IllegalMimeHeader file found sending notifications different than what is defined in "content sender (external)" notifications

Tue, 28 Apr 2009 16:15:48 Z

With the general option to purge illeagal mime headers, the notifications of this event seems to always go back to the external sender with a subject line of "Antigen Notification: {subject line}"

The notification definition for the content sender (external) is set as To:"%ESaddress%" and Subject: "%Message%" with a custom text body that does not include any macros (just a generic text).

The idea is to notify the external sender of content that is not allowed while NOT exposing the Antigen application by name.

This notification definition works for other content filters (file/subject etc), but this one setting in general seems to bypass that notification rule and go out on its own and reply with a default message.

Is there a way to control this outbound message (reg setting) or is turning off checking of illeagal mime headers the only solutions
Thanks

IllegalMimeHeader file found sending notifications different than what is defined in "content sender (external)" notifications

Thu, 07 May 2009 09:26:22 Z

Hi Harold,

As with many settings that are configurable through the SETTINGS->General Options panel, the "Illegal MIME Header - Internet" option counts as a virus detection (not a content detection). You should therefore be able to tailor the "Virus Sender (external)" Notification to achieve the desired effect.

Cheers, Andy

IllegalMimeHeader file found sending notifications different than what is defined in "content sender (external)" notifications

Thu, 07 May 2009 12:15:21 Z

Thanks Andy,
That made me look again to verify the settings for the notifications for the virus senders (external) and it IS disabled. I confirmed the server that actually caught the event (illegal mime…) and the time stamp and subject and it corresponds to the NDR we received back from the external domain (yahoo) with the reason for the NDR being a spoofed sender ID (user does not exist on the external domain). And in the NDR is the clear identifier of "Subject: Antigen Notification:......”. Being that the only external message we have configured is “content sender (external)” that is why I thought Antigen was not complying with that custom message. Being that this is considered a “virus sender (external)” and that notification is disabled, I am not quite sure why or how this message gets generated going outbound. The ONLY NDRs we get back (as caused by antigen replying to the external sender inbound) are from the illegal mime…events, no inbound virus events ever generate an outbound message and thus we never get an NDR from inbound virus events.

Any ideas would be appreciated.

Thanks
Harold

IllegalMimeHeader file found sending notifications different than what is defined in "content sender (external)" notifications

Tue, 12 May 2009 17:13:12 Z

Hi Harold,

What you are saying makes sense and normally I would need to delve deeper into your logs and settings to try to work this one out. We would need you to open a support case for that. Let me know if you wish to do this, but are not sure how.

One thing that may help is to turn on Additional Diagnostics->Internet from the General Options panel (for a short time only, if you are able to reproduce the issue). These diagnostics will return information about every message scanned to the programlog.txt. The diagnostics include lines about the sender determination (e.g. 'External') and some information about the notification as well (if and when sent). These may help to narrow down the cause of the issue.

Cheers, Andy

IllegalMimeHeader file found sending notifications different than what is defined in "content sender (external)" notifications

Tue, 12 May 2009 17:55:31 Z

Thanks Andy,
I'll see what I can capture with the additional logging and maybe have some insight to post. Otherwise I can try to open a case and the logs should give us a good head start. I'll see if I can capture an identical incident as what is logged right now is just minimal (found / purged).
Thanks again for the help
Harold