Sophos issues

Julian Field mailscanner at ecs.soton.ac.uk
Tue Jan 28 21:33:18 GMT 2003 

If it gained a winmail.dat then an Exchange Server is involved somewhere en 
route, or else he was using Outlook with "Rich Text Format" enabled.

Please can you try a route that does not involve any winmail.dat files.

The version that came to you was perfectly intact, so that route is working 
(which I assume involved MailScanner somewhere).

At 21:27 28/01/2003, you wrote:
>Julian,
>
>I upgraded to 3.66 and asked a user to send me the test file that caused
>problems last week.
>
>Turns out the problem is still there!  He sent me a file with an XML
>extension (no trace of this one in filename.rules.conf) and put his own
>email address in cc:.
>
>I received the file OK and have been able to load it in Mozilla.
>
>He received an error message with the subject changed to include {VIRUS}
>and the following error message:
>Could not check winmail.dat (corrupt)
>
>Strange thing: his message had no winmail.dat in it (there was none in
>the copy I received), just the S812.CHOIXET.XML file.
>
>He also received a second message saying that his PC was probably
>infected and should be checked...  again, the message included:
>Could not check winmail.dat (corrupt)
>
>Any ideas what is going on?
>
>Denis
>
>Le mar 28/01/2003 à 04:52, Julian Field a écrit :
> > Can I suggest you upgrade to the latest 3.66 release of Sophos.
> > I have been sent a few files which 3.62 and other releases complains are
> > corrupt.
> > 3.66 happily scans them.
> >
> > At 17:59 27/01/2003, you wrote:
> > >--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
> > ><mailscanner at ECS.SOTON.AC.UK> wrote:
> > >
> > >>>   The files are already
> > >>>"corrupt" by the time that Sophos sees it (basically, it can't see both
> > >>>the start of the file and the end of the file, is what I was told).  I
> > >>>asked about the RAR archives, and she said that Sophos currently can't
> > >>>scan RAR version 3 archives, but that will be available in the next
> > >>>release.  She suggested that I quarantine messages and release the files
> > >>>that get labeled corrupted, or in the case of the RAR files, maybe put
> > >>>the file extension on a whitelist, basically.
> > >>
> > >>When it finds a file is corrupt, MailScanner removes it, right?
> > >
> > >Actually no... It looks like the attachments come through okay, though,
> > >the files are indeed corrupted.  I am still trying to get the original
> > >fines from the authors to see if they started that way or not... So, I
> > >can't know for sure what happens, but the attachment doesn't appear to be
> > >removed, just a warning message inserted into the body of the message
> > >indicating that the file is corrupted.
> > >
> > >>Is it happening often enough that you could archive all mail for a little
> > >>while until it happens? If so, we can actually get a test case together
> > >>to prove exactly what is happening to the message. Until I can get my
> > >>hands on a test case, it is very difficult to work out what is happening.
> > >
> > >I don't think so... We get several hundred emails going through our system
> > >a minute... We have enough problems trying to stay afloat with CPU 
> load and
> > >(especially) disk I/O.  When we turned on quarantining for about a 10 hour
> > >time period, we had about 1.5GB of disk space consumed... so, it makes me
> > >a bit afraid to do anything on our production server like that :-)
> > >
> > >>Are they suggesting that the file put into the quarantine is actually
> > >>okay, but the file being scanned is not? That would be a neat trick...
> > >
> > >That is a good point... My concern was with regards of a message coming
> > >in that was fine and somehow MailScanner or Sophos was corrupting the
> > >message and that was what got put into the attachment... but that seems
> > >a bit less likely at this point, and I feel like the file is starting out
> > >corrupt.  If I had to guess right now, Sophos is expecting documents to
> > >be exactly compliant with those document standard formats (i.e. DOC files
> > >must follow Microsoft Word Document format, PDF files follow Adobe PDF
> > >file formats etc).  There doesn't appear to be much room in the way of
> > >flexibility.  I have seen other programs, like Star Office, write their
> > >documents that are mostly compliant, but not quite, and maybe those would
> > >be flagged by Sophos as being corrupted.  Anyways, those are guesses.
> > >
> > >>>What would be really helpful, at this point, is a way for me to set an
> > >>>option to allow corrupted files to pass through MailScanner without 
> being
> > >>>flagged as viruses and without being touched.  The same goes for 
> scanning
> > >>>of external MIME attachments (which is another thread).  There should be
> > >>>an option to not flag those as viruses and to allow the messages to pass
> > >>>through untouched.  Both of these issues are generated support calls for
> > >>>us right now.
> > >>
> > >>The "external bodies" switch will be in the next version. I'll have to
> > >>take a look at how easy it would be to add a switch for the other bit.
> > >
> > >Great!  I will let the users know about this (the external bodies thing).
> > >
> > >>How come this is only happening with Sophos? No-one else is reporting any
> > >>problems, only the people using Sophos.
> > >
> > >That is a good point... If I knew our system could support another virus
> > >scanner, such as ClamV or something like that, I would put it on.... 
> as is,
> > >we are now running without spam checking just so we can get some benefit
> > >of MailScanner doing virus checking on messages... when we start to fall
> > >behind in the mail queues, even that gets turned off.
> > >
> > >On average, we get several hundred messages a minute.  When we get spammed
> > >(usually by our own university departments), we get way more than that :)
> > >
> > >Scott
> > >--
> > >+-----------------------------------------------------------------------+
> > >      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
> > >   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
> > >        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
> > >+-----------------------------------------------------------------------+
> > >     PGP Public Key available at
> > > http://www.cns.ohiou.edu/~sadkins/pgp/</x-flowed>
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

More information about the MailScanner mailing list