Anyone ever see this with PHPList?

[MrBottomTooth]

I have a buddy that I setup PHPlist for. A recent message I sent for him consisted of a letter that I copy and pasted from a Word file.

The email showed up fine for everyone that can view html, but I found out the message had the following code attached to it. (you could only see it in the message if you were viewing in plain text, or if you looked at the source code):

(I'll just post the first part, since there is a shitload of it)

�/////////// SEARCH ///////////
var g_aEng;
var g_loc;

// Initialize namespace, use existing context
var searchshield = searchshield || {};

searchshield.clockUrl;

// constants
searchshield.SCORE_SS_SAFE = 1;
searchshield.SCORE_SS_CAUTION = 2;
searchshield.SCORE_SS_WARNING = 3;
searchshield.SCORE_SS_BLOCK = 4;
searchshield.SCORE_SS_VERISIGN = 7;

searchshield.BLOCK_NONE = 0;
searchshield.BLOCK_NORMAL = 1;
searchshield.BLOCK_PHISH = 2;
searchshield.BLOCK_YAHOO = 3;

searchshield.XPLCHECK_RESULT_SEV_NONE = 0;
searchshield.XPLCHECK_RESULT_SEV_LOW = 1;
searchshield.XPLCHECK_RESULT_SEV_MED = 2;
searchshield.XPLCHECK_RESULT_SEV_BLOCK = 3;

searchshield.VERISIGN_SPLIT_NOTEST = 0;
searchshield.VERISIGN_SPLIT_TESTA = 1;
searchshield.VERISIGN_SPLIT_TESTB = 2;

searchshield.needLivePhishCheck = false;
searchshield.allowedSites = [];
searchshield.enabled = function (doc)
{
var result = searchshield.avgCallFunc(doc, 'GetSearchEnabled');
return (result == '1' ? 1 : 0);
};
searchshield.init = function (doc)
{
if ((doc == null) || (doc.location == null) ||
(doc.location.href.search(/about:/) != -1))
return;

if (!searchshield.enabled(doc))
return;

if (!g_aEng)
g_aEng =
searchshield.Search.prototype.detectEngine(doc.loc ation.href);

if (!g_aEng)
return;

// init search object (not declared or is null)
if (typeof xplSearch === 'undefined')
{
// global
xplSearch = new searchshield.Search();

// reset the links added flag
xplSearch.new_links = false;

xplSearch.doc = doc;
xplSearch.href = xplSearch.doc.location.href;
xplSearch.uri = searchshield.parseLink(xplSearch.href);

xplSearch.engine = new
searchshield[g_aEng+'SearchEngine'](xplSearch)
xplSearch.addEngine(xplSearch.engine);

searchshield.launch(doc);
}

if (doc.location.href != g_loc)
{
g_loc = doc.location.href;
if ((typeof xplSearch !== 'undefined') && (xplSearch != null))
searchshield.launch(doc);
}
};
searchshield.launch = function (doc)
{
// IE specific check
searchshield.quirksMode = (self.top.document.compatMode ==
'BackCompat');
searchshield.docMode =
parseInt(navigator.userAgent.split('MSIE')[1]);

if ((self === top) && (self.document === doc))
{
if (!xplSearch.engine)
return;

// set verdict display config
xplSearch.engine.setRatingsConfig(doc);

// init the alert popup
searchshield.initPopupAlert(doc);

if (xplSearch.engine.type != 'inline')
{
// save function reference for memory clean up later
var fn = function(event){avglsflyover.hide(null)};

//hide flyover if these events occur
window.detachEvent('onscroll', fn);
window.attachEvent('onscroll', fn);

doc.detachEvent('onkeydown', fn);
doc.attachEvent('onkeydown', fn);
}

// only start monitor on top doc
searchshield.avgPageMonitor.start(doc);

__________________________________________________ _______

What the hell is that crap? Is it just because I pasted from word without converting to plain text first? Or has the script been hacked? I scrolled through all the code and it doesn't look malicious, almost looks like some sort of antivirus log file.

[oscer]

Looks like AVG doesnt like the embeded HTML in the email ?

Thats what it looks like to me

Quote:

Originally Posted by MrBottomTooth

I have a buddy that I setup PHPlist for. A recent message I sent for him consisted of a letter that I copy and pasted from a Word file.

