Filter Files in Blank Plain Text Message

Wed, 06 May 2009 12:14:06 Z

I've got a strange issue with my file filter. I've been getting a lot of blank message body spam over the past two days that have an attachement that meets an at*.png filter that I have created. When testing, if I send a message with one of the attachments, it is blocked (as it should be). But for some reason, it does not seem to catch them if the message is sent in plain text.

Can you think of any reason why this would happen? Further, is there any way to block blank message body spam that is sent in plain text? I've seen a few threads talking about it, but no real definitive answer.

I appreciate any thoughts anyone can provide.

Thank you!

Filter Files in Blank Plain Text Message

Wed, 06 May 2009 16:37:50 Z

Hi,

I would recommend that, during a quite period for the server, you repeat your tests but with the additional realtime diagnostics enabled and the before/after achiving enabled. This will tell Antigen to write additional data to the programlog.txt file and also place a copy of every message before and after scan within the archive folder. PLEASE DISABLE BOTH OF THESE IMMEDIATELY AFTER YOUR EMAILS HAVE PASSED THROUGH, as both of these option can quickly use your hard disk space.

The additional realtime diagnostics will log every action that antigen performs on a message and the subsequent return code. It is then usually a case of comparing the differences between the successful test and the unsuccesful test. The same with the archived messages. If you see any differences and would like help in explaining these, please post your findings here and I will try to help you. I would also recommend that you make a note of the time/date, sender, recipient, and that you make sure that the subject line is populated with something that will allow you to find the relevent entries within the programlog as this will help you with your troubleshooting.

I hope this helps
Alex

Filter Files in Blank Plain Text Message

Wed, 06 May 2009 20:03:40 Z

Alex,

Thanks for the suggestion. I will look into it, though I can't seem to replicate the issue on my own. My test mails get caught (both plain text and html), but the spammer messages were making it through.

The only good news to report is that it seems like SpamCure may be catching them now without my filter. So the issue is resolved, but I have no way to figure out why they weren't caught in the first place.

Perhaps if we get another round of the same type of messages, I'll be able to try your suggestion and figure out exactly what is going wrong.

Thank you again!

Filter Files in Blank Plain Text Message

Thu, 07 May 2009 12:04:11 Z

Hi,

The archive function can be quite good to troubleshoot these types of issues as when the message enters exchange its format is changed and information removed which can be useful in troubleshooting.

Alex

Filter Files in Blank Plain Text Message

Tue, 12 May 2009 13:21:44 Z

Well, looks like the issue has returned. The spammer changed the files to a different format (randomized name.png). I've adjusted my filter to filter *.png<=16KB. Once again, the filter acts weird, it catches some of the messages and others it skips.  There are two strange issues, first is sometimes it doesn't even SEE the attachment on the message. The second is, sometimes it sees the attachment and just lets it go.

DOES NOT SEE MESSAGE ATTACHMENT

: Begin scanning SMTP message"
: Begin scanning SMTP Inbound message named: Snex Mistakes That Men Make"
: Check allowed senders is scanning the sender address "surmised@wormsercorp.com" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: Check allowed senders has finished scanning the sender address "surmised@wormsercorp.com" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000) ulBypassTypes(0x00000000)"
: The IMS scanner is performing the AseScan test on the message named "Snex Mistakes That Men Make" located in the "Inbound" folder"
: The IMS scanner has finished the AseScan test with hResult(0x00000000)"
: The IMS scanner is performing the RBL test on the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS scanner has finished the RBL test with hResult(0x00000000)"
: The IMS Content Filter scanner is scanning the sender name "Englert Brangers " from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the sender name from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS Content Filter scanner is scanning the sender address "surmised@wormsercorp.com" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the sender address "surmised@wormsercorp.com" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS Content Filter scanner is scanning the subject line from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the subject line from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"
: The IMS scanner is performing the Keyword Scanning on the file named "Body of Message" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS scanner has finished the Keyword Scanning with hResult(0x00000000)"
: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder"
: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder with hResult(0x000C0100)"
: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Snex Mistakes That Men Make" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x00000000)"
: Done scanning SMTP Inbound message named: Snex Mistakes That Men Make"

