MTA Mode corrupting attachments

Hey Hey,

 

I haven't had the time to completely test this yet, but I've discovered that MTA mode in 17.5 has been corrupting attachments in messages (when accessed via both OWA and Outlook). So far I've witnessed the following behaviour:

1. PDF files are being corrupted with Malware scanning enabled (dual anti-virus, primary engine Sophos)

  a) PDF files do not get corrupted when Malware scanning is disabled in the MTA policy.

2. Document files (namely .docx, .xlsx, etc.) are being corrupted regardless of Malware or File protection settings being enabled or disabled in the policy.

 

The corruption of files stopped after reverting firmware back to 17.1.3. More info to come when I get some more time to test.

  • Hi Benjamin,

    Thank you for the feedback.

    Contacting to you on PM for further details.

     

    Regards,

    Deepti

  • Benjamin Payne said:

    1. PDF files are being corrupted with Malware scanning enabled (dual anti-virus, primary engine Sophos)

    I cannot reproduce this behaviour on my XG 17.5 installation. I compared a PDF before and after sending by SHA1 hash. They are identical. If you are going to analyze those files with a hex editor, can you spot where anything is changed in the files? Can you maybe give some more information about your set-up and architecture? Maybe it's related somewhere there...

    Kind Regards
    Christian

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • We too tried to reproduce your issue with PDF and all other types of files with the suggested XG configuration. We could not reproduce the issue. Could you please share the logs (/log/smtpd*) with me on IM?

  • By the way... Same issue here with bare LFs as with File Protection (see here https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v17-5-early-access/f/sophos-xg-17-5-early-access/108541/mta-if-mail-is-blocked-by-file-protection-error-message-is-missleading)

    Additionally, the log message is misleading. It's my mail server behind the XG Firewall that does not accept bare LFs. The log message shows as if it were blocked by XG and not by the mail server behind it.

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • Hi Christian,

     

    The bare LF issue on your thread has been identified as an issue, and a fix will come in the next firmware.

    The issue reported here by Benjamin appears to be something else, which is not reproducible by multiple community users and the engineering team.

    We would appreciate it if you could provide us SSH access or logs for investigation.

  • Hi Christian,

     

    Thanks for testing it as well! Unfortunately, I couldn't do any further testing yesterday but I will have more time today and can provide logs/file hashes/etc.

     

    I'm running 17.5 on Hyper-V with 2 vCPU / 4GB RAM. All CPU / memory reservation is at 100% and it's running on SSDs.

     

    Kind Regards,

    Ben

  • Hi All,


    Thanks for all of the responses so far! Logs are still to come.

    Further testing completed this morning with the following standard variables:

    • Exchange 2010 (sending via OWA)
    • MTA Mode
    • SHA1 hashes used when running file comparisons
    • 17.5 build 280

    Malware Protection enabled, File Protection enabled, Dual AV, Primary Engine Sophos:

    • Attachments (routed through Sophos)
      • .docx files are shrinking (~20KB on a 1.5MB test file) and the file hash changes
      • .pdf files are shrinking (the original file is 63.0KB; when sent via Sophos it shrinks to 62.2KB) and the file hash changes

    Malware Protection enabled, File Protection disabled, Dual AV, Primary Engine Sophos:

    • Same results as above (including file hashes post Sophos)

    Malware Protection enabled, File Protection disabled, Dual AV, Primary Engine Avira:

    • Same results as above (including file hashes post Sophos)

    Malware Protection enabled, File Protection disabled, Single AV, Primary Engine Avira:

    • Same results as above (including file hashes post Sophos)

    Malware Protection disabled, File Protection disabled:

    • Same results as above (including file hashes post Sophos)

     

    To reiterate, there is no problem with the files when routed internally or directly to the internet. The problem only occurs when routing mail through the Sophos.

  • Thanks for the further information,

    please collect /log/smtpd* and /log/avd.log; it is also good to have the input files used in the test which are being corrupted (.eml with attachments).

    Please run the command "service smtpd:debug -ds nosync" before taking logs.

  • Hi UTMGeek,

    Thanks for following up - I'll zip up those files and send them through in a PM shortly.

    Kind Regards,

    Ben

  • Hello

    Thanks for the further information... We have analyzed the samples provided (which you shared directly with me, and the samples you might have shared via Sophos Support).

    1. We found some of the emails were not routed via the XG 17.5 firewall, based on the missing 'Received-by' header.
    2. With the last sample we found that the email was processed via Sophos, but nothing in the XG logs indicated attachment corruption / byte loss.
      1. We found attachment corruption also on those emails which had not passed through XG.
    3. I wish to cross-validate this theory if you could provide the prefiltered (before XG scan) samples.

     

    Table 1: Samples shared via Sophos Support

    • Sample 1: attachment1.eml (attachment type: .pdf)
      1) We found this email was routed via XG 17.5, as we found a received-by header which indicates the mail passed via XG – Exim
      2) We don't have XG logs (/log/smtpd*) for this incident to validate
      3) We are able to open the .pdf file in a browser (the file seems to have been created using a Word-to-PDF convertor)
      4) The .pdf doesn't open via Adobe Acrobat Reader DC v2019
    • Sample 2: attachment1(1).eml (attachment type: .rtf)
      1) This mail was not routed via XG, as the received-by header was not found in the mail.
    • Sample 3: attachment1(1)(1).eml (attachment type: .docx)
      1) Mail was not routed via XG, as the received-by header was not found in the mail.

     

    Table 2: Sample shared on IM (zip file: Sophos.zip)

    • Sample 1: Test PDF Attachment.msg (attachment type: .pdf)
      1) We found this email was routed via XG 17.5, as we found a received-by header which indicates the mail passed via XG – Exim
      2) We found XG has forwarded the entire email with the full attachment, with additional spam scanning headers.
      3) We believe XG has not changed the content of the attachments, as we haven't observed any data loss based on the logs, but still we were unable to open the pdf file (we believe XG gets the corrupted file in the incoming mail).

     

    Please share the original sample file to cross-validate this investigation.

    So to summarize the issue: the attachments (.rtf & .docx) in table 1 were not passed through XG but are still corrupted; in the same way there is a chance that the .pdf file (contained in Sophos.zip) also got corrupted by the sending MTA/client. We saw the email traverse many MTAs in your case.

    We recommend having a live troubleshooting session to find out the root cause behind the issue.
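The investigation in this thread rests on two checks: comparing the SHA1 hash (and size) of an attachment before and after transit, as Christian and Ben did, and reading the Received headers to tell whether a message actually traversed the XG, as the last post does. The following Python script is an added example, not code from this thread or from any Sophos tool, that performs both checks on a pair of .eml messages. The relay hostname xg.example.local, the sample messages and the attachment bytes are all constructed for the example; a real investigation would load the pre-relay and post-relay .eml files from disk and use the hostname the XG actually writes into its Received: line.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumption: the hostname the relay writes into its Received: header.
RELAY_HOST = "xg.example.local"


def build_sample(attachment: bytes, filename: str, via_relay: bool) -> bytes:
    """Construct a test .eml (constructed sample data, not a message from the thread)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Test PDF Attachment"
    if via_relay:
        # A hypothetical Received: line of the kind an Exim-based relay adds.
        msg["Received"] = (f"from mail.example.test by {RELAY_HOST} "
                           "with esmtp (Exim); Mon, 05 Nov 2018 10:00:00 +0000")
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename=filename)
    return msg.as_bytes()


def passed_through(raw: bytes, relay_host: str = RELAY_HOST) -> bool:
    """True if any Received: header names the relay, i.e. the relay handled the mail."""
    msg = message_from_bytes(raw, policy=default)
    return any(relay_host in str(value) for value in msg.get_all("Received", []))


def attachment_fingerprints(raw: bytes) -> list:
    """Decoded size and SHA1 of every attachment in an .eml, with its filename."""
    msg = message_from_bytes(raw, policy=default)
    result = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64/QP decoded to the raw file bytes
        result.append({"filename": part.get_filename(),
                       "size": len(data),
                       "sha1": hashlib.sha1(data).hexdigest()})
    return result


def compare(before: bytes, after: bytes) -> list:
    """Pair attachments by filename and report whether each changed in transit."""
    pre = {a["filename"]: a for a in attachment_fingerprints(before)}
    post = {a["filename"]: a for a in attachment_fingerprints(after)}
    report = []
    for name in sorted(set(pre) | set(post)):
        b, a = pre.get(name), post.get(name)
        report.append({
            "filename": name,
            "present_before": b is not None,
            "present_after": a is not None,
            # Negative delta = bytes lost in transit (the "shrinking" seen in the thread).
            "size_delta": (a["size"] - b["size"]) if (a and b) else None,
            "modified": b is None or a is None or b["sha1"] != a["sha1"],
        })
    return report


if __name__ == "__main__":
    # Constructed PDF-like payload; the post-relay copy is truncated by 800 bytes.
    original = b"%PDF-1.4\n" + b"x" * 1000 + b"\n%%EOF\n"
    before = build_sample(original, "test.pdf", via_relay=False)
    after = build_sample(original[:-800], "test.pdf", via_relay=True)
    print("traversed relay:", passed_through(after))
    for row in compare(before, after):
        print(row)
```

Running the script against the constructed pair reports that the relay's Received: header is present and that test.pdf lost 800 bytes with a changed SHA1. The same two checks applied to the thread's samples separate the two explanations on the table: a message with no XG Received: header and a changed hash was corrupted before it reached the XG, while an unchanged hash on a message that did pass the XG clears the relay for that sample.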