this is
done with file extensions (INBOX has no file extension). I forget what the OE db
is called but it has a special file extension.
bienvenu, do you think it would have sense to give mboxes a file extension, at
least on Windows?
No, that would be a nightmare. Virus checkers can be configured to deal with
files w/ no extensions.
If this is a problem that should preferably be solved by symantec, shouldn't we 
call in some people from Evangalism to add some pressure to our case?
doesn't symantec already have the option to deal with files with no extension? I
don't have a copy myself...
(In reply to comment #6)
> If it's really the anti-virus software deleting the folders, I'd said that it's
> a severe bug in *that* AV software, not Mozilla. How could Mozilla possibly
> prevent that?

While I agree that it's the anti-virus software that absolutely sucks
for moving files out from under running problems, Mozilla should be more 
robust (at least since the anti-virus behavior is now a known problem and
the severity of the data loss is so great).

Also see bug 235588 (Inbox zeroed out when filter target folder file 
quarantined).
NAV has something called "exclude at risk files", according to the manual this
option will be available if the could not be deleted. Maybe it could be locked
or something so that NAV cannot delete it?
If someone here could email me (bart at mozilla dot org) the name of ANY contact
person at Symantec so we could discuss an arrangement for getting this problem
solved, I'd be happy to try & help connect the dots.  I just tried making a
blind call over there and ran into a nightmarish experience ("pls call technical
support") that got me nowhere (I think)...
*** Bug 233966 has been marked as a duplicate of this bug. ***
Hi.

I just installed Mozilla mail in order to prevent Netsky virus to cause havoc in
my computer with Internet Explorer (which for unknown reasons I cannot update).

I had the exact same problem : all my emails were "erased" after Panda cleaned
the messages infected with various sorts of viruses. In fact, I could read my
mails in plain text after opening my inbox file with the Mozilla composer.

I tried to find a solution after looking for bugs solutions (and discover that
this bug hasn't been resolved) and found that if you uncheck the "Display
Attachments Inline" in the "View" menu of the Mozilla Mail windows, then, even
if Panda detects viruses and cleans them, then you keep all your messages
without problem.

I hope this aids.

If this can be useful, I run Windows ME OS, and not Windows 2000.
(In reply to comment #47)
> Hi.
> I just installed Mozilla mail in order to prevent Netsky virus to cause havoc 
in
> my computer with Internet Explorer (which for unknown reasons I cannot 
update).
> I had the exact same problem : all my emails were "erased" after Panda cleaned
> the messages infected with various sorts of viruses. In fact, I could read my
> mails in plain text after opening my inbox file with the Mozilla composer.
> I tried to find a solution after looking for bugs solutions (and discover that
> this bug hasn't been resolved) and found that if you uncheck the "Display
> Attachments Inline" in the "View" menu of the Mozilla Mail windows, then, even
> if Panda detects viruses and cleans them, then you keep all your messages
> without problem.
> I hope this aids.
> If this can be useful, I run Windows ME OS, and not Windows 2000.


Hello,

I have today the same problem, with Netsky virus : when arrives, deletes Inbox.
For similar raisons, I have recently move from Opera 7 to Mozilla 1.6 
(Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113).

Note that (with the same mail), this problem doesn't happend with MS Outlook 
Express 6.

When this problem will be solved ?

Thanks.


(In reply to comment #48)
> (...)
> Note that (with the same mail), this problem doesn't happend with MS Outlook 
> Express 6.
> (...)

Does anyone know what are the reasons for this difference? Are viruses detected
without deleting mail in other mail clients, or is there any different behavior?
Possibly it would be interesting to know the general mechanisms for this.

Perhaps the problem is that some antivirus software is currently developed with
MS mail clients in mind, mainly. (?) In this case, it seems that it would be
important to talk to them for collaboration with Mozilla to fix this bug.
Mailbox files of Microsoft clients have a unique extention and those are added
to the exclusion list of most mailclients. Mozillamail (and thunderbird) use
mbox format mailboxes without an extention. adding the mbx or mbox extention
would make it much easier to exclude the files for the AV companies.

This seems a case where the Maldir format would show its strengths over mbox. In
fact, in this particular case it would even display the expected behaviour: the
infected message would be deleted leaving the rest unchanged. Anyway, I think
changing the mail database format is out of the question. An alternate solution
would be saving the incoming message to a temp file (each message to its file)
on arrival, and only after that, if it was still there, it would be added to the
inbox. This way the AV software would be able to catch *only* the infected
messages. This way it wouldn't be necessary to contact *all* the AV software houses.

OTOH, the mbox is a pretty well known format, so it would be expected that AV
software producers would know that it's this kind of file they're dealing with
(without the need to check the file extension) and delete only the infected
message, levaing the rest in place...


(In reply to comment #51)
> This seems a case where the Maldir format would show its strengths over mbox. In
> fact, in this particular case it would even display the expected behaviour: the
> infected message would be deleted leaving the rest unchanged. Anyway, I think
> changing the mail database format is out of the question. An alternate solution
> would be saving the incoming message to a temp file (each message to its file)
> on arrival, and only after that, if it was still there, it would be added to the
> inbox.

This only works for incoming messages with known virusses. The inbox would still
be deleted if a new virus snuck into your inbox and is detected on a schedulled
scan two days later.

> This way the AV software would be able to catch *only* the infected
> messages. This way it wouldn't be necessary to contact *all* the AV software
houses.

That's true.

Just changing teh extension and announcing this in public with a huge font and a
note to software houses in press releases all over the world should get their
attention don't you think? (probably not). But changing the extension would
probably be the best way to get around this.

I vote for renaming inbox -> inbox.mbx or inbox.mbox. same for all subfolders.
*** Bug 243162 has been marked as a duplicate of this bug. ***
*** Bug 245414 has been marked as a duplicate of this bug. ***
I am having the same problem, and as far as I can tell it is a bug in Symantec
AntiVirus Corporate Edition. My office just upgraded from version 8.1 to 9.0 and
it performed a full system scan (all files). A bunch of my mailboxes were
immediately quarantined.

To recover my mail, I restored mailbox files from the quarantine and parsed the
messages into smaller sub-mailboxes. Then I scanned each sub-mailbox file to
find the infected section. Many iterations later I found and deleted the
infected message and then put the "healthy" messages back where they belong.
Some of the infected mailboxes were large so this was a very long process (not
done yet). Since I manually scanned each mailbox/sub-mailbox file outside of
Mozilla, I don't see how this can be a Mozilla problem. As far as I know,
mailbox files are just palin text files as far as the anti-virus program is
concerned. Having said that, it appears that the anti-virus program does
recognize Outlook pst mailbox files as it extracts and quarantines the infected
message from the pst file and leaves the rest of the mailbox alone. I consider
this a Symantec bug, and I think they should be notified.

Unfortunately, the tedious process described above doesn't always work. I am
still in the process of trying to fix my Inbox (fortunately I don't leave
anything important there). When I parsed the messages into sub-mailboxes and
scan each one they were all fine. When I put all the messages back in a single
mailbox, Symantec found a virus and quanrantined the whole thing again. I'm
already losing my hair, and by the time I'm done with this, I may not have any
left. Of course our sysadmin says I should just switch to Outlook.

The ability to strip attachments from email messages would certainly be helpful
here. On top of that, I often get mail with attachments I don't need to keep or
that need to be saved elsewhere, e.g. in a file management system. These
attachments end up just bloating my mailboxes. It is important to keep the email
messages themselves as they provide a record of when the mail was received and
who sent it. For sent mail, it is often important to know to whom I sent a file
and when, but I don't need to leave the file attached.

So to whoever out there is counting votes for an option to strip attachments off
email messages, please add mine.

Sorry for the length of this posting, but I thought the detail might be helpful.
(In reply to comment #55)
> (...)
> 
> The ability to strip attachments from email messages would certainly be helpful
> here. (...)
> 
> So to whoever out there is counting votes for an option to strip attachments off
> email messages, please add mine.

If you wish, you may add yours to the current 355 votes of Bug 2920 ["Delete
attachment from mail message in folder (remove/strip attached files from email
messages)"].

Some programmers are trying to fix it, a not easy task within the complex
Mozilla code.
Many have posted that this is a user problem, and that simply excluding the
Mozilla inbox folder(s) from the scan fixes this problem. Many of us are on
corporate networks where we don't have the luxury of being able to pick and
choose exclude folder for virus scanning. In particular Norton's corporate
edition tends to lock users out of any such configuration options. As has been
stated many times, this is a problem that could be easily resolved by storing
attachements as separate files. While I'll admit I don't know how much work will
be involved in doing such a thing, it seems like a better solution than simply
blaming the problem on the user. One of the advantages of Open Source is that in
general- developers don't turn a blind eye on user problems. I love
Thunderbird/Mozilla, but I have to seriously look at going back to a M$ product
now that I have lost all of my inboxes for the fourth time in the last month.
(In reply to comment #57)
> (...) As has been
> stated many times, this is a problem that could be easily resolved by storing
> attachements as separate files. (...)

In this case (something like the Eudora automatic functionality as a possible
Mozilla option), it's bug 9309 -"option to have attachments auto saved to chosen
location"- rather than bug 2920. Naturally it would be great to have these two
enhancements soon.
> this is a problem that could be easily resolved by storing
> attachements as separate files.

This is *everything* but easy. Not only would it be a lot of work, it would also
be very dangerous in case of bugs  in the new code.

> better solution than simply blaming the problem on the user.

I'm blaming the anti-virus product, not the user. mbox is a very old, standard
and widely-used format, they wipe it, they have no excuse. Please call them, the
more people the better.
Look at Symantec knowledge base Document ID:2000051809560948 
which describes their solution...
(In reply to comment #60)
> Look at Symantec knowledge base Document ID:2000051809560948 
> which describes their solution...

That's:

Symantec Knowledge Base
Netscape or Outlook Express Inbox is quarantined when infected email is detected
http://service1.symantec.com/SUPPORT/ent-security.nsf/6fffc7260966992188256bf300818635/712247a53df336e088256a22002724ad
Blocks: 247126
Adding dependency on 9309 which would effectively contrinbute to solve this.

Confirming this bug. It also deletes/moves the Junk mail and Trash folders and
whatever folders have emails with viruses in them. These folders should not be
easily modified/moved/deleted by other applications.

Platform: PC
OS: Windows 2000 Pro
Product: Thunderbird
Version: 0.7.2 (20040707)
Component should be changed to Mail Window Front End

This has also been reported on the MozillaZine forums:
http://forums.mozillazine.org/viewtopic.php?t=101013
http://forums.mozillazine.org/viewtopic.php?t=75470
http://forums.mozillazine.org/viewtopic.php?t=79453

Workaround:
http://kb.mozillazine.org/index.phtml?title=Thunderbird_:_FAQs_:_Anti-virus_Software
Depends on: 9309
*** Bug 254453 has been marked as a duplicate of this bug. ***
No longer blocks: 247126
*** Bug 247126 has been marked as a duplicate of this bug. ***
As mentioned once, the whole issue should be resolved by moving to the maildir
format. Although, there is a clear disadvantage of switching to a different
default mail storage format, there are several other advantages to the format,
not the least of which is that new user wouldn't have to know ahead of time of
this risk in order to avoid having their inbox deleted. I believe there's
another bug about supporting the maildir format.
(In reply to comment #63)
> *** Bug 254453 has been marked as a duplicate of this bug. ***

Sorry for filing this bug again, I checked for other bugs but didn't see bug
116443. I read a little of the previous discussion on this bug. I think it is
fine and prudent that a virus checker removes or quarantines an infected file -
email or others - that's the whole point of a virus checker, after all. In this
context, excluding files from the virus checker (comment #60/61) is precisely
what I don't want to do because incoming mail is the number one potential virus
source on my machine.

