Thanks for your detailed reply Thomas.

Sophos have got back saying that the problem is their end:

According to RFC2822, section 3.5 the first line containing only CRLF marks the 
boundary between the header and the body section.

As such, this was clearly a bug on our side, that whole result section 
shouldn't have been included in the delivered mail in the first place. This 
behavior was obscured by the fact that since the 'Sandbox result' part is 
appended to the end of the header section which contains a 'Content-Type: 
multipart/...' header since the mail has at least one attachment that was sent 
for Sandstorm scanning: The 'Sandbox result' part is treated as the beginning 
of the body, however as it is placed before the first MIME boundary (the 
beginning of the original body), it isn't displayed. In your case however, as 
the topmost Content-Type is text/plain, the 'Sandbox result' improperly (or 
rather, properly :) ) acts as the beginning of the mail body.

You can expect a fix to this issue soon.

So, as you say, nothing to do with ASSP.

James.



> On 12 Apr 2016, at 6:46 PM, Thomas Eckardt <[email protected]> wrote:
> 
> IMHO this part is wrong
> 
> x-references: 
> m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039
> 
> --- Sandbox result ---
> 2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
> --- Sandbox result end ---
> 
> originally they may look as follows
> 
> x-references: 
> m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039
> --- Sandbox result ---
> 2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
> --- Sandbox result end ---
> 
> but even this is wrong because lines 2 to 4 must be indented if they are 
> related to 'x-references'
> If they are not related to this headerline - they are absolutely wrong and 
> may be misinterpreted by the mail server and/or client as boundary.
> 
> Whitespaces are not allowed in headertag names.
> A headertag name has to be terminated by ':'
> Continued header lines have to be indented by one single SPACE or TAB.
> RAW whitespaces are not allowed in boundary definition - boundary 
> definitions with whitespaces have to be double quoted.
> 
> These are some simple rules for MIME header lines. Looking at the three 
> lines added by Sophos, they are wrong in every case - for whatever they 
> are used in terms of MIME.
> 
> Thomas
> 
> 
> 
> From:    James Brown <[email protected]>
> To:      For Users of ASSP <[email protected]>
> Date:    12.04.2016 08:47
> Subject: Re: [Assp-user] ASSP and X-Assp headers
> 
> 
> 
> I had the same thing happen to me a few days ago. Raw text of email:
> 
> X-Mailer: PBBI e-Messaging Solution
> X-Priority: HIGH
> Charset: UTF-8
> x-references: 
> m...@bordo.com.au.20160408091948.15582C5AD5A75443A821F709D7D5F039
> 
> --- Sandbox result ---
> 2efed5f8-e490-4c34-80c0-bdf3a1a61e4b invoice_77038926.pdf
> --- Sandbox result end ---
> MIME-Version: 1.0
> Content-Type: multipart/mixed; 
>                 boundary="----=_Part_2068942_178508621.1460078388674"
> X-Assp-ID: mail.bordo.com.au id-78530-11079
> X-Assp-Session: 7F849D967740 (mail 1)
> 
> We have just started to use the new Sandstorm feature of Sophos UTM. This 
> email’s attachment was flagged as suspicious, uploaded to Sophos, checked 
> as OK and released. ASSP then picked it up and processed as normal.
> 
> When the email arrived in my mailbox, bits of the header were in the body 
> due to the extra new line after the x-references line. I assumed that 
> Sophos had mistakenly put the new line in, but maybe it was ASSP?
> 
> The Sophos guys couldn’t see what would be adding the extra line (I didn’t 
> mention ASSP).
> 
> Perhaps it was ASSP not Sophos Sandstorm?
> 
> Running 2.5.2(16100)
> 
> James.
> 
> 
> 
>> On 12 Apr 2016, at 3:49 PM, Anton <[email protected]> wrote:
>> 
>> Good day.
>> 
>> I have installed ASSP on our mail system and it works fine but we have a
>> strange issue.
>> 
>> There are several old web sites which send email from a web form via the php
>> mail() function.
>> If these messages are routed without ASSP then the mail can be read, but when
>> these mails pass through ASSP then ASSP inserts its X-headers + *new line
>> chars* and the mails can not be read correctly. I suspect that the php code
>> sending the mail is not perfect. I can not correct this code.
>> 
>> example of headers without ASSP:
>> --------------------------------------------------------
>> Return-Path: <[email protected]>
>> X-Original-To: [email protected]
>> Delivered-To: [email protected]
>> Received: from mail.mydomain.ru (localhost [127.0.0.1])
>>       by mail.mydomain.ru (Postfix) with ESMTP id A7D8BF23A17
>>       for <[email protected]>; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
>> Received: by mail.mydomain.ru (Postfix, from userid 1002)
>>       id A0FF3F2395D; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
>> Received: from client.mydomain.ru (client.mydomain.ru [*.*.0.66])
>>       by mail.mydomain.ru (Postfix) with ESMTP id 98394F238BC
>>       for <[email protected]>; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
>> Received: by client.mydomain.ru (Postfix, from userid 70)
>>       id 94BE673004; Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
>> To: [email protected]
>> Subject:
>> 
> =?utf-8?b?0J/QuNGB0YzQvNC+INC+0YIg0JvQvtGB0LrRg9GC0L7QsiDQlNC80LjRgtGA0LjQuSDQkNC70LXQutGB0LDQvdC00YDQvtCy0LjRhywgaWQ9MjkyMDAwOTUgKNC40Lcg0LvQuNGH0L3QvtCz0L4g0LrQsNCx0LjQvdC10YLQsCk=?=
>> X-PHP-Originating-Script: 1020:msg_to_abon.php MIME-Version: 1.0
>> Content-type: text/html; charset=utf-8
>> From: inform<[email protected]>
>> Message-Id: <[email protected]>
>> Date: Tue, 12 Apr 2016 10:17:58 +0600 (NOVT)
>> X-Virus-Scanned: ClamAV using ClamSMTP
>> 
>> Here is test message!
>> 
>> --------------------------------------------------------
>> 
>> and an example of the same message passed through ASSP:
>> --------------------------------------------------------
>> Return-Path: <[email protected]>
>> X-Original-To: [email protected]
>> Delivered-To: [email protected]
>> Received: from mail.mydomain.ru (localhost [127.0.0.1])
>>       by mail.mydomain.ru (Postfix) with ESMTP id BFFC4F25F5E
>>       for <[email protected]>; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
>> Received: by mail.mydomain.ru (Postfix, from userid 1002)
>>       id B6041F25D9C; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
>> Received: from mx1.mydomain.ru (mx1.mydomain.ru [*.*.57.36])
>>       by mail.mydomain.ru (Postfix) with ESMTP id 529A1F23A17
>>       for <[email protected]>; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
>> Received: from client.mydomain.ru ([*.*.0.66] helo=client.mydomain.ru) by
>>       mx1.mydomain.ru with SMTP (2.5.1); 12 Apr 2016 11:07:14 +0600
>> Received: by client.mydomain.ru (Postfix, from userid 70)
>>       id 3083973006; Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
>> To: [email protected]
>> Subject:
>> 
> =?utf-8?b?0J/QuNGB0YzQvNC+INC+0YIg0JvQvtGB0LrRg9GC0L7QsiDQlNC80LjRgtGA0LjQuSDQkNC70LXQutGB0LDQvdC00YDQvtCy0LjRhywgaWQ9MjkyMDAwOTUgKNC40Lcg0LvQuNGH0L3QvtCz0L4g0LrQsNCx0LjQvdC10YLQsCk=?=
>> X-PHP-Originating-Script: 1020:msg_to_abon.php MIME-Version: 1.0
>> Message-Id: <[email protected]>
>> Date: Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
>> From: [email protected]
>> X-Virus-Scanned: ClamAV using ClamSMTP
>> 
>> Content-type: text/html; charset=utf-8
>> 
>> From: mydomain<[email protected]>
>> Message-Id: <[email protected]>
>> Date: Tue, 12 Apr 2016 11:07:14 +0600 (NOVT)
>> X-Assp-ID: mx1.mydomain.ru m1-37634-03701
>> X-Assp-Session: 7F592A4921C8 (mail 1)
>> X-Assp-Envelope-From: [email protected]
>> X-Assp-Intended-For: [email protected]
>> X-Assp-Version: 2.5.1(16100) on mx1.mydomain.ru
>> X-Assp-Delay: not delayed (*.*.0.66 in whitebox (PBWhite));
>>       12 Apr 2016 11:07:14 +0600
>> X-Assp-Message-Score: 20 (No Spoofing Allowed '[email protected]' in
>>       'mailfrom')
>> X-Assp-IP-Score: 20 (No Spoofing Allowed '[email protected]' in
>>       'mailfrom')
>> X-Assp-Received-SPF: temperror ip=*.*.0.66 [email protected]
>>       helo=client.mydomain.ru
>> X-Original-Authentication-Results: mx1.mydomain.ru; spf=temperror
>> X-Assp-Message-Score: 5 (SPF temperror)
>> X-Assp-IP-Score: 5 (SPF temperror)
>> X-Assp-Message-Score: -15 (In Penalty White Box)
>> X-Assp-Spam-Level: ***
>> 
>> Yet another test message!
>> 
>> --------------------------------------------------------
>> 
>> I think that the problem is in
>> "
>> Content-type: text/html; charset=utf-8
>> 
>> "
>> 
>> Is it right that ASSP inserts new line chars?
>> 
>> IMHO this is the wrong place for X-Assp headers because ASSP runs before the
>> final virus scan but X-Assp headers are placed after "X-Virus-Scanned: ClamAV
>> using ClamSMTP". We do not use ClamAV on ASSP but on the mail server.
>> post.mydomain.ru and mail.mydomain.ru are the same host in our installation.
>> 
>> For now I use a manual route to avoid passing this mail through ASSP but this
>> is an ugly solution.
>> 
>> How can this problem be solved?
>> 
>> 
>> _______________________________________________
>> Assp-user mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/assp-user
> 

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
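
An added example, not part of the original thread and not ASSP or Sophos code: a small check for the two failure modes discussed above, an empty line that ends the header section too early and lines inside the header section that are neither a field nor an indented continuation. The function name, the returned keys and the sample message are assumptions made for illustration.

```python
import re

# A header field starts with a name of printable ASCII (no space, no ':') and a ':'.
FIELD = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")

def audit_header(raw):
    """Split a raw message at its first empty line and report header anomalies."""
    lines = raw.replace("\r\n", "\n").split("\n")
    split = lines.index("") if "" in lines else len(lines)
    # Header lines that are neither "Name: value" nor a SPACE/TAB continuation.
    malformed = [
        (n, line) for n, line in enumerate(lines[:split], 1)
        if not FIELD.match(line) and not (n > 1 and line[0] in " \t")
    ]
    # Field-like lines in the first body paragraph suggest the header was cut
    # short by an injected empty line (heuristic: a body may legitimately
    # contain "Word: text" lines).
    stranded = []
    for line in lines[split + 1:]:
        if line == "":
            break
        if FIELD.match(line):
            stranded.append(line.split(":", 1)[0])
    return {"boundary_line": split + 1, "malformed": malformed, "stranded": stranded}

# Constructed sample modelled on the header quoted in the thread; all values
# are placeholders, not data from the real message.
SAMPLE = "\r\n".join([
    "X-Priority: HIGH",
    "x-references: <constructed-id@example.invalid>",
    "",
    "--- Sandbox result ---",
    "00000000-0000-0000-0000-000000000000 invoice.pdf",
    "--- Sandbox result end ---",
    "MIME-Version: 1.0",
    "Content-Type: multipart/mixed;",
    '\tboundary="----=_Part_1"',
    "X-Assp-ID: mail.example.invalid id-1",
    "",
    "Body text",
])

if __name__ == "__main__":
    # Case 1: the empty line strands MIME-Version, Content-Type and X-Assp-ID in the body.
    print(audit_header(SAMPLE))
    # Case 2: without the empty line, the three result lines are malformed header lines.
    print(audit_header(SAMPLE.replace("\r\n\r\n--- Sandbox", "\r\n--- Sandbox")))
```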