The email showed up fine for everyone that can view html, but I found out the message had the following code attached to it. (you could only see it in the message if you were viewing in plain text, or if you looked at the source code):

(I'll just post the first part, since there is a shitload of it)

�/////////// SEARCH ///////////
var g_aEng;
var g_loc;

// Initialize namespace, use existing context
var searchshield = searchshield || {};

searchshield.clockUrl;

// constants
searchshield.SCORE_SS_SAFE = 1;
searchshield.SCORE_SS_CAUTION = 2;
searchshield.SCORE_SS_WARNING = 3;
searchshield.SCORE_SS_BLOCK = 4;
searchshield.SCORE_SS_VERISIGN = 7;

searchshield.BLOCK_NONE = 0;
searchshield.BLOCK_NORMAL = 1;
searchshield.BLOCK_PHISH = 2;
searchshield.BLOCK_YAHOO = 3;

searchshield.XPLCHECK_RESULT_SEV_NONE = 0;
searchshield.XPLCHECK_RESULT_SEV_LOW = 1;
searchshield.XPLCHECK_RESULT_SEV_MED = 2;
searchshield.XPLCHECK_RESULT_SEV_BLOCK = 3;

searchshield.VERISIGN_SPLIT_NOTEST = 0;
searchshield.VERISIGN_SPLIT_TESTA = 1;
searchshield.VERISIGN_SPLIT_TESTB = 2;

searchshield.needLivePhishCheck = false;
searchshield.allowedSites = [];
searchshield.enabled = function (doc)
{
var result = searchshield.avgCallFunc(doc, 'GetSearchEnabled');
return (result == '1' ? 1 : 0);
};
searchshield.init = function (doc)
{
if ((doc == null) || (doc.location == null) ||
(doc.location.href.search(/about:/) != -1))
return;

if (!searchshield.enabled(doc))
return;

if (!g_aEng)
g_aEng =
searchshield.Search.prototype.detectEngine(doc.loc ation.href);

if (!g_aEng)
return;

// init search object (not declared or is null)
if (typeof xplSearch === 'undefined')
{
// global
xplSearch = new searchshield.Search();

// reset the links added flag
xplSearch.new_links = false;

xplSearch.doc = doc;
xplSearch.href = xplSearch.doc.location.href;
xplSearch.uri = searchshield.parseLink(xplSearch.href);

xplSearch.engine = new
searchshield[g_aEng+'SearchEngine'](xplSearch)
xplSearch.addEngine(xplSearch.engine);

searchshield.launch(doc);
}

if (doc.location.href != g_loc)
{
g_loc = doc.location.href;
if ((typeof xplSearch !== 'undefined') && (xplSearch != null))
searchshield.launch(doc);
}
};
searchshield.launch = function (doc)
{
// IE specific check
searchshield.quirksMode = (self.top.document.compatMode ==
'BackCompat');
searchshield.docMode =
parseInt(navigator.userAgent.split('MSIE')[1]);

if ((self === top) && (self.document === doc))
{
if (!xplSearch.engine)
return;

// set verdict display config
xplSearch.engine.setRatingsConfig(doc);

// init the alert popup
searchshield.initPopupAlert(doc);

if (xplSearch.engine.type != 'inline')
{
// save function reference for memory clean up later
var fn = function(event){avglsflyover.hide(null)};

//hide flyover if these events occur
window.detachEvent('onscroll', fn);
window.attachEvent('onscroll', fn);

doc.detachEvent('onkeydown', fn);
doc.attachEvent('onkeydown', fn);
}

// only start monitor on top doc
searchshield.avgPageMonitor.start(doc);

__________________________________________________ _______

What the hell is that crap? Is it just because I pasted from word without converting to plain text first? Or has the script been hacked? I scrolled through all the code and it doesn't look malicious, almost looks like some sort of antivirus log file.

[MrBottomTooth]

Ya, if you go through the rest of the code it looks like something generated by avg. Next time I will convert to plain text before I paste it in and double check the code before I send it out.

I don't think too many people seen it, only the odd person that only accepts plain text emails.

[oscer]

Quote:

Originally Posted by MrBottomTooth

Ya, if you go through the rest of the code it looks like something generated by avg. Next time I will convert to plain text before I paste it in and double check the code before I send it out.

I don't think too many people seen it, only the odd person that only accepts plain text emails.

We see stuff like this from customers .