Could not analyze message

Paul Houselander housey at sme-ecom.co.uk
Tue Nov 7 13:54:08 GMT 2006


Hi Martin

The situation is my customer has his incoming email scanned, the email
which is being quarantined is coming from one of his suppliers (i.e. they
don't smtp out via me). I don't really want to whitelist the IP as the email
comes via BT.

I was thinking along the lines of winmail.dat as the message comes via an MS
Exchange server, but the message is all just plain text. Here's the headers
(I've blanked out various addresses)

Return-Path: <xxxxxxxxxxx>
Delivered-To: 2-xxxxxxxxxxxxx
Received: (qmail 21307 invoked by uid 110); 3 Nov 2006 13:33:11 +0000
Delivered-To: 129-xxxxxxxxxxx
Received: (qmail 21301 invoked from network); 3 Nov 2006 13:33:11 +0000
Received: from xxxxxxxxxxx (HELO xxxxxxxxxxx) (xxxxxxxxxxxx)
  by xxxxxxxxxxxx with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Nov 2006
13:33:11 +0000
Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com
[194.73.73.226])
	by xxxxxxxxxxxxxxxxxx (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872
	for <xxxxxxxxxxxxx>; Fri, 3 Nov 2006 13:32:38 GMT
Received: from xxxxxxxxxxxx (xxxxxxxxxxxxxxxx.in-addr.btopenworld.com
[xxxxxxxx])
	by xxxxxxxxxxxxxxxxx (MOS 3.7.4b-GA)
	with ESMTP id BVA31885;
	Fri, 3 Nov 2006 13:27:07 GMT
Received: from goldmaster ([192.168.0.10]) by xxxxxxxxxxxxxxxxxx with
Microsoft SMTPSVC(6.0.3790.1830);
	 Fri, 3 Nov 2006 13:32:29 +0000
From: "xxxxxxxxxxxxxxx" <xxxxxxxxxxxxxxxxx>
Subject: Proof of Delivery
To: xxxxxxxxxxxxxxxx
Content-type: text/plain; charset="ISO-8859-1"
Date: Fri, 3 Nov 2006 13:32:29 +0000
Message-ID: <GOLDMASTERwOzrJS1yJ000001e0 at goldmaster.gold01.com>
X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC)
FILETIME=[825D5570:01C6FF4C]

Any other ideas?

Cheers

Paul



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Martin
Hepworth
Sent: 07 November 2006 13:27
To: MailScanner discussion
Subject: Re: Could not analyze message


Paul Houselander wrote:
> Hi
>
> I don't think my messages last week regarding this made it to the list, I've
> just noticed that they got flagged as spam on my system :-)
>

If you're using Tim's Bogus virus rules for SpamAssassin you need to
zero score the MailScanner ones (from back in the day when MailScanner
used to 'bounce' spam and viruses by default)

> I have a message being sent to one of my customers which keeps getting
> quarantined with "Could not analyze message", it's a plain text email with
> no attachments.
>

I see you're using Outlook - could it be the TNEF expander isn't working
properly...

What I do is don't scan via SA for outgoing, only virus scan. I do this
by the 'from' ip-address range which can't be spoofed quite as easily as
the email address.

> I tried setting up a ruleset so any messages from this particular address
> did not get scanned (using the Scan Messages ruleset). I've done this quite a
> few times before so am confident the syntax I'm using is correct.
>
> Despite this the message still gets quarantined, Julian mentioned the
> envelope from/to addresses might be different to the ones I've got in my
> ruleset - I used the "Add Envelope From Header" and "Add Envelope To
> Header" and was able to see from the headers that my ruleset addresses were
> correct.
>
> I've also tried using the Scan Messages ruleset to just not scan
> incoming email for this particular email address - again the message still
> gets quarantined.
>
> Any hints/tips etc. as to what can cause "Could not analyze message"? The
> server processes plenty of other email exactly as I would expect and it
> only seems to be this one particular message.
>
> Cheers
>
> Paul
>


--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
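
Added example (not part of the original thread): the trade-off between exempting by sender address and by connecting IP, worked through on a Received chain shaped like the one posted above. The only relay hop a sender cannot forge is the one recorded by your own MTA, and when that hop is a shared ISP relay, an IP exemption covers everyone who sends through it. The `.example` hostnames, the address 203.0.113.7, the 194.73.73.0/24 range and the function names are constructed for illustration; the BT relay and the internal `goldmaster` hop are taken from the posted headers.

```python
import email
import ipaddress
import re

# Constructed sample: blanked hosts replaced with ".example" placeholders;
# the BT relay and the internal goldmaster hop are as posted in the thread.
SAMPLE = """\
Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com [194.73.73.226])
\tby mx.customer.example (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872;
\tFri, 3 Nov 2006 13:32:38 GMT
Received: from mail.supplier.example (host.in-addr.btopenworld.com [203.0.113.7])
\tby relay.example (MOS 3.7.4b-GA) with ESMTP id BVA31885;
\tFri, 3 Nov 2006 13:27:07 GMT
Received: from goldmaster ([192.168.0.10]) by mail.supplier.example with
 Microsoft SMTPSVC(6.0.3790.1830); Fri, 3 Nov 2006 13:32:29 +0000
From: "Supplier" <pod@supplier.example>
Subject: Proof of Delivery

body
"""

# "from <host> ... [<ip>] ... by <host>" inside one (possibly folded) header
HOP = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\].*?\bby\s+(\S+)", re.S)

def relay_chain(raw):
    """Return (from_host, ip, by_host) per Received header, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops

def connecting_ip(raw, my_mta):
    """IP our own MTA recorded; hops below it are claims made by other hosts."""
    for _from_host, ip, by_host in relay_chain(raw):
        if by_host == my_mta:
            return ipaddress.ip_address(ip)
    return None

def exempt_by_ip(raw, my_mta, trusted_nets):
    """True if the recorded peer is in a trusted range. For a shared ISP
    relay this exempts every customer of that relay, not just one sender."""
    ip = connecting_ip(raw, my_mta)
    return ip is not None and any(ip in ipaddress.ip_network(n) for n in trusted_nets)
```

The From header and envelope sender play no part in the decision, and the supplier's internal address further down the chain is ignored because only the hop stamped by `my_mta` is consulted.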
