MailScanner: Could not analyze message

Martin Hepworth maxsec at gmail.com
Tue Mar 29 16:12:29 IST 2011


Upgrade to the latest version (and SA latest version) and see if it's still
a problem.

-- 
Martin Hepworth
Oxford, UK


On 29 March 2011 15:39, Achim J. Latz <achim+mailwatch at qustodium.net> wrote:

> In case I was not clear enough, I also use version 4.79.11 like the
> original poster (from the Debian repositories), and a sample message looks
> like this (including the 4 dashes at the end):
>
>
> Received: from o1.heroku.sendgrid.net (o1.heroku.sendgrid.net[67.228.50.54])
>        by mail.domain.tld (Postfix) with SMTP id 64C31100B59
>        for <recipient at domain.tld>; Tue, 29 Mar 2011 12:57:22 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=date:from
>        :to:message-id:subject:mime-version:content-type
>        :content-transfer-encoding:sender; s=smtpapi; bh=cjVxj8SvXqfJ+OD
>        0qUgOCS/ZHMk=; b=lMMNyUB/AD8iwYNLB7J1466jdpZt9PD8aE1G270rqblp5OE
>        Z+nnMvIxDP7bXPZ51k6ur8Qcot8Fg6YsQbsYKtQh4+dO3ncoZWrQr8y/YmiPUoKI
>        KLajypfLIBHzF3FvKlb1WvtPI1/Xg27c/njC9BkYj/bxlBuYXdrEVMMVSBqo=
> DomainKey-Signature: a=rsa-sha1; c=nofws; d=sendgrid.info; h=date:from
>        :to:message-id:subject:mime-version:content-type
>        :content-transfer-encoding:sender; q=dns; s=smtpapi; b=tt7Xxp5bx
>        +hVEMhzOMZTtnD+loZcvTHTqopuSZb14cr54FqU7bvWupRYJPqHzgn/ceiv35QBY
>        ki90PTJnOecJaneKHTaTMYB3IgGS/Mj3AqSisxnjd2PP8/GasL5FRfH8cF/phPMQ
>        SypEcAQWSAL5Ii2vcesHlWlx4U6mUvdiTA=
> Date: Tue, 29 Mar 2011 03:57:19 -0700
> From: recipient <no-reply at recipient.eu>
> To: recipient at domain.tld
> Message-ID: <4d91bb0f59202_75034194989558c at railgun64.53306.mail>
> Subject: New inquiry from your website
> Mime-Version: 1.0
> Content-Type: multipart/alternative
> Content-Transfer-Encoding: 7bit
> X-Sendgrid-EID:
> fg9kZZpXkJUwMfpjPNokyRcJeLbgGU+lau0B86ToVheEbpM2VsYILCZyk/AwQFhbDumpBXedgS9rtQaAAdDd7yFRvdye8ScGSNRG5dePguMLKXugPBLSMvx6+tHMZxOm0YMP2Tp1jpPuopwwCEEn7w==
> Sender: recipient <no-reply=recipient.eu at sendgrid.info>
>
> This is a multi-part message in MIME format...
> ----
>
>
>
> On 29/03/2011 16:23, Achim J. Latz wrote:
>
>> Good afternoon:
>>
>> Did this issue get resolved? I am seeing exactly the same issue today
>> with emails that are generated by sendgrid.info. I found a couple of
>> support articles [1, 2], but they address MailScanner's anti-phishing
>> rather than the MIME parser.
>>
>> At the same time, I tried to disable all content checks (first via rules
>> file, now completely like so):
>>
>> Dangerous Content Scanning = no
>>
>> and still the messages get scanned and ultimately bounced with "Could
>> not analyze message".
>>
>> Is there a way to fix this, or at least turn the checks off? Is
>> "Dangerous Content Scanning" perhaps the wrong setting for this behaviour?
>>
>> Thanks, Achim
>>
>> [1] <http://support.sendgrid.com/entries/360112-mailscanner-has-detected-a-possible-fraud-attempt>
>>
>> [2] <https://www.interspire.com/support/kb/questions/1104/Recipients+are+seeing+phrases+like+%22MailScanner+has+detected+a+possible+fraud+attempt+from...%22>
>>
>>
>> On 21/05/2010 15:55, Julian Field wrote:
>>
>>> You can get it if you have Raw Queue Files switched on, straight from
>>> the quarantine.
>>>
>>> On 21/05/2010 14:44, Gary Faith wrote:
>>>
>>>> I can get the message in the spam quarantine folder but how do I get
>>>> the raw message? Do I need to shutdown MailScanner and only have
>>>> sendmail running until after they say it was sent or is there some
>>>> other way to get it?
>>>> Gary
>>>>
>>>> >>> Julian Field <MailScanner at ecs.soton.ac.uk> 5/21/2010 5:33 AM >>>
>>>> Can you send me a URL of a sample message (raw queue files preferred) so
>>>> that I can try this out for you please?
>>>>
>>>> Jules.
>>>>
>>>> On 19/05/2010 21:12, Gary Faith wrote:
>>>> > I have some e-mail being sent by one individual to MailScanner
>>>> > running ver 4.79.11 and the messages are getting tagged as {Dangerous
>>>> > Content?}. I am running MailScanner with clamav & sanesecurity
>>>> > signatures, scamnailer, razor, pyzor & dcc. Mailwatch reports that it
>>>> > isn't a virus it is "Other Infection":
>>>> >
>>>> > Anti-Virus/Dangerous Content Protection
>>>> > Virus: N
>>>> > Blocked File: N
>>>> > Other Infection: Y
>>>> > Report:MailScanner: Could not analyze message
>>>> >
>>>> > The message contains this:
>>>> >
>>>> > Warning: This message has had one or more attachments removed
>>>> > Warning: (the entire message).
>>>> > Warning: Please read the "XXX-Attachment-Warning.txt" attachment(s) for more information.
>>>> >
>>>> > This is a message from the MailScanner E-Mail Virus Protection Service
>>>> > ----------------------------------------------------------------------
>>>> > The original e-mail message contained potentially dangerous content,
>>>> > which has been removed for your safety.
>>>> >
>>>> > At Wed May 19 15:36:22 2010 the content filters said:
>>>> > MailScanner: Could not analyze message
>>>> >
>>>> > The sender uses Maximizer to generate the e-mail with a PDF
>>>> > attachment. I had the sender use Maximizer and send only the message
>>>> > without the attachment and it comes in fine. I had them send only the
>>>> > attachment via Outlook and it comes in fine. It seems the problem is
>>>> > with Maximizer but I am not sure why.
>>>> >
>>>> > I can send the quarantined message or whatever is needed to
>>>> > determine the problem off list.
>>>> >
>>>> > I need help in tracking down where the problem is and getting it
>>>> > fixed.
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Gary Faith
>>>>
>>>
>>
>>
>
> --
> Achim J. Latz, Qustodium Internet Security
> achim.latz at qustodium.net · http://www.qustodium.net
> Data Encryption · Backup Automatisation · E-Mail Protection
>
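
The sample quoted in the thread declares `Content-Type: multipart/alternative` with no `boundary` parameter, at least as it appears in the archive. As an added example (not from the thread and not MailScanner's own code), the following Python uses the standard `email` parser to flag that kind of MIME structure problem when triaging a quarantined message; the thread does not confirm this as the cause, and both messages below are constructed.

```python
from email import message_from_string

# Constructed sample: an abridgement of the headers and body quoted in the thread.
SAMPLE = (
    "Subject: New inquiry from your website\n"
    "Mime-Version: 1.0\n"
    "Content-Type: multipart/alternative\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "This is a multi-part message in MIME format...\n"
    "----\n"
)

# Constructed control message: the boundary is declared and actually used.
WELL_FORMED = (
    "Mime-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "This is a multi-part message in MIME format...\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--b1\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>hello</p>\n"
    "--b1--\n"
)

def mime_findings(raw):
    """Return a list of MIME structure problems found in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if part.get_content_maintype() == "multipart":
            boundary = part.get_boundary()
            if boundary is None:
                # RFC 2046 requires a boundary parameter on multipart types.
                findings.append(f"{ctype}: no boundary parameter")
            elif not part.is_multipart():
                findings.append(f"{ctype}: boundary {boundary!r} never starts a part")
        # The parser records what it had to tolerate in part.defects.
        for defect in part.defects:
            findings.append(f"{ctype}: parser defect {type(defect).__name__}")
    return findings

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("well-formed", WELL_FORMED)):
        print(name, mime_findings(raw) or "no findings")
```
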