A small subset of incoming email messages are appearing in user inboxes in a strange format which I'd characterise as "MIME not decoded properly" format. For example, the first few lines of one message:
Content-Type: text/plain; charset="utf-8"
There doesn't seem to be any pattern to this yet; or at least none I've identified. There are no other MTAs involved - just Office 365, Sophos in MTA mode, and the internal Exchange server. Since most messages are working, I'm not even sure where to start with this or what other information will help, so any suggestions are welcomed.
Edit: There appears to be a significant difference in the SMTP headers. The "broken" email I have shows headers like this:
Content-Type: text/plain; charset="iso-8859-1"
Compare that to a working email from the same sender to the same recipients:
Is it possible the Sophos is breaking it apart and reassembling poorly during scanning? There doesn't appear to be anything obviously "strange" in the re-sent copy that worked.
Same problem here; 17.5 MR4-1.
Most messages have no issues; some have a broken content (attachment scan issue?)
Content-Type: text/plain; charset="us-ascii"
[#8781751] support ticket
I have the exact same problem with SFOS 17.5.4 MR-4-1 on Sophos XG 135 device with MTA mode. Random messages will come through garbled and corrupt looking very similar to the above.
[#8783646] Web support query
This problem has existed since 17.5 and has not been solved by the authorities. It seems to be the problem of anti-virus
Had this issue today for the first time... So no update on this? If it is a problem of av, which engine then? Sophos av engine?
Sophos XG210-HA (SFOS 17.5.8) on SG210 appliances with Sandstorm and 1x AP55Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced
If a post solves your question use the 'This helped me' link.
As far as I can see the first mail was catched by sandstorm. Evaluation took about 11 minutes. As that mail was not usable because of the issue the mail was resent by the sender. This time the email passed sandstorm as the attachments were known to XG and it came to the users postbox without any issue.
Who else with this issue has sandstorm active?
Coincidentally or not, I too use sandstorm, however I get this corruption on emails with and without attachments.
I personally suspect the anti virus sub system, because I have one particular sender which we trust explicitly for which I have a policy to bypass everything except for anti virus, and I still get random emails from them being corrupted by my XG.
To this point I have been engaged by level 1 and level 2 Sophos support agents with logs pulled and requests for remote support assistance, but they have now gone dark on the matter and I have not had interaction on it for a while now
Installed a XG135 HA Cluster last Wednesday for a customer. No Sandstorm subscription but they report the same issue. Using SFOS 17.5.4 MR-4-1.
The header of the email is converted to:
Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: quoted-printable
The email is received from Office 365. If the sender resends the email it usually gets through without problems.
Dual scanning is enabled and a requirement from the customer. File Protection and Data Protection are both turned OFF.
So SFOS 17.5.5 MR-5 is out and no mention whatsoever of a fix for this....
Apologies for any inconvenience caused, there is currently an open ID related to this (NC-44646) that our team is investigating. If you think you are also affected, please raise a support case referencing this ID, and send me a PM for tracking purposes.
Louis Swanepoel I reviewed the activities within your support case (#8783646), please reply back to the latest email with the requested logs and samples so that further investigation can be performed.
PRC_N Please reply back to the latest email (#8781751) with your availability for a remote troubleshooting session.
Please don't hesitate to PM me directly if you had any questions or concerns.
I have had this issue and received a patch that fixes it.
The tech let me know that this is fixed in v17.5MR6.
If you are receiving the email but the content is jumbled/malformed, copy it to a base64 decoder and it should output the email fine. This is just for urgent emails where you need to have the content.
Apparently MR6 will be out end of May. I would suggest that if you cannot wait, log a case and refer to the bug ID FloSupport has put in.
KingChrisCommunity Support | Sophos Support Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts | If a post solves your question use the 'This helped me' link