After thinking I had a great idea involving a temp file before saving into the
inbox, I read comments # 25, 51 and 52 and discovered that others had the same
idea years before me. Now, my  question is: why is not every single e-mail given
some counter number or time stamp as a name and saved individually in text or
mbox format in an inbox FOLDER? I realize that this increases storage space, but
since we're talking GB meanwhile, it would be well worth it for me.
*** Bug 238499 has been marked as a duplicate of this bug. ***
Blocks: 233833
Blocks: 235588
*** Bug 200287 has been marked as a duplicate of this bug. ***
Blocks: 256034
I wanted to note that this is something that Mozilla needs to handle.  The
latest versions of the two biggest (I believe) corporate virus scanning clients,
McAfee and Norton, seem to have problems with this, and these problems do not
occur when used in conjunction with Outlook or Eudora.  Also, in the corporate
environment, anti-virus program settings may be locked down, so the
MailNews/Thunderbird mailbox files cannot be exempted and individuals in these
situations flat out CANNOT use MailNews/Thunderbird as their e-mail client.  As
long as incoming files were written to an individual file first, then appended
to the mailbox after the scanner has a chance to react, many (not all) of these
problems would go away.  Maildir would be the ultimate fix, but in the mean
time, something MUST be done if corporate deployment is a goal.
Blocks: eudora
Summary: Deleted inbox after receiving virus infected mail → Deleted inbox after receiving virus infected mail (McAfee, Norton)
Blocks: 229235
No longer blocks: 256034
I'll mark a number of bugs as dups (currently deps), which are about different
situations (filtering, compacting folders, Eudora import), but essentially the
same cause.
No longer blocks: 229235, 233833, 235588
*** Bug 229235 has been marked as a duplicate of this bug. ***
*** Bug 235588 has been marked as a duplicate of this bug. ***
*** Bug 233833 has been marked as a duplicate of this bug. ***
(In reply to comment #70)
> I'll mark a number of bugs as dups (currently deps), which are about different
> situations (filtering, compacting folders, Eudora import), but essentially the
> same cause.

OK, but does that imply that whoever fixes this needs to test that the fix
actually works in all of these situations? It may turn out that the cause is not
quite as identical as you assume.
Flags: blocking-aviary1.0?
*** Bug 245538 has been marked as a duplicate of this bug. ***
*** Bug 260384 has been marked as a duplicate of this bug. ***
*** Bug 260855 has been marked as a duplicate of this bug. ***
Flags: blocking-aviary1.0? → blocking-aviary1.0-
Anyone interested in having this solved should also check 9309 and vote for it /
contribute to it.
(In reply to comment #78)
> Anyone interested in having this solved should also check 9309 and vote for it /
> contribute to it.

That should be restricted to those who think that the best way to solve this
problem is a complete redesign of Mozilla's data formats, although the experts
seem to say that that is not the best way. To put it another way, I don't agree
that there is real a dependency on bug 9309.

An alternative and probably much simpler way of solving this problem would be to
save and reopen each incoming message (or each one with an attachment) as a
separate temporary file before adding it to the inbox. This would trigger a
virus scan of the temporary file. This is the same kind of strategy as the good
one used with downloaded executable files, that they are always saved and
reopened before being executed, and so any virus scanner has the chance to scan
them. But I'm not sure if the performance hit would be acceptable.

Is anyone seeing this problem with latest versions of anti-virus software? I
haven't seen it since I have been using Norton AV 2003 and now 2004, with e-mail
protection. Maybe that is because they catch the virus before it makes it to the
inbox. (Or maybe it is because my ISP is catching the viruses before they get to
me.) None of the recent duplicates mention exactly what anti-virus software is
in use or whether e-mail protection is enabled.

Saving the file to a temp location and then adding won't help if you're behind
with signiature files (happens to the best, just 10 minutes behind can be 10
minutes too many); the virus creeps into the inbox file; signiatures are
downloaded; inbox get's deleted.

I think you're no longer seeing this with NAV 200[345] because most virusses are
stopped during teh POP3 transfer, but the above situation applies to this aswell.
How is this solved in ms outlook?
It saves all it emails in one file, too, doesn't it?
Or is this file just encrypted, so the anti-virus programms can't scan it?
(In reply to comment #80)
> Saving the file to a temp location and then adding won't help if you're behind
> with signiature files (happens to the best, just 10 minutes behind can be 10
> minutes too many); the virus creeps into the inbox file; signiatures are
> downloaded; inbox get's deleted.

NAV 2004 at least supports automatic update of signature files, if enabled as
recommended. Of course they still come out after the viruses first appear. But
in this scenario the anti-virus program should not delete an infected file, but
should clean it or quarantine it (and quarantined files can be retrieved).

The basic problem here as I observed it is that Mozilla overwrites the inbox
before the AV program gets the chance to quarantine it. I think what is
happening is that Mozilla can't read a file, because the AV program is locking
it, and so instead Mozilla overwrites it, which is not blocked by the AV program
- all before the user has had the chance to respond to the "what do you want to
do about this virus" dialog. The fallacy here is Mozilla's assumption that
because it cannot read a file that file may be safely overwritten; there are
many reasons other than virus problems why this is a bad assumption e.g.
multi-user locks, network glitches. This is certainly happening when an inbox is
deleted while being compacted: Mozilla can't read the inbox because it is
infected, so deletes it - see my report of bug 233833 of which this is
considered a duplicate.

By the way, ;-) would the problem be solved if mailbox files were given the
extenstion .pst? That would automatically exclude them from at least some AV
scans. Or is this extension a Microsoft copyright? ;-)
In response to Christian Fersch's question.  My experience is with Outlook and 
McAfee, where McAfee hooks itself into Outlook and can scan the mail messages 
and delete them using Outlook's COM API.
*** Bug 264172 has been marked as a duplicate of this bug. ***
(In reply to comment #82)
>
> The basic problem here as I observed it is that Mozilla overwrites the inbox
> before the AV program gets the chance to quarantine it. I think what is
> happening is that Mozilla can't read a file, because the AV program is locking
> it, and so instead Mozilla overwrites it, which is not blocked by the AV program

I'm not sure if this is what really happens. When Norton AntiVirus 8.0 found the virus in my inbox, an
alert box popped up that stated:

  Action taken:  Clean failed : Quarantine succeeded : Access denied

  (see my dup 264172 for further infos)

I read into that, that NAV tried to clean my mbox file, but didn't succeed because of a lock. However, it 
succeeded with moving the file to the quarantine.

Furthermore, does anyone know, why I could use Thunderbird / NAV for over half a year now with
hundreds of viruses trickling in my Inbox before this bug occurred twice this week (with the same kind
of virus)? Does this affect only viruses found with bloodhound?

Anyway. It's a nasty situation for anyone that gets into it. Even if it might be the AV-Vendors fault, it
won't be easy to convince all of them to provide a fix, so a solution on the Mozilla side would really be 
appreciated.


This problem also exists with McAfee's VirusScan Enterprise 8.0i; I got my junk
mail folder deleted even though I have only set it to automatically clean files
and move into quarantaine them if the clean failed.
Would be alot better if McAfee's Email Scanner would also do
Thunderbird/Mozilla/Netscape 7 (which is all the same product).
Despite all the finger-pointing at anti-virus applications, this still appears
to be an E-mail client problem.  

I use Norton Anti-Virus 2003.  My E-mail client is Eudora Lite 3.0.6 (yes,
several years old).  I do NOT have this problem.  Why?  Because viruses are not
found in the E-mail messages themselves, only in the attachments to those
messages.  Eudora Lite merges messages into long files, one per folder; but it
saves the attachments separately, each attachment as an individual file.  Thus,
a virus results in the deletion, repair, or quarantine of the afflicted
attachment file, leaving the merged message file untouched.  

I know the process used by my Eudora Lite is somewhat old-fashioned.  But it
works.  The more modern process used by Mozilla and Thunderbird is broken with
respect to anti-virus protection.  

Some questions:  
*  How likely do you think it would be for all anti-virus application vendors to
change their products for compatibility with Mozilla products?  
*  Given the unending problem of computer viruses, which is more likely --
someone disabling their anti-virus application to use a Mozilla E-mail client or
someone enabling their anti-virus application and refusing to use a Mozilla
E-mail client?  

I must agree with comment #85 and suggest that this be fixed in the affected
Mozilla products.   There should be no room for an attitude that says: "We're
right and we don't care how adversely it impacts our users or the future growth
of our organization."  
*** Bug 264916 has been marked as a duplicate of this bug. ***
I Have had the same problem with Norton AV 2004. 

It detected copies of netsky downloaded into the mailbox file and so quite
sensibly blocked access to that file. To get mozilla mail working again I had to
log in as admin, turn off the AV, manually edit the mailbox file to remove the
content of said bad e-mails and then run mail and hope it all worked ok.

As soon as I had it working 2 more Netsky mails came in and I had to do it all
again :(

Possible solutions:

 - Don't download attachments until the user tries to open them (as a pref)
 - Don't store the e-mail attachments in the mailbox as mentioned earlier.
    Prehaps store a ref to the file that contains the attachment?
    (Much better solution although both combined would be nice)

This is getting to be quite an issue as I have had to go and fix quite a few
machines with this issue. It also appears to be getting mozilla mail a bad
reputation as "outlook never did this".

I have to agree with previous comments about the fact that this needs fixing. Is
there a good reason why the attachments are stored in the mailbox or just a
legacy thing?

(See Also: BUG 9309 and 2920)


(In reply to comment #89)
...> Possible solutions:
> 
>  - Don't download attachments until the user tries to open them (as a pref)

Please, no! This would be disastrous for those who download e-mail by sometimes
expensive dial-up and read it later off-line. Anyway, I don't suppose POP3
supports this.

But then I would suggest using an ISP which filters viruses - not 100% of
course. Or save and reopen the file as I suggested in comment 79 - again not
100% but not far short.

...
> This is getting to be quite an issue as I have had to go and fix quite a few
> machines with this issue. It also appears to be getting mozilla mail a bad
> reputation as "outlook never did this".
> 
> I have to agree with previous comments about the fact that this needs fixing.

Agreed. This is potentially a major, almsot show-stopping problem with
Mozilla/Thunderbird. It's not enough to say this is not Mozilla's problem,
anything which means that Mozilla appears not to work is a PR disaster for Mozilla.

(In reply to comment #90)
> (In reply to comment #89)
> ...> Possible solutions:
> > 
> >  - Don't download attachments until the user tries to open them (as a pref)
> 
> Please, no! This would be disastrous for those who download e-mail by sometimes
> expensive dial-up and read it later off-line. Anyway, I don't suppose POP3
> supports this.

Was a suggestion to provide a user pref so you could choose to do this, not
enforce it on all users.

On reflection I am fairly sure you are correct about POP3's lack of support for
this :(
Is it possible to download new messages into separate files in a tmp directory, 
then merge them into the mailbox?  This gives AV software an opportunity to 
detect problems and delete individual messages and attachments, but then 
Thunderbird can work with singular mail box files as designed.  This also gives 
Thunderbird a chance to insert a replacement message with a note about what 
happened where the offending message would have appeared.
yes, pop3 doesn't support not downloading attachments (imap does). But, you can
configure mozilla not to download pop3 messages over a certain size (not sure
how big the nevsky virus usually is).
(In reply to comment #93)
> yes, pop3 doesn't support not downloading attachments (imap does). But, you can
> configure mozilla not to download pop3 messages over a certain size (not sure
> how big the nevsky virus usually is).
Depending on which of the mails I got the sizes were 41.2K & 42.1K

So under the moz 50k limit

you can make the moz limit whatever you want - 50K is just the initial default
(In reply to comment #95)
> you can make the moz limit whatever you want - 50K is just the initial default

Fair point, however the people using mail that are showing the problems would
like to be able to accept word documents, pdfs and similar, which are usually as
large as the netsky option.

Certainly the suggested solution of using maildir or the suggestion from comment
92 would provide some resolution of this problem.

I don't think any normal user would see the whole mailbox going due to a vius
being recied but not run as good.

I agree that the AV vendours SHOULD understnad mbox, however the major ones
apppear not to, and as such no only is this issue causing data loss and user
problems, it's also generating some very bad PR for mozilla.

I'd just like to point out the I'm using McAfee 4.5.1, which is a fairly old
version (kept up to date of course), but it has *NEVER* tried to delete my
inbox, and I have had numerous virii sent to me. It only prompted after *I*
saved the attachment.

So McAfee used to do the right thing...
(In reply to comment #97)
> I'd just like to point out the I'm using McAfee 4.5.1, which is a fairly old
> version (kept up to date of course), but it has *NEVER* tried to delete my
> inbox, and I have had numerous virii sent to me. It only prompted after *I*
> saved the attachment.
> 
> So McAfee used to do the right thing...

