MTA Mode corrupting attachments

Hey Hey,


I haven't had the time to completely test this yet, but I've discovered MTA mode in 17.5 has been corrupting attachments in messages (when accessed via both OWA & Outlook). So far I've witnessed the following behaviour:

1. PDF files are being corrupted with Malware scanning enabled (dual anti-virus, primary engine Sophos)

  a) PDF files do not get corrupted when Malware scanning is disabled in the MTA policy.

2. Document files (namely .docx, .xlsx, etc.) are being corrupted regardless of Malware or File protection settings being enabled or disabled in the policy.


The corruption of files stopped after reverting firmware back to 17.1.3. More info to come when I get some more time to test.

  • Hi All,


    Thanks for all of the responses so far! Logs are still to come.

    Further testing completed this morning with the following standard variables:

    • Exchange 2010 (sending via OWA)
    • MTA Mode
    • SHA1 hashes used when running file comparisons
    • 17.5 build 280

    Malware Protection enabled, File Protection enabled, Dual AV, Primary Engine Sophos:

    • Attachments (routed through Sophos)
      • .docx files are shrinking (~20KB on a 1.5MB test file) and file hash changes
      • .pdf files are shrinking (the original file is 63.0KB; when sent via Sophos it shrinks to 62.2KB) and the file hash changes

    Malware Protection enabled, File Protection disabled, Dual AV, Primary Engine Sophos:

    • Same results as above (including file hashes post Sophos)

    Malware Protection enabled, File Protection disabled, Dual AV, Primary Engine Avira:

    • Same results as above (including file hashes post Sophos)

    Malware Protection enabled, File Protection disabled, Single AV, Primary Engine Avira:

    • Same results as above (including file hashes post Sophos)

    Malware Protection disabled, File Protection disabled:

    • Same results as above (including file hashes post Sophos)

    To reiterate, there is no problem with the files when routed internally or directly to the internet. The problem only occurs when routing mail through the Sophos.

  • Thanks for the further information.

    Please harvest /log/smtpd* and /log/avd.log. It would also be good to have the input files used in the test that are being corrupted (.eml with attachments).

    Please run the command "service smtpd:debug -ds nosync" before taking logs.

  • Hi UTMGeek,

    Thanks for following up - I'll zip up those files and send them through in a PM shortly.

    Kind Regards,

    Ben

  • Hello,

    Thanks for the further information. We have analyzed the samples provided (the ones you shared directly with me and the samples you might have shared via Sophos Support).

    1. We found some of the emails were not routed via the XG 17.5 firewall, based on the missing 'Received-by' header.
    2. With the last sample we found that the email was processed via Sophos, but nothing in the XG logs indicated attachment corruption or byte loss.
      1. We also found attachment corruption on those emails which had not passed through XG.
    3. I wish to cross-validate this theory if you could provide the pre-filtered (before XG scan) samples.

    Table 1: Samples shared via Sophos Support

    Sample 1: attachment1.eml (attachment type: .pdf)
      1) We found this email was routed via XG 17.5, as we found a Received-by header which indicates the mail passed via XG (Exim).
      2) We don't have XG logs (/log/smtpd*) for this incident to validate.
      3) We are able to open the .pdf file in a browser (the file seems to have been created using a Word-to-PDF converter).
      4) The .pdf doesn't open in Adobe Acrobat Reader DC v2019.

    Sample 2: attachment1(1).eml (attachment type: .rtf)
      1) This mail was not routed via XG, as no Received-by header was found in the mail.

    Sample 3: attachment1(1)(1).eml (attachment type: .docx)
      1) Mail was not routed via XG, as no Received-by header was found in the mail.

    Table 2: Sample shared on IM (zip file: Sophos.zip)

    Sample 1: Test PDF Attachment.msg (attachment type: .pdf)
      1) We found this email was routed via XG 17.5, as we found a Received-by header which indicates the mail passed via XG (Exim).
      2) We found XG has forwarded the entire email with the full attachment, with additional spam scanning headers.
      3) We believe XG has not changed the content of the attachment, as we haven't observed any data loss based on the logs, but we were still unable to open the pdf file (we believe XG received the corrupted file in the incoming mail).

    Please share the original sample file to cross validate this investigation.

    So, to summarize the issue: the attachments (.rtf & .docx) in Table 1 were not passed through XG but are still corrupted. In the same way, there is a chance that the .pdf file (contained in Sophos.zip) was also corrupted by the sending MTA/client. We saw the email traverse many MTAs in your case.

    We recommend having a live troubleshooting session to find out the root cause behind the issue.
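    The two checks this thread relies on, comparing SHA1 hashes of an attachment before and after it crosses the MTA, and reading the Received headers to tell whether a message actually passed through the gateway at all, can both be scripted so the evidence in a support case is repeatable. The following Python is an added example, not code from this thread or from Sophos; the host names, the "Exim 4.91" string, the sample PDF bytes and the truncation used to simulate a shrunk attachment are all constructed assumptions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a PDF attachment (not a document from the thread).
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n" + b"0" * 4000 + b"\n%%EOF\n"


def build_sample_eml(route_via_gateway=True, attachment=None):
    """Build a constructed .eml with one attachment.

    Every MTA hop prepends its own Received header, so a message that crossed
    a gateway carries a hop naming that gateway; route_via_gateway=True adds
    such a hop. Host names and "Exim 4.91" are assumptions for the example.
    """
    data = SAMPLE_PDF if attachment is None else attachment
    msg = EmailMessage()
    if route_via_gateway:
        msg["Received"] = ("from mail.example.com by gateway.example.com "
                           "with esmtp (Exim 4.91) id 1example-0001; "
                           "Mon, 1 Jan 2018 10:00:01 +0000")
    msg["Received"] = ("from client.example.com by mail.example.com "
                       "with ESMTP; Mon, 1 Jan 2018 10:00:00 +0000")
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Test PDF Attachment"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="pdf",
                       filename="test.pdf")
    return msg.as_bytes()


def received_hops(raw):
    """Return the Received headers of a raw .eml, newest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(h) for h in msg.get_all("Received", [])]


def passed_through(raw, marker):
    """True if any Received hop mentions marker (e.g. the gateway's MTA name)."""
    return any(marker in hop for hop in received_hops(raw))


def attachment_digests(raw):
    """Map each attachment filename to (decoded size in bytes, SHA-1 hex digest)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    digests = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        digests[part.get_filename()] = (len(data), hashlib.sha1(data).hexdigest())
    return digests


def compare(sent, delivered_raw):
    """Compare the attachment bytes that were sent with what arrived.

    sent maps filename -> original bytes. Returns one report per attachment
    with both sizes and whether the bytes survived the route unchanged.
    """
    delivered = attachment_digests(delivered_raw)
    report = []
    for name, original in sent.items():
        sent_sha1 = hashlib.sha1(original).hexdigest()
        recv_size, recv_sha1 = delivered.get(name, (None, None))
        report.append({
            "name": name,
            "sent_size": len(original),
            "received_size": recv_size,
            "intact": recv_sha1 == sent_sha1,
        })
    return report


def demo():
    """Run the checks on a constructed intact message and a constructed truncated one."""
    raw_ok = build_sample_eml(route_via_gateway=True)
    # Simulated symptom: the attachment arrives a few hundred bytes shorter than sent.
    raw_bad = build_sample_eml(route_via_gateway=True, attachment=SAMPLE_PDF[:-800])
    raw_direct = build_sample_eml(route_via_gateway=False)
    return {
        "ok": compare({"test.pdf": SAMPLE_PDF}, raw_ok),
        "truncated": compare({"test.pdf": SAMPLE_PDF}, raw_bad),
        "gateway_seen_ok": passed_through(raw_ok, "Exim"),
        "gateway_seen_direct": passed_through(raw_direct, "Exim"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    In a real case you would read the sent file from disk and the delivered message from the .eml saved out of OWA or Outlook, and use the gateway's own host name (or the Exim banner it writes into Received) as the marker; a sample with no matching hop never crossed the gateway and cannot be evidence for or against it.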

  • I am having the same issue with 17.5 beta 2. Please let me know how I can help to resolve this. PDFs routed through the MTA are being corrupted.

    Thank you

    -Matt Hymowitz

    GMP Networks, LLC

  • Thanks for the escalations.

    This issue has been identified as a defect and is solved in the next release.
