"Banned Content" question - a related problem

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Jan 12 07:57:45 GMT 2005


We are seeing on our MailScanner-4.35.11-1 gateways a curious problem.
It seems to have appeared sometime after I installed 4.35.11-1.

Some of the mail that passes through them is being delivered with an
empty or corrupted body. In all cases the messages seem to be multipart
MIME. Most often the HTML part is corrupt or empty but the text part is
OK. However sometimes that may be empty as well. The only common factors
are:

1. The original message was probably sent as RTF format, and
2. I see in the logs for each failed message the MailScanner warning:

"Content Checks: Detected and will disarm HTML message in jBAtTRU022337"

This can only apply to WebBugs that are detected since that is the only
time I use the "disarm" action. But there should be _no_ web bugs
present in these messages since most of the empty messages are from
colleagues who sent a one/two line message. They have all used
Outlook/Exchange to send these messages.

We know that the messages are the correct size and format when they
reach the mail gateways. I suspect that a problem with RTF format
messages is at the heart of this behaviour but have not collected enough
consistent evidence yet.

Any suggestions about fixing the problem would be welcome.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 11 January 2005 15:34
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: "Banned Content" question
>
>If you have told it to disarm web bugs, it has to search the message for
>them, at which point it will also disarm them. I think that's how it
>works... :-)
>
>Quentin Campbell wrote:
>
>>Julian
>>
>>If the only thing I have told MailScanner to "disarm" are web bugs, then
>>why is it apparently finding web bugs in mail that contain no <Img> tags
>>in the HTML?
>>
>>The mail in question probably originates as RTF from Outlook clients.
>>
>>Quentin
>>---
>>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>>                           University of Newcastle,
>>                           Newcastle upon Tyne,
>>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>>------------------------------------------------------------------------
>>"Any opinion expressed above is mine. The University can get its own."
>>
>>
>>
>>>-----Original Message-----
>>>From: MailScanner mailing list
>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>Sent: 11 January 2005 15:15
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: Re: "Banned Content" question
>>>
>>>It will disarm those features you told it to. The "disarm HTML" in the
>>>message means it will be trying to disarm the requested bits of the
>>>HTML. If you didn't specify "disarm" then it won't do it, it will only
>>>disarm the bits you told it to.
>>>
>>>Hope that answers your question. Given a question "a or b" the answer
>>>cannot easily be "yes" :-)
>>>
>>>Quentin Campbell wrote:
>>>
>>>>Most of the "dangerous content" checks that I carry out with MailScanner
>>>>are controlled via rules files. In all cases the actions of the rules are
>>>>to either "deliver", "delete", "striphtml" or "attachment".
>>>>
>>>>I do not use "disarm" with one exception. In MailScanner.conf I have
>>>>
>>>> Allow WebBugs = disarm
>>>>
>>>>If I see in the logs "Content Checks: Detected and will disarm HTML
>>>>message in jBAtTRU022337" does this _only_ refer to the "disarming" of
>>>>web bugs or can it also refer to actions taken over other content which
>>>>did not involve the specific "disarm" action?
>>>>
>>>>Looking at the log records for other "dangerous content" actions the
>>>>empirical answer to the above question is "yes". Could this be confirmed
>>>>please.
>>>>
>>>>Thanks
>>>>
>>>>Quentin
>>>>---
>>>>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>>>>                          University of Newcastle,
>>>>                          Newcastle upon Tyne,
>>>>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>>>>------------------------------------------------------------------------
>>>>"Any opinion expressed above is mine. The University can get its own."
>>>>
>>>>------------------------ MailScanner list ------------------------
>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>'leave mailscanner' in the body of the email.
>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>>Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>Buy the MailScanner book at www.MailScanner.info/store
>>>
>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
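
A triage sketch for the symptom reported in this thread, added here as an example (it is not code from the post or from MailScanner): it compares a copy of a message captured before the gateway with the copy delivered after it, reports which text parts were emptied, and lists any remote `<img>` sources in the original. The `<img>` check is a simplified stand-in for web-bug detection, and the function names and sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.append(dict(attrs).get("src") or "")

def text_parts(raw):
    """Map content type -> (visible length, img srcs) for each text/* leaf part.
    Assumes at most one part per content type, as in multipart/alternative."""
    out = {}
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        imgs = ImgCollector()
        if part.get_content_subtype() == "html":
            imgs.feed(body)
        out[part.get_content_type()] = (len(body.strip()), imgs.srcs)
    return out

def triage(before_raw, after_raw):
    """Compare a message captured before and after the gateway."""
    before, after = text_parts(before_raw), text_parts(after_raw)
    # Parts that had content on arrival but are empty (or missing) on delivery.
    emptied = sorted(ct for ct, (n, _) in before.items()
                     if n > 0 and after.get(ct, (0, []))[0] == 0)
    # Remote images in the original: the only thing a web-bug disarm should touch.
    remote = [s for _, srcs in before.values() for s in srcs
              if s.lower().startswith(("http://", "https://"))]
    return {"emptied_parts": emptied, "remote_imgs_before": remote}

def _sample(html):  # constructed message, not taken from the thread
    return ("MIME-Version: 1.0\n"
            'Content-Type: multipart/alternative; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain; charset=us-ascii\n\nSee you at 2pm.\n"
            "--b1\nContent-Type: text/html; charset=us-ascii\n\n" + html + "\n"
            "--b1--\n").encode("ascii")

BEFORE = _sample("<html><body><p>See you at 2pm.</p></body></html>")
AFTER = _sample("")  # HTML part emptied, as described in the report

if __name__ == "__main__":
    print(triage(BEFORE, AFTER))
```

An emptied part together with an empty `remote_imgs_before` list matches the case described: the body was altered even though the original contained nothing a web-bug disarm should have changed.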
