
Corrupt spam notification emails

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6016
Printed Date: 05 February 2025 at 10:52am


Topic: Corrupt spam notification emails
Posted By: lyndonje
Subject: Corrupt spam notification emails
Date Posted: 02 April 2007 at 5:04am
Hello all,

I've developed our spam notification emails, so that recipients can accept & whitelist particular emails in their quarantine by clicking the relevant link without having to log into anything.

Anyhow, some of these email notifications are being detected as corrupt: either Outlook can't open some of them, or the backup software (Veritas) reports them as corrupt/bad during the backup run.

I thought the problem was due to line length and thought I'd fixed it, but since my latest update there has been another corrupt email detected.

To take a look at the RAW email as it is stored in the database visit http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3392812

This pulls the email from the SF database so what you see is exactly what is sent. You'll see that none of the lines in this email are over 76 characters long, so what else could the problem be?




Replies:
Posted By: mikek
Date Posted: 02 April 2007 at 5:31am
Hi

Your structure is:

1. multipart/related
1.1 multipart/alternative
1.1.1 text/plain
1.1.2 text/html
1.1.3 image/gif

I don't know if this is the problem, but this structure would make more sense in my opinion:

1. multipart/alternative
1.1 text/plain
1.2 multipart/related
1.2.1 text/html
1.2.2 image/gif

And with both structures, shouldn't the "multipart/alternative" and the "multipart/related" parts be using unique boundaries?

Cheers

Mike


Posted By: lyndonje
Date Posted: 02 April 2007 at 6:40am
Hi Mike,

How much experience do you have with MIME emails? To be honest I have none, this is the first MIME email I've created from code.

I only ask because I got my references from
http://mailformat.dan.info/headers/mime.html

Which I think infers this is how the encoding should be - however I understand your logic.

What do you think?



Posted By: mikek
Date Posted: 02 April 2007 at 6:48am
I have some experience with MIME E-Mails... (wrote my own webmail client for our webserver)...

Anyway: here's an example I just googled, which explains the pros and cons of the different cascades and confirms my theory that the boundaries must be unique...

http://segate.sunet.se/cgi-bin/wa?A2=ind9903&L=mhtml&P=2248


Posted By: lyndonje
Date Posted: 02 April 2007 at 7:24am
Hi Mike,

I've followed your link, and it looks like my formatting is the same as in example 9.1 (Multipart/alternative inside Multipart/related).

I can't see where it mentions any cons in using 9.1?

Not saying you're wrong - because I don't know either way, I'm just a little confused :)


Posted By: lyndonje
Date Posted: 02 April 2007 at 7:35am
Mike, just to clarify, what were you referring to when you mentioned the boundaries needed to be unique?

I know they need to be, but thought mine would be? How do you know if they are/aren't unique?


Posted By: mikek
Date Posted: 02 April 2007 at 8:14am
Originally posted by lyndonje:

Mike, just to clarify, what were you referring to when you mentioned the boundaries needed to be unique?

I know they need to be, but thought mine would be? How do you know if they are/aren't unique?


The "multipart/alternative" and the "multipart/related" parts have to use different boundary strings...


Posted By: lyndonje
Date Posted: 02 April 2007 at 8:25am
Below is a snippet from the email in question (found at the URL mentioned in the original post)

Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_1175274000_371753209_31011983"

------=_NextPart_1175274000_371753209_31011983
Content-Type: multipart/alternative;
    boundary="----=_NextPart_1175274000_371753210_31011983"

Is this where you are referring to? In my email they are unique unless you are referring to somewhere else?

Still confused....

Thanks.


Posted By: mikek
Date Posted: 02 April 2007 at 8:34am
of course, you're right... looks like I need a new pair of glasses...
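
A check for the three things this thread inspects by hand (nesting order, boundary reuse across multipart levels, and the 76-character line limit), written with Python's standard email parser. This is an added example, not part of the original posts; the sample message, its boundary strings and the function names are constructed for illustration.

```python
import email
from collections import Counter
from email import policy

# Constructed sample with the nesting outlined in the thread; boundary
# strings and bodies are made up, not taken from the poster's message.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="outer-1"

--outer-1
Content-Type: multipart/alternative; boundary="inner-2"

--inner-2
Content-Type: text/plain

2 messages quarantined
--inner-2
Content-Type: text/html

<p>2 messages quarantined</p>
--inner-2
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--inner-2--
--outer-1--
"""

def outline(part, label="1"):
    # Return [(label, content_type, boundary)] for a part and its children.
    rows = [(label, part.get_content_type(), part.get_boundary())]
    if part.is_multipart():
        for i, child in enumerate(part.get_payload(), 1):
            rows += outline(child, f"{label}.{i}")
    return rows

def check(raw, max_len=76):
    # Summarise structure, reused boundaries, long lines and parser defects.
    msg = email.message_from_string(raw, policy=policy.default)
    rows = outline(msg)
    seen = Counter(b for _, _, b in rows if b)
    return {
        "tree": [(label, ctype) for label, ctype, _ in rows],
        "reused_boundaries": sorted(b for b, n in seen.items() if n > 1),
        "long_lines": [n for n, line in enumerate(raw.splitlines(), 1) if len(line) > max_len],
        "defects": [type(d).__name__ for p in msg.walk() for d in p.defects],
    }
```

Running `check()` on the raw text saved from the quarantine database gives the same numbered outline used earlier in the thread, plus any defects the parser recorded while splitting the parts.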


Posted By: lyndonje
Date Posted: 02 April 2007 at 8:54am
No problem. Do you have any other thoughts?


Posted By: lyndonje
Date Posted: 03 April 2007 at 3:48am
Here are some more messages that were detected as corrupt in last night's backup:

http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3408688 - Message 1
http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3408642 - Message 2
http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3404525 - Message 3
http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3398282 - Message 4
http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3398382 - Message 5



Posted By: LogSat
Date Posted: 03 April 2007 at 4:07pm
Getting an "access denied" when trying to view the emails...

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: lyndonje
Date Posted: 04 April 2007 at 3:40am
Hi R,

Are you following the links or copying them? They'll only work if the referer passed is www.logsat.com.

If for some reason this can't work for you let me know.

Thanks,
Lyndon.


Posted By: __M__
Date Posted: 04 April 2007 at 4:50am
Lyndon, unfortunately I'm not able to be of assistance with diagnosing your problem; however, I think what you are doing sounds great and I'd like to know a bit more about how you're achieving this when you get it all running.

Top work.

Regards, Mike



Posted By: LogSat
Date Posted: 04 April 2007 at 11:19am
Got it. I use SSL when browsing the forums, and thus your referrer check blocked me. Looking at the messages, I'll let you know if we spot anything.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 04 April 2007 at 1:20pm

We are doing something similar but I just created a table in SQL with 3 fields:

 email | auth | date

When I generate a notification email, a link is sent in the email the customer receives like this:

Dear x,

  You currently have 46 messages in the quarantine db. We encourage you to check to make sure valid mail has not been stopped. Please click the link below to be taken to your spam administration menu.

http://spam_web/default.asp?email=joeblow@mydomain.com&auth=H&Q@!tR

When the user clicks this link the asp program checks the SQL table to see if the username & auth code match and if they do it logs them into the web spam admin area to view quarantines, modify whitelists, etc.

The 7 digit code is just a random generator script I found. Every time emails are sent out I update the auth code and date so every link the customer receives is unique.

 



-------------
http://www.webguyz.net


Posted By: lyndonje
Date Posted: 05 April 2007 at 3:48am
Yeah, similar. The problem I see with that is it's another step the user has to take to find out if anything genuine has been stopped. They may take the time to follow the link only to find it was all spam anyway.

The email I send lists the sender address & subject. If there is nothing of interest in the email the user can simply delete/ignore it. The emails listed in the notification will then automatically be deleted after 7 days, and even if they aren't deleted they won't be mentioned in future notifications. In the tblQuarantine table I've added a notified field, and an auth field. The asp generates a random auth code for each message and sets the notified flag to true when a message has been included in a notification. Therefore the SQL statement in the auto_notify.asp page only pulls messages where deliver, expired and notified are all false.

The link in the email contains the MsgID, Auth Code and Quarantine ID. When the link for a particular email is followed, an ASP page is run that makes sure the MsgID, Auth Code & Quarantine ID all match. If so it sets the deliver flag to true for SF to whitelist and forward. If all three codes don't match, or an email has already been delivered or deleted, an error is displayed indicating the likely cause. Only problem is some of these are corrupt.... and I don't know why!
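
A sketch of the per-message release link described above, as an added example that is not code from the thread or from Spam Filter ISP. It assumes a 128-bit token from the OS random source, a stored hash instead of the raw token, and a constant-time comparison; the class, field names and status strings are hypothetical, and the in-memory dict stands in for the quarantine table.

```python
import hashlib
import hmac
import secrets
import time

TTL = 7 * 24 * 3600  # the thread deletes notified messages after 7 days

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Quarantine:
    """In-memory stand-in for the quarantine table (hypothetical schema)."""

    def __init__(self):
        self.rows = {}  # msg_id -> row

    def notify(self, msg_id, quarantine_id, now=None):
        """Mark a message as notified and return the token for its link."""
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self.rows[msg_id] = {
            "qid": quarantine_id,
            "auth": _digest(token),  # store only a hash of the token
            "sent": time.time() if now is None else now,
            "deliver": False,
        }
        return token

    def release(self, msg_id, quarantine_id, token, now=None):
        """Set the deliver flag only if all three link values match."""
        now = time.time() if now is None else now
        row = self.rows.get(msg_id)
        # Compare against a dummy digest when the row is missing so the
        # work done does not depend on whether msg_id exists.
        stored = row["auth"] if row else _digest("")
        match = hmac.compare_digest(stored, _digest(token))
        if not (row and match and row["qid"] == quarantine_id):
            return "denied"
        if row["deliver"]:
            return "already delivered"
        if now - row["sent"] > TTL:
            return "expired"
        row["deliver"] = True
        return "released"
```

Any mismatch among the three values returns the same "denied" status, so the response does not reveal which value was wrong.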


Posted By: WebGuyz
Date Posted: 05 April 2007 at 8:59am

But they would have to take time to read the email and sometimes you're just not sure from the subject. Some of our older customers get tons of email every day.

To make it more manageable I ripped the guts out of a Webmail package for use in the spam admin and now when the customer sees the quarantine list they have a small graphic on each line; when they click on the graphic, the actual email appears in a popup window in html, instead of a jumble of text that makes no sense and is hard to read.

 



-------------
http://www.webguyz.net


Posted By: lyndonje
Date Posted: 11 April 2007 at 7:36am
Anybody have any more ideas on this? Roberto, have you managed to take a look?

Just thinking on... in case the email generated and saved in the database isn't corrupt, and the email is somehow being corrupted during transit, does anybody know of a way to see the full and raw source of an email in an Exchange mailbox via Outlook and compare that with the data saved in the SF database?


Posted By: LogSat
Date Posted: 11 April 2007 at 6:12pm
lyndon,

I've been fiddling around with your samples for several days now, trying to figure out "why" they were considered corrupted. The one I've been concentrating on is the email in your " http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3408688 - Message 1 " above. To be honest, I really can't find anything wrong with it... Everything looks as it should.

Yes, looking to see what happens in transit is a good idea. If you're using Outlook 2003, there is finally a way to view the email's original, unmodified source. Look at http://www.outlook-tips.net/howto/view_source.htm for the registry entry to change.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: lyndonje
Date Posted: 12 April 2007 at 4:15am
Hi Roberto,

Got my hopes up there! But as is often the case, if you're using Exchange this doesn't work, or so the page says:

Quote: "This works on mail obtained from Internet mail transports, not Exchange server mailboxes."


Just had another idea to give us an indication of whether they are being corrupted in transit... Notifications that have already been sent to the respective recipients and have been detected as corrupt are still stored in the database. I can change the EmailTo field of previously known corrupt emails to myself, and set deliver to 1 and expire to 0. Let them come through to me. If all are again detected as corrupt, it's unlikely to be a problem in transit; however, if some aren't detected as corrupt, it could be transit?

What do you think?


Posted By: lyndonje
Date Posted: 12 April 2007 at 4:36am
So far it doesn't seem like a transit issue....

I've selected 10 notification emails that have previously been detected by the backup as corrupt. I set their emailto field to myself, and deliver to 1 and expire to 0.

Only 8 of the 10 got into my Inbox. The other two would not sync from the Exchange server (I'm using Cached Exchange Mode in OL2003). If I had Cached Exchange Mode disabled, I presume I would see the emails in my Inbox but not be able to open them, as this is the symptom some emails have shown on other systems, so I'm guessing this is the difference there. I then tried a further two times at having these two particular emails sent through, but every time there was a sync issue. These two messages are:
  • http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3433578 - Message 1
  • http://mx1.uksubnet.net/spam2/getmsg.asp?msgid=3439499 - Message 2
The sync error is:
Quote: 09:26:34     The following message had an error and synchronization of it was skipped (0x8004011b):


I'll wait to see what tonight's backup says about the other 8 emails....


Posted By: lyndonje
Date Posted: 12 April 2007 at 6:33am
Another thing I've just tried... The above two mentioned emails which Outlook won't even display, I've set the EmailTo to a POP3 account and downloaded with Outlook Express - both emails downloaded and displayed fine? Would this indicate a problem with these emails and Exchange?


Posted By: lyndonje
Date Posted: 13 April 2007 at 3:33am
FYI the 8 other notifications were all reported as corrupt again by the backup, so it doesn't look like they're being corrupted in transit...?


