Mail sent using KOC blocked by Blackspider & F-Secure
  •  
gerco

I have this problem sending to a recipient using blackspider outsourced antivirus.

Blackspider uses multiple different vendors' products and the error given is:

Quote:


The quarantine disposition "format [long-words]" refers to an email where there is an unbroken string of 196 characters or more in one of the mail headers, including the To: or Cc: fields, as well as the attachment MIME headers.

The reason the message is quarantined is that it potentially allows malicious code execution in a variety of mail clients, for example some versions of Microsoft Outlook and Microsoft Outlook Express (see http://www.microsoft.com/technet/security/Bulletin/MS00-043.mspx).



The mail header that I assume the KOC has added which causes this email to be blocked by blackspider is:

Content-Type: application/pdf; name="Butten Island.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; size="63 kB";filename="Butten Island.pdf"
X-MAPI: QkFTRTY0OiIvdGFncy8zMDA3MDA0MCIgIlNZU1RJTUUgYzg2ZGM4ZGMgMDFj NjllYTkiICIvdGFncy8zMDA4MDA0MCIgIlNZU1RJTUUgYzg3ZTc5NTIgMDFj NjllYTkiICIvdGFncy8zNzAzMDAxZiIgIlNUUklOR1cgfi5wZGZ


Kerio may not see this as a bug to be fixed but I do. My customer is not going to want to relax his antivirus and we cannot send him mail. Is there a way to stop this long X-Mapi header item being added, what is its purpose..?
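
An added example, not part of the original posts and not Kerio or Blackspider code: a pre-send check that applies the quoted 196-character rule to every header of every MIME part, so an administrator can see which header would trip it. It assumes "unbroken" means a run of characters without whitespace; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

THRESHOLD = 196  # figure taken from the quoted Blackspider text


def longest_run(value):
    """Length of the longest whitespace-free run in a header value."""
    return max((len(tok) for tok in re.findall(r"\S+", value)), default=0)


def long_word_headers(raw_message, threshold=THRESHOLD):
    """Return (part_index, header_name, run_length) for each header over the limit."""
    msg = message_from_string(raw_message)
    hits = []
    # walk() yields the top-level message first, then each MIME part in order,
    # so attachment headers such as X-MAPI are checked as well.
    for idx, part in enumerate(msg.walk()):
        for name, value in part.items():
            run = longest_run(value)
            if run >= threshold:
                hits.append((idx, name, run))
    return hits


def build_sample(xmapi_value):
    """Constructed two-part message with an attachment carrying an X-MAPI header."""
    return (
        "From: sender@example.com\n"
        "To: recipient@example.org\n"
        "Subject: constructed test message\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nbody\n--b1\n"
        'Content-Type: application/pdf; name="sample.pdf"\n'
        "Content-Transfer-Encoding: base64\n"
        f"X-MAPI: {xmapi_value}\n"
        "\nAAAA\n--b1--\n"
    )


# Constructed values: one 200-character token, and the same token folded
# onto continuation lines of at most 60 characters each.
UNBROKEN = "QUJD" * 50
FOLDED = "\n ".join(UNBROKEN[i:i + 60] for i in range(0, len(UNBROKEN), 60))
```

The folded variant carries the same characters but stays under the limit, because each continuation line introduces whitespace into the header value.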
  •  
sedell

I would say they should relax their AV settings. The vulnerability they are "protecting" against was fixed 6 years ago.

Scott
  •  
gerco


I agree completely but they are council offices & as well as not being very savvy they don't want to relax the AV.

Does anyone know what the X-Mapi info is for & if it is required. Composing messages via webmail does not include this item in the header...
  •  
scottwilkins

Something to keep in mind, what's more of a problem: The viruses, or the anti-virus? So many times anti-virus programs cause many more problems than the average user will ever see from a true virus. And, in today's environment, the best anti-virus is proper PC usage. While I'm not saying that you need to get rid of the anti-virus, turning its functions down is a very good way to keep your users trouble free. If you are using the Kerio's full e-mail suite with anti-virus, you already have protection in e-mail anyway. That with a normal real-time file scan, there is really no need to have desktop e-mail antivirus turned on. If you really need a triple check, just use Kerio's server ability for two anti-virus checks on the server. That will keep your desktops free of over-zealous protection that is in the end, really no protection at all.
  •  
sedell

Quote:

If you are using the Kerio's full e-mail suite with anti-virus, you already have protection in e-mail anyway. That with a normal real-time file scan, there is really no need to have desktop e-mail antivirus turned on.


That is such a bad philosophy. Just because the mail gets scanned at the mail server doesn't mean you don't need desktop protection. I've seen several cases (especially with the built in McAfee) where viruses got through the mail server to be caught on the desktop. There are also cases where a virus can get through before the definition files are updated, then you have no protection if the mail was already downloaded via something like POP3. And, this also assumes that the only way you can get a virus is via e-mail. We all know there are many more ways to catch a virus than e-mail.

Scott
  •  
gerco

I have been told this is a bug - 17681
  •  
scottwilkins

sedell wrote on Wed, 05 July 2006 15:28


That is such a bad philosophy. Just because the mail gets scanned at the mail server doesn't mean you don't need desktop protection. I've seen several cases (especially with the built in McAfee) where viruses got through the mail server to be caught on the desktop. There are also cases where a virus can get through before the definition files are updated, then you have no protection if the mail was already downloaded via something like POP3. And, this also assumes that the only way you can get a virus is via e-mail. We all know there are many more ways to catch a virus than e-mail.


You only prove my point that it's not a bad philosophy. Too much protection is no protection at all and is all too often worse. If a virus beats the anti-virus definition updates, it will most likely beat both the e-mail and the desktop. And again, if you have real-time file scanning in place, there is no need for e-mail scanning. Your example with POP3 is invalid. Either with or without e-mail scanning on the desktop, the virus has already been delivered to your system, and a real-time file scanning will find it upon delivery to the hard drive, even before it is opened. Scanning each message on the desktop is overkill to an n-th degree.

I provided a better solution anyway. Kerio allows dual virus scanning on the e-mail server. That is 100 times more beneficial than over-protection on the desktop. Plus you get the added protection that you state is needed. This keeps the desktop cleaner and much more trouble free.

Every piece of software you install on a desktop machine is a liability to the operation of that machine. Anti-virus is a big example of how one piece of software can cause many headaches. Choose your anti-virus carefully, and engage only the needed parts of the anti-virus and you'll find you spend a LOT less time debugging issues on the desktop. As far as the "it found it here, but not there" is a complete crap shoot for anti-virus. Examples can be found time and time again where one found a virus at any given point in time where another didn't. Modern e-mail bound viruses are most deadly before any anti-virus company has made a fix. It's best to teach your users to never open attachments if they don't know the sender and/or reason for the attachment.

[Updated on: Wed, 05 July 2006 16:13]

  •  
sedell

Quote:

Your example with POP3 is invalid. Either with or without e-mail scanning on the desktop, the virus has already been delivered to your system, and a real-time file scanning will find it upon delivery to the hard drive, even before it is opened.


Not necessarily. All anti-virus products I've used have problems with PST files. They can't open the PSTs to scan them when Outlook is running. On the remote chance that they can, they can't clean or delete the mail within the PST. I've also seen this with scheduled scans when the files are not in use. The only way to keep the infected mail from getting into the PST is to have e-mail scanning catch it before it enters the PST, or have a plug-in for Outlook that will allow the AV scanner to scan the mail folders.

Scott
  •  
Pavel Dobry (Kerio)

gerco wrote on Wed, 05 July 2006 15:45

I have been told this is a bug - 17681


This is not quite correct. A workaround for the too strict behavior of Blackspider is tracked as suggestion 17681, not as a bug. An email header has no restriction on its length (as stated in the RFC). Such headers are perfectly valid.

[Updated on: Wed, 05 July 2006 17:39]

  •  
Kerio_jthomas

This is not related to the bug, but to the desktop/perimeter antivirus discussion.

The concept of putting layered defenses in against an attack - such as a firewall on the edge of the network AND each desktop - is known as Defense In Depth (http://en.wikipedia.org/wiki/Defense_in_depth) and is currently considered to be "best practice" for IT security professionals.

As a trivial example, a laptop introduced to the network with a virus would bypass all the perimeter antivirus controls and could easily infect unprotected internal systems.

Cheers,
Joshua Thomas

[Updated on: Wed, 05 July 2006 18:56]


Joshua Thomas
Technical Support Manager
2350 Mission College Blvd, Suite 400
Santa Clara, CA 95054
Phone: (408) 496-4500
Fax: (408) 496-6902
http://www.kerio.com/support.html

  •  
gerco

Can someone tell me the purpose of the X-Mapi header & if it possible to edit KOC to stop it being added...?