Only if it's really the right thing to allow your inbox to remain infected. I
would expect anti-virus software to find a virus even when it is in encoded form
in my inbox - and to do something sensible when it finds it. Norton knows not to
delete an entire zip archive, or even quarantine it, when it finds a virus in
one, so it and McAfee could use a similar strategy for viruses in mailboxes.

> Only if it's really the right thing to allow your inbox 
> to remain infected. 

Note that your mailbox is _not_ infected.   Is anything 
executing the virus code when the virus data is sitting 
in your mail file?  No.  (The virus can't get executed 
unless the virus is decoded (from e.g., MIME) into some 
executable form (e.g., saving as an executable file).)


> I would expect anti-virus software to find a virus even when 
> it is in encoded form in my inbox - 

Okay, _detecting_ the virus data is reasonable.


> and to do something sensible when it finds it. 

Like what?  If you find a virus attachment in an e-mail file
while some application (Mozilla) is using the file, what's a 
sensible thing to do?  Unless you know something specific 
about the application, what can you do?

Moving the file out from under the application (e.g., 
quarantining it by renaming it or otherwise making it appear
to be deleted) is NOT a reasonable thing to do.  


> Norton knows not to delete an entire zip archive, or even 
> quarantine it, when it finds a virus in one, so it and 
> McAfee could use a similar strategy for viruses in mailboxes.

That's what Norton doesn't do, but what does it do?  (What
is its strategy for viruses (virus data) in mailboxes?
(What can it be other than to leave the mailbox files alone
and catch the viruses at a subsequent stage?))


Of course, even though Mozilla can't be responsible for 
working perfectly if someone comes along and hides its files
while it's running, Mozilla should be more robust given
the severity of deleting the entire mailbox file's contents.

Mozilla's file-compaction logic should probably be a little
paranoid, checking things every step along the way (checking
that all reads and writes worked, verifying that the 
compacted-to file has the expected structure and contents
before actually deleting the original file, etc.)


> I agree that the AV vendours SHOULD understnad mbox, 
> however the major ones apppear not to, ...

Are you sure?

The fact that a virus is detected in Mozilla's mailbox
file means that the AV software _does_ understand the 
format enough to detect the virus (e.g., find the 
message headers, find the MIME header and 
boundary, base-64-decode the virus attachment, etc).




RE: comment 100 
> The fact that a virus is detected in Mozilla's mailbox
> file means that the AV software _does_ understand the 
> format enough to detect the virus (e.g., find the 
> message headers, find the MIME header and 
> boundary, base-64-decode the virus attachment, etc).

OK so they are decoding it, so obviously understand the encoding method. However
they blatantly don't realise that the code is only a small part of the mbox file.

Ideally they shoul.d do what I did by hand:

 - Find the infected message.
 - Delete the section of the infected message and replace it with a string such
   as "Some idiot sent you something nasty so we removed it for you" in it's
   place .

A program called mailscanner does this when it scans incoming messages so it
can't be that hard.

The problem is that all current and 2005 releases that are out there will trash
a mozilla mailbox. Even though it isn't directly mozilla mails fault, it looks
bad on mozilla and a work around should be used.

In relation to my previous comment about maildir, this could cause problems on
file systems with an insufficient number of inodes, so it appears that saving an
attachment as a temporary file, letting the AV do it's evil, and if it's gone
replacing it with a simple message of:

"The attachment '<FILE NAME>' was removed by a third party product (possibly
Anti Virus)."

Anyway fingers crossed for a solution soon or I may have to seriously consider
outlook again :(
Don't suppose anybody can tell me in which files the code that handles the
downloading of mail is.

I found a few bits but couldn't find anything that appeared to do this. Guess I
must be looking in the wrong place :(
(In reply to comment #99)
> > Only if it's really the right thing to allow your inbox 
> > to remain infected. 
> 
> Note that your mailbox is _not_ infected.   Is anything 
> executing the virus code when the virus data is sitting 
> in your mail file?  No.

Well, this is a matter of definition, but as I understand it, something which
contains a viable virus etc (whether medical or software) is considered
infected, whether or not the virus etc is active at the time.
...
> 
> Like what?  If you find a virus attachment in an e-mail file
> while some application (Mozilla) is using the file, what's a 
> sensible thing to do?  Unless you know something specific 
> about the application, what can you do?
> 
> Moving the file out from under the application (e.g., 
> quarantining it by renaming it or otherwise making it appear
> to be deleted) is NOT a reasonable thing to do.  
> 
Agreed. One sensible strategy is described in comment 101.
> 
> > Norton knows not to delete an entire zip archive, or even 
> > quarantine it, when it finds a virus in one, so it and 
> > McAfee could use a similar strategy for viruses in mailboxes.
> 
> That's what Norton doesn't do, but what does it do?  (What
> is its strategy for viruses (virus data) in mailboxes?
> (What can it be other than to leave the mailbox files alone
> and catch the viruses at a subsequent stage?))
> 
In fact what Norton does with infected zip archives is only warn the user. It
could do the same with mailboxes, as an alternative strategy. This is a lot
better than doing nothing and also a lot better than deleting or quarantining
the whole mailbox.
> 
> Of course, even though Mozilla can't be responsible for 
> working perfectly if someone comes along and hides its files
> while it's running, Mozilla should be more robust given
> the severity of deleting the entire mailbox file's contents.
> 
> Mozilla's file-compaction logic should probably be a little
> paranoid, checking things every step along the way (checking
> that all reads and writes worked, verifying that the 
> compacted-to file has the expected structure and contents
> before actually deleting the original file, etc.)
> 
Indeed. The initial problem which I saw was not that anti-virus was deleting the
mailbox, but that it was hidden from Mozilla and so Mozilla simply overwrote it.

> > > Only if it's really the right thing to allow your inbox 
> > > to remain infected. 
> > 
> > Note that your mailbox is _not_ infected.   Is anything 
> > executing the virus code when the virus data is sitting 
> > in your mail file?  No.
> 
> Well, this is a matter of definition, but as I understand it, something which
> contains a viable virus etc (whether medical or software) is considered
> infected, whether or not the virus etc is active at the time.
> ...

I tend to agree that if the code is there, even in a dormant form, it's still a
virus. It's likle dormant smallpox is still smallpox and hence still nasty.

> Indeed. The initial problem which I saw was not that anti-virus was deleting 
> the mailbox, but that it was hidden from Mozilla and so Mozilla simply 
> overwrote it.

Yes it does quarantene the file, however on some versions of norton at least it
says could not fix, shall I delete the virus infected file?

Again a request to anybody who knows in which file the code that handles
download of e-mails & parsing of MIME are as I can not find them in the source
tree :( 
the code that writes to the mailbox file is in
mozilla/mailnews/local/src/nsPop3Sink.cpp - in particular,
nsPop3Sink::WriteLineToMailbox writes to m_outFileStream.

see http://lxr.mozilla.org/mozilla/source/mailnews/local/src/nsPop3Sink.cpp#647

Optionally using a temp file is going to be a non-trivial amount of work, though
it's doable...you'll have to deal with message filters moving the message, among
other things...
I'd like to point out that this particular problem has exposed a somewhat larger
issue: 

We need a How To or FAQ for installing Mozilla, Thunderbird and Firefox in
corporate environments with some tips on dealing with other applications that
may need to be tuned to peacefully coexist with something other than Outlook and
IE. For example, there is a known method of excluding the Inbox from scanning by
Symantec AV or Norton Corporate AV (same product - names recently changed). As
was pointed out some months ago, other email clients use similar indox file
structures, so it isn't an entirely new issue for the AV vendors (even if they
choose not to fix it but offer a workaround).

This would be very helpful for IT people attempting to build desktop packages
for testing and mass deployment (including documentation of installation
procedures), as well as those of us who build 3 or 4 systems at a time once
every few months.

And it should anticipate questions like: if I build a Ghost image with Mozilla
as the default browser and mail client, will I need to change the id number of
the default client on each cloned computer to avoid potential identity problems
between 2 clients sharing the same id number?
(In reply to comment #104 and comment #105)

Thanks, I'll have a look at the code, I'm probably getting in a bit deep as Java
is my main language rather than C, however I'll have  look over it and see whats
what and if I can do anything with it.

(In reply to comment #106)

> For example, there is a known method of excluding the Inbox from scanning by
> Symantec AV or Norton Corporate AV (same product - names recently changed). As
> was pointed out some months ago, other email clients use similar indox file
> structures, so it isn't an entirely new issue for the AV vendors (even if they
> choose not to fix it but offer a workaround).
> 
> This would be very helpful for IT people attempting to build desktop packages
> for testing and mass deployment (including documentation of installation
> procedures), as well as those of us who build 3 or 4 systems at a time once
> every few months.

The issue is probably more severe if your building 10+ machines at once, and
rolling out few hundred in a matter of days. The FAQ can be useful, however the
comment about not scannig certain fails for worms & viruses is not really a safe
option.

I am sure it wouldn't take much for somebody to write something that was
downloaded and run (by the user clicking) and then looking over inbox, MIME
Decoding the viral code and then running it, posibly even hidden from the AV.

That would be a disaster and is probably a good enough reason to find a
permanent solution.
A footnote on the behavior of Symantec Anti Virus 9.0 when you manually exclude
the inbox (and enter the incoming port of your email feed if different from the
default). This is different from that of it's predecessor - Norton Corporate AV 7.6.

Upon opening the message in Mozilla, SAV displays the message:

"Symantec Email Proxy deleted the following email message:
From: xxx@xxx.com
To: yyy@yyy.net
Subject: Mail Delivery (failure yyy@yyy.net)"

It isn't clear when it actually deletes the virus payload, but I suspect it is
upon reciept, as it seems to be inserting itself as a proxy (since it requires
the incoming port #) before Mozilla. If so, this may be of some help to those
who fear leaving a virus payload intact if it can be verified.


Norton 2004 etc are supposed to install a proxy mail server for pop3 whereby it
recieves the message and then scans it and passes it on to the mail program. 
Have to say I am not sure why it works with netscape, but appears to not be set
up  with the install of mozilla mail I have.

The message you have does sound like it has removed a nasty attachment or mail
mind :)


(In reply to comment #105)
> the code that writes to the mailbox file is in
> mozilla/mailnews/local/src/nsPop3Sink.cpp - in particular,
> nsPop3Sink::WriteLineToMailbox writes to m_outFileStream.

I've had a look over the code and don't currently trust my C skills to be
sufficient to not create a buffer overflow or some odd pointer error while
hacking at that. (Sorry, looks like I got too used to Java managing memory etc
for me, so I will have to brush my C up).

Regarding the comment about message filters moving the message, how about
grabbing the message before any of the filters have a chance to do things with
it and then popping it back where it came from?
To at least spare users from the worst data loss, would auto-creating a backup
of the mail account on startup be an easy enough work around? I realize that
would be a lot of data for some people, but still. That way, if users experience
this bug the damage is somewhat limited.
This seems to be a fork in the road branding issue - there are workarounds, but
they require our users to be sufficiently motivated to seek them. 

BUT, if Mozilla/Thunderbird is going to compete in the consumer market against
IE, it must come out of the box in such a way as to be able to cope with this
issue. Otherwise Moz will not retain the perception of quality that people who
want something better than IE will expect. 

I realize this is a really tough issue that is going to take some really serious
work by some highly skilled people (I'm certainly not that good) on a volunteer
basis. This is one of the weaknesses of the open source paradigm - but it can be
a real strength as well if our collective passion to build a better mousetrap is
sincere!
(In reply to comment #112)
... 
> I realize this is a really tough issue that is going to take some really serious
> work by some highly skilled people (I'm certainly not that good) on a volunteer
> basis. This is one of the weaknesses of the open source paradigm - but it can be
> a real strength as well if our collective passion to build a better mousetrap is
> sincere!

