"Banned Content" question - a related problem

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jan 12 10:26:59 GMT 2005


Check you are using the correct "Lock Type" in MailScanner.conf. If
running sendmail 8.13 or later, you need Lock Type = posix.

Quentin Campbell wrote:

>We are seeing on our MailScanner-4.35.11-1 gateways a curious problem.
>It seems to have appeared sometime after I installed 4.35.11-1.
>
>Some of the mail that passes through them is being delivered with an
>empty or corrupted body. In all cases the messages seem to be multipart
>MIME. Most often the HTML part is corrupt or empty but the text part is
>OK. However sometimes that may be empty as well. The only common factors
>are:
>
>1. The original message was probably sent as RTF format, and
>2. I see in the logs for each failed message the MailScanner warning:
>
>"Content Checks: Detected and will disarm HTML message in jBAtTRU022337"
>
>This can only apply to WebBugs that are detected since that is the only
>time I use the "disarm" action. But there should be _no_ web bugs
>present in these messages since most of the empty messages are from
>colleagues who sent a one/two line message. They have all used
>Outlook/Exchange to send these messages.
>
>We know that the messages are the correct size and format when they
>reach the mail gateways. I suspect that a problem with RTF format
>messages is at the heart of this behaviour but have not collected enough
>consistent evidence yet.
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>Sent: 11 January 2005 15:34
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: "Banned Content" question
>>
>>If you have told it to disarm web bugs, it has to search the message for
>>them, at which point it will also disarm them. I think that's how it
>>works... :-)
>>
>>Quentin Campbell wrote:
>>
>>>Julian
>>>
>>>If the only thing I have told MailScanner to "disarm" are web bugs, then
>>>why is it apparently finding web bugs in mail that contains no <Img> tags
>>>in the HTML?
>>>
>>>The mail in question probably originates as RTF from Outlook clients.
>>>
>>>>-----Original Message-----
>>>>From: MailScanner mailing list
>>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>>Sent: 11 January 2005 15:15
>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>Subject: Re: "Banned Content" question
>>>>
>>>>It will disarm those features you told it to. The "disarm HTML" in the
>>>>message means it will be trying to disarm the requested bits of the
>>>>HTML. If you didn't specify "disarm" then it won't do it, it will only
>>>>disarm the bits you told it to.
>>>>
>>>>Hope that answers your question. Given a question "a or b" the answer
>>>>cannot easily be "yes" :-)
>>>>
>>>>Quentin Campbell wrote:
>>>>
>>>>>Most of the "dangerous content" checks that I carry out with MailScanner
>>>>>are controlled via rules files. In all cases the action of the rules is
>>>>>to either "deliver", "delete", "striphtml" or "attachment".
>>>>>
>>>>>I do not use "disarm" with one exception. In MailScanner.conf I have
>>>>>
>>>>>Allow WebBugs = disarm
>>>>>
>>>>>If I see in the logs "Content Checks: Detected and will disarm HTML
>>>>>message in jBAtTRU022337" does this _only_ refer to the "disarming" of
>>>>>web bugs or can it also refer to actions taken over other content which
>>>>>did not involve the specific "disarm" action?
>>>>>
>>>>>Looking at the log records for other "dangerous content" actions the
>>>>>empirical answer to the above question is "yes". Could this be confirmed
>>>>>please.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
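
Added example, not part of the original message and not MailScanner's own code: a shell check for the advice at the top of this reply, that sendmail 8.13 or later needs Lock Type = posix. The function names, the handling of comments and repeated assignments in MailScanner.conf, and passing the sendmail version as an argument are assumptions.

```shell
#!/bin/sh
# Added example: check the "Lock Type" advice from the message above.
# Function names and config-parsing rules are assumptions for illustration.

# Print the effective Lock Type value from a MailScanner.conf-style file.
# Assumed: "Key = value" lines, "#" starts a comment, keys are matched
# case-insensitively, and the last assignment in the file wins.
lock_type() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        tolower($0) ~ /^[ \t]*lock[ \t]+type[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)          # keep text after "="
            sub(/[ \t\r]+$/, "", v)              # trim trailing space / CR
            val = tolower(v)
        }
        END { print val }
    ' "$1"
}

# Succeed if a sendmail version string such as "8.13.1" is 8.13 or later.
# Compared numerically: as strings, "8.9" would sort after "8.13".
needs_posix() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 13 ]; }
}

# check_lock_type CONF SENDMAIL_VERSION
# Prints a verdict; returns 0 if consistent with the advice, 1 if not.
check_lock_type() {
    lt=$(lock_type "$1")
    if needs_posix "$2" && [ "$lt" != "posix" ]; then
        echo "MISMATCH: sendmail $2 with Lock Type = '${lt}' (expected posix)"
        return 1
    fi
    echo "OK: sendmail $2 with Lock Type = '${lt}'"
}
```

On a gateway, the version argument can be read from the banner printed by `sendmail -d0.1 -bv root`.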
