Could not check ... (corrupt)

Scott Adkins adkinss at OHIO.EDU
Wed Jan 22 15:46:36 GMT 2003


Did you get a message similar to the following:

  The original e-mail attachment "not named"
  was believed to be infected by a virus and has been replaced by
  this warning message.

  At Fri Jan 17 13:15:11 2003 the virus scanner said:
     External message bodies cannot be scanned and are removed

We are getting complaints that our virus scanning is removing perfectly
valid attachments known not to have viruses in them.  This will become a
very hot topic if we don't figure it out soon and resolve it.  I don't
know if it is Sophos doing it or if it is MailScanner doing it.  We are
trying to get copies of these people's emails so that we can look at the
warning message to find out if it is similar to the above.

If this is MailScanner, is there an option to turn it off?  If for some
reason an attachment can't be scanned, my inclination is to play it safe
and deliver it normally, not nuke it into oblivion.  We aren't doing
quarantining here, and we have already received messages about the fact
that these attachments are removed and we don't save them for later
recovery.  Our policy won't change, but I can understand their issues.

Scott

--On Wednesday, January 22, 2003 4:35 PM +0100 Ewald Beekman 
<E.H.Beekman at AMC.UVA.NL> wrote:

> Saw this message a couple of times since we're running production,
> most of the time it's because of DSNs which include the original
> attachment sent (where the original message is one mime-part and the
> original attachment is not a separate mime-part in the DSN message because
> the mime boundaries are different).
> But I also got it on a "correct" message:
>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="part1_181.15952dd4.2b5fd091_boundary" ...
> --part1_181.15952dd4.2b5fd091_boundary
> Content-Type: text/plain; charset="US-ASCII"
> Content-Transfer-Encoding: 7bit
> ....
> --part1_181.15952dd4.2b5fd091_boundary
> Content-Type: application/octet-stream; name="Notulen COB 13-01-03.doc"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Notulen COB 13-01-03.doc"
>
> 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAALAAAAAAA
> etc.
>
> Any ideas why it couldn't extract the attachment? I did it by hand using
> perl -MMIME::Base64 -ne 'print decode_base64($_)' < file > x.doc
> and that worked ok, and the document contained no viruses.
> Could it be the spaces?
>
> We are using mailscanner-4.11-1 on RedHat-8 with Sophos.
> These are the logs:
>
> Jan 22 11:47:08 MailScanner[10703]: Could not check ./h0MAl3er016081/Notulen COB 13-01-03.doc (corrupt)
> Jan 22 11:47:09 MailScanner[10703]: Saved entire message to /var/spool/MailScanner/quarantine/20030122/h0MAl3er016081
> Jan 22 11:47:09 MailScanner[10703]: Saved infected "Notulen COB 13-01-03.doc (corrupt)" to /var/spool/MailScanner/quarantine/20030122/h0MAl3er016081
>
> thanx in advance,
> Ewald...
>
>
> --
> Ewald Beekman, Security Engineer, Academic Medical Center,
> dept. ADB/ICT Computer & Network Services, The Netherlands
>## Your mind-mint is:
> Don't you wish you had more energy... or less ambition?


-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
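
Added example, not part of either message and not MailScanner code: the by-hand decode Ewald describes, applied to every named base64 part of a message with strict decoding and a check for the OLE2 header, so a damaged attachment can be told apart from one that decodes cleanly. The boundary `b1`, the helper names and both payloads are constructed for illustration.

```python
import base64
import binascii
from email import message_from_string

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # first 8 bytes of a legacy .doc

def make_sample(b64_body):
    """Constructed message with the same part layout as the quoted one."""
    return (
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain; charset="US-ASCII"\n'
        'Content-Transfer-Encoding: 7bit\n\nsee attachment\n'
        '--b1\nContent-Type: application/octet-stream;'
        ' name="Notulen COB 13-01-03.doc"\n'
        'Content-Transfer-Encoding: base64\n'
        'Content-Disposition: attachment;'
        ' filename="Notulen COB 13-01-03.doc"\n\n'
        + b64_body + '\n--b1--\n'
    )

# Constructed payloads: an OLE2 header plus padding, and a copy with one
# character replaced by a byte outside the base64 alphabet.
GOOD = base64.encodebytes(OLE2_MAGIC + bytes(100)).decode("ascii")
DAMAGED = GOOD[:40] + "!" + GOOD[41:]

def check_attachments(raw):
    """Return (filename, status, detail) for each named base64 part."""
    results = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if name is None or cte != "base64":
            continue
        body = "".join(part.get_payload().split())  # remove line breaks only
        try:
            data = base64.b64decode(body, validate=True)  # reject stray chars
        except binascii.Error as exc:
            results.append((name, "undecodable", str(exc)))
            continue
        kind = "OLE2 document" if data.startswith(OLE2_MAGIC) else "unknown type"
        results.append((name, "decoded", f"{len(data)} bytes, {kind}"))
    return results

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("damaged", DAMAGED)):
        print(label, check_attachments(make_sample(body)))
```

A part that reports "decoded" here but is still logged as corrupt by the scanner points at the unpacking step rather than at the sender's encoding.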