semi OT : Broken mail headers caused by Antivirus or Mail Client ?

Glenn Steen glenn.steen at gmail.com
Wed Jul 8 00:21:09 IST 2009


2009/7/7 Mohd Hafiz Ramly <hafiz at variegate.biz>:
> Hi List,
> I have posted an issue earlier regarding "MailScanner: Could not analyze message"
> More info can be found here : http://www.bluequartz.us/phpBB2/viewtopic.php?t=93948&sid=83856caba40a9dbd1211fc82334ab118
> On further investigation of the issue, I found that the problematic mail is caused by broken mail headers (not sure if I got this term right).
> Inspecting the quarantined mail in MailScanner reveals that Content-Type is randomly misspelled or missing in some words.
> Example 1 :
> Content-Type: multipart/related;
>         bary="----=neXtPaRt_1244707265"
> The correct headers would be :
> Content-Type: multipart/related;
>         boundary="----=neXtPaRt_1244707265"
> Example 2:
> Content-Type: multipart/alternaboundary="----=neXtPaRt_1245338959"
> The correct headers would be :
> Content-Type: multipart/alternative;boundary="----=neXtPaRt_1245338959"
> Example 3:
> Content-Type: multipart/alternative;
>         boundarneXtPaRt_1246674293"
> The correct headers would be :
> Content-Type: multipart/alternative;
>         boundary="----=neXtPaRt_1246674293"
> Using the file command on my Linux server shows the message file is good
> [root at mail1 ~]# file /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
> /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: RFC 822 mail text
> [root at mail1 ~]# file -i /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
> /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: message/rfc822
> So I decided to edit the quarantined message file and fixed the headers to the correct entry, and the mail went through just fine.
> MailScanner did not complain about anything.
> [root at mail1 ~]# sendmail -toi < /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
> I notice the client uses Outlook 11, Outlook Express 6 and SquirrelMail 1.4.10a as their mail editor.
> And all of that mail is scanned using FortiGuard antivirus.
> So what actually caused the mail headers to be broken?
> Is it caused by the mail client, or might it be the antivirus at the client end?
> My guess is it could be caused by the FortiGuard antivirus software which scans outgoing mail on the clients' PCs.
You could enable the Archive Mail feature. That way you can see the
messages as they were before MailScanner touches them at all. If the
"problematic ones" are mangled there, you can be pretty sure that
something between the sender and you is the culprit.
You don't seem to do any "before" filters (PF style), nor milters... Right?

> Anyone had this similar issue before ?
Not really, no.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
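
Added example, not part of the original thread: a small Python checker that flags the kind of Content-Type damage quoted above (misspelled or missing boundary parameter, media type fused with its parameter). It can be run over both the archived and the quarantined copy of a message to see whether the header was already mangled on arrival. The sample messages are constructed from the three headers in the post, and the function and variable names are hypothetical.

```python
import re
import sys
from email.parser import BytesParser

# RFC 2045 "token" characters, used for the media type and subtype.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
MEDIA_RE = re.compile(rf"{TOKEN}/{TOKEN}")
# name=value parameters; the value is a quoted string or a bare token.
PARAM_RE = re.compile(r'([^\s;=]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s;]+)')


def check_content_type(raw: bytes) -> list[str]:
    """Return the problems found in a message's Content-Type header."""
    msg = BytesParser().parsebytes(raw, headersonly=True)
    value = msg.get("Content-Type")
    if value is None:
        return []  # no header at all: defaults to text/plain, nothing to check
    # Unfold continuation lines, then split the media type from its parameters.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
    media, _, rest = unfolded.partition(";")
    media = media.strip()
    problems = []
    if not MEDIA_RE.fullmatch(media):
        problems.append(f"malformed media type: {media!r}")
    if media.lower().startswith("multipart/"):
        names = [m.group(1).lower() for m in PARAM_RE.finditer(rest)]
        if "boundary" not in names:
            problems.append(f"multipart without boundary parameter (saw {names})")
    return problems


# Constructed sample messages using the header values quoted in the post.
SAMPLES = {
    "example 1": b'Content-Type: multipart/related;\n\tbary="----=neXtPaRt_1244707265"\n\nbody\n',
    "example 2": b'Content-Type: multipart/alternaboundary="----=neXtPaRt_1245338959"\n\nbody\n',
    "example 3": b'Content-Type: multipart/alternative;\n\tboundarneXtPaRt_1246674293"\n\nbody\n',
    "corrected 2": b'Content-Type: multipart/alternative;boundary="----=neXtPaRt_1245338959"\n\nbody\n',
}

if __name__ == "__main__":
    # With file arguments, check those files; otherwise run the samples.
    items = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLES
    for name, raw in items.items():
        print(name, check_content_type(raw) or "ok")
```
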