It is certainly a weakness of the open source paradigm, or at least of Mozilla's
implementation of it, that a "critical" issue like this one is in fact not being
dealt with at all because the person it is assigned to, Seth Spitzer, is "not
reading bugmail". No doubt Seth has good reasons, but if his absence is not
temporary this bug needs to be reassigned. And since there are those who have a
commercial interest in the success of Mozilla, and since this is an issue which
threatens that success and is officially listed as "critical" and causing data
loss, perhaps it is a candidate for reassignment to one of the few who are not
volunteers.
Symantec/Norton Anti Virus corporate (7+) and Intel LanDesk (6+) store thr
exclusion directories/extentions in the registry at the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan
 - keyname "ExcludedExtensions" collon separated list of extentions (all caps)
eg. "MSG,TST,EXT"

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\NoScanDir
 - key name is the full path eg "c:\dir\subdir" and the value is 0
(non-recursive) 1 (recursive)

It would not be hard to detect the existence of this key and add the profiles
directory upon installation.

I know similar registry locations exist for McAfee (I'll look them up tomorrow
at work) and other Anti-Virus programs. 

The least we can do is warn the user on startup that their mailbox needs to be
excluded if the exclusion is not detected. Offering to do this automatically and
 supply a link to the knowledgebase of the AV supplier, or a FAQ page on the
Thunderbird homepage.

This would also be a great addition to the (upcoming) msi package.
(In reply to comment #109)
> Norton 2004 etc are supposed to install a proxy mail server for pop3 whereby it
> recieves the message and then scans it and passes it on to the mail program. 
> Have to say I am not sure why it works with netscape, but appears to not be set
> up  with the install of mozilla mail I have.

I can confirm that NAV 2004 (and various earlier versions) use a proxy scanner
that scans all inbound and outbound e-mail (even if it's not going through the
Windows registered mail client).  However, it doesn't always seem to catch stuff
when it comes in.

My mail provider scans and cleans before delivery so I don't normally get to see
how NAV responds to e-mail worms, but in September a new batch of worm-spawn
edged out the filters and made it to my inbox.  Strangely, NAV didn't alert me
until I had the message open for about 15 seconds (either to read or forward). 
For what it's worth, here's the excerpt from the NAV log:

========== BEGIN CUT N' PASTE ==========
Source: Unknown00000000.data 
Description: The compressed file Unknown00000000.data within
Unknown0000288A.data within E:\winutils\Thunderbird profile\Default
User\Mail\pop.sbcglobal.net\After Thunderbird.sbd\Spam.sbd\Contain virus is
infected with the Download.Trojan virus. 
Click for more information about this virus : Download.Trojan
========== END CUT N' PASTE ==========


I don't know if it wasn't detected until that point because it was "compressed"
or what, but I was frustrated to find that the scan didn't catch it as it
entered my system.


My $0.02US.

-Neil R.
(In reply to comment #115)

> I can confirm that NAV 2004 (and various earlier versions) use a proxy scanner
> that scans all inbound and outbound e-mail (even if it's not going through the
> Windows registered mail client).  However, it doesn't always seem to catch
stuff when it comes in.

Thats quite interesting. I wonder if it only recognises certain versions that
possibly co-incide with Netscapre releases. Prehaps my proxy got dumped during
an upgrade.

Certainly however the AV needs to understand mbox, however Mozilla/firefox
should not leave itself open to this.

Regarding the option of just excluding the mailbox, I feel that is unacceptable
as we still have dormant viral code left on the computer.

What are the work arounds that are refered to?
Are they proper solutions or just quick and dirty hacks?

I'd like to point out that many users, such as a co-worker and myself, might use
Thunderbird in Corporate environments to check their personal mail. I have no
access to the corporate settings (well, technically I do, but I'm not about to
explain to the CTO that I need to exclude a file on my machine) and therefore
are in a situation where they probably need to use Outlook or Eudora to check
their mail. I've lost my inbox twice in the last month alone. Just food for
thought for those trying to determine if this is worth fixing or not ... 
I sufered the same problem, and i am sure this is not AV problem, but
Thunderbird's. Until recently I used Mozilla mail and I also use Outlook
Express. I had no problem of this kinf with them. I use Kaspersky Antivirus set
to report virus only. Kaspersky locks file and reports that it found virus.
Nothing more.

Thunderbird has problem with locked file and for some reason it truncates it.

In other mail readers, when virus occures, I turn of antivirus, delete virus
from mailbox, pack mail database and turn Antivirus On. With Thunderbirt it does
not work. When file is locked for the first time, and I turn off antivirus, file
remains locked for Thunderbird until i exit and start it again.

So, now, when Antivirus reports virus, I have to disable Antivirus, exit
Thunderbird, start it again, erase virus mail, pack database and then enable
antivirus. If I fail doing that it is likely that mailbox will be truncated by
Thunderbird.

I am experienced user and I can bet this is Thunderbird's bug. It seems it tries
to ignore the fact that file is locked which results in unwanted consequences.

What it should do:
- when it finds mailbox locked it should say so and do not remember that state
- it should check if file is locked each time it tries to access it, not to
remember the first occurence of lock
- if file is locked, Thunderbird should awoid any operation that may truncate
file. It should report the problem to user, instead, like saying "Hey, I cannot
do that, mailbox is locked, possibly by your antivirus"
*** Bug 270839 has been marked as a duplicate of this bug. ***
Product: MailNews → Core
*** Bug 233223 has been marked as a duplicate of this bug. ***
*** Bug 271578 has been marked as a duplicate of this bug. ***
I second (or third, fourth... :-)) the suggestion of switching to maildir
format. Not only does it provide security against the entire mailbox being
deleted when a subsequent AV signature update causes a previously undiscovered
virus to be detected, it is also significantly faster: the real-time scanners
cause a significant CPU load and delay when saving mails to a large inbox or
other folder, because they scan the entire file. This problem is magnified when
the profile or mail directory is on a network drive.

To those who suggest excluding the profile directory from AV scanning:
1. What if I choose to save my mail in a different directory? I can do this on
Account Settings / Server Settings / Local directory.
2. What if I add another profile? Do I have to manually add the exclusion to the
AV program?
3. (Perhaps a little contrived, but given that we're aiming for millions of
users, possible:) What if a user manages to save an attachment with a not yet
detected virus to their profile folder, and later (after an AV update would
detect it) open the file? They then have a virus on their system which would
otherwise have been caught.

I am not at all familiar with the Thunderbird codebase, but surely it cannot be
an immense problem to switch the mail storage system. There must be some storage
subsystem which tells the front end which messages are in a folder, and delivers
the message content, because IMAP works completely differently to POP3. Looking
at an existing IMAP account, the .msf files exist, but no mbox files until the
folder is marked for offline use.

There's probably enough mail program code with a BSD (or Apache?) license that
could be used as a starting point for maildir support.
my $0.02: this is a data loss bug, there should be no known data loss bugs in
any shipping software.  Whatever it takes to fix it, workaround it, whatever,
needs to be addressed ASAP.

I would also think maildir format would be better for this bug as well as I
would assume there would be performance/memory advantages of being able to
access individual emails not indexing into a large (many, many MB in my case) file. 
First let me say that I applaud the work so far of the Thunderbird developers. 
You have the makings of a potentially great mail client here.  With the release
of 1.0 I was getting ready to recommend it to people I know as well as making it
the standard mail client in the school district in which I work as head of IT.  

Then I found this bug, and I've had to stop dead in my tracks.  It is almost
unbelievable to me that a critical dataloss bug three years old has not been
fixed.  I've been looking at the posts here, and I have seen lots of excuses. 
"It's the AV companies' fault."  You're not going to change them all, if any,
especially with TB's small market share.  "It's ignorant users' fault."  The
world is full of ignorant end users, or corporates who can't control their
antiviruses.  Do you want to write off all of these people?

There have been some fixes suggested here.  Changing the mailbox format?  I
don't know if it will work.  How about changing the mailbox file extension?  My
NAV, for instance, doesn't scan .mbx (OE) mailboxes by default.  How about
changing to that?

The problem doesn't have to be solved tomorrow, and it may not be easy. 
However, it will never be solved by talking it to death.  C'mon, coders, let's
please get an solution to this problem so that I and others can use Thunderbird
and recommend it as what it should be - a world-class e-mail client.




Sorry, but in my last comment I meant that by default NAV does not scan .dbx
files (not .mbx) and that using .dbx on the mailbox files might be considered.


Changeing the mailbox format by stripping out attachments is probably not a good
idea, it potentially breaks other software. 

E.g. what would happen to imap folders if  I read the mail from another imap
client. Then the attachment would already be stripped out and residing on some
other client unavailable to me. 

If this can be fixed without any such side effects fix it, if not, mark it as
wontfix. By the way don't forget to complain to your AV software vender if you
are affected by this.
(In reply to comment #126)
> Changeing the mailbox format by stripping out attachments is probably not a good
> idea, it potentially breaks other software.  
> ...
> If this can be fixed without any such side effects fix it, if not, mark it as
> wontfix. ...

I agree that changing the mailbox format is not a good idea, at least certainly
not as the best quick way to fix this urgent bug. But fortunately there are ways
to fix it, or at least greatly reduce its severity, without changing the format.
One of those is the one I mentioned in comment 79: to save each attachment to an
incoming message as a temporary file, and then reopen it and save the reopened
version in the mailbox. This should force the virus scanner to scan the
attachment before it ever reaches the mailbox file. If this has a serious
performance hit, it can be made optional.

I know there can still be problems if a virus gets into the mailbox before the
anti-virus data is updated to catch it. But this should catch the great majority
of incoming viruses.
(In reply to comment #126)
> E.g. what would happen to imap folders if  I read the mail from another imap
> client. Then the attachment would already be stripped out and residing on some
> other client unavailable to me. 

What other mail client would be accessing Thunderbird's LOCAL cache of IMAP
folders?  Other IMAP client would acces the server's version which would still
have the attachments on each message.  We're talking about the local cache of
the IMAP folders and they are in the TB profile folder so no other program
should be touching them.
A lot has been said in this bug and people are beginngin to repeat what others 
have said.

There are a couple of solutions that will help solve this problem, one is 
better than the other and at present there is no solution that has been 
decided on.

To recap:
Add a extension to the mbox files (be it .bdx, .mbx, .mbox, .tbm wtc)
pro's
  -  The extension can easily be added to a list of excluded filetypes in all
     antivirusapplications
con's
  -  The virus would remain in the file unnoticed until it is finally
     extracted by a user to a location on the harddrive/floppydrive.
  -  Large coorporations are probably not willing to exclude extensions for
     different kinds of files because of the above.

Switch to maildir format
pro's
  -  each file itself would be scanned upon access and cleaned or removed. 
     This prevents the whole mailfile from being deleted.
  -  Compacting of folders will be a thing of the past (unless an index of 
     files is kept for other performance enhancements.
con's
  -  Lots of files on a harddrive cause defragmentation and thereby 
     performance degradation of the whole system. On windows systems
     the swapfile is configured to reside on the same disk as the maildir
     would be lowering performance even more.
  -  Complete change in format breaks compatibility with older versions and 
     would require a lot of extraction/conversion upon upgrades.

Extact binaries to a different folder altogether
pro's
  -  Infected attachments would reside in a different folder, virusscanners
     would not delete the mailfolder if a virus is detected.
  -  Changes to the mailformat would be small and can probably be worked 
     around by inserting file:// references to the attachments so that older 
     clients still know where to find the attachments.
con's
  -  Many plain text pieces in messages are detected as virusses (scripting 
     that manipulates outlook into doing bad things for example). These would 
     still reside in the mailbox file. Detection of these would still cause 
     a virusscanner to delete the whole maildir file.
  -  Naming issues or the attached files (what to do with attachments that 
     contain files with the same name), this could be solved by using a 
     foldername that is unique for each message, potentionally causing a lot
     of folders to be created.
  -  Small breakage of the current format
  -  Still need to extract all attachments upon upgrade.

Extracting an attachment (or save the whole message), see what the 
virusscanner does and re-include the attachment into the mbox file
pro's
  -  Known virusses cannot end up in the mbox file.
  -  Known scripted messages could also be deleted by the virusscanner 
     before infection of the mbox file occurs.
  -  No changes to the file format causing no breakage with older versions.
     delete
con's
  -  Virusses that are not yet known (due to older definition files) will
     still be included into the mbox file causing the mbox file to be deleted
     upon next access.

