I had the same thing happen to me a few days ago. Raw text of email:
X-Mailer: PBBI e-Messaging Solution
X-Priority: HIGH
Charset: UTF-8
x-references: m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039
--- Sandbox result ---
2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
--- Sandbox result end ---
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_2068942_178508621.1460078388674"
X-Assp-ID: mail.bordo.com.au id-78530-11079
X-Assp-Session: 7F849D967740 (mail 1)
We have just started to use the new Sandstorm feature of Sophos UTM. This
email’s attachment was flagged as suspicious, uploaded to Sophos, checked as OK
and released. ASSP then picked it up and processed as normal.
When the email arrived in my mailbox, bits of the header were in the body due to
the extra new line after the x-references line. I assumed that Sophos had
mistakenly put the new line in, but maybe it was ASSP?
The Sophos guys couldn’t see what would be adding the extra line (I didn’t
mention ASSP).
Perhaps it was ASSP not Sophos Sandstorm?
Running 2.5.2(16100)
James.
> On 12 Apr 2016, at 3:49 PM, Anton <[email protected]> wrote:
>
> Good day.
>
> I have installed ASSP on our mail system and it works fine, but we have a
> strange issue.
>
> There are several old web sites which send email from a web form via the PHP
> mail() function.
> If these messages are routed without ASSP then the mail can be read, but when
> these mails pass through ASSP, ASSP inserts its X-headers + *new line chars*
> and the mails cannot be read correctly. I suspect that the PHP code sending
> the mail is not perfect. I cannot correct this code.
>
> example of headers without ASSP:
> --------------------------------------------------------
> Return-Path: <[email protected]>
> X-Original-To: [email protected]
> Delivered-To: [email protected]
> Received: from mail.mydomain.ru (localhost [127.0.0.1])
> by mail.mydomain.ru (Postfix) with ESMTP id A7D8BF23A17
> for <[email protected]>; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> Received: by mail.mydomain.ru (Postfix, from userid 1002)
> id A0FF3F2395D; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> Received: from client.mydomain.ru (client.mydomain.ru [*.*.0.66])
> by mail.mydomain.ru (Postfix) with ESMTP id 98394F238BC
> for <[email protected]>; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> Received: by client.mydomain.ru (Postfix, from userid 70)
> id 94BE673004; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> To: [email protected]
> Subject:
> =?utf-8?b?0J/QuNGB0YzQvNC+INC+0YIg0JvQvtGB0LrRg9GC0L7QsiDQlNC80LjRgtGA0LjQuSDQkNC70LXQutGB0LDQvdC00YDQvtCy0LjRhywgaWQ9MjkyMDAwOTUgKNC40Lcg0LvQuNGH0L3QvtCz0L4g0LrQsNCx0LjQvdC10YLQsCk=?=
> X-PHP-Originating-Script: 1020:msg_to_abon.php MIME-Version: 1.0
> Content-type: text/html; charset=utf-8
> From: inform<[email protected]>
> Message-Id: <[email protected]>
> Date: Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> X-Virus-Scanned: ClamAV using ClamSMTP
>
> Here is test message!
>
> --------------------------------------------------------
>
> and example of the same message passed through ASSP:
> --------------------------------------------------------
> Return-Path: <[email protected]>
> X-Original-To: [email protected]
> Delivered-To: [email protected]
> Received: from mail.mydomain.ru (localhost [127.0.0.1])
> by mail.mydomain.ru (Postfix) with ESMTP id BFFC4F25F5E
> for <[email protected]>; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> Received: by mail.mydomain.ru (Postfix, from userid 1002)
> id B6041F25D9C; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> Received: from mx1.mydomain.ru (mx1.mydomain.ru [*.*.57.36])
> by mail.mydomain.ru (Postfix) with ESMTP id 529A1F23A17
> for <[email protected]>; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> Received: from client.mydomain.ru ([*.*.0.66] helo=client.mydomain.ru) by
> mx1.mydomain.ru with SMTP (2.5.1); 12 Apr 2016 11:07:14 +0600
> Received: by client.mydomain.ru (Postfix, from userid 70)
> id 3083973006; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> To: [email protected]
> Subject:
> =?utf-8?b?0J/QuNGB0YzQvNC+INC+0YIg0JvQvtGB0LrRg9GC0L7QsiDQlNC80LjRgtGA0LjQuSDQkNC70LXQutGB0LDQvdC00YDQvtCy0LjRhywgaWQ9MjkyMDAwOTUgKNC40Lcg0LvQuNGH0L3QvtCz0L4g0LrQsNCx0LjQvdC10YLQsCk=?=
> X-PHP-Originating-Script: 1020:msg_to_abon.php MIME-Version: 1.0
> Message-Id: <[email protected]>
> Date: Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> From: [email protected]
> X-Virus-Scanned: ClamAV using ClamSMTP
>
> Content-type: text/html; charset=utf-8
>
> From: mydomain<[email protected]>
> Message-Id: <[email protected]>
> Date: Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> X-Assp-ID: mx1.mydomain.ru m1-37634-03701
> X-Assp-Session: 7F592A4921C8 (mail 1)
> X-Assp-Envelope-From: [email protected]
> X-Assp-Intended-For: [email protected]
> X-Assp-Version: 2.5.1(16100) on mx1.mydomain.ru
> X-Assp-Delay: not delayed (*.*.0.66 in whitebox (PBWhite));
> 12 Apr 2016 11:07:14 +0600
> X-Assp-Message-Score: 20 (No Spoofing Allowed '[email protected]' in
> 'mailfrom')
> X-Assp-IP-Score: 20 (No Spoofing Allowed '[email protected]' in
> 'mailfrom')
> X-Assp-Received-SPF: temperror ip=*.*.0.66 [email protected]
> helo=client.mydomain.ru
> X-Original-Authentication-Results: mx1.mydomain.ru; spf=temperror
> X-Assp-Message-Score: 5 (SPF temperror)
> X-Assp-IP-Score: 5 (SPF temperror)
> X-Assp-Message-Score: -15 (In Penalty White Box)
> X-Assp-Spam-Level: ***
>
> Yet another test message!
>
> --------------------------------------------------------
>
> I think that problem is in
> "
> Content-type: text/html; charset=utf-8
>
> "
>
> Is it right that ASSP inserts new line chars?
>
> IMHO this is the wrong place for X-Assp headers, because ASSP runs before the
> final virus scan but the X-Assp headers are placed after "X-Virus-Scanned:
> ClamAV using ClamSMTP". We do not use ClamAV on ASSP but on the mail server.
> post.mydomain.ru and mail.mydomain.ru are the same host in our installation.
>
> For now I use a manual route to avoid passing this mail through ASSP, but
> this is an ugly solution.
>
> How can this problem be solved?
>
> _______________________________________________
> Assp-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-user
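
A diagnostic for the symptom both posts describe (header fields appearing after the first blank line), as an added example that is not part of either message or of ASSP. The function names and the sample message are constructed for illustration; the line-ending counter is included on the assumption that mixed terminators are one thing worth ruling out, which the thread does not confirm as the cause.

```python
import re

# A header field line: printable-ASCII name, a colon, then whitespace or end of line.
FIELD = re.compile(rb"^([!-9;-~]+):(?:[ \t]|$)")

def line_endings(raw: bytes) -> dict:
    """Count CRLF, bare LF and bare CR terminators in raw message bytes."""
    crlf = raw.count(b"\r\n")
    return {"crlf": crlf,
            "bare_lf": raw.count(b"\n") - crlf,
            "bare_cr": raw.count(b"\r") - crlf}

def spilled_headers(raw: bytes) -> list:
    """Names of header-like fields found after the first blank line.

    Heuristic: a body whose first text is a run of "Name: value" lines
    (blank lines allowed in between) is reported as spilled headers.
    """
    lines = re.split(rb"\r\n|\n|\r", raw)
    if b"" not in lines:
        return []                      # no header/body separator at all
    spilled = []
    for line in lines[lines.index(b"") + 1:]:
        if line == b"":
            continue                   # extra separators, as in the thread
        if spilled and line[:1] in (b" ", b"\t"):
            continue                   # folded continuation of the previous field
        m = FIELD.match(line)
        if m is None:
            break                      # first real body text: stop scanning
        spilled.append(m.group(1).decode("ascii"))
    return spilled

# Constructed sample modelled on the second header dump (placeholder addresses).
SAMPLE = (b"To: user@example.test\r\n"
          b"Subject: test\r\n"
          b"X-Virus-Scanned: ClamAV using ClamSMTP\r\n"
          b"\r\n"
          b"Content-type: text/html; charset=utf-8\r\n"
          b"\r\n"
          b"From: inform@example.test\r\n"
          b"X-Assp-Spam-Level: ***\r\n"
          b"\r\n"
          b"Yet another test message!\r\n")

if __name__ == "__main__":
    print(spilled_headers(SAMPLE), line_endings(SAMPLE))
```

Run it on the raw bytes as stored by the mail server at each hop, not on text copied out of a mail client, since a pasted copy loses folding whitespace and the original line terminators.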