semi OT : Broken mail headers caused by Antivirus or Mail Client ?

Mohd Hafiz Ramly hafiz at variegate.biz
Tue Jul 7 04:41:10 IST 2009


Hi List,
I posted an issue earlier regarding "MailScanner: Could not analyze message".
More info can be found here: http://www.bluequartz.us/phpBB2/viewtopic.php?t=93948&sid=83856caba40a9dbd1211fc82334ab118
On further investigation of the issue, I found that the problematic mail is caused by broken mail headers (not sure if I got this term right).
Inspecting the quarantined mail in MailScanner reveals that the Content-Type header has some words randomly misspelled or missing.
Example 1 :
Content-Type: multipart/related;
        bary="----=neXtPaRt_1244707265"
The correct headers would be :
Content-Type: multipart/related;
        boundary="----=neXtPaRt_1244707265"
Example 2:
Content-Type: multipart/alternaboundary="----=neXtPaRt_1245338959"
The correct headers would be :
Content-Type: multipart/alternative;boundary="----=neXtPaRt_1245338959"
Example 3:
Content-Type: multipart/alternative;
        boundarneXtPaRt_1246674293"
The correct headers would be :
Content-Type: multipart/alternative;
        boundary="----=neXtPaRt_1246674293"
Using the file command on my Linux server shows the message file is good:
[root@mail1 ~]# file /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
/var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: RFC 822 mail text
[root@mail1 ~]# file -i /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
/var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: message/rfc822
So I decided to edit the quarantined message file and fixed the headers to the correct entries, and the mail went through just fine.
MailScanner did not complain about anything.
[root@mail1 ~]# sendmail -toi < /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
I noticed the client uses Outlook 11, Outlook Express 6 and SquirrelMail 1.4.10a as their mail editors.
And all of that mail is scanned using FortiGuard antivirus.
So what actually caused the mail headers to be broken?
Is it caused by the mail client, or might it be the antivirus at the client's end?
My guess is it could be caused by the FortiGuard antivirus software which scans outgoing mail on the clients' PCs.
Has anyone had a similar issue before?
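
A check that flags Content-Type values damaged like the three examples in the post above, so such messages can be identified before or after they are quarantined. This is an added example, not code from the original post or from MailScanner; the function names and the simplified RFC 2045/2046 grammar are assumptions of the example.

```python
import re

# Simplified RFC 2045 token / RFC 2046 boundary grammars (assumption of this example).
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}$")
PARAM = re.compile(rf'^({TOKEN})=(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))$')
BOUNDARY = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]$")

def split_outside_quotes(value):
    """Split a header value on ';' characters that are not inside double quotes."""
    parts, cur, in_quotes = [], "", False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts]

def check_content_type(raw):
    """Return a list of problems found in one Content-Type header value."""
    value = re.sub(r"\r?\n[ \t]+", " ", raw)  # unfold continuation lines
    media_type, *params = split_outside_quotes(value)
    problems, seen = [], {}
    if not MEDIA_TYPE.match(media_type):
        problems.append(f"malformed media type: {media_type!r}")
    for param in filter(None, params):  # ignore an empty trailing ';'
        m = PARAM.match(param)
        if not m:
            problems.append(f"malformed parameter: {param!r}")
            continue
        name, quoted, bare = m.groups()
        seen[name.lower()] = quoted if quoted is not None else bare
    if media_type.lower().startswith("multipart/"):
        boundary = seen.get("boundary")
        if boundary is None:
            problems.append("multipart type without a boundary parameter")
        elif not BOUNDARY.match(boundary):
            problems.append(f"invalid boundary value: {boundary!r}")
    return problems

BROKEN = [  # header values copied from the three examples in the post
    'multipart/related;\n        bary="----=neXtPaRt_1244707265"',
    'multipart/alternaboundary="----=neXtPaRt_1245338959"',
    'multipart/alternative;\n        boundarneXtPaRt_1246674293"',
]
```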