Nag the viruscompanies to fix their scanners till they've done so
pro's
  -  No changes to the file format
con's
  -  Needs coorporation of all anti-virus companies (which they've been very
     reluctant to give)
  -  Does not solve the problem for people stuck on older versions of the 
     virusscanner software

Encrypt the mbox format
pro's
  -  encrypted format is probably undetected by the antivirus software
con's
  -  Virus is still dormant in the mbox file
  -  Needs conversion upon upgrade
  -  Breaks compatibility with the older versions

Integrate with anti-virus software using MS-office integration
pro's
  -  Uses a way to scan the mbox file using a documented? format
  -  directly integrates with current versions of anti-virusscanners
con's
  -  Currently unknown how to do this integration
  -  Currently unknown if this will actually work.

Split the mbox into partitioned files of x Mb each
pro's
  -  Format is relatively unchanged
  -  Only part of mail history is lost
  -  Defragmentation of prevented due to larger filesize
con's
  -  Requires conversion upon upgrade
  -  breaks compatibility with older versions
  -  Dataloss still occurs

To conclude:

Safest method is to save messages in seperate files, but this will cause 
performance loss due to defragmentation.

Easiest to implement is add an extension to the mbox files and adding those to 
the exclusionlist (which is unlikely to happen in corporate environment).

Also easy is to implement is to encrypt the mbox files with a simple 
encryption/decryption stream.

Whichever method is chosen, none of them are perfect and none of them will 
completely solve all problems. It is however very important that a solution is 
chosen that at least minimizes dataloss.
(In reply to comment #129)
...
> 
> Switch to maildir format
...
> con's
>   -  Lots of files on a harddrive cause defragmentation and thereby 
>      performance degradation of the whole system. On windows systems
>      the swapfile is configured to reside on the same disk as the maildir
>      would be lowering performance even more.
...
> 
> Safest method is to save messages in seperate files, but this will cause 
> performance loss due to defragmentation.

Another con here, if you really mean saving each message (and not just each
attachment) as a separate file, is that it can be very wasteful of disk space in
some filesystems. A high proportion of the many thousands of messages in my
folders are 1 KB or 2 KB. But the minimum file allocation is 16 KB I think. The
result could be many thousands of wasted blocks of 14-15 KB. Not everyone has
gigabytes to spare on their disks.
...
> 
> Whichever method is chosen, none of them are perfect and none of them will 
> completely solve all problems. It is however very important that a solution is 
> chosen that at least minimizes dataloss.

Agreed. But who is in a position to choose and implement a solution? It seems
that Seth Spitzer has taken responsibility for this bug and gone away (or been
sent). Is there any way the assignment can be reversed - if Seth is not coming
back? Is the situation being officially monitored e.g. by our QA contact Esther?
Believe me, this is high on my priority list. My plan is to do the temp file
thing first, since that's fairly easy. It will probably be optional - I'll have
to see. I'm also thinking of doing the single file per message thing, though
that will definitely be optional, and is a lot more work. The rest of the
approaches (storing attachments separately, etc) are not likely at this point
given our mailbox format. Though I'd also like to add support for removing
attachments for other reasons, while still keeping our mailbox format.
Assignee: sspitzer → bienvenu
(In reply to comment #129)
 
> There are a couple of solutions that will help solve this problem, one is 
> better than the other and at present there is no solution that has been 
> decided on.

Bearing in mind comments #123 and #124 (i.e. the release change from 0.x to 1.0
and the effects this will have on expectations and production environments),
wouldn't it be pragmatic step forward if there was a new warning screen in the
install wizard, to tell the user to configure the virus scanner to quarantine
files instead of deleting them?

It might not help every layman but at the very least this would alert system
administrators to the risks involved giving them the chance to postpone (#124)
or configure the virus scanners properly.

Bearing in mind the consequences of this issue (meltdown) and the length of time
that developers have been aware of the potential disaster - anything short of
such a warning would be cavalier.

Alan
*** Bug 273969 has been marked as a duplicate of this bug. ***
(In reply to comment #132)
...
> wouldn't it be pragmatic step forward if there was a new warning screen in the
> install wizard, to tell the user to configure the virus scanner to quarantine
> files instead of deleting them?

Unfortunately this doesn't work round the problem properly. The problem is that
a quarantined file is unreadable. And at least some parts of Mozilla, including
the routine to compact a folder and maybe also the one to append a new incoming
message to it, seem to assume that an unreadable file is empty and so overwrite it.

This suggests another relatively quick fix, or partial fix: if a folder file is
found to be unreadable (but the file does exist), do something sensible like
flagging an error, but do not attempt to write anything to that file. See
comment 82.
> configure the virus scanner to quarantine files instead of deleting...
> Unfortunately this doesn't work round the problem properly. 
Not wanting to distract from your quick-fix I'd just like to point out that
configuring the virus-checker to quarantine files is the suggestion from the
issues FAQ and it's disappointing to hear that this doesn't solve the problem
after all.
How about a instal warning saying that the following anti-virus programs CAN be
used with thunderbird ... and that others may lead to lost inboxes?
Summary: Deleted inbox after receiving virus infected mail (McAfee, Norton) → Deleted inbox after receiving virus infected mail (McAfee, Norton, AntiVir)
(In reply to comment #129)
> Switch to maildir format
> pro's
>   -  each file itself would be scanned upon access and cleaned or removed. 
>      This prevents the whole mailfile from being deleted.
>   -  Compacting of folders will be a thing of the past (unless an index of 
>      files is kept for other performance enhancements.
> con's
>   -  Lots of files on a harddrive cause defragmentation and thereby 
>      performance degradation of the whole system. On windows systems
>      the swapfile is configured to reside on the same disk as the maildir
>      would be lowering performance even more.

What if the maildir was zipped? Most virus scanners can scan inside a zip file
-- can they clean/delete a file within a zip file?  Just put compression on low
for the zip (for better performance) and there could even be a user option for
the compression level so they can trade-off performance<--->disk-space.

>   -  Complete change in format breaks compatibility with older versions and 
>      would require a lot of extraction/conversion upon upgrades.

Why do we need to maintain backwards compatibility with older versions?  It's
not like a document editor where we have older clients opening files distributed
by newer clients.  We're (discussing) making a one-time conversion to a new
format. I don't think it's too much to require an initial conversion on an
upgrade either.


>>   -  Complete change in format breaks compatibility with older versions and 
>>      would require a lot of extraction/conversion upon upgrades.
>
> Why do we need to maintain backwards compatibility with older versions?  It's
> not like a document editor where we have older clients opening files distributed
> by newer clients.  We're (discussing) making a one-time conversion to a new
> format. I don't think it's too much to require an initial conversion on an
> upgrade either.

Thunderbird isn't the oinly client using the mbox format. A host of unix based
emailclients use this. I know a lot of people who use Thunderbird under
X-Windows and a text/commandline client when connected through SSH. So it is not
only a backwards compatibility issue. You must also keep in mind that if a newer
version isn't as much liked as an older version, or if the newer build contains
a nasty bug, people will want to be able to downgrade until a
workaround/fix/enhancement is made. Completely changing the format makes this
impossible.
(In reply to comment #137)
> >>   -  Complete change in format breaks compatibility with older versions and 
> >>      would require a lot of extraction/conversion upon upgrades.
> >
> > Why do we need to maintain backwards compatibility with older versions?  It's
> > not like a document editor where we have older clients opening files distributed
> > by newer clients.  We're (discussing) making a one-time conversion to a new
> > format. I don't think it's too much to require an initial conversion on an
> > upgrade either.
> 
> Thunderbird isn't the oinly client using the mbox format. A host of unix based
> emailclients use this. I know a lot of people who use Thunderbird under
> X-Windows and a text/commandline client when connected through SSH. So it is not

good point, I know that many others use mbox but I hadn't considered that other
clients might share mbpx folders with TB.  It does warrent consideration,
however, how many other mainstream email programs take that case (other email
programs sharing thier data) into consideration?  By mainstream I'm mainly
referring to Eudora, Outlook, whatever AOL uses. Maybe Evolution too, not sure
what it does.

TB (well the community) has to decide whether they are attempting to have TB
become widespread (like Firefox) or remain an email program mainly for
experienced users.  If we are targeting the general computer users, then we
can't be concerned with storing our email in a non-standard format and can't
worry about if some other program wants to share our data without going through
our APIs.  I'm not saying we shouldn't TY to play nice like that, however I
think it's more important that the bugs get fixed (especially data loss bugs)
then it is to worry about other programs directly accessing and using our data
without going through TB.

Note: obviously we document the storage format completly so anyone can read the
data if they want to add code for that

> only a backwards compatibility issue. You must also keep in mind that if a newer
> version isn't as much liked as an older version, or if the newer build contains
> a nasty bug, people will want to be able to downgrade until a
> workaround/fix/enhancement is made. Completely changing the format makes this
> impossible.

Well, what if TB introduces a bug that corrupts my data or gets all my data
wiped by, oh, I dunno, a virus scanner.  I can't downgrade to fix that.  I'm not
trying to be annoying, I'm serious.  Right now, there's a data loss bug in the
software. I'll be the first person to step up and say 'assume you won't be
perfect' and would normally be all over that agreeing with you.  However, in
this case, the tradeoff is fix a bug where you could permanently lose all your
data but people may have to deal with not being able to downgrade, or take the
chance of complete data loss.  

We have a large pool of alpha/beta testers and recent experience has shown that
the testing process works, and builds released for public consumption (0.8, 0.9,
etc.) have not had the major bugs in them that force people to downgrade --
that's why we test before releasing a milestone -- and fixes to major bugs have
landed quickly.

So, I would say, yes, I agree that that tradoff (not supporting downgrades) is
there, but I think the positives of fixing that bug outweight the negatives of
disrupting downgrades.


*** Bug 250401 has been marked as a duplicate of this bug. ***
(In reply to comment #130)
> (In reply to comment #129)

While using Mdir could be a good idea, a person would have to configure file
systems such as ext2/3 to cope with a very large number of nodes.

If they don't do this they waste a very large amount of disk space and if they
do do this then the filesystem will be very slow.

As suggested mbox with save to temp files, then merge scanned file into mbox
seems like a safe idea for now.

In reply to people saying that this would allow undiscovered code/scripts in and
then loose data afterwards consider that:

 - Not scanning will let said code trash your system.
 - Any form of scanning could trash your system.
 - Realistically, if the code got past your AV you probably have more things to
worry about.
*** Bug 275027 has been marked as a duplicate of this bug. ***
Ok..

Had it another 2 times...

Really frustrating and a good waste of my time reconstructing mail boxes.
I am affraid that mozilla/thunderbird is just not worth it at present.

Will be changing peoples mail clients, and will revisit the options when this is
fixed.
*** Bug 275372 has been marked as a duplicate of this bug. ***
(In reply to comment #142)
I was up to the point to leave TB as mail client due to this bug, when I
installed the new Symantec Norton Antivirus version 9 yesterday.
It installs a mailproxy that intercepts the mailstream and deletes viruses in
attachments on the fly. The result is a message like:
****** quote cleaned mail *******
Symantec Email Proxy deleted the following email message:

From: re-mail_system@hotmail.com
To: Mail-User@planet.nl
Subject: illegal signs in your mail
.
****** end quote ******

This suggests that you can still use TB or Mozilla Mail as your preferred mail
client, as long as you keep your antivirus program up to date :-)

Harold

*** Bug 275649 has been marked as a duplicate of this bug. ***
*** Bug 276186 has been marked as a duplicate of this bug. ***
This patch adds support for a (currently) hidden pref
"mailnews.downloadToTempFile" which makes pop3 download each message to a file
before appending to inbox - if a virus checker deletes the temp file before we
can append it to the inbox, we ask the user if they want to skip this message.
If they skip it, we won't try to download it again (and if leave on server
isn't set, we will delete the message from the server). We may want to add a UI
for this in advanced settings...but I don't think we want to default it to
true.
Attachment #170512 - Flags: superreview?(mscott)
Blocks: 241894
David - importing mail also triggers this - see bug 241894.
*** Bug 247223 has been marked as a duplicate of this bug. ***
*** Bug 235232 has been marked as a duplicate of this bug. ***
Same thing:  t-bird 0.9  incoming mail infected with Netsky_32  Norton report,
complete inbox deleted without a trace....
*** Bug 278580 has been marked as a duplicate of this bug. ***
I have also installed Symantec AntiVirus 9 and without even realising it at 
first have since noticed it intercepts all my mail as it comes in. I didn't 
have to configure anything.

