
Some incoming messages end up with MIME content in message body (Exchange 2016, XG 17.5 MR4)

A small subset of incoming email messages are appearing in user inboxes in a strange format which I'd characterise as "MIME not decoded properly" format. For example, the first few lines of one message:

--_011_SG2PR03MB27978A7DFBD4A8CA199558A49D550SG2PR03MB2797apcp_
Content-Type: multipart/alternative;
        boundary="_000_SG2PR03MB27978A7DFBD4A8CA199558A49D550SG2PR03MB2797apcp_"

--_000_SG2PR03MB27978A7DFBD4A8CA199558A49D550SG2PR03MB2797apcp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

U3VyZQ0KVGhhbmtzDQpQaWVybw0KDQoNCkZyb206IFphcmVlbiBQcmFzYWQgPFphcmVlblBAZ3Nh
aWIuY29tLmF1Pg0KU2VudDogVHVlc2RheSwgMiBBcHJpbCAyMDE5IDEwOjA4IEFNDQpUbzogUGll
cm8gQnVhIDxwYnVhQGZyZWRvbi5jb20uYXU+DQ

There doesn't seem to be any pattern to this yet; or at least none I've identified. There are no other MTAs involved - just Office 365, Sophos in MTA mode, and the internal Exchange server. Since most messages are working, I'm not even sure where to start with this or what other information will help, so any suggestions are welcomed.

Edit: There appears to be a significant difference in the SMTP headers. The "broken" email I have shows headers like this:

Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <CAE841EFD23DD34192139305BBCFBF4D@internal.domain.name>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Compare that to a working email from the same sender to the same recipients:

Content-Type: multipart/related;
	boundary="_011_87BAF6626415BF45BAFCAE4854537C6AFFF2EFDAGASSIN01gadintr_";
	type="multipart/alternative"
MIME-Version: 1.0

Is it possible the Sophos is breaking it apart and reassembling poorly during scanning? There doesn't appear to be anything obviously "strange" in the re-sent copy that worked.
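The symptom described above can be triaged mechanically: a message whose outer Content-Type is text/plain but whose decoded body begins with a MIME boundary line followed by part headers has had a multipart body relabelled in transit. This added Python example (not from the thread, Sophos or Microsoft) detects that condition and re-parses the body on the boundary it still carries to recover the text part; the sample message, boundary and addresses are constructed placeholders.

```python
from __future__ import annotations
import re
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Constructed sample modelled on the thread's symptom: outer headers say
# text/plain + quoted-printable, but the body is a still-encoded multipart.
BROKEN_RAW = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_000_EXAMPLEBOUNDARY_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

U3VyZQ0KVGhhbmtzDQpPSw0K
--_000_EXAMPLEBOUNDARY_--
"""

# A part header directly after a "--boundary" line is the tell-tale sign that a
# multipart body was relabelled as plain text somewhere in transit.
_PART_HEADER = re.compile(r"^Content-(Type|Transfer-Encoding|ID|Disposition):", re.I)

def undecoded_boundary(msg: EmailMessage) -> str | None:
    """Return the boundary if this text/plain body is really a raw multipart, else None."""
    if msg.get_content_type() != "text/plain":
        return None
    lines = msg.get_content().lstrip().splitlines()  # get_content() undoes the QP layer
    if len(lines) < 2 or not lines[0].startswith("--") or lines[0].endswith("--"):
        return None
    return lines[0][2:].strip() if _PART_HEADER.match(lines[1]) else None

def recover_text(raw: bytes) -> str | None:
    """Detect the mislabelled body, re-parse it as multipart and return its text/plain part."""
    msg = message_from_bytes(raw, policy=policy.default)
    boundary = undecoded_boundary(msg)
    if boundary is None:
        return None
    # Wrap the decoded body in a synthetic multipart envelope so the stdlib parser
    # splits it on the boundary it already carries. multipart/mixed stands in for
    # the lost original subtype; nested multipart/alternative parts are walked too.
    wrapper = (f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
               "MIME-Version: 1.0\n\n" + msg.get_content())
    part = message_from_string(wrapper, policy=policy.default).get_body(("plain",))
    return part.get_content() if part is not None else None
```

Run over a mailbox export, a non-None result from recover_text marks a message hit by this problem and gives the user readable text while the cause is investigated.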

  • This problem has existed since 17.5 and has not been solved by the authorities. It seems to be a problem of the anti-virus.

  • Had this issue today for the first time... So no update on this? If it is a problem of av, which engine then? Sophos av engine?

    Regards, Jelle

    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • As far as I can see, the first mail was caught by Sandstorm. Evaluation took about 11 minutes. As that mail was not usable because of the issue, the mail was resent by the sender. This time the email passed Sandstorm, as the attachments were known to XG, and it came to the user's postbox without any issue.

    Who else with this issue has sandstorm active?

    Regards, Jelle


  • Coincidentally or not, I too use sandstorm, however I get this corruption on emails with and without attachments.

    I personally suspect the anti virus sub system, because I have one particular sender which we trust explicitly for which I have a policy to bypass everything except for anti virus, and I still get random emails from them being corrupted by my XG.

    To this point I have been engaged by level 1 and level 2 Sophos support agents, with logs pulled and requests for remote support assistance, but they have now gone dark on the matter and I have not had any interaction on it for a while now.

  • Installed an XG135 HA cluster last Wednesday for a customer. No Sandstorm subscription, but they report the same issue. Using SFOS 17.5.4 MR-4-1.

    The header of the email is converted to:

    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    The email is received from Office 365. If the sender resends the email it usually gets through without problems.

    Dual scanning is enabled and a requirement from the customer. File Protection and Data Protection are both turned OFF.