Messaging Gateway

  • 1.  Disarm not working

    Posted Feb 12, 2016 05:58 AM

    We're running version 10.5.4-4 of Messaging Gateway with the Disarm feature enabled. It appears the feature is not working for the .docm format. We have received several emails and the macro is not removed.

    Is .docm supported under this feature?

    Thank You.



  • 2.  RE: Disarm not working

    Posted Mar 01, 2016 09:40 AM

    We're running 10.6.0-7 and have the same problem. The reason is that the SMG classifies some messages as "malformed MIME", and for these messages the SMG doesn't use the Disarm function. Fatally, the user can open such a message in his mail client (Outlook) with no problems, and can open the attachment as well. Under these circumstances the SMG is completely useless. Because we also have other problems with the SMG (e.g. Disarm destroyed some PDFs), I am thinking about an alternative product.



  • 3.  RE: Disarm not working

    Posted Mar 02, 2016 07:25 AM

    Have you thought about using features like the "Inbound unscannable due to malformed MIME" policy ...?

    Thomas



  • 4.  RE: Disarm not working

    Posted Mar 02, 2016 09:38 AM

    That's not the solution. The only way to use this policy is "hold message in spam quarantine". I can't scan the message, and I also can't "disarm" the message or strip suspect attachments.




  • 5.  RE: Disarm not working

    Posted Mar 03, 2016 12:41 AM

    Please think about it: if a message is malformed, how should a program scan the content?

    You receive encoded messages, e.g. ISO-8859-1, UTF-8, etc. From this point of view you will "see" nothing but characters.

    Usually HTML content, attachments, ... are also coded in boundaries, and therefore SMTP RFC compliance is necessary to extract the content.

    Depending on the client reading the mail, the content is interpreted readably or not. E.g. Outlook ignores bare linefeeds (while Exchange by default does not), and a mail looks ok, but it is not RFC compliant.

    Spammers know about these weaknesses and try to use them.

    Therefore, just drop malformed MIME.


    What are you doing with encrypted messages or attachments?

    Currently we see a lot of replies coming in, inline in the message always the same text ... "your password", and attached some sort of malware.


    Thomas
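The bare-linefeed point made in the post above, as an added example (not from the original thread and not SMG code): a Python check that counts line endings violating the CRLF rule of RFC 5321 section 2.3.8 in a constructed multipart message, then shows that a tolerant parser (Python's email package here, standing in for a client such as Outlook) still extracts the attachment from the same non-compliant message. The message, addresses, boundary, filename and attachment bytes are all made up for the example.

```python
import base64
import re
from email import policy
from email.parser import BytesParser

# RFC 5321 section 2.3.8: SMTP lines end in CRLF; a lone LF or lone CR is not compliant.
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")

# Constructed sample attachment: only the 8-byte OLE2 signature plus padding,
# not a real document (enough to show the payload survives extraction intact).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FAKE_DOC_B64 = base64.b64encode(OLE2_MAGIC + b"\x00" * 15)

# Constructed sample message (addresses, boundary and filename are made up):
# compliant CRLF headers, but the whole MIME body uses bare LF line endings.
RAW_MESSAGE = b"".join([
    b"From: sender@example.invalid\r\n",
    b"To: orders@example.invalid\r\n",
    b"Subject: order 4711\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="xyz"\r\n',
    b"\r\n",
    b"--xyz\n",
    b"Content-Type: text/plain\n",
    b"\n",
    b"Please see the attached order.\n",
    b"--xyz\n",
    b'Content-Type: application/msword; name="order.doc"\n',
    b"Content-Transfer-Encoding: base64\n",
    b'Content-Disposition: attachment; filename="order.doc"\n',
    b"\n",
    FAKE_DOC_B64 + b"\n",
    b"--xyz--\n",
])


def find_bare_line_endings(raw: bytes) -> dict:
    """Count LFs not preceded by CR and CRs not followed by LF.

    A non-zero count is the kind of defect a strict gateway reports as 'malformed'.
    """
    return {
        "bare_lf": len(BARE_LF.findall(raw)),
        "bare_cr": len(BARE_CR.findall(raw)),
    }


def normalize_line_endings(raw: bytes) -> bytes:
    """Rewrite every line ending as CRLF, which is what a tolerant client
    effectively does before rendering the message."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", raw)


def extract_attachments(raw: bytes) -> list:
    """Parse with Python's tolerant parser (it accepts bare LF and bare CR)
    and return (filename, decoded payload) for every part marked as an attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append((part.get_filename(), part.get_payload(decode=True)))
    return found


if __name__ == "__main__":
    print("line-ending defects:", find_bare_line_endings(RAW_MESSAGE))
    for name, payload in extract_attachments(RAW_MESSAGE):
        print(f"extracted {name}: {len(payload)} bytes, "
              f"OLE2 signature present: {payload.startswith(OLE2_MAGIC)}")
```

The same message yields zero defects once the line endings are normalized, and the attachment extracted from the normalized copy is byte-for-byte the one extracted from the non-compliant original: the recipient's client sees a perfectly usable attachment in a message the gateway declined to inspect.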



  • 6.  RE: Disarm not working

    Posted Mar 04, 2016 01:54 AM

    We receive hundreds of messages with "malformed MIME" every day. Most of them are "clean" messages from users to users, not spam or malware. We are a trading company and cannot simply drop the messages of our customers, containing orders etc.

    I appreciate that the SMG 10.6-07 is too paranoid with "malformed MIME".

    We hold the encrypted messages in the quarantine and release them manually. But these are far fewer than the "malformed MIME" mails. Actually I spend 1-2 hours a day viewing the quarantine and releasing the misrecognized mails. This is not acceptable.




  • 7.  RE: Disarm not working

    Posted Mar 04, 2016 02:09 AM

    Hi Rolf,

    Just to give you an idea of how we face the situation: yesterday, March 3, we saw

    230k connections, 85k ham

    120 messages got the verdict malformed, but only approx. 15 were valid.

    We handle them as suspected spam, add a header and SCL, and deliver them to the users' junk folder.

    From my experience, SMG looks like having a problem at extracting/uuencoding all kinds of mails.

    Especially when it comes to virus detection you should know what I mean.

    Since last September I have been trying to prove that.


    Regards

    Thomas



  • 8.  RE: Disarm not working

    Posted Mar 17, 2016 07:14 AM

    Hi,

    Actually, we have a serious problem with the SMG: we receive some e-mails with a "DOC" attachment. The attachment is infected with a macro virus. But the "disarm" function doesn't recognize and remove the DOC macro, and our customers receive this e-mail.

    Usually the "disarm" function can catch and remove macro viruses, but in this specific e-mail it won't work.

    What can I do?

    Regards

    Rolf

    P.S. The Virus is described here:

    http://www.ecommercekmu.de/index.php/achtung-spam-mail-auftragsbestaetigung-844384-standskizze-zur-freigabe/




  • 9.  RE: Disarm not working

    Posted Mar 28, 2016 12:50 PM

    I have found this is because the Disarm function only works on Office files in the post-97 formats. To avoid this, many have been using the older Office formats. We disable these via Group Policy as outlined in the STIG for Word.


    https://www.stigviewer.com/stig/microsoft_word_2013/2015-04-13/finding/V-26658


    We also use a content filter with a custom attachment list to select downlevel document types and quarantine them. We use the true file type instead of the extension.
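Checking the true file type instead of the extension, as the post above describes, as an added example (not the poster's filter and not SMG code): it classifies an attachment by its leading bytes, distinguishing the legacy OLE2 compound-file container (Word 97-2003 .doc and the other downlevel formats) from the OOXML zip container, flags macro-enabled OOXML by the presence of a vbaProject.bin part, notes when the extension disagrees with the container, and applies the quarantine-downlevel, leave-OOXML-to-Disarm split the post describes. The samples are constructed stubs (zip archives with the minimum parts, an OLE2 signature plus padding), not real documents, and the OLE2 macro check is a byte-string heuristic for VBA directory names rather than a full compound-file parse.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary: .doc/.xls/.ppt (97-2003)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsx/...) is a zip archive
LEGACY_EXT = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
OOXML_EXT = {"docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "pptx", "pptm"}
# Heuristic: OLE2 directory entry names are stored as UTF-16LE, and these storages/streams
# are only present when a VBA project exists. This is not a full compound-file parse.
OLE2_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def classify_attachment(filename: str, data: bytes) -> dict:
    """Classify by content (magic bytes, archive contents), then compare with the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    info = {"filename": filename, "extension": ext, "true_type": "unknown",
            "has_macros": False, "extension_mismatch": False}
    if data.startswith(OLE2_MAGIC):
        info["true_type"] = "ole2-legacy-office"
        info["has_macros"] = any(m in data for m in OLE2_VBA_MARKERS)
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if "[Content_Types].xml" in names:
            info["true_type"] = "ooxml"
            # A .docm renamed to .docx still carries its VBA project in this part.
            info["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        elif names:
            info["true_type"] = "zip"
    if (ext in LEGACY_EXT and info["true_type"] != "ole2-legacy-office") or \
       (ext in OOXML_EXT and info["true_type"] != "ooxml"):
        info["extension_mismatch"] = True
    return info


def policy_action(info: dict) -> str:
    """Verdict the post's approach implies: quarantine downlevel (OLE2) documents, which
    Disarm does not process; hand macro-enabled OOXML to Disarm; deliver the rest."""
    if info["true_type"] == "ole2-legacy-office":
        return "quarantine"
    if info["true_type"] == "ooxml" and info["has_macros"]:
        return "disarm"
    return "deliver"


def build_ooxml_stub(with_macros: bool) -> bytes:
    """Constructed stand-in for a .docx/.docm: a zip with the minimum parts, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed OLE2 stand-ins: signature plus zero padding, optionally with a VBA directory name.
FAKE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504
FAKE_LEGACY_DOC_VBA = FAKE_LEGACY_DOC + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64

SAMPLES = {
    "order.docx": build_ooxml_stub(with_macros=False),
    "order.docm": build_ooxml_stub(with_macros=True),
    "order_renamed.docx": build_ooxml_stub(with_macros=True),  # .docm hiding behind .docx
    "order.doc": FAKE_LEGACY_DOC_VBA,                          # downlevel format carrying macros
    "order_legacy.docx": FAKE_LEGACY_DOC,                      # downlevel format behind a new extension
}


def scan_samples() -> dict:
    """Classify every sample and attach the policy verdict."""
    results = {}
    for name, data in SAMPLES.items():
        info = classify_attachment(name, data)
        info["action"] = policy_action(info)
        results[name] = info
    return results


if __name__ == "__main__":
    for name, info in scan_samples().items():
        print(f"{name:20} type={info['true_type']:20} macros={info['has_macros']!s:5} "
              f"ext_mismatch={info['extension_mismatch']!s:5} -> {info['action']}")
```

The two renamed samples are the reason for checking content rather than extension: an OLE2 document behind a .docx name would slip past an extension-based downlevel filter, and a .docm renamed to .docx still carries its vbaProject.bin and so still belongs with the macro-enabled files.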