However, even though this is the case, with the "mailnews.downloadToTempFile" 
idea, if an email passes through the scanner at first but is then detected a 
week later due to newer definition files, we are back in the same spot where 
we'll lose our Inbox. Likewise with Symantec AntiVirus 9... If mail passes 
through at first and is then detected as infected later, we too will lose our 
Inbox.

Regardless of the mail scanner we use, we are in a bad situation if we keep all 
our mail in the one file. To address this situation once and for all we need to 
change the way mail is handled to be either individual files, or encrypted so 
as to avoid initial detection. Then when the mail is re-opened, you could copy 
the email to a temp file, let the automatic virus scanner have it's way and 
amend the database accordingly if it gets removed.
Encryption makes the mailboxes much less portable.  The ultimate solution to
this problem, I think, is maildir.  However, maildir has it's own problems one
of them being ease of implementation.

I think the most reasonable course of action until maildir can be implemented
would be the file extension idea.  Granted, there will be messages in the box
that have viruses, however they will be detected if the attachments are saved or
launched.

It probably wouldn't be too difficult to have an option that allows the user the
specify the extension, with the default being the same as Outlook's mailbox
extension.

(In reply to comment #153)
Encryption makes the mailboxes much less portable.  The ultimate solution to
this problem, I think, is maildir.  However, maildir has it's own problems one
of them being ease of implementation.

I think the most reasonable course of action until maildir can be implemented
would be the file extension idea.  Granted, there will be messages in the box
that have viruses, however they will be detected if the attachments are saved or
launched.

It probably wouldn't be too difficult to have an option that allows the user the
specify the extension, with the default being the same as Outlook's mailbox
extension.

(In reply to comment #153)
I think the most reasonable course of action is to separate the attachments from
the messages so that if a virus is sent, only the attachment is deleted and not
the message.  This has other advantages too, like, I can delete large
attachments but save the message it came with.

Eudora does this and has been very successful.  

Just put a marker with a reference to the attachment in the message that is
stored in the mbox file.  This should be a portable, backwards compatible
solution if the reference is just a small text line/file inserted where the
attachment would be in the mbox file.  Other mail readers would just see a text
attachment and Moz would interpret that attachment as a refrerence to the actual
file somewhere else on disk. Moz can support both systems (actual file and
reference) simultaniously.
(In reply to comment #156)
> I think the most reasonable course of action is to separate the attachments from
> the messages so that if a virus is sent, only the attachment is deleted and not
> the message. ...

Although this would reduce the frequency of the bug, it doesn't actually fix it.
For a virus may be included in the main text portion of the message. I'm not
sure if it could be active in such a case (it would be if encoded with something
like UUENCODE), but it would still be detected by anti-virus scanners and as a
result the inbox or folder would be quarantined - although not usually deleted
completely.
Actually I hate that feature of Eudora.

In my experience, the attachments always end up disassociated with the messages
and either the user deletes the message and the attachment stays...or the user
clicks on the attachment and cannot pull it up...or the program forgets which
messages have attachments because the TOC gets corrupted.

This feature also makes it very difficult to move away from Eudora if you decide
you do not like it.

Also, as someone else indicated, what if the message itself contains something
the virus checker thinks is a problem?  An example of this is a paypal phishing
scam.

(In reply to comment #156)

Also see 260539 - a warning when this happens, so the user can retrieve the
inbox from quarantine.
(In reply to comment #159)
> Also see 260539 - a warning when this happens, so the user can retrieve the
> inbox from quarantine.

I managed to sucessfully retrieve tha mailbox from quarenteen many times, but if
the user has large mailboxes it can become a pain in the a**e.

I'm going to apply the patch to the latest mozilla and see where I get from there.

With regard to maildir, as I have pointed out before, this causes problems when
the file system hasn't been created for this, eg Maildir will use lots of inodes
to store a medium size mailbox. This could result in the FS running out of
inodes. If enought inodes are created then the FS will become slow for normal
operations.

I think the current save to temp file first is a good option.
*** Bug 280052 has been marked as a duplicate of this bug. ***
Comment on attachment 170512 [details] [diff] [review]
add (currently) hidden pref "mailnews.downloadToTempFile" which makes pop3 download each message to a file before appending to inbox

How about simplifiying the wording for the text. I don't think end users need
to be informed about the temporary file.

%brandname% encountered an error trying to download the following message: \n  
  From: \n%S Subject: %S\n

This message may contain a virus or there is not enough disk space. Skip this
message?

(Note the spaces before the From so we can indent the message info a little
bit).

When getting the prompt service in HandleTempDownloadFailed, shouldn't we just
get the  nsIPromptService, passing in the dom window from nsIMsgWindow. Or are
we supposed to go through the docshell? I'm not sure.
Attachment #170512 - Flags: superreview?(mscott) → superreview+
I'll change the message...re the doc shell window, your way does seem the
"right" way, passing in the true parent, etc, though I think it's more code :-)
I'll switch over to it anyway...the code I copied was probably older code.
patch checked in - the hidden pref is "mailnews.downloadToTempFile". If you set
it to true in prefs.js or user.js, pop3 mail will get downloaded to a temp file
first. If anyone wants to try it out with a virus checker and virus e-mails, and
let me know how it goes, that would be great. If it works OK, adding a UI for
this would be the next step (probably under advanced?)
Flags: blocking-aviary1.1?
I tried the new pref and it causes some problems when trying to download more
than one mail at once. For each mail following the first one I receive the error
message as decribed in bug 166111.
Sven, what platform are you running on?
I'll look into the problems with this pref set tomorrow.
(In reply to comment #167)
> I'll look into the problems with this pref set tomorrow.

Well, the problem is, the temp file is deleted in IncorporateComplete() after
handling the first message. But we only go through BeginMailDelivery() (where
the file is created) for each retrieve session, not for each message.
So when trying to write the first line of the second message
(WriteLineToMailbox() from IncorporateBegin()), we fail because the temp file
doesn't exist anymore.
(In reply to comment #168)
...
> Well, the problem is, the temp file is deleted in IncorporateComplete() after
> handling the first message. But we only go through BeginMailDelivery() (where
> the file is created) for each retrieve session, not for each message. ...

We really need separate temporary files for each message, as we don't want a
whole batch to be deleted or quarantined because one has a virus. So the problem
is not with the deletion, but that a new file is not created for each message.

thx, Christian. Yes, of course the idea is that we'd have a separate temp file
for every message. I just need to make sure it gets created for every message.
truncate temp file instead of deleting it after incorporate complete. We'll
still delete the temp file when done with mail delivery.
Attachment #173650 - Flags: superreview?(mscott)
Attachment #173650 - Flags: superreview?(mscott) → superreview+
There is another case this patch will not fix. Take a user whose virus
definitions auto update and does an automatic system scan weekly. If the user
gets an infected email before the new virus definition, his inbox still gets
nuked at the end of the week. 

The same happens to users who only scan weekly instead of every incoming email,
either because of misconfigured software or expired subscription. This is the
users fault but still makes Mozilla look like the bad guy.
(In reply to comment #172)
I think this issue can not be fixed 'cause of the internal design - all messages
are stored in UNIX mailbox format, which is a single file per folder.
(In reply to comment #172)
> There is another case this patch will not fix. Take a user whose virus
> definitions auto update and does an automatic system scan weekly. If the user
> gets an infected email before the new virus definition, his inbox still gets
> nuked at the end of the week. 
> 
> The same happens to users who only scan weekly instead of every incoming email,
> either because of misconfigured software or expired subscription. This is the
> users fault but still makes Mozilla look like the bad guy.

This scenario seems less likely to look like Mozilla/Tbird is the guilty party,
since the deletion happens as a direct result of the virus scan.  The data loss
I hit due to this bug was worst when a wave of several back-to-back virus
arrivals caused a month of inbox data to get shuffled to Norton's quarantine
area in chunks: the inbox was quarantined, new inbox was auto-created, mail
arrived, inbox was quarantined, new inbox was created, mail arrived, etc.

If the scan is a once-per-X (week, day, month) incident, it is unlikely to have
a 2nd incoming virus lead to inbox files getting repeatedly quarantined or even
overwritten (depending on how recklessness the antivirus software is). 
Hopefully, a user would notice the disappearing inbox before the next
full-system scan.

If, on the other hand, they are scanning all incoming email, but are just
getting updates on a once-per-week basis, they'll get the scanner update, lose
their virus-laden inbox, then they'll start losing each infected temp file.

Last, anyone relying on weekly virus updates is getting close to unsupportable
for being too far from following best practices.  While fixing that issue might
be possible, it's a much more pressing issue to create support/KB documents that
talk users through reconfiguring A/V software or using a different A/V package.

But hey, that's just my opinion-- I'm probably wrong.  Oh, and 1e6 *KUDOS* for
the design/development of the tempfile workaround!!!
*** Bug 282898 has been marked as a duplicate of this bug. ***
Quick question.

Does the final patch save a per e-mail temporary file or a per retrieve
temporary file. If the first is true then that is all good, if the second is the
case then surely the whole retrieval will be lost if any virus is found in any
of the downloading mails.

Also I agree with the comment that the person who scans once a week is outside
of supportability. If you scan once a week, then you know that you stand a
chance (a very high one these days) of getting infected in that week and having
to do some cleaning up. If a person is doing this they are probably aware of the
risks and also probably know what they are doing with the AV as they will
regularly encounter viral files.

Thanks for the fix mind, looks like I will be revisiting mozilla/thunderbird as
a mail client again :)
Sorry brain dead moment.

Regarding the pref, could it be made to default to true, or provide a UI dialog
at some realistic point in the future.
I just feel this feature would be useful to the homoe users.

Thanks
we create a temp file per message. Or to put it another way, there's never more
than one message in the temp file. Yes, a UI for this would be useful. I was
hoping to get some testing with the hidden pref first...
(In reply to comment #178)
> we create a temp file per message. Or to put it another way, there's never more
> than one message in the temp file. Yes, a UI for this would be useful. I was
> hoping to get some testing with the hidden pref first...

No problem I'll test it on some of the systems I have access to and give feed
back  after a week of running or so.
Well it's now running on a system I have with AV and there were no problems
getting mail. Havn't had anything for the AV to shout and scream about so far,
but seems good enough.

Mark



Geez! Some debate going here! I'm afraid it's too much tech talk for me, but
perhaps you're able to help us?

I still haven't deleted my email bow, however Kaspersky AVP has detected a nest
of worms in : 
C:\WINDOWS\Profiles\max\Application
Data\Thunderbird\Profiles\default.pac\Mail\mail.esmedia.cz\Inbox/[From "Rita 

I've deleted the independent emails from my email, however they still show in
the virus scan, and it seem like they are spreading. I'm not happy about
deleting the intire inbox of a few 1000 mails, just because of a few infected
mails...besides; they keep coming every week, so it's an ongoing problem for all
of us?!

I've also mailed Kaspersky, as I'm not sure whether it's the anti-virus
programmers who should improve, or whether it's a specific [silly] Mozilla issue...
Any ideas?  The worms are: Email-Worm.Win32.NetSky.x,
Email-Worm.Win32.NetSky.af, Email-Worm.Win32.Bagle.at, Email-Worm.Win32.Mydoom.m....

Thank you for your interest!
Max
Max, you need to compact the folder in question to actually remove the deleted
e-mails, right click on the folder and pick "compact this folder"
(In reply to comment #178)
> we create a temp file per message. Or to put it another way, there's never more
> than one message in the temp file. Yes, a UI for this would be useful. I was
> hoping to get some testing with the hidden pref first...

Ok had a week of testing and nothing seems to have fallen over.
Mails have been fetched ok and I purposely sent a copy of on of the various
netsky worms to one of the machines without the inbox being deleted.

So far looks good from where I am. Unfortuanately the Test PC is going to be
rebuilt soon, so that's about all the testing I can do for now
I believe this is normal and expected function.

