problems with messages FROM GroupWise users

[RAM]

For the past week or so, I have had a couple of users report that some
messages they receive are "garbled." Essentially, it appears that the
messages are not being decoded properly, and show up as plain text,
with all the internet headers in the body of the message and the
actual content of the message looking like garbage:

----------------------------------
X-Mailer: Groupwise 6.5
Message-ID: <[email protected]>
From: "<sender>" <sender's email address>
Subject: RE: E-mail test
To: "Milbrand, Rachel A." <[email protected]>
Content-Type: multipart/alternative;
boundary="____VZICIQJZDGZFSAUPKXOP____"
X-Declude-RefID:
X-Spam-Tests-Failed: Whitelisted
X-Note: Mailprotector Spam Score: 0
X-Country-Chain:
X-Note: This E-mail was scanned for spam and viruses by
MailProtector(r).
X-SEF-Processed: 5_5_0_191__2007_08_13_08_27_14
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 13 Aug 2007 12:27:14.0384 (UTC)
FILETIME=[47981500:01C7DDA5]


--____VZICIQJZDGZFSAUPKXOP____
Content-Type: text/plain; charset=utf-8
Content-Language:
Content-Transfer-Encoding: base64

UmVwbGllZA0KDQo
+Pj4gIk1pbGJyYW5kLCBSYWNoZWwgQS4iIDxybWlsYnJhbmRAR0ZORVQu
UmVwbGllZA0KDQo+Y29t
----------------------------------

(truncated to save space in this post)

My outside anti-spam service, MailProtector, does not do anything that
would cause this, and neither does my in-house email filter
(SurfControl).

My research on the 'net has turned up almost nothing. My own research
shows that all the messages in question are from GroupWise 6.5 email
clients (as indicated in the garbled messages' internet headers), AND
are REPLIES to messages that my users have sent. The original messages
from my users appear to have been HTML format messages.

I've done some testing with one of the senders to confirm my findings:
if he replies to an HTML message, his reply comes in garbled/
improperly decoded. If he replies to a Plain Text or Rich Text format
message, MailProtector catches it with an "Outlook <blank folding>
vulnerability."

My users are running Outlook 2003, and we have Exchange 2003.

The only thing remotely related that I've found is a possibility that
a securtiy update to Exchange "broke" an earlier hotfix:

"reports from other Exchange administrators of issues with a security
patch breaking some of the base64 encoding on the Exchange side.

The old hotfix that fixed the problem:
http://support.microsoft.com/kb/885419

maybe a new hotfix broke the old:
http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx"

Is anyone having the same problem? Has anyone found the cause and a
fix?

Thanks in advance!

 

[John Fullbright]

It's missing the required MIME Version header, so it's interpreted as
plaintext. The issue is in the encoding, not the decoding (Groupwise)

You're post is actually quite funny. See the thread titled "Base64 Encoded
Messages?" in microsoft.public.exchange.admin for more background Perhaps
you and David should compare notes. Is it the same sending domain by
chance?


John

For the past week or so, I have had a couple of users report that some
messages they receive are "garbled." Essentially, it appears that the
messages are not being decoded properly, and show up as plain text,
with all the internet headers in the body of the message and the
actual content of the message looking like garbage:

----------------------------------
X-Mailer: Groupwise 6.5
Message-ID: <[email protected]>
From: "<sender>" <sender's email address>
Subject: RE: E-mail test
To: "Milbrand, Rachel A." <[email protected]>
Content-Type: multipart/alternative;
boundary="____VZICIQJZDGZFSAUPKXOP____"
X-Declude-RefID:
X-Spam-Tests-Failed: Whitelisted
X-Note: Mailprotector Spam Score: 0
X-Country-Chain:
X-Note: This E-mail was scanned for spam and viruses by
MailProtector(r).
X-SEF-Processed: 5_5_0_191__2007_08_13_08_27_14
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 13 Aug 2007 12:27:14.0384 (UTC)
FILETIME=[47981500:01C7DDA5]


--____VZICIQJZDGZFSAUPKXOP____
Content-Type: text/plain; charset=utf-8
Content-Language:
Content-Transfer-Encoding: base64

UmVwbGllZA0KDQo
+Pj4gIk1pbGJyYW5kLCBSYWNoZWwgQS4iIDxybWlsYnJhbmRAR0ZORVQu
UmVwbGllZA0KDQo+Y29t
----------------------------------

(truncated to save space in this post)

My outside anti-spam service, MailProtector, does not do anything that
would cause this, and neither does my in-house email filter
(SurfControl).

