FW: Other Bad Content Detected

Glenn Steen glenn.steen at gmail.com
Mon Jun 4 14:17:06 IST 2007


On 04/06/07, Nigel Kendrick <support-lists at petdoctors.co.uk> wrote:
> Hi Folks,
>
> I have posted about this before but not got much farther yet and when I had
> a brief look at the raw message file I wasn't really sure what I might be
> looking for:
>
> -----Original Message-----
> From: MailScanner [Greendale] [mailto:postmaster at WhereIam]
> Sent: Monday, June 04, 2007 1:35 PM
> To: postmaster@[WhereIam]
> Subject: Other Bad Content Detected
> Importance: High
>
> The following e-mails were found to have: Other Bad Content Detected
>
>     Sender: [munged]
> IP Address: [munged]
>  Recipient: [munged]
>    Subject: Proof of Delivery
>  MessageID: 9AE922F0033.E01FF
> Quarantine: /var/spool/MailScanner/archive/,
> /var/spool/MailScanner/quarantine/20070604/9AE922F0033.E01FF
>     Report: MailScanner: Could not analyze message
>
> Full headers are:
>
>  Received: from relay1.mail.uk.clara.net (relay1.mail.uk.clara.net
> [80.168.70.181])
>         by greendale.home.local (Postfix) with ESMTP id 9AE922F0033
>         for <[munged]>; Mon,  4 Jun 2007 13:34:41 +0100 (BST)
>  Received: from [munged] ([[munged]] helo=CBSQL02)
>         by relay1.mail.uk.clara.net with esmtp (Exim 4.62)
>         (envelope-from <[munged]>)
>         id 1HvBlg-0002Ej-PH; Mon, 04 Jun 2007 13:34:41 +0100
>  From: "Diamond Logistics pod (point of delivery)" <[munged]>
>  Subject: Proof of Delivery
>  To: [munged]
>  Cc:  [munged]
>  Content-Type: multipart/mixed
>  MIME-Version: 1.0
>  Date: Mon, 4 Jun 2007 13:35:25 +0100
>  Message-Id: <20070604123441.9AE922F0033 at greendale.home.local>
>
>
> Consensus is that the emails I am receiving are malformed in some way but
> with my limited knowledge of mail formats I have not been able to spot
> anything obvious. The emails are autogenerated by a courier delivery
> tracking system and tend to be very simple - if I postcat the archived
> message I get this:
>
> Received: from relay1.mail.uk.clara.net (relay1.mail.uk.clara.net
> [80.168.70.181])
>         by greendale.home.local (Postfix) with ESMTP id 9AE922F0033
>         for <[munged]>; Mon,  4 Jun 2007 13:34:41 +0100 (BST)
> Received: from [munged] ([[munged]] helo=CBSQL02)
>         by relay1.mail.uk.clara.net with esmtp (Exim 4.62)
>         (envelope-from <[munged]>)
>         id 1HvBlg-0002Ej-PH; Mon, 04 Jun 2007 13:34:41 +0100
> From: "Diamond Logistics pod (point of delivery)" <[munged]>
> Subject: Proof of Delivery
> To: [munged]
> Cc:  [munged]
> Content-Type: multipart/mixed
> MIME-Version: 1.0
> Date: Mon, 4 Jun 2007 13:35:25 +0100
> Message-Id: <20070604123441.9AE922F0033 at greendale.home.local>
>
> Please find POD details for your completed booking, reference 5541490
> Booked by: Pet Doctors House  Contact: Ian Vincent  Reference 1: London 2
>     Pick: [munged]
> [munged] 19
> [munged] Road
> [munged]
> Completed: 13:35:24 04/06/2007
>
> Pick: [munged] (SHEEN)
> [munged] 15
> [munged]
> SW14 [munged]
> Completed: 13:35:24 04/06/2007
>
> Drop: [munged]
> [munged] ESTATE
> [munged]
> WOKING
> [munged]
> Completed: 13:35:00 04/06/2007
> Signed by: P WESCHE
>
>       Thank you for your custom!
>
>
> In previous discussions, there was talk of putting the archived message
> somewhere - or emailing it - where a kind soul could have a quick look at
> the raw mail file to see what might be amiss?
>
> Any takers?

Maybe tomorrow, today isn't a great day (my main MS box committed
suicide.... I'm trying to resurrect it now... Bl**dy fsck hanging in
the middle of everything isn't exactly helping:-).

One thing is that your mail snippet above says it is "multipart/mixed"
for content type... Where is the attachment, one wonders?
Do you delete them?

Very likely somewhere there is the problem... If there is actually
some really bad attachment...
Try to catch a few queue files _before_ MailScanner... You can easily do
that by stopping MailScanner, ensuring that postfix is running (and
queueing into your hold queue directory), then just copy the relevant
one from there .... This is the one that you should do "forensics" on.
Another option is to use the Archive Mail setting in MailScanner ...

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
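
The quoted headers declare "Content-Type: multipart/mixed" with no boundary parameter, and the body shown is plain text. The following is an added example, not part of the original posts: it checks a raw message (headers and body, as in the postcat output above) for that mismatch with Python's standard email parser. The sample messages and the function name are constructed for illustration.

```python
from email import message_from_bytes

# Constructed sample modelled on the quoted headers; addresses are placeholders.
DECLARED_MULTIPART_NO_PARTS = b"""\
From: "Courier POD" <pod@example.org>
Subject: Proof of Delivery
To: user@example.org
Content-Type: multipart/mixed
MIME-Version: 1.0
Date: Mon, 4 Jun 2007 13:35:25 +0100

Please find POD details for your completed booking
"""

# Constructed sample: same declaration, with a boundary and one real part.
WELL_FORMED = b"""\
From: "Courier POD" <pod@example.org>
Subject: Proof of Delivery
To: user@example.org
Content-Type: multipart/mixed; boundary="b1"
MIME-Version: 1.0

--b1
Content-Type: text/plain

Please find POD details for your completed booking
--b1--
"""


def multipart_findings(raw: bytes) -> list[str]:
    """List the ways a raw message's MIME structure contradicts its headers."""
    msg = message_from_bytes(raw)
    findings = []
    if msg.get_content_maintype() == "multipart":
        if msg.get_boundary() is None:
            findings.append("multipart Content-Type has no boundary parameter")
        if not msg.is_multipart():
            findings.append("declared multipart but body holds no MIME parts")
    # The parser also records structural defects on each part it builds.
    for part in msg.walk():
        findings += [f"parser defect: {type(d).__name__}" for d in part.defects]
    return findings


if __name__ == "__main__":
    for name, raw in [("broken", DECLARED_MULTIPART_NO_PARTS), ("ok", WELL_FORMED)]:
        print(name, multipart_findings(raw))
```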