When NAV finds a virus (etc), it can only work at the file level. Emails are 
stored in a single, large file, not individually.  So, NAV can't simply remove 
the one affected email.  It has to remove the entire file which in this case is 
the entire, full, mail folder (one example, the INBOX file).
I thought this one was working fine, but now today my inbox is gone!

PLEASE FIX ASAP!!!!!!!
I thought this one was working fine, but now today my inbox is gone!

PLEASE FIX ASAP!!!!!!!

Thunderbird 20050309
> I thought this one was working fine, but now today my inbox is 
> gone!

Did your anti-virus software simply delete or quarantine your 
Inbox file, or did it confuse Mozilla and cause Mozilla to wipe 
out some data (including preventing restoring a quarantined
file)?
 


(Note that if it's that your anti-virus software is configured 
to simply delete files it thinks are infected, there's not much 
Mozilla can do about it (besides going to an unrecognized and 
less-standard file format).  Besides, that's a pretty bad way to 
configure anti-virus software (deleting instead of quarantining 
or whatever)--complain to your system administrator, software 
vendor, or yourself.

If the case is that your anti-virus software is configured to 
quarantine files it thinks are infected, then clean the file if 
possible and unquarantine it.  If the anti-virus software can't 
clean it, then try to configure your anti-virus software to 
exclude the Inbox file from checking.  (You'll also need to
exclude the Trash folder's file and probably the Junk folder's
file too.)  If you can't change the anti-virus software's 
configuration so that you can use the original application
(Mozilla) to remove the virus (delete the mail message carrying 
the virus), that's an irresponsible restriction too--complain 
to your system administrator (or software vendor).  

However, if the anti-virus software quarantines the file, 
causes Mozilla to get confused, and Mozilla does something that 
prevents the anti-virus software from restoring the file (e.g., 
Mozilla creates a corrupted partial copy of the Inbox file), 
then that is clearly something that Mozilla could handle better. 

(I wouldn't argue that it's a full Mozilla bug (Mozilla's fault),
since no software (e.g., the anti-virus software) should ever be 
f***ing around with and deleting private files out from under a 
running application in the first place.  (Few applications accept
the burden of running without problems if their files are 
asynchronously deleted.)  However, since Mozilla does seem
to get confused and possibly prevent restoring of a 
quarantined file, I would call it a robustness bug.)
 

Daniel

(In reply to comment #187)
> ...
> 
> However, if the anti-virus software quarantines the file, 
> causes Mozilla to get confused, and Mozilla does something that 
> prevents the anti-virus software from restoring the file..., 
> then that is clearly something that Mozilla could handle better. 
> 
> (... I would call it a robustness bug.)
>  
I wonder if Sasquatch's problem is related to what I wrote in comment 82 to this
bug. This problem is that in at least one case, compaction, when Mozilla cannot
read an inbox because it has been locked or quarantined by anti-virus software,
Mozilla deletes that inbox. I don't think this part of this bug has been fixed,
or addressed at all. And, while arguably it is not Mozilla's problem, it is
indeed a robustness issue, and also one of public relations: if Sasquatch's
problem gets wide publicity, Mozilla's reputation could be seriously damaged.

The fix should be a fairly simple one, but maybe at some deep level in the code:
if a file which Mozilla expects to find exists but is unreadable, it should
never be deleted or overwritten, but probably the activity should be aborted
with an error message.
(In reply to comment #186)
> I thought this one was working fine, but now today my inbox is gone!
> 
> PLEASE FIX ASAP!!!!!!!
> 
> Thunderbird 20050309

Is this patch included in any builds of Thunderbird, as the bug appears to be
marked as NEW and not confirmed or resolved.


I think part of the problem is that the NAV and Thunderbird are both working at
the same time. The mail comes in, one with a virus gets picked up, then the
inbox gets deleted, then another bunch come in (making a new inbox!), then
another virus gets the inbox deleted again, etc.

Not good.
(In reply to comment #190)
> I think part of the problem is that the NAV and Thunderbird are both working at
> the same time. The mail comes in, one with a virus gets picked up, then the
> inbox gets deleted, then another bunch come in (making a new inbox!), then
> another virus gets the inbox deleted again, etc.
> 
> Not good.

Ther eis a patch attached which saves the mail to a temporary file which then
allows the AV to do it's evil and not delete the entire inbox.

From the symptoms your getting I would say that whatever build of T-Bird  your
using doesn't have this patch applied. I don't know if it has actually made it
into nightly builds yet, so you may need to check out of cvs or patch the source
& build it yourself. I know this isn't much help, but it's all I can think of at
the moment.

The patch doesn't fix what was already described in comment #52 (virus already
in your inbox and (days) later the virus scanner finds it). The only way
to fix this would be to change the mailbox storage format to maildir instead of
mbox (quite a major change but not impossible). This is best discussed by the
drivers or those with authority on the future of thunderbird/mozilla. - IMHO I'd
rather go maildir to fix this and other issues. I think this horse was whipped
some time ago but I'm not sure where I read it (as to mbox vs maildir).

Would someone on the thunderbird/mozilla mail team like to comment and put us all
in our place?  ;-)
I believe the better option is to provide alternative storage methods, than
replacing mbox with something else. 

Pegasus supports two alternative storage methods - its default system or mbox. 

Note further that there are four different incompatible mbox formats
http://en.wikipedia.org/wiki/Mbox
, so mbox is not only one standard supported by all linux formats...

My recommendation would be to make mailbox formats plugin based, giving room for
all types of formats.

Thunderbird to have at least two alternative box formats. Note that there are
not only one common mbox format, but four different incompatible mbox formats!

I think the better option of this reason would be to make storage formats plugin
based adding two plugins by default - one for the current mbox format and one
that would store each message in individual files - for example as a file-based
xml database. This way we add flexibility for adding new formats with unique
capabilites - some maybe storing the mail on a server and only maintaining a
local index for quick searches, some encrypted mailboxes, some compressed
formats, and whatever other mailbox format people are willing to make a plugin for. 
*** Bug 256043 has been marked as a duplicate of this bug. ***
Whiteboard: [asaP1]
sounds like the work for this fix is completed.  blocking1.1-  

renominate if this is incorrect.
The patch does work for me, and I have no reason to believe that moz/TB can be
expected to do anythign about a virus that has come in and got through the AV
and is later deleted by the AV.

This fix prevents Moz from looking bad, by having it trash the inbox when a
virus comes in. I addition it also focuses the problem back onto the AV vendors
who should not be carrying out whole file deletes/quarantine for a commonly used
file format.

Anyway fingers crossed this work around should protect anyone with an up to date
AV where a mail happens to get past the now common mail proxy systems.
This is still not marked as fixed. Is it or isn't it fixed? Thanks.
u can tell this has been resolved by going to privacy>anti-virus. now, av can
delete individual messages instead of the whole mailbox. this should be marked
fixed.
OK, marking fixed. We've already got a bug open for supporting maildir.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
(In reply to comment #198)
> u can tell this has been resolved by going to privacy>anti-virus. now, av can
> delete individual messages instead of the whole mailbox. this should be marked
> fixed.

I turned on on the option to quarantine individual messages, and now when I am
prompted to skip a message that might have a virus in it, I sometimes get this
error:

Unable to write the email to the mailbox. Make sure the file system allows you
write privileges, and you have enough disk space to copy the mailbox.

It doesn't happen all the time, but when it happens, it stops downloading all
other messages as well. I have tons of disk space available, and I do have write
privs to that folder.
Using Thunderbird 20050413. Just got bit by this again, and this time I had
"Allow anti-virus clients to quarantine individual incoming messages" turned on.

Virus came in, my entire Inbox got quarantined.

I don't think this is really fixed.
(In reply to comment #201)
> Using Thunderbird 20050413. Just got bit by this again, and this time I had
> "Allow anti-virus clients to quarantine individual incoming messages" turned on.
> 
> Virus came in, my entire Inbox got quarantined.
> 
> I don't think this is really fixed.


same thing for me with the last build and "Allow anti-virus clients to
quarantine individual incoming messages" turned on too.
huge problem for professional use.
Flags: blocking-aviary1.1?
*** Bug 296043 has been marked as a duplicate of this bug. ***
Is it worth reopening this bug to avoid a flood of duplicates.

It does appear that there is still an issue with the original fix.

I'm sorry, but is this one fixed in 1.0.6 (last official "release" version, right?)?

I just had someone who had this error in this version today. I've been using
trunk for a while, but my PC is in for repairs right now. I can't seem to find
the setting anywhere in 1.0.6. Is this trunk only, or am I missing something?

Thanks.
It happened to me for the 3d time now, PLEASE fix it properly (its over 1 year I
reported it) Stopped using Thunderbird for the moment.
I still don't understand why there can't be an option to add a file extension to
the mailbox.  This way to virus scanner could be configured to ignore the
mailboxes all together.

The solution of having a temp file simply doesn't make sense.  This is always
going to result in having the mailbox quarantined at some point.  Unless you
subscribe to the conspiracy theory that anti virus companies write the the
viruses, it should seem pretty obvious that the temp file solution is not going
to work in the long term (or in some cases the short term).  

After all, scanners can only check for viruses after they are known.  Therefore
there is a window between when you can receive the virus and when the virus
scanner will detect the virus.  If the virus comes in during this window, your
entire mailbox will get quarantined.  This seems rather obvious to me and lot
less sensible then simply excluding the mailboxes all together.
To: junk@path.berkeley.edu

Most virus scanners use huristic scanning which will try to detect new viruses 
based on previous viruses. Sure, this won't catch all, but this is the way life 
goes. We won't be able to change this and so there's no point dwelling on it.

Some virus scanners allow you to exclude entire directories. Why not try 
excluding your mail directory. This way it's safe. Then, when you try gaining 
access to an attachment, it'll be saved to a temporary location and your virus 
scanner will then pick up on it.

Cheers,
Jeremy
Marking this one to block any future possible branch builds. This is a dataloss
and possibly could even be considered a security issue.
Flags: blocking-aviary2.0-
Flags: blocking-aviary1.0.7?
> Some virus scanners allow you to exclude entire directories. Why not try 
> excluding your mail directory. This way it's safe. Then, when you try gaining 
> access to an attachment, it'll be saved to a temporary location and your virus 
> scanner will then pick up on it.

The reason why is because I manage a large number of workstations.  The virus
scanning is centrally managed.  Yes I can exempt specific directories, however,
since the mail directories change on a per machine/user basis I would have to
handle exclusions for all the machines individually.  With a file extension
based scheme, I can globally tell the virus checker to ignore the files across
all machines.  In addition, I would not consider excluding an entire directory
the best practice.  It gives viruses a very easy place to hide.

I'm of the opinion that most viruses should be stopped before the user's machine
if possible anyway.  Our site uses virus scanning at the mail server, and in
addition uses attachment file renaming and mime retyping for things like .exe,
.scr, .pif, etc.  Most viruses don't make it to the machines, and of the ones
that do, almost all of them are neutralized.  In order for a user to execute a
virus, they have to save it and rename it thus forcing them to think about it
instead of just clicking on them.

Granted it's not great to have viruses sitting in the mailbox, however, it's not
too bad if they can't be clicked on and executed.  Having the mailbox
quarantined, however, is unacceptable.  This issue is preventing me from
deploying Thunderbird on a wide scale within my organization (something I'd
really like to do because of it's cross platform compatability, junk filtering
capabilities...and it's not outlook).

> Most virus scanners use huristic scanning which will try to detect new viruses 
> based on previous viruses. Sure, this won't catch all, but this is the way life 
> goes. We won't be able to change this and so there's no point dwelling on it.

Exactly.  This is why the current solution is no solution.


(In reply to comment #210)
...
> The reason why is because I manage a large number of workstations.  The virus
> scanning is centrally managed.  Yes I can exempt specific directories, however,
> since the mail directories change on a per machine/user basis I would have to
> handle exclusions for all the machines individually.  


This is even more pronounced because of these bugs:
Bugzilla Bug 247973
Bugzilla Bug 233746 (if it also applies to Thunderbird=?)


> all machines.  In addition, I would not consider excluding an entire directory
> the best practice.  It gives viruses a very easy place to hide.

So does a filename extension...

Sry for this agression, but wtf is going on here?

