Some incoming messages end up with MIME content in message body (Exchange 2016, XG 17.5 MR4)

A small subset of incoming email messages are appearing in user inboxes in a strange format which I'd characterise as "MIME not decoded properly" format. For example, the first few lines of one message:

--_011_SG2PR03MB27978A7DFBD4A8CA199558A49D550SG2PR03MB2797apcp_
Content-Type: multipart/alternative;
        boundary="_000_SG2PR03MB27978A7DFBD4A8CA199558A49D550SG2PR03MB2797apcp_"

--_000_SG2PR03MB27978A7DFBD4A8CA199558A49D550SG2PR03MB2797apcp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

U3VyZQ0KVGhhbmtzDQpQaWVybw0KDQoNCkZyb206IFphcmVlbiBQcmFzYWQgPFphcmVlblBAZ3Nh
aWIuY29tLmF1Pg0KU2VudDogVHVlc2RheSwgMiBBcHJpbCAyMDE5IDEwOjA4IEFNDQpUbzogUGll
cm8gQnVhIDxwYnVhQGZyZWRvbi5jb20uYXU+DQ

There doesn't seem to be any pattern to this yet; or at least none I've identified. There are no other MTAs involved - just Office 365, Sophos in MTA mode, and the internal Exchange server. Since most messages are working, I'm not even sure where to start with this or what other information will help, so any suggestions are welcomed.

Edit: There appears to be a significant difference in the SMTP headers. The "broken" email I have shows headers like this:

Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <CAE841EFD23DD34192139305BBCFBF4D@internal.domain.name>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Compare that to a working email from the same sender to the same recipients:

Content-Type: multipart/related;
	boundary="_011_87BAF6626415BF45BAFCAE4854537C6AFFF2EFDAGASSIN01gadintr_";
	type="multipart/alternative"
MIME-Version: 1.0

Is it possible the Sophos is breaking it apart and reassembling poorly during scanning? There doesn't appear to be anything obviously "strange" in the re-sent copy that worked.

  • Same problem here; 17.5 MR4-1.

    Most messages have no issues; some have broken content (attachment scan issue?)

    --_004_AM0PR0702MB37477FF4312B3E09860B2F4BC6250AM0PR0702MB3747_
    Content-Type: multipart/alternative;
            boundary="_000_AM0PR0702MB37477FF4312B3E09860B2F4BC6250AM0PR0702MB3747_"

    --_000_AM0PR0702MB37477FF4312B3E09860B2F4BC6250AM0PR0702MB3747_
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable

    [#8781751] support ticket

  • Hi

    I have the exact same problem with SFOS 17.5.4 MR-4-1 on Sophos XG 135 device with MTA mode. Random messages will come through garbled and corrupt looking very similar to the above. 

    Help Please

    [#8783646] Web support query

  • This problem has existed since 17.5 and has not been solved by the authorities. It seems to be a problem with the anti-virus.

  • In reply to Ben ni:

    Had this issue today for the first time... So no update on this? If it is a problem of av, which engine then? Sophos av engine?

  • In reply to Jelle:

    As far as I can see, the first mail was caught by Sandstorm. Evaluation took about 11 minutes. As that mail was not usable because of the issue, the mail was resent by the sender. This time the email passed Sandstorm, as the attachments were known to XG, and it came to the user's postbox without any issue.

    Who else with this issue has sandstorm active?

  • In reply to Jelle:

    Coincidentally or not, I too use sandstorm, however I get this corruption on emails with and without attachments.

    I personally suspect the anti virus sub system, because I have one particular sender which we trust explicitly for which I have a policy to bypass everything except for anti virus, and I still get random emails from them being corrupted by my XG.

    To this point I have been engaged by level 1 and level 2 Sophos support agents with logs pulled and requests for remote support assistance, but they have now gone dark on the matter and I have not had interaction on it for a while now.

  • In reply to Louis Swanepoel:

    Installed a XG135 HA Cluster last Wednesday for a customer. No Sandstorm subscription but they report the same issue. Using SFOS 17.5.4 MR-4-1.

    The header of the email is converted to:

    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    The email is received from Office 365. If the sender resends the email it usually gets through without problems.

    Dual scanning is enabled and a requirement from the customer. File Protection and Data Protection are both turned OFF.

  • So SFOS 17.5.5 MR-5 is out and no mention whatsoever of a fix for this....

  • In reply to Louis Swanepoel:

    Hi All,

    Apologies for any inconvenience caused, there is currently an open ID related to this (NC-44646) that our team is investigating. If you think you are also affected, please raise a support case referencing this ID, and send me a PM for tracking purposes.

     I reviewed the activities within your support case (#8783646), please reply back to the latest email with the requested logs and samples so that further investigation can be performed.

     Please reply back to the latest email (#8781751) with your availability for a remote troubleshooting session.

    Please don't hesitate to PM me directly if you have any questions or concerns.

    Regards,

  • Hi Everyone,

    I have had this issue and received a patch that fixes it.

    The tech let me know that this is fixed in v17.5MR6.  

    If you are receiving the email but the content is jumbled/malformed, copy it to a base64 decoder and it should output the email fine.  This is just for urgent emails where you need to have the content.

    Apparently MR6 will be out end of May.  I would suggest that if you cannot wait, log a case and refer to the bug ID  has put in.

  • In reply to Jelle:

    Thank you Jelle. I raised a case. Waiting for the fix now.

  • In reply to J_d_G:

    The patch was applied last Friday. The customer is now testing functionality.

  • In reply to FloSupport:

    Hi

    When do you roll out 17.5 MR6? You wrote end of May.

    Somebody also wrote that the patch is testing. That's over a month ago.

    My Case: #8874601

    Regards,
    Markus
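
Added example, not part of the thread and not Sophos code: a Python helper for the symptom described above, where the top-level header says text/plain but the body starts with a MIME delimiter. It flags such a message and recovers the text part without pasting into a base64 decoder by hand. The sample message, the boundary names and the function names are constructed for illustration, and the rebuilt container is labelled multipart/mixed as an assumption because the original subtype is lost.

```python
import base64
import re
from email import message_from_bytes, policy

# Constructed sample: top-level header claims text/plain, body is raw MIME.
SAMPLE = (
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"MIME-Version: 1.0\r\n\r\n"
    b"--_outer_\r\n"
    b'Content-Type: multipart/alternative; boundary="_inner_"\r\n\r\n'
    b"--_inner_\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"Constructed sample body\r\n")
    + b"\r\n--_inner_--\r\n\r\n--_outer_--\r\n"
)

# A delimiter line at the very start of the body, followed by a part header.
DELIM = re.compile(rb"\A(?:\r?\n)*--([^\r\n]{1,70})\r?\n(?=Content-[A-Za-z-]+:)", re.I)

def split_raw(raw: bytes):
    """Split raw RFC 5322 bytes into (header block, undecoded body)."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    return parts[0], (parts[1] if len(parts) == 2 else b"")

def leaked_boundary(raw: bytes):
    """Return the boundary if a non-multipart header sits on a MIME body, else None."""
    head, body = split_raw(raw)
    top = message_from_bytes(head + b"\r\n\r\n", policy=policy.default)
    if top.get_content_maintype() == "multipart":
        return None  # header and body agree; nothing to repair
    m = DELIM.match(body)
    return m.group(1).rstrip() if m else None

def recover_text(raw: bytes):
    """Re-wrap the body under a multipart header and return its text part."""
    boundary = leaked_boundary(raw)
    if boundary is None:
        return None
    # Assumption: original subtype is unknown, so label the container multipart/mixed.
    wrapped = (b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="'
               + boundary + b'"\r\n\r\n' + split_raw(raw)[1])
    msg = message_from_bytes(wrapped, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else None

if __name__ == "__main__":
    print(leaked_boundary(SAMPLE), repr(recover_text(SAMPLE)))
```

Running `leaked_boundary` over messages exported as .eml also gives a count of affected mail to attach to a support case.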