MailScanner: Could not analyze message

Sat Sep 15 08:34:11 IST 2012

Check the logs for any clues, but it could be sone sort of odd reaction
from file on the content types.

Anything in the header either post processing

Ideally you need to get a sample message and run this in mailscanners debug
mode

On Friday, 14 September 2012, Duncan, Brian M. wrote

>  Can anyone help me out with a problem we have just started having people
> report?****
>
> ** **
>
> We don’t use Mailscanner to scan for viruses, or for dangerous email, at
> least I did not think we were.  We DO use the Spam features with Spam
> Assassin though through MailScanner.****
>
> ** **
>
> My versions are:****
>
> ** **
>
> mailscanner-4.83.5-1****
>
> spamassassin-3.3.1-3****
>
> ** **
>
> ** **
>
> My key settings  that I believe might influence this that are from the
> main conf:****
>
> ** **
>
> Maximum processing Attempts = 0****
>
> Expand TNEF =  no****
>
> Use TNEF Contents = no****
>
> Deliver Unparsable TNEF = yes****
>
> Find UU-Encoded Files = no****
>
> Maximum Message Size = 0****
>
> Maximum Attachment Size = -1****
>
> Minimum Attachment Size = 1****
>
> Maximum Archive  Depth = 0****
>
> Finding Archives By Content = no****
>
> Unpack Microsoft Documents = no****
>
> Zip Attachments = no****
>
> Add Text Of Doc = no****
>
> Unzip Maximum Files Per Archive = 0****
>
> Virus Scanning = no****
>
> Virus Scanners = none****
>
> Still Deliver Silent Viruses = yes****
>
> Block Encrypted Messages = no****
>
> Block Unencrypted Messages = no****
>
> Allow Password-Protected Archives = yes****
>
> Check Filenames In Password-Protected Archives = no****
>
> Dangerous Content Scanning = no****
>
> Allow Partial Messages = yes****
>
> Allow External Message Bodies = yes****
>
> Find Phishing Fraud = no****
>
> Allow IFrame Tags = disarm****
>
> Allow Form Tags = disarm****
>
> Allow Script Tags = disarm****
>
> Allow WebBugs = disarm****
>
> Allow Object Codebase Tags = disarm****
>
> Convert Dangerous HTML To Text = no****
>
> Convert HTML To Text = no****
>
> ** **
>
> I have recently begun having users complain that they are receiving
> messages from our Mailscanner system like this:****
>
> ** **
>
> From: xxxxx [xxxx at xxxx.com <javascript:_e({}, 'cvml', 'xxxx at xxxx.com');>]
> Sent: Friday, September 14, 2012 3:31 AM
> To: Smith, John
> Subject: Online Content - September 2012
>
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content, which
> has been removed for your safety.
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
> The content filters found this:
>   MailScanner: Could not analyze message
>
> --
> Postmaster
> Katten Muchin Rosenman LLP
> www.kattenlaw.com****
>
> ** **
>
> All the logs show for the above message is: Sep 14 05:30:44 venus
> MailScanner[16268]: Cleaned: Delivered 1 cleaned messages****
>
> ** **
>
> Based on my settings in my mailscanner.conf file, I thought I had
> everything set to NOT have try to analyze messages for anything but Spam.*
> ***
>
> ** **
>
> I have narrowed it down to one host that this is happening with, but since
> I don’t have a copy of any of these emails that cause this I  have nothing
> to go on. ****
>
> ** **
>
> Was more curious now if anyone know why this might trigger if I have
> everything turned off accept Spam scanning.  ****
>
> ** **
>
> This sender is a mailing list, that sends out mailing I believe for many
> organizations.  So there are days when I have a couple hundred of these to
> many different people here.****
>
> ** **
>
> Thanks!****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com <javascript:_e({}, 'cvml',
> 'brian.duncan at kattenlaw.com');> / www.kattenlaw.com
>   ****
>
> ** **
>
> ===========================================================
> CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue
> Service, any tax advice contained herein is not intended or written to be used and cannot be used
> by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
> ===========================================================
> CONFIDENTIALITY NOTICE:
> This electronic mail message and any attached files contain information intended for the exclusive
> use of the individual or entity to whom it is addressed and may contain information that is
> proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you
> are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or
> distribution of this information may be subject to legal restriction or sanction.  Please notify
> the sender, by electronic mail or telephone, of any unintended recipients and delete the original
> message without making any copies.
> ===========================================================
> NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has
> elected to be governed by the Illinois Uniform Partnership Act (1997).
> ===========================================================
>
>

-- 
-- 
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120915/ee1a6f9a/attachment.html 