My research on the 'net has turned up almost nothing. My own research
shows that all the messages in question are from GroupWise 6.5 email
clients (as indicated in the garbled messages' internet headers), AND
are REPLIES to messages that my users have sent. The original messages
from my users appear to have been HTML format messages.

I've done some testing with one of the senders to confirm my findings:
if he replies to an HTML message, his reply comes in garbled/
improperly decoded. If he replies to a Plain Text or Rich Text format
message, MailProtector catches it with an "Outlook <blank folding>
vulnerability."

My users are running Outlook 2003, and we have Exchange 2003.

The only thing remotely related that I've found is a possibility that
a securtiy update to Exchange "broke" an earlier hotfix:

"reports from other Exchange administrators of issues with a security
patch breaking some of the base64 encoding on the Exchange side.

The old hotfix that fixed the problem:
http://support.microsoft.com/kb/885419

maybe a new hotfix broke the old:
http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx"

Is anyone having the same problem? Has anyone found the cause and a
fix?

Thanks in advance!

 

[John Fullbright]

BTW, when you take the base64 encoded body and decode it, it says

"Replied

com"

For the past week or so, I have had a couple of users report that some
messages they receive are "garbled." Essentially, it appears that the
messages are not being decoded properly, and show up as plain text,
with all the internet headers in the body of the message and the
actual content of the message looking like garbage:

----------------------------------
X-Mailer: Groupwise 6.5
Message-ID: <[email protected]>
From: "<sender>" <sender's email address>
Subject: RE: E-mail test
To: "Milbrand, Rachel A." <[email protected]>
Content-Type: multipart/alternative;
boundary="____VZICIQJZDGZFSAUPKXOP____"
X-Declude-RefID:
X-Spam-Tests-Failed: Whitelisted
X-Note: Mailprotector Spam Score: 0
X-Country-Chain:
X-Note: This E-mail was scanned for spam and viruses by
MailProtector(r).
X-SEF-Processed: 5_5_0_191__2007_08_13_08_27_14
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 13 Aug 2007 12:27:14.0384 (UTC)
FILETIME=[47981500:01C7DDA5]


--____VZICIQJZDGZFSAUPKXOP____
Content-Type: text/plain; charset=utf-8
Content-Language:
Content-Transfer-Encoding: base64

UmVwbGllZA0KDQo
+Pj4gIk1pbGJyYW5kLCBSYWNoZWwgQS4iIDxybWlsYnJhbmRAR0ZORVQu
UmVwbGllZA0KDQo+Y29t
----------------------------------

(truncated to save space in this post)

My outside anti-spam service, MailProtector, does not do anything that
would cause this, and neither does my in-house email filter
(SurfControl).

My research on the 'net has turned up almost nothing. My own research
shows that all the messages in question are from GroupWise 6.5 email
clients (as indicated in the garbled messages' internet headers), AND
are REPLIES to messages that my users have sent. The original messages
from my users appear to have been HTML format messages.

I've done some testing with one of the senders to confirm my findings:
if he replies to an HTML message, his reply comes in garbled/
improperly decoded. If he replies to a Plain Text or Rich Text format
message, MailProtector catches it with an "Outlook <blank folding>
vulnerability."

My users are running Outlook 2003, and we have Exchange 2003.

The only thing remotely related that I've found is a possibility that
a securtiy update to Exchange "broke" an earlier hotfix:

"reports from other Exchange administrators of issues with a security
patch breaking some of the base64 encoding on the Exchange side.

The old hotfix that fixed the problem:
http://support.microsoft.com/kb/885419

maybe a new hotfix broke the old:
http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx"

Is anyone having the same problem? Has anyone found the cause and a
fix?

Thanks in advance!

 

[John Fullbright]

I'd hazard a guess that the problem is on the sending Groupwise internet
agent, a group representing the internet (or at least the group representing
your org accessed via tthe internet) has been defined, but the /mime switch
for the GWITA was not used. The message is therefore simply encoded in the
RFC 822 (plaintext) format by the GWITA instead of MIME. This would explain
the absense of the MIME Version 1.0 header. The admin for groupwise in the
sending domain needs to fix that.


Under "message Formatting and Encoding"

http://www.novell.com/documentation...ion/gw65/gw65_admin/data/aig15tm.html#brltspm

or

"Non-GroupWise Domain for MIME Replies"

http://www.novell.com/documentation...ion/gw65/gw65_admin/data/a2zi22h.html#a2zi901

To summarize, it might help if they read the manual.

For the past week or so, I have had a couple of users report that some
messages they receive are "garbled." Essentially, it appears that the
messages are not being decoded properly, and show up as plain text,
with all the internet headers in the body of the message and the
actual content of the message looking like garbage:

----------------------------------
X-Mailer: Groupwise 6.5
Message-ID: <[email protected]>
From: "<sender>" <sender's email address>
Subject: RE: E-mail test
To: "Milbrand, Rachel A." <[email protected]>
Content-Type: multipart/alternative;
boundary="____VZICIQJZDGZFSAUPKXOP____"
X-Declude-RefID:
X-Spam-Tests-Failed: Whitelisted
X-Note: Mailprotector Spam Score: 0
X-Country-Chain:
X-Note: This E-mail was scanned for spam and viruses by
MailProtector(r).
X-SEF-Processed: 5_5_0_191__2007_08_13_08_27_14
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 13 Aug 2007 12:27:14.0384 (UTC)
FILETIME=[47981500:01C7DDA5]


--____VZICIQJZDGZFSAUPKXOP____
Content-Type: text/plain; charset=utf-8
Content-Language:
Content-Transfer-Encoding: base64

UmVwbGllZA0KDQo
+Pj4gIk1pbGJyYW5kLCBSYWNoZWwgQS4iIDxybWlsYnJhbmRAR0ZORVQu
UmVwbGllZA0KDQo+Y29t
----------------------------------

(truncated to save space in this post)

My outside anti-spam service, MailProtector, does not do anything that
would cause this, and neither does my in-house email filter
(SurfControl).

My research on the 'net has turned up almost nothing. My own research
shows that all the messages in question are from GroupWise 6.5 email
clients (as indicated in the garbled messages' internet headers), AND
are REPLIES to messages that my users have sent. The original messages
from my users appear to have been HTML format messages.

I've done some testing with one of the senders to confirm my findings:
if he replies to an HTML message, his reply comes in garbled/
improperly decoded. If he replies to a Plain Text or Rich Text format
message, MailProtector catches it with an "Outlook <blank folding>
vulnerability."

My users are running Outlook 2003, and we have Exchange 2003.

The only thing remotely related that I've found is a possibility that
a securtiy update to Exchange "broke" an earlier hotfix:

"reports from other Exchange administrators of issues with a security
patch breaking some of the base64 encoding on the Exchange side.

The old hotfix that fixed the problem:
http://support.microsoft.com/kb/885419

maybe a new hotfix broke the old:
http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx"

Is anyone having the same problem? Has anyone found the cause and a
fix?

Thanks in advance!

 

[RAM]

Thanks, John. I'm emailing the tech support folks of the senders in
question, I will include this information and ask them to check their
settings.

I'll post back with the results!

- RAM

 

[Fishbones]

Thanks, John. I'm emailing the tech support folks of the senders in
question, I will include this information and ask them to check their
settings.

I'll post back with the results!

- RAM

RAM,
I found that the Exchange hotfix that you stated broke the decoding
part for Exchange in receiving Groupwise mail. The only thing that I
can ask my users is to have the ask the sending party to send as plain
text. This garbling only happens when the sending party is sending as
HTML format. I have also tested a user on a test Exchange box and
found that with the hotfix that broke my production box, it works find
so I may think that the virtual SMTP has gotten screwed up. Thought I
have to say that I have yet to test which patch broke the production
server.

 

[John Fullbright]

If I'm not misktaken, that was a security patch to avoid an exploit whem
malformed messages are decoded. The fact is, if a message is malformed you
cannot expect it to be reliably decoded.

1. The MIME Version is required on all MIME messages. In this case,
groupwise did not send one as required by RFC.
2. The Content-Language is malformed.

These are things that must be fixed on the groupwise side. The most likely
source is the GWITA. In Groupwise, you have two choices when sending
messages over the internet to a group; you can use the /mime option and add
the appropriate headers, or you can use the default which simply takes
whatever is ther and stuffs it in an RFC822 plaintext format. If you are
sending an html mail from GW, you want to use the /mime option so the
required headers are added. If you don't, and the required headers are
missing, you can't expect the content to be reliably decoded.