
Unscannable Messages - Malformed MIME

Updated: 17 Oct 2010 | 7 comments
arrow_203 | 0 Votes

I'm looking for the best way to do this.

We have an internal application which sends out email-based alert messages. SBG has been deleting them because they're malformed MIME and thus unscannable. My initial idea would be to create a new group on the SBG appliance comprised of the recipients for these messages, then change their unscannable message policy to something other than "Delete Message". I'm just wondering if anyone can think of a better way to pass these messages safely (other than having the application in question send proper MIME messages; trust me, that's not an option, unfortunately).

I've pasted an example message audit log entry for one of these messages below.

Thanks for the help!

Message Data 
ID: c0a8cc06-b7c27ae000002466-f4-4b7bc8389fea
  Message-ID: 7da0211.a2d0a4b@server
  Tracker: AAAABAAAAWEK/wVSEtO+vBLUrNM=
  Accepted From: 10.xxx.xx.xx
  Scanners: XXXX Symantec Brightmail Gateway 
  Time accepted: Wednesday, Feb 17, 2010 02:43:04 AM PST
  Direction: Inbound
  Sender: xxxxmail@xxxx.com
  Original recipients: rxxxxx.xxxxxx@xxxx.com 
  Original Subject: xxxx alert 56 bad return code.
  Full attachment list: None
  Suspect attachments: None
Recipient Data 
  Intended recipient: rxxxxx.xxxxxx@xxxx.com
   
  Verdict:
    Verdict | Filter Policy | Group | Details
    Unscannable | unscannable: delete message (default) | default | Malformed MIME
   
  Actions taken: Delete message 
   
  Delivery:
    Delivered To | Delivery Time
    None |
   
  Untested verdicts:  Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Bounce attack signature present, Known language
   
  Other recipients:  
     

Comments

TSE-JDavis | 17 Feb 2010 | 1 Vote

That is the first thing I thought of when you described the issue. Create another group and change their unscannable rule.

There is another option though. You can tell us to ignore malformed MIME. This is not suggested though.

AdnanH | 17 Feb 2010 | 1 Vote

Hi Mike,

If the messages from the application are getting an unscannable verdict due to the issue described in the following KB, then there is a workaround available that might help:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/...

The workaround involves accessing the Hidden Advanced Settings page, and since any setting there should not be changed unless advised by support, I cannot paste the instructions to access that page here.

But I think the best solution is to handle it with the group policy you mentioned. 

Maybe you can set up the policy group using the sender address (assuming the mail from address is fixed and from your domain), disable outbound email virus scanning for this group, and have the application send mail using the outbound interface (which may not be possible in your case) instead of inbound. This way the policy group is independent of the recipients and you would not have to update the policy group for each new added/deleted recipient.

Regards,

Adnan

arrow_203 | 18 Feb 2010 | 0 Votes

Thanks,

I've tried AdnanH's second recommended solution there.  I just have to wait for the application guy to make the configuration changes - I'll post my results afterwards.

Mike
Network Analyst

"Any sufficiently advanced technology is indistinguishable from magic!"

Carlos Henrique Oliveira | 08 Apr 2010 | 0 Votes

Modifying Policy didn't work

Hi, I got the same problem here...

I changed the default "Unscannable: Delete message (default)" policy to "Hold message in Spam Quarantine" instead of deleting the message.

But it didn't work. I am not sure about it, but I think, since the message is already malformed, Brightmail is not capable of saving it, so it deletes the message anyway.

I am thinking about enabling the "Allow malformed MIME" in the hidden settings... has anyone ever tried this? Any clues?

   Thank you !
   Carlos Oliveira

Cricket17 | 08 Apr 2010 | 0 Votes

We have a virus policy - unscannable - deliver message normally.  So other policy should work.

Arrow_203: why are you accommodating the application?  Can you push back to get them to clean up their MIME structures?

arrow_203 | 13 Apr 2010 | 0 Votes

Because communication with the vendor is basically nonexistent.

Mike
Network Analyst

"Any sufficiently advanced technology is indistinguishable from magic!"

ANDREY FYODOROV | 15 Apr 2010 | 0 Votes

We receive mail from various clients of ours who have their own apps that often compose "unscannable" messages.

It was impossible for us to use a group method and chase down every possible external address that could send us an unscannable email.

We just bit the bullet and Allowed malformed MIME.
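
Before relaxing the unscannable policy for a sender, it helps to know what is structurally wrong with a captured copy of its mail. The following is an added example, not posted by anyone in this thread: it uses Python's standard `email` parser, whose defect checks are not Brightmail Gateway's own, and the `mime_defects` helper and all sample messages are constructed for illustration.

```python
import email
from email import policy


def mime_defects(raw: bytes):
    """Parse raw message bytes; return (part path, defect name) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    def visit(part, path):
        # The parser records structural problems on the part they affect.
        found.extend((path, type(d).__name__) for d in part.defects)
        if part.is_multipart():
            for i, child in enumerate(part.iter_parts(), 1):
                visit(child, f"{path}/{i}")

    visit(msg, "root")
    return found


def _join(lines):
    return b"\r\n".join(lines) + b"\r\n"


# Constructed sample messages (not taken from the thread).
HEADERS = [
    b"From: alerts@example.test",
    b"To: ops@example.test",
    b"Subject: constructed alert",
    b"MIME-Version: 1.0",
]
PART = [b"--XYZ", b"Content-Type: text/plain", b"", b"job failed"]
MULTIPART = [b'Content-Type: multipart/mixed; boundary="XYZ"', b""]

WELL_FORMED = _join(HEADERS + MULTIPART + PART + [b"--XYZ--"])
# Declares a boundary but never terminates the multipart body.
NO_CLOSE = _join(HEADERS + MULTIPART + PART)
# Claims to be multipart but declares no boundary parameter at all.
NO_BOUNDARY = _join(HEADERS + [b"Content-Type: multipart/mixed", b"", b"job failed"])

if __name__ == "__main__":
    samples = {"well_formed": WELL_FORMED, "no_close": NO_CLOSE,
               "no_boundary": NO_BOUNDARY}
    for name, raw in samples.items():
        print(name, mime_defects(raw) or "no defects")
```

A clean result here does not guarantee the gateway will scan the message, but a reported defect gives the application owner a concrete item to fix.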