SBS Premium 2003 - Exchange: random repeating emails

Thank you for your suggestion, TechSoEasy. That is not something that I have checked before. Unfortunately, the field was blank, so I guess that wasn't it.

Stay Active? I read and respond to every comment made in any of my questions. Thank you for your response.

I hadn't had a chance to respond yet... it's been a busy week.

If this is happening to just a single user, then I'd suspect that user has a rule or two configured in their Outlook which is causing the problem.  Please review their rules, and see that there aren't multiple rules which may apply to the emails in question.  If there are, you can have just the first rule apply by checking the "stop processing more rules" box.

Jeff
TechSoEasy

This has happened to everyone who receives email from outside the domain (including me) at least once. 99% of our users have not set up any rules in Outlook.

You will then have to provide more specific information about the email received.  Where did it come from?  (ie, what was the domain name).  Who was it addressed to?  Specifically... was the recipient in the To: field?  Or was it addressed in the CC or BCC field?

Can you replicate the error by having the same sender resend the email message?

If you can replicate it, then if you disable GFI Mail Archiver 4 does the problem go away?

Jeff
TechSoEasy

There have been over a hundred of these emails so far. Do you want copies of all of them?

Where did it come from?  
Each of the emails came from a different address in a different domain.

Who was it addressed to?  
As I said above, almost everyone in our domain has received at least one of these.

Specifically... was the recipient in the To: field?  
In almost all of the cases, the recipient was specifically addressed in the To: field. A couple of them had the recipient listed in the CC: field. I don't think any of them were in the BCC: field.

Can you replicate the error by having the same sender resend the email message?
No. In every single case, subsequent emails from the same sender to the same recipient have not resulted in repeating emails.

I know these answers are not much help. I've been going nuts trying to find an answer that makes sense.

Thanks for your response... that does help a bit... not that I have any idea what's causing this yet... but at least you've eliminated a few possibilities.

Have you tried disabling the SMTP proxy within the Watchguard Firewall?

Jeff
TechSoEasy

Can you check the message headers of these SPAM... and post them here along with the message header of a legitamate email from the same person. Obscure any personal detail where necessary

These are not SPAM, Jimbo. These are legitimate emails sent from clients to valid email addresses in our domain. I'm not sure whether the header is going to be much help. But anyway, here's the header of one recent example:

Microsoft Mail Internet Headers Version 2.0
Received: from outside-domain.com ([70.102.xxx.xx]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.1830);
       Fri, 4 May 2007 19:27:17 -0700
MIME-Version: 1.0
Subject: RE: Diablo Logo
Date: Thu, 3 May 2007 15:46:21 -0700
Message-ID: <ab3a9779cab07ff6652cbb7e682600aa8afb6fac@localhost>
From: "Outside Client" <client@outside-domain.com>
To: "Our Employee" <employeee@mydomain.com>
X-WatchGuard-Spam-ID: str=0001.0A09020B.463BEBC3.009A,ss=1,fgs=0
X-WatchGuard-Mail-From: client@outside-domain.com
X-WatchGuard-Mail-Recipients: employeee@mydomain.com
Content-Type: multipart/mixed;
      boundary="----_=_NextPart_001_01C78DD4.E19CB438"
Return-Path: client@outside-domain.com
X-OriginalArrivalTime: 05 May 2007 02:27:17.0713 (UTC) FILETIME=[E698FC10:01C78EBC]

------_=_NextPart_001_01C78DD4.E19CB438
Content-Type: multipart/alternative;
      boundary="----_=_NextPart_002_01C78DD4.E19CB438"

------_=_NextPart_002_01C78DD4.E19CB438
Content-Type: text/plain;
      charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------_=_NextPart_002_01C78DD4.E19CB438
Content-Type: text/html;
      charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


------_=_NextPart_002_01C78DD4.E19CB438--
------_=_NextPart_001_01C78DD4.E19CB438
Content-Type: image/bmp;
      name="Diablo Logo.BMP"
Content-Transfer-Encoding: base64
Content-Description: Diablo Logo.BMP
Content-Disposition: attachment;
      filename="Diablo Logo.BMP"

------_=_NextPart_001_01C78DD4.E19CB438
Content-Type: application/msword;
      name="Diablo Logo.DOC"
Content-Transfer-Encoding: base64
Content-Description: Diablo Logo.DOC
Content-Disposition: attachment;
      filename="Diablo Logo.DOC"

Jeff, if I disable the SMTP Proxy, it is my understanding that no email will pass through the firewall. I have thought about trying to disable various parts of the proxy to see if there is an invalid setting somewhere, but the problem is that I would have no way to test whether the change had worked because I never know when we're going to get one of these repeating emails and I have no way of forcing one.

Just to clarify:

These emails, recieved as corrupted but sent by the expected sender? The point is important... either something is randomly corrupting your emails or somone is spamming you - spoofing the email address of the sender (easily done).

Received: from outside-domain.com ([70.102.xxx.xx]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.1830);

Can you verify that this IP is a legitamte source for the domain/sender that the email appears to be comming from?

What anti virus is installed on your server locally?

Hi Jimbo -

For the example that I posted, there were two attachments. One of them was received uncorrupted. The other was corrupted. And when I say corrupted, I mean that it was an empty file, only 64 bytes in size, which is basically just the header. Itwas definitely NOT spam. It was a response from a client to a request for copies of their logo in various formats. The email was expected by the recipient.

Yes, the IP does resolve to the proper MX record.

We are using the Enterprise version of Eset's NOD32 (current version 2.70.32).

Have you configure the server anti virus to exclude the folders specified in this article:

http://support.microsoft.com/kb/328841

#2

Can the client resend the same email, afterwards with your user receiving it uncorrupted?

well, actually, since we use Exchange 2003, I have configured it to exclude the folders specified in this article:
http://support.microsoft.com/kb/823166/en-us

I have also verified which folders to exclude with Eset. In addition, we have excluded the folders that are specified GFI.

#2
with the specific example that I gave, the client did re-send the attachments, and the results were the same. however, other emails from that same sender have not had similar problems. In this specific example, the attachment that got corrupted was a Word Document with a copy of the client's logo in two different image formats in it.

i guess that would give a strong indication that this is related to the attachments. But I have to tell you that we send and receive literally hundreds of similar attachments every day and it is only the occassional, random email that ends up with this problem of repeating.

The problem quite definately appears to be attachment related. Since the data your end user views inevitably changes hands many times there can be a few places where this corruption is happening:

1) The senders infrastructure. Get them to send it to say a hotmail address to verify.
2) Filtering mechanisms on your firewall (if present).
3) Anti-SPAM box
4) Exchange Information store level AV
5) Client side AV. (Use Outlook Web Access do you get the same thing?). Disable the service to see what happens - before receiving the email.

Since the problem is reproducable with a particular email - the best method is to resend this email paying particular attention to the above, disabling and enabling services as required.

I hear you. It might take a while for me to find the appropriate sender to ask to spend time on this. I'm hesitant to ask clients to help us resolve an internal email issue that doesn't really affect them.

Anyway, thanks for spending time with me on a Sunday. I'm done for