This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Some incoming messages end up with MIME content in message body (Exchange 2016, XG 17.5 MR4)

A small subset of incoming email messages are appearing in user inboxes in a strange format which I'd characterise as "MIME not decoded properly" format. For example, the first few lines of one message:

Content-Type: multipart/alternative;

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


There doesn't seem to be any pattern to this yet; or at least none I've identified. There are no other MTAs involved - just Office 365, Sophos in MTA mode, and the internal Exchange server. Since most messages are working, I'm not even sure where to start with this or what other information will help, so any suggestions are welcomed.

Edit: There appears to be a significant difference in the SMTP headers. The "broken" email I have shows headers like this:

Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Compare that to a working email from the same sender to the same recipients:

Content-Type: multipart/related;
MIME-Version: 1.0

Is it possible the Sophos is breaking it apart and reassembling poorly during scanning? There doesn't appear to be anything obviously "strange" in the re-sent copy that worked.

This thread was automatically locked due to age.
  • Same problem here; 17.5 MR4-1.

    Most messages have no issues; some have a broken content (attachment scan issue?)


    Content-Type: multipart/alternative;




    Content-Type: text/plain; charset="us-ascii"

    Content-Transfer-Encoding: quoted-printable


    [#8781751] support ticket

  • Hi

    I have the exact same problem with SFOS 17.5.4 MR-4-1 on Sophos XG 135 device with MTA mode. Random messages will come through garbled and corrupt looking very similar to the above. 

    Help Please

    [#8783646] Web support query

  • This problem has existed since 17.5 and has not been solved by the authorities. It seems to be the problem of anti-virus

  • Had this issue today for the first time... So no update on this? If it is a problem of av, which engine then? Sophos av engine?

    Regards, Jelle

    Sophos XG210-HA (SFOS 17.5.8) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • As far as I can see the first mail was catched by sandstorm. Evaluation took about 11 minutes. As that mail was not usable because of the issue the mail was resent by the sender. This time the email passed sandstorm as the attachments were known to XG and it came to the users postbox without any issue.


    Who else with this issue has sandstorm active?

    Regards, Jelle

    Sophos XG210-HA (SFOS 17.5.8) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • Coincidentally or not, I too use sandstorm, however I get this corruption on emails with and without attachments.

    I personally suspect the anti virus sub system, because I have one particular sender which we trust explicitly for which I have a policy to bypass everything except for anti virus, and I still get random emails from them being corrupted by my XG.

    To this point I have been engaged by level 1 and level 2 Sophos support agents with logs pulled and requests for remote support assistance, but they have now gone dark on the matter and I have not had interaction on it for a while now 

  • Installed a XG135 HA Cluster last Wednesday for a customer. No Sandstorm subscription but they report the same issue. Using SFOS 17.5.4 MR-4-1.

    The header of the email is converted to:

    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    The email is received from Office 365. If the sender resends the email it usually gets through without problems.

    Dual scanning is enabled and a requirement from the customer. File Protection and Data Protection are both turned OFF.

  • So SFOS 17.5.5 MR-5 is out and no mention whatsoever of a fix for this....

  • Hi All,

    Apologies for any inconvenience caused, there is currently an open ID related to this (NC-44646) that our team is investigating. If you think you are also affected, please raise a support case referencing this ID, and send me a PM for tracking purposes.

     I reviewed the activities within your support case (#8783646), please reply back to the latest email with the requested logs and samples so that further investigation can be performed.

     Please reply back to the latest email (#8781751) with your availability for a remote troubleshooting session.

    Please don't hesitate to PM me directly if you had any questions or concerns.


    Florentino Sanchez
    Community Manager, Support & Services

    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
  • Hi Everyone,

    I have had this issue and received a patch that fixes it.

    The tech let me know that this is fixed in v17.5MR6.  

    If you are receiving the email but the content is jumbled/malformed, copy it to a base64 decoder and it should output the email fine.  This is just for urgent emails where you need to have the content.

    Apparently MR6 will be out end of May.  I would suggest that if you cannot wait, log a case and refer to the bug ID  has put in.

    Community Support | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link