Messaging Gateway

  • 1.  malformed MIME will drop the archive/container file completely

    Posted Nov 09, 2010 03:51 AM

    Hi,

    We have one case where the archive file is stripped away from the message. This is not what we want, as the rules configured in the content filtering policy say it should strip only the executable files and true-type executable files, and not strip the archive/container file. Is it possible that the archive file (.tgz in this case) has malformed MIME in the first place and hence the SBG just stripped the archive file completely from the message?

     

    thanks,

    Harris

     

    -----------
    Message Data
        ID:    cb5c564f-b7cf0ae00000400a-26-4cd7b52f2a4a
        Message-ID:    <1984509141.120571.1289205039185.javamail.root@***>
        Accepted From:    203.***.***.***
        Scanners:    Symantec Brightmail (Business Email)
        Time accepted:    Monday, Nov 08, 2010 04:30:39 PM MYT
        Direction:    Outbound
        Sender:    w***@***
        Authenticated username:    (none)
        Original recipients:    s***@***
        Original Subject:    compiere packets.
        Full attachment list:    compiere.packets.tgz
        Suspect attachments:    compiere.packets.tgz
    Recipient Data
        Intended recipient:    s***@***
        
        Verdict:    
    Verdict     Filter Policy     Policy Group     Details
    Unscannable      unscannable: modify subject line (default)      default      Malformed MIME
    Content Filtering violation: LGA_Policy_Inbound_Outbound(default)      lga_policy_inbound_outbound(default)      default      None
        
        Tracker:    AAAAAQAAAZE=
        
        Actions taken:    Strip attachment lists, Strip attachment lists, Strip attachment lists, Strip attachment lists, Modify the subject line
        
        Delivery:    
    Delivered To     Delivery Time     Recipient     
    203.***.***.***      Monday, Nov 08, 2010 04:30:40 PM MYT          
        
        Untested verdicts:     Message was sent from a suspect spammer, Symantec Global Good Senders, Symantec Global Bad Sender, System denied IP, System allowed IP, System allowed email address or domain, System denied email address or domain, System allowed third party domain, System denied third party domain, User allow, User reject, Virus attack, Directory Harvest Attack, Connection Classification, Blocked language, Known language
        
        Other recipients:
    ----------



  • 2.  RE: malformed MIME will drop the archive/container file completely

    Broadcom Employee
    Posted Nov 09, 2010 01:47 PM

    What is the action set to be taken on the Content Filtering rule?



  • 3.  RE: malformed MIME will drop the archive/container file completely

    Posted Nov 10, 2010 04:22 AM

    Hi JDavis,

    The action to be taken should be just to strip the attachment file, and only if the attachment is in the default executable and true-type executable attachment list, and not to drop the whole container/compressed file.

    Thanks



  • 4.  RE: malformed MIME will drop the archive/container file completely

    Posted Nov 11, 2010 05:54 AM

    The interesting part is: when I tried to duplicate the issue using the same attachment file, I got different results. If I'm using an email client, Mozilla Thunderbird, I'm not getting any error message, but the subject of the email is changed to "[WARNING - UNSCANNABLE ATTACHMENT NOT VIRUS SCANNED]" plus the subject itself, due to malformed MIME, and the attachment file is still there.

    But if I'm using Zimbra webmail and send it, the subject is changed to "[WARNING - UNSCANNABLE ATTACHMENT NOT VIRUS SCANNED]" plus the subject itself, plus a notification message:

    "Some parts of this message were removed because they violated your mail server's policies.

    compiere.packets.tgz was removed from the message because it violates your mail server's policy."

    and SBG drops the container/compressed file completely.

    Here are the email headers:

    Using webmail

    ----------------------------------------------------------------------------------------------------

    Return-Path: harris.h@lgatelecom.net
    Received: from zmta02.***.***.sg (LHLO zmta02.***.***.sg) (203.***.***.108) by
     zmbox02.***.***.sg with LMTP; Thu, 11 Nov 2010 18:35:18 +0800 (SGT)
    Received: from localhost (localhost [127.0.0.1])
        by zmta02.***.***.sg (Postfix) with ESMTP id 1F45C78162
        for <harris.h@***.net>; Thu, 11 Nov 2010 18:35:18 +0800 (SGT)
    Received: from zmta02.***.***.sg ([127.0.0.1])
        by localhost (zmta02.***.***.sg [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id v4C7yXKQu5Up for <harris.h@***.net>;
        Thu, 11 Nov 2010 18:35:18 +0800 (SGT)
    Received: from av02.***.***.sg (av02.***.***.sg [203.***.***.79])
        by zmta02.***.***.sg (Postfix) with ESMTP id 0948878160
        for <harris.h@***.net>; Thu, 11 Nov 2010 18:35:18 +0800 (SGT)
    Date: Thu, 11 Nov 2010 18:35:17 +0800
    X-AuditID: cb5c564f-b7cf0ae00000400a-b6-4cdbc6e5002a
    From: Harris Haryanto <harris.h@***.net>
    To: Harris Haryanto <harris.h@***.net>
    Subject: [WARNING - UNSCANNABLE ATTACHMENT NOT VIRUS SCANNED] test via zimbra webmail
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="=====mte=boundary=number=80====="
    X-Brightmail-Tracker: AAAAAQAAAZE=
    Message-Id: <20101111103518.0948878160@zmta02.***.***.sg>


    --=====mte=boundary=number=80=====
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit


    Some parts of this message were removed because they violated your mail server's policies.


    compiere.packets.tgz was removed from the message because it violates your mail server's policy.


    --=====mte=boundary=number=80=====
    Content-Type: message/rfc822

    X-AuditID: cb5c564f-b7cf0ae00000400a-b6-4cdbc6e5002a
    X-Invalid-Recipients:
    Received: from zsmtp02.***.***.sg ( [203.***.***.79])
        by av02.***.***.sg (Symantec Brightmail Gateway) with SMTP id 1A.B8.16394.5E6CBDC4; Thu, 11 Nov 2010 18:35:17 +0800 (MYT)
    Received: from zmbox02.***.***.sg (zmbox02.***.***.sg [203.***.***.122])
        by zsmtp02.lga.net.sg (Postfix) with ESMTP id 448C7783F6
        for <harris.h@***.net>; Thu, 11 Nov 2010 18:35:17 +0800 (SGT)
    Date: Thu, 11 Nov 2010 18:35:17 +0800 (SGT)
    From: Harris Haryanto <harris.h@***.net>
    To: Harris Haryanto <harris.h@***.net>
    Message-ID: <1629301645.148486.1289471717128.JavaMail.root@zmbox02>
    In-Reply-To: <1903366343.148483.1289471714326.JavaMail.root@zmbox02>
    Subject: test via zimbra webmail
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_Part_148485_276598079.1289471717127"
    X-Originating-IP: [203.***.***.113]
    X-Mailer: Zimbra 6.0.8_GA_2661 (ZimbraWebClient - FF3.0 (Mac)/6.0.8_GA_2661)

    ------=_Part_148485_276598079.1289471717127
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit

    test via zimbra webmail
    ------=_Part_148485_276598079.1289471717127--

    --=====mte=boundary=number=80=====--

    Using email client

    ----------------------------------------------------------------------------------------------------

    Return-Path: harris.h@***.net
    Received: from zmta02.***.***.sg (LHLO zmta02.***.***.sg) (203.***.***.108) by
     zmbox02.***.***.sg with LMTP; Thu, 11 Nov 2010 18:32:27 +0800 (SGT)
    Received: from localhost (localhost [127.0.0.1])
        by zmta02.***.***.sg (Postfix) with ESMTP id 303CF78162
        for <harris.h@***.net>; Thu, 11 Nov 2010 18:32:27 +0800 (SGT)
    Received: from zmta02.***.***.sg ([127.0.0.1])
        by localhost (zmta02.***.***.sg [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id Cw2tCufIq5a3 for <harris.h@***.net>;
        Thu, 11 Nov 2010 18:32:27 +0800 (SGT)
    Received: from av01.***.***.sg (av01.***.***.sg [203.***.***.67])
        by zmta02.***.***.sg (Postfix) with ESMTP id 0264578160
        for <harris.h@***.net>; Thu, 11 Nov 2010 18:32:27 +0800 (SGT)
    X-AuditID: cb5c5643-b7bd9ae0000035db-b6-4cdbc63aed05
    Received: from zsmtp02.***.***.sg (av01.***.***.sg [203.92.86.67])
        by av01.***.***.sg (Symantec Brightmail Gateway) with SMTP id F3.49.13787.A36CBDC4; Thu, 11 Nov 2010 18:32:26 +0800 (MYT)
    Received: from Harris-Haryantos-MacBook-Pro.local (unknown [203.***.***.66])
        by zsmtp02.***.***.sg (Postfix) with ESMTPSA id 34BA7783F6
        for <harris.h@***.net>; Thu, 11 Nov 2010 18:32:26 +0800 (SGT)
    Message-ID: <4CDBC639.508@***.net>
    Date: Thu, 11 Nov 2010 18:32:25 +0800
    From: Harris Haryanto <harris.h@***.net>
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
    MIME-Version: 1.0
    To: harris.h@***.net
    Subject: [WARNING - UNSCANNABLE ATTACHMENT NOT VIRUS SCANNED] test via thinderbird
    Content-Type: multipart/mixed;
     boundary="------------080607050509080009000107"
    X-Brightmail-Tracker: AAAAAA==

    This is a multi-part message in MIME format.
    --------------080607050509080009000107
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit

    test via thunderbird

    --------------080607050509080009000107
    Content-Type: application/x-gzip;
     name="compiere.packets.tgz"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
     filename="compiere.packets.tgz"

    <snip>

    ----------------------------------------------------------------------------------------------------
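    To make the gateway's "Malformed MIME" verdict and the container-versus-member distinction concrete, here is an added example (not from this thread or from Symantec) using Python's standard email parser: it constructs a Thunderbird-style message carrying a small .tgz attachment, optionally cuts off the closing MIME boundary, and then reports the parser's recorded defects, whether the attachment bytes really are gzip, and which members the archive contains. The addresses, subject and archive contents are constructed sample data.

```python
import email
import io
import tarfile
from email import policy
from email.message import EmailMessage

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip/.tgz stream


def build_sample(close_boundary: bool) -> bytes:
    """Construct a Thunderbird-style multipart/mixed mail carrying a tiny .tgz
    (constructed sample, not the poster's real file). With close_boundary=False
    the terminating "--boundary--" line is cut off, one common malformed-MIME case."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("packets/readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "test via thunderbird"
    msg.set_content("test via thunderbird")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="x-gzip",
                       filename="compiere.packets.tgz")
    raw = msg.as_bytes()  # serialising assigns the multipart boundary
    if not close_boundary:
        raw = raw[: raw.rfind(b"--" + msg.get_boundary().encode() + b"--")]
    return raw


def inspect(raw: bytes) -> dict:
    """Parse like a gateway would: report MIME defects and, per attachment, the
    declared type, whether the bytes really are gzip, and the tar member names,
    so a policy could strip individual members instead of the whole container."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"defects": [type(d).__name__ for d in msg.defects], "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename(), "declared": part.get_content_type(),
                 "is_gzip": data.startswith(GZIP_MAGIC), "members": None}
        if entry["is_gzip"]:
            try:
                with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
                    entry["members"] = tar.getnames()
            except (tarfile.TarError, OSError):
                pass  # gzip but not a readable tar: members stays None
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    for ok in (True, False):
        print("well-formed" if ok else "truncated", inspect(build_sample(ok)))
```

    A message with an empty defects list but a non-gzip attachment that claims to be application/x-gzip is the case a true-file-type rule is meant to catch, while a CloseBoundaryNotFoundDefect is the kind of structural damage that makes the whole part unscannable.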



  • 5.  RE: malformed MIME will drop the archive/container file completely

    Posted Nov 19, 2010 04:05 AM

    It not only occurs with email that has malformed MIME in it; a normal tgz file (non-malformed MIME) also cannot go through our Brightmail without a rule specified to block that tgz file. I'm opening a ticket now, as we also received another complaint from a user with a PGP file as well.