Here is one where it sees the attachment, but lets it through

: Begin scanning SMTP message"
: Begin scanning SMTP Inbound message named: Fkertilization After 40"
: Check allowed senders is scanning the sender address "groans@ros.si" from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine"
: Check allowed senders has finished scanning the sender address "groans@ros.si" from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000) ulBypassTypes(0x00000000)"
: The IMS scanner is performing the AseScan test on the message named "Fkertilization After 40" located in the "Inbound" folder"
: The IMS scanner has finished the AseScan test with hResult(0x00000000)"
: The IMS scanner is performing the RBL test on the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS scanner has finished the RBL test with hResult(0x00000000)"
: The IMS Content Filter scanner is scanning the sender name "Salesky Rickel " from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the sender name from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS Content Filter scanner is scanning the sender address "groans@ros.si" from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the sender address "groans@ros.si" from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS Content Filter scanner is scanning the subject line from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the subject line from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS scanner detected a FileType of 61 (FOBTYPE_PNGFILE)"
: The IMS Virus scanner is scanning the file named "Salesky.png" from the message named "Fkertilization After 40" located in the "Inbound" folder"
: The IMS Virus scanner has finished scanning the file named "Salesky.png" from the message named "Fkertilization After 40" located in the "Inbound" folder with hResult(0x000C0100)"
: The IMS File Filter scanner is scanning the file named "Salesky.png" from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS File Filter scanner has finished scanning the file named "Salesky.png" from the message named "Fkertilization After 40" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x00000000)"
: Done scanning SMTP Inbound message named: Fkertilization After 40"

And here is an example where it actually works

: Message( Tantra fjor Beginners): IsInbound is checking the IP address: 10.1.1.2 in the SMTPExternalHosts list"
: Message( Tantra fjor Beginners): IsInbound determined message is sent by SMTP External Hosts, tagging message as "inbound""
: Message( Tantra fjor Beginners): IsInbound is checking the IP address: 87.1.77.138 in the InternalAddress list"
: The Smtp Event Sink determined that the mail msg is Outbound based on the recipient's SMTP address: user@companyname.com"
: Begin scanning SMTP message"
: Begin scanning SMTP Inbound message named: Tantra fjor Beginners"
: Check allowed senders is scanning the sender address "schizogonous@nandor.com" from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine"
: Check allowed senders has finished scanning the sender address "schizogonous@nandor.com" from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000) ulBypassTypes(0x00000000)"
: The IMS scanner is performing the AseScan test on the message named "Tantra fjor Beginners" located in the "Inbound" folder"
: The IMS scanner has finished the AseScan test with hResult(0x00000000)"
: The IMS scanner is performing the RBL test on the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS scanner has finished the RBL test with hResult(0x00000000)"
: The IMS Content Filter scanner is scanning the sender name "Liverance Segee " from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the sender name from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS Content Filter scanner is scanning the sender address "schizogonous@nandor.com" from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the sender address "schizogonous@nandor.com" from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS Content Filter scanner is scanning the subject line from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS Content Filter scanner has finished scanning the subject line from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000)"
: The IMS scanner detected a FileType of 61 (FOBTYPE_PNGFILE)"
: The IMS Virus scanner is scanning the file named "Liverance.png" from the message named "Tantra fjor Beginners" located in the "Inbound" folder"
: The IMS Virus scanner has finished scanning the file named "Liverance.png" from the message named "Tantra fjor Beginners" located in the "Inbound" folder with hResult(0x000C0100)"
: The IMS File Filter scanner is scanning the file named "Liverance.png" from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine"
: The IMS File Filter scanner has finished scanning the file named "Liverance.png" from the message named "Tantra fjor Beginners" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x031C0101)"
: Internet scan found virus:
   Folder: SMTP Messages\Inbound
   Message: Tantra fjor Beginners
   File: Liverance.png
   Incident: FILE FILTER= LMI FILE SPAM: *.png<16KB
   State: Purged"
: The IMS scanner is attempting to delete the file named "Liverance.png""
: Done scanning SMTP Inbound message named: Tantra fjor Beginners"

I can tell you that I have verified that the messages that make it through are not on our whitelist and all attachments were .png with a filesize less than 15KB. So they all should be caught, but they are unfortunately not. I see, on average, about 4-8 of these messages make it through the filter per day. But I can't really tell when they will show up.

Any help, as always, is appreciated!