There is an extremely heavy bug in Thunderbird, that makes it unusable and stops
it from getting the chance to ever run in a corporate environment.
Just marking this bug as fixed doesn't make it true.
It's a fact, that if your virus definitions get updatet after you recieved a
virus-infected mail, your mailbox gets deleted. That's not acceptable, so this
bug is definitely not fixed.
It's a fact that very few virus-scanners implement a feature to exclude a
directory, but nearly every one of them has an "exclude extension" feature.
Everyone here knows, that the profile-paths include the username, so it is
impossible to set up a virus-scanner to exlude all the profile-directorys for a
whole company.

It's not our problem if the solution is secure or not, because it's the problem
of the anti-virus supplier. They seem to believe in the sercurity of their
"exclude extension" feature, otherwise they wouldn't include it in their
scanners. If they want a more secure solution, they will have to build in
support for every mailbox format out there. But as said before, that's not our
problem.

So why can't just someone give the mailbox files an extension, so thunderbird
can finally compete with other email-clients in corporate environenments?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
re comment #211: Those bugs have got nothing to do with this

re comment #213: So exclude the whole of %appdata%\Thunderbird\Profiles (or
wherever the profiles are stored for your machine/company), or simply disable
the scanning of mime-encoded files. Or get better AV software.

re the issues of adding an extension or switching to maildir: If they aren't
already, file enhancement requests. They are beyond the scope of this bug.

Anyone who still wants to moan about the way this has been fixed: read
https://bugzilla.mozilla.org/etiquette.html
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Flags: blocking-aviary2.0-
Flags: blocking-aviary1.0.7?
Resolution: --- → FIXED
Excellent. So pointing out that a bug marked as FIXED isn't really fixed is now
considered "moaning?" The point is that the "save each message as a temporary
file so the AV software can scan it and potentially quarantine it" approach
still results in the entire In box getting quarantined on occassion. 

Given this:

> It's a fact that very few virus-scanners implement a feature to exclude a
> directory, but nearly every one of them has an "exclude extension" feature.

Your solution is this:

> exclude the whole of %appdata%\Thunderbird\Profiles (or
> wherever the profiles are stored for your machine/company), or simply disable
> the scanning of mime-encoded files. Or get better AV software.

? 

If you want Thunderbird to be taken seriously in the corporate world, you can't
seriously expect everyone to upgrade their AV software simply so they can use
your software. 

Actually, if you want Thunderbrid to be taken seriously in the consumer world,
you can't expect that either.

This bug is extremely serious because it appears to be (and in some ways is)
data loss. There's no indication that your In box get eaten by your AV software.
It looks like Thunderbird lost it. 

Refusing to fix this bug isn't going to help anyone. I mean, look at Comment
#206. You've already lost one user. And that person was helping to test.

Done.  I did a search and didn't find it so I added it.
https://bugzilla.mozilla.org/show_bug.cgi?id=305354

I honestly am surpised at this attitude.  I cannot understand how anyone could
consider the temp file fix to be a real fix to this problem, and thus making the
matter resolved.  It's obvious it isn't.

> re the issues of adding an extension or switching to maildir: If they aren't
> already, file enhancement requests. They are beyond the scope of this bug.
> 
> Anyone who still wants to moan about the way this has been fixed: read
> https://bugzilla.mozilla.org/etiquette.html


re comments 215, 2nd part of 216

Please remember that this entire problem is caused by bug(s) in certain AV
software. The fix checked in worksaround the problem for the case of a virus
being detected as it arrive, which is the most common complaint in this bug by
far. The real fix can only come from the makers of the affected AV software.

For the case of the AV software detecting a virus after it's been sitting on
your system for a while, I'd say you've got more serious problems.

A more comprehensive Mozilla 'fix' for this *AV* problem, would require
significantly more work, work that obviously isn't felt worth it at this moment
of time by the *2* people who currently do work on Thunderbird.

As always in open source - patches are welcome.
> For the case of the AV software detecting a virus after it's been sitting on
> your system for a while, I'd say you've got more serious problems.

Um...virus comes in...virus definition comes in.  It doesn't have to be a while.
 In fact the time differential may be an hour or less.  There's not much that
can be done about that.  We're not talking about viruses that have been there a
month...or week...or even a day.

Got stung by this bug 2 more times this past week!!!!!

Mozilla Corp looks like fools.

 )-:
We can't fix this "properly" (this means a way to have only the infected mail
quarantized). That's correct - that's the job of the AV-supplier. BUT we CAN
give thunderbird the abillity to compete with other email clients, wich all
suffer from the same problem.
You understand? We can't fix it - all we need to do is to get on the same level
with the other email clients. This can be done by simply adding a file extension
to the mailboxes. And please don't tell me that this would be too much work.
(In reply to comment #220)
> We can't fix this "properly" (this means a way to have only the infected mail
> quarantized). That's correct - that's the job of the AV-supplier. BUT we CAN
> give thunderbird the abillity to compete with other email clients, wich all
> suffer from the same problem.
> You understand? We can't fix it - all we need to do is to get on the same level
> with the other email clients. This can be done by simply adding a file extension
> to the mailboxes. And please don't tell me that this would be too much work.

See comment #39, by the developer assigned to this bug. If you think you know
better than please submit a patch.

Please - no more comments in this bug!
*** Bug 264936 has been marked as a duplicate of this bug. ***
It seems someone had a similar problem with a nightly branch and "NOD".

http://forums.mozillazine.org/viewtopic.php?t=330908


Can't there be a new beta release to help these poor people? Anyone think
Thunderbird should release BEFORE Firefox?
What if the "message filter" feature be extended in such a way that an external program can scan individual emails and give yes or no answers according to whatever criterion it carries. Then we can do virus-scaning like this:

  if Message-Body  get-yes-when-scanned-by  "Virus-Scanning-Prog-A"
    move Message to "mail with virus" folder

Even better, it could be this (requires further extending, though):

  if Message-Body  get-yes-when-scanned-by  "Virus-Scanning-prog-A"
    process Message with "Virus-killing-prog-B"

I'm proposing this because message filtering can be run both on message retrieval and later on user demand ("Run filters on folder"). Users are given a chance to identify infected mails ALREADY IN THE MBOX FILE.

I really need this feature. I've used Thunderbird for more than a year without doing any virus scanning on mails until recently. (Yes I use linux and I'm very lucky.) I installed clamav only a few days ago to find 2 virus in my inbox. Without this feature I can't imagine a way to pick out the 2 infected mails from a 200M+ mbox.
This one seems to have come back recently with a 1.5 version of Thunderbird and Norton/Symantec anti-virus. 

Anyone else? 

I restore from the av software, and the inbox comes back, but then gets taken out again after a new scan.

Help!
(In reply to comment #225)
> This one seems to have come back recently with a 1.5 version of Thunderbird and
> Norton/Symantec anti-virus. 

You may see, for Thunderbird and the Mozilla Suite:

Antivirus software - MozillaZine Knowledge Base
http://kb.mozillazine.org/Antivirus_software

(with the sections "Keeping your antivirus software from deleting your Inbox", "Antivirus programs with compatibility problems", etc.).
The point is that I thought that quarantining individual message IS the fix, and that setting has been and still is checked off on the Thunderbird in question. The trouble is that it isn't working.
No.  The "fix" stores a copy of the message outside the inbox before adding it to the inbox to give a virus scanner the chance to scan the message before being put in the inbox.

As is mentioned many times earlier in this thread, this really isn't a fix at all because it depends on virus scanners being able to detect the message when it arrives.  If it gets detected later, it eats your inbox.

Thunderbird really needs a method of adding a file extension to mailboxes that can be exluded from a centralized virus scanner on a global level.  Exclusion is currently very difficult because profiles have random names and this makes deployment across many machines very difficult.

In your case you can probably tell the scanner to avoid your mail directory (kind of cripples the effectiveness of scanning though).
So then what is the point of quarantining individual messages? For that matter, what is the point of antivirus software if you can't run it on your email which is the most likely point of entry lately?
Good questions.  Ideally your virus scanner would understand the mbox format and quarantine only the infected messages.  Your (most) virus scanners are dumb and don't do this.  

Scanning the message when it comes in, gives you a chance to prevent quarantining the inbox.  If used with something that would exclude inboxes from being scanned it would be helpful.

In my opinion, you have to rely on user education once the message makes it past the scanner.  After all, if the scanner misses it (Even if it had the ability to quarantine individual messages instead of the whole box) the message will sit in the user's box until the scanner was updated.  Therefore the user has to know not to click it and to delete it, anyway.
I know this has been raised before (e.g., comment #2).  However, viruses do seem to be spread not in the body of messages but in their attachments.  This whole mess could be resolved by separating out the attachments the way some other E-mail clients do (e.g., Eudora).  Until this is at least an option, this problem will not go away.  

Note that Norton Anti-Virus notifies the user every two weeks to update the virus definitions if the user has not enabled automatic live update.  Except when there is a serious attack, daily updates are really not necessary.  Thus, the recently added capability to place new incoming messages in a separate temporary file will mean either a proliferation of such files until the next virus definition update or else a loss of the entire inbox upon the next update even if those temporary files were retained for a week.  

There is a recommendation to keep the inbox almost empty to avoid serious loss from this problem.  Be honest.  How many of you have fewer than 100 messages in your inbox?  (No, don't answer here.  Just think about it.)  I keep filing messages in other folders and deleting messages, but my inbox has over 400 messages.  In any case, it's possible that the loss of only one very important message could be catastrophic.  And anyway, this recommendation could merely shift the loss to other mail folders.  

I won't use Thunderbird for E-mail until a real fix is implemented.  


I personally hate that feature of Eudora.  It makes it difficult to migrate to another mail client, Eudora often loses its association between messages and attachments, and often when you delete the message the attachments stay.

Maildir is a much better option where each message is saved as a separate file.  I think implementing maildir in thunderbird would be a significant undertaking though.
Has it been seriously considered to develop an "Antivirus API" for Thunderbird? The minimal requirements for such an API would include being able to:

* Scan individual e-mail messages every time the user accesses them.

* Scan the raw e-mail as well as individual parts/attachments as they are parsed by Thunderbird.

* Add, read and modify certain headers in the messages.

* Remove individual parts/attachments.

* Modify individual parts/attachments, including changing the name and MIME type.

* Instruct Thunderbird to remove/delete the entire message (even based on scanning just one part/attachment of the message) and compact the folder.

* Instruct Thunderbird to block access to individual parts of the message or the entire message and inform the user of the reason (infected message).

I'm aware of the setting [Tools->Options->Privacy->Anti-virus], but neither a POP3/IMAP scanner nor individual spool files are a good solution.  (Why is this setting under Privacy and not Advanced?  What's the privacy implication?)

If you look at [http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software] then one of the recommendations are "[C]onsider waiting a while before opening the attachment. This gives your AV program's manufacturer a chance to provide a perhaps necessary new update."

To do this for the entire e-mail (since there is HTML/Javascript-based malware) the message would need to be rescanned every time it is accessed after a virus signature file update.  For that an API or a method to plug into / hook into Tunderbird is necessary.  Scanning the entire mbox is a waste of CPU and has performance issues if only a few e-mails in a large mailbox are being accessed.

We at FRISK Software are interested in developing an F-PROT Antivirus plugin for Thunderbird that would be a part of our product, similar to our current Microsoft Outlook plugin.

P.S.  Also posted to http://forums.mozillazine.org/viewtopic.php?p=2740502 and discussions on similar topics can be found in bugs 247223 and 369847.  Sorry for the spamming.
(In reply to comment #236)
> Has it been seriously considered to develop an "Antivirus API" for Thunderbird?...

> I'm aware of the setting [Tools->Options->Privacy->Anti-virus], but neither a
> POP3/IMAP scanner nor individual spool files are a good solution.  (Why is this
> setting under Privacy and not Advanced?  What's the privacy implication?)
...

Or a junk/virus/spam API.
The quickest, simplest, safest solution is to give all mbox files a ".pst" or ".dbx" file extension so that they are, by default, excluded by most old and new antivirus software.

With such a solution in place, can we later worry about evangelizing Thunderbird to the AV developers to fix their mbox scanner.
Product: Core → MailNews Core
Keywords: relnote
Blocks: 1144999
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: