MailScanner: Could not analyze message

Achim J. Latz achim+mailwatch at qustodium.net
Tue Mar 29 15:39:09 IST 2011


In case I was not clear enough, I also use version 4.79.11 like the 
original poster (from the Debian repositories), and a sample message 
looks like this (including the 4 dashes at the end):


Received: from o1.heroku.sendgrid.net (o1.heroku.sendgrid.net 
[67.228.50.54])
         by mail.domain.tld (Postfix) with SMTP id 64C31100B59
         for <recipient at domain.tld>; Tue, 29 Mar 2011 12:57:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=date:from
         :to:message-id:subject:mime-version:content-type
         :content-transfer-encoding:sender; s=smtpapi; bh=cjVxj8SvXqfJ+OD
         0qUgOCS/ZHMk=; b=lMMNyUB/AD8iwYNLB7J1466jdpZt9PD8aE1G270rqblp5OE
         Z+nnMvIxDP7bXPZ51k6ur8Qcot8Fg6YsQbsYKtQh4+dO3ncoZWrQr8y/YmiPUoKI
         KLajypfLIBHzF3FvKlb1WvtPI1/Xg27c/njC9BkYj/bxlBuYXdrEVMMVSBqo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sendgrid.info; h=date:from
         :to:message-id:subject:mime-version:content-type
         :content-transfer-encoding:sender; q=dns; s=smtpapi; b=tt7Xxp5bx
         +hVEMhzOMZTtnD+loZcvTHTqopuSZb14cr54FqU7bvWupRYJPqHzgn/ceiv35QBY
         ki90PTJnOecJaneKHTaTMYB3IgGS/Mj3AqSisxnjd2PP8/GasL5FRfH8cF/phPMQ
         SypEcAQWSAL5Ii2vcesHlWlx4U6mUvdiTA=
Date: Tue, 29 Mar 2011 03:57:19 -0700
From: recipient <no-reply at recipient.eu>
To: recipient at domain.tld
Message-ID: <4d91bb0f59202_75034194989558c at railgun64.53306.mail>
Subject: New inquiry from your website
Mime-Version: 1.0
Content-Type: multipart/alternative
Content-Transfer-Encoding: 7bit
X-Sendgrid-EID: 
fg9kZZpXkJUwMfpjPNokyRcJeLbgGU+lau0B86ToVheEbpM2VsYILCZyk/AwQFhbDumpBXedgS9rtQaAAdDd7yFRvdye8ScGSNRG5dePguMLKXugPBLSMvx6+tHMZxOm0YMP2Tp1jpPuopwwCEEn7w==
Sender: recipient <no-reply=recipient.eu at sendgrid.info>

This is a multi-part message in MIME format...
----


On 29/03/2011 16:23, Achim J. Latz wrote:
> Good afternoon:
>
> Did this issue get resolved? I am seeing exactly the same issue today
> with emails that are generated by sendgrid.info. I found a couple of
> support articles [1, 2], but they address MailScanner's anti-phishing
> rather than the MIME parser.
>
> At the same time, I tried to disable all content checks (first via rules
> file, now completely like so):
>
> Dangerous Content Scanning = no
>
> and still the messages get scanned and ultimately bounced with "Could
> not analyze message".
>
> Is there a way to fix this, or at least turn the checks off? Is
> "Dangerous Content Scanning" perhaps the wrong setting for this behaviour?
>
> Thanks, Achim
>
> [1]
> <http://support.sendgrid.com/entries/360112-mailscanner-has-detected-a-possible-fraud-attempt>
>
> [2]
> <https://www.interspire.com/support/kb/questions/1104/Recipients+are+seeing+phrases+like+%22MailScanner+has+detected+a+possible+fraud+attempt+from...%22>
>
>
> On 21/05/2010 15:55, Julian Field wrote:
>> You can get it if you have Raw Queue Files switched on, straight from
>> the quarantine.
>>
>> On 21/05/2010 14:44, Gary Faith wrote:
>>> I can get the message in the spam quarantine folder but how do I get
>>> the raw message? Do I need to shut down MailScanner and only have
>>> sendmail running until after they say it was sent or is there some
>>> other way to get it?
>>> Gary
>>>
>>> >>> Julian Field <MailScanner at ecs.soton.ac.uk> 5/21/2010 5:33 AM >>>
>>> Can you send me a URL of a sample message (raw queue files preferred) so
>>> that I can try this out for you please?
>>>
>>> Jules.
>>>
>>> On 19/05/2010 21:12, Gary Faith wrote:
>>> > I have some e-mail being sent by one individual to MailScanner
>>> > running ver 4.79.11 and the messages are getting tagged as {Dangerous
>>> > Content?}. I am running MailScanner with clamav & sanesecurity
>>> > signatures, scamnailer, razor, pyzor & dcc. Mailwatch reports that it
>>> > isn't a virus it is "Other Infection":
>>> >
>>> > Anti-Virus/Dangerous Content Protection
>>> > Virus: N
>>> > Blocked File: N
>>> > Other Infection: Y
>>> > Report:MailScanner: Could not analyze message
>>> >
>>> > The message contains this:
>>> >
>>> > Warning: This message has had one or more attachments removed
>>> > Warning: (the entire message).
>>> > Warning: Please read the "XXX-Attachment-Warning.txt" attachment(s)
>>> > for more information.
>>> >
>>> > This is a message from the MailScanner E-Mail Virus Protection Service
>>> > ----------------------------------------------------------------------
>>> > The original e-mail message contained potentially dangerous content,
>>> > which has been removed for your safety.
>>> >
>>> > At Wed May 19 15:36:22 2010 the content filters said:
>>> > MailScanner: Could not analyze message
>>> >
>>> > The sender uses Maximizer to generate the e-mail with a PDF
>>> > attachment. I had the sender use Maximizer and send only the message
>>> > without the attachment and it comes in fine. I had them send only the
>>> > attachment via Outlook and it comes in fine. It seems the problem is
>>> > with Maximizer but I am not sure why.
>>> >
>>> > I can send the quarantined message or whatever is needed to
>>> > determine the problem off list.
>>> >
>>> > I need help in tracking down where the problem is and getting it
>>> > fixed.
>>> >
>>> > Thanks,
>>> >
>>> > Gary Faith
>
>


-- 
Achim J. Latz, Qustodium Internet Security
achim.latz at qustodium.net · http://www.qustodium.net
Data Encryption · Backup Automatisation · E-Mail Protection
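
Added example, not part of the original post and not MailScanner code: the sample message above declares `Content-Type: multipart/alternative` with no `boundary` parameter, which RFC 2046 requires, so this sketch checks a raw quarantined message for that and related structural faults using Python's standard `email` parser. The sample messages are constructed, and whether this is what MailScanner 4.79.11 rejects is an assumption the thread does not confirm.

```python
import email
from email import policy

def mime_structure_problems(raw: bytes) -> list:
    """List structural MIME problems in a raw message (empty list = none found)."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    problems = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            ctype = part.get_content_type()
            boundary = part.get_boundary()
            if boundary is None:
                # RFC 2046 section 5.1.1: multipart types require a boundary
                problems.append(f"{ctype}: no boundary parameter")
            elif not part.is_multipart():
                # Boundary declared, but no delimiter line found in the body
                problems.append(f"{ctype}: boundary {boundary!r} not found in body")
        # Defects recorded by Python's own parser, as a cross-check
        problems += [f"parser defect: {type(d).__name__}" for d in part.defects]
    return problems

# Constructed samples modelled on the headers in the post (addresses are placeholders)
_HEADERS = (
    b"From: sender <no-reply@example.org>\r\n"
    b"To: recipient@example.org\r\n"
    b"Subject: New inquiry from your website\r\n"
    b"Mime-Version: 1.0\r\n"
)
NO_BOUNDARY = _HEADERS + (
    b"Content-Type: multipart/alternative\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n\r\n"
    b"This is a multi-part message in MIME format...\r\n----\r\n"
)
WELL_FORMED = _HEADERS + (
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"This is a multi-part message in MIME format...\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\nContent-Type: text/html\r\n\r\n<p>hello</p>\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, raw in (("no boundary", NO_BOUNDARY), ("well formed", WELL_FORMED)):
        print(name, "->", mime_structure_problems(raw))
```

Run against the raw queue file rather than a copy re-saved by a mail client, since clients may rewrite or refold the headers.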

