IMHO this part is wrong

x-references: 
m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039

--- Sandbox result ---
2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
--- Sandbox result end ---

Originally they may look as follows

x-references: 
m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039
--- Sandbox result ---
2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
--- Sandbox result end ---

but even this is wrong because lines 2 to 4 must be indented if they are 
related to 'x-references'.
If they are not related to this header line, they are absolutely wrong and 
may be misinterpreted by the mail server and/or client as a boundary.

Whitespaces are not allowed in headertag names.
A headertag name has to be terminated by ':'.
Continued header lines have to be indented by one single SPACE or TAB.
RAW whitespaces are not allowed in boundary definitions - boundary 
definitions with whitespaces have to be double quoted.

These are some simple rules for MIME header lines. Looking at the three 
lines added by Sophos, they are wrong in every case - for whatever they 
are used in terms of MIME.

Thomas
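
The rules listed above, applied to the header block quoted further down in this thread, as an added example that is not part of the original post and not ASSP or Sophos code. `lint_headers` and `STRUCTURAL` are hypothetical names, and flagging MIME-Version/Content-Type lines that appear after the first empty line is an assumed heuristic for "header pushed into the body".

```python
import re

# Header block as posted in the thread (truncated address kept as posted;
# the trailing "body" line is constructed).
RAW = (
    "X-Priority: HIGH\r\n"
    "Charset: UTF-8\r\n"
    "x-references: \r\n"
    "m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039\r\n"
    "\r\n"
    "--- Sandbox result ---\r\n"
    "2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf\r\n"
    "--- Sandbox result end ---\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; \r\n"
    "    boundary=\"----=_Part_2068942_178508621.1460078388674\"\r\n"
    "X-Assp-ID: mail.bordo.com.au id-78530-11079\r\n"
    "\r\n"
    "body\r\n"
)

# Field name: printable ASCII without whitespace or ':', terminated by ':'.
FIELD = re.compile(r"^([\x21-\x39\x3b-\x7e]+):")
# Assumption: fields that should never start a line of body text.
STRUCTURAL = {"mime-version", "content-type", "content-transfer-encoding"}

def lint_headers(raw):
    """Return (end, findings): end is the 1-based number of the first empty
    line, where a receiver stops reading headers; findings is a list of
    (line_number, problem)."""
    findings, end, seen_field = [], None, False
    for no, line in enumerate(raw.replace("\r\n", "\n").split("\n"), 1):
        m = FIELD.match(line)
        if end is None:
            if line == "":
                end = no                      # everything after this is body
            elif line[0] in " \t":
                if not seen_field:
                    findings.append((no, "continuation before any field"))
            elif m:
                seen_field = True
            else:
                findings.append((no, "neither a field nor an indented continuation"))
        elif m and m.group(1).lower() in STRUCTURAL:
            findings.append((no, "header field after the end of headers"))
    return end, findings

if __name__ == "__main__":
    end, findings = lint_headers(RAW)
    print("headers end at line", end)
    for no, problem in findings:
        print(no, problem)
```
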



From:    James Brown <[email protected]>
To:      For Users of ASSP <[email protected]>
Date:    12.04.2016 08:47
Subject: Re: [Assp-user] ASSP and X-Assp headers



I had the same thing happen to me a few days ago. Raw text of email:

X-Mailer: PBBI e-Messaging Solution
X-Priority: HIGH
Charset: UTF-8
x-references: 
m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039

--- Sandbox result ---
2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
--- Sandbox result end ---
MIME-Version: 1.0
Content-Type: multipart/mixed; 
                 boundary="----=_Part_2068942_178508621.1460078388674"
X-Assp-ID: mail.bordo.com.au id-78530-11079
X-Assp-Session: 7F849D967740 (mail 1)

We have just started to use the new Sandstorm feature of Sophos UTM. This 
email’s attachment was flagged as suspicious, uploaded to Sophos, checked 
as OK and released. ASSP then picked it up and processed as normal.

When the email arrived in my mailbox, bits of the header were in the body 
due to the extra new line after the x-references line. I assumed that 
Sophos had mistakenly put the new line in, but maybe it was ASSP?

The Sophos guys couldn’t see what would be adding the extra line (I didn’t 
mention ASSP).

Perhaps it was ASSP not Sophos Sandstorm?

Running 2.5.2(16100)

James.



> On 12 Apr 2016, at 3:49 PM, Anton <[email protected]> wrote:
> 
> Good day.
> 
> I have installed ASSP on our mail system and it works fine but we have some strange issue.
> 
> There are several old web sites which send email from web-form via php mail() function.
> If these messages are routed without ASSP then mail can be read but when these mails pass
> through ASSP then ASSP inserts its X-headers + *new line chars* and mails can not be read
> correctly. I suspect that php code sending mail is not perfect. I can not correct this
> code.
> 
> example of headers without ASSP:
> --------------------------------------------------------
> Return-Path: <[email protected]>
> X-Original-To: [email protected]
> Delivered-To: [email protected]
> Received: from mail.mydomain.ru (localhost [127.0.0.1])
>        by mail.mydomain.ru (Postfix) with ESMTP id A7D8BF23A17
>        for <[email protected]>; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> Received: by mail.mydomain.ru (Postfix, from userid 1002)
>        id A0FF3F2395D; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> Received: from client.mydomain.ru (client.mydomain.ru [*.*.0.66])
>        by mail.mydomain.ru (Postfix) with ESMTP id 98394F238BC
>        for <[email protected]>; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> Received: by client.mydomain.ru (Postfix, from userid 70)
>        id 94BE673004; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> To: [email protected]
> Subject:
> 
=?utf-8?b?0J/QuNGB0YzQvNC+INC+0YIg0JvQvtGB0LrRg9GC0L7QsiDQlNC80LjRgtGA0LjQuSDQkNC70LXQutGB0LDQvdC00YDQvtCy0LjRhywgaWQ9MjkyMDAwOTUgKNC40Lcg0LvQuNGH0L3QvtCz0L4g0LrQsNCx0LjQvdC10YLQsCk=?=
> X-PHP-Originating-Script: 1020:msg_to_abon.php MIME-Version: 1.0
> Content-type: text/html; charset=utf-8
> From: inform<[email protected]>
> Message-Id: <[email protected]>
> Date: Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
> X-Virus-Scanned: ClamAV using ClamSMTP
> 
> Here is test message!
> 
> --------------------------------------------------------
> 
> and example of the same message passed through ASSP:
> --------------------------------------------------------
> Return-Path: <[email protected]>
> X-Original-To: [email protected]
> Delivered-To: [email protected]
> Received: from mail.mydomain.ru (localhost [127.0.0.1])
>        by mail.mydomain.ru (Postfix) with ESMTP id BFFC4F25F5E
>        for <[email protected]>; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> Received: by mail.mydomain.ru (Postfix, from userid 1002)
>        id B6041F25D9C; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> Received: from mx1.mydomain.ru (mx1.mydomain.ru [*.*.57.36])
>        by mail.mydomain.ru (Postfix) with ESMTP id 529A1F23A17
>        for <[email protected]>; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> Received: from client.mydomain.ru ([*.*.0.66] helo=client.mydomain.ru) by
>        mx1.mydomain.ru with SMTP (2.5.1); 12 Apr 2016 11:07:14 +0600
> Received: by client.mydomain.ru (Postfix, from userid 70)
>        id 3083973006; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> To: [email protected]
> Subject:
> 
=?utf-8?b?0J/QuNGB0YzQvNC+INC+0YIg0JvQvtGB0LrRg9GC0L7QsiDQlNC80LjRgtGA0LjQuSDQkNC70LXQutGB0LDQvdC00YDQvtCy0LjRhywgaWQ9MjkyMDAwOTUgKNC40Lcg0LvQuNGH0L3QvtCz0L4g0LrQsNCx0LjQvdC10YLQsCk=?=
> X-PHP-Originating-Script: 1020:msg_to_abon.php MIME-Version: 1.0
> Message-Id: <[email protected]>
> Date: Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> From: [email protected]
> X-Virus-Scanned: ClamAV using ClamSMTP
> 
> Content-type: text/html; charset=utf-8
> 
> From: mydomain<[email protected]>
> Message-Id: <[email protected]>
> Date: Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
> X-Assp-ID: mx1.mydomain.ru m1-37634-03701
> X-Assp-Session: 7F592A4921C8 (mail 1)
> X-Assp-Envelope-From: [email protected]
> X-Assp-Intended-For: [email protected]
> X-Assp-Version: 2.5.1(16100) on mx1.mydomain.ru
> X-Assp-Delay: not delayed (*.*.0.66 in whitebox (PBWhite));
>        12 Apr 2016 11:07:14 +0600
> X-Assp-Message-Score: 20 (No Spoofing Allowed '[email protected]' in
>        'mailfrom')
> X-Assp-IP-Score: 20 (No Spoofing Allowed '[email protected]' in
>        'mailfrom')
> X-Assp-Received-SPF: temperror ip=*.*.0.66 [email protected]
>        helo=client.mydomain.ru
> X-Original-Authentication-Results: mx1.mydomain.ru; spf=temperror
> X-Assp-Message-Score: 5 (SPF temperror)
> X-Assp-IP-Score: 5 (SPF temperror)
> X-Assp-Message-Score: -15 (In Penalty White Box)
> X-Assp-Spam-Level: ***
> 
> Yet another test message!
> 
> --------------------------------------------------------
> 
> I think that problem is in 
> "
> Content-type: text/html; charset=utf-8
> 
> "
> 
> Is this right that ASSP inserts new line chars ?
> 
> IMHO this is wrong place for X-Assp headers because ASSP runs before final virus scan but
> X-Assp headers are placed after "X-Virus-Scanned: ClamAV using ClamSMTP". We do not use
> ClamAV on ASSP but on mail server. post.mydomain.ru and mail.mydomain.ru are the same
> host in our installation.
> 
> For now I use manual route to avoid passing this mail through ASSP but this is ugly
> solution.
> 
> How this problem can be solved ?
> 
> 
------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications 
Manager
> Applications Manager provides deep performance insights into multiple 
tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> Assp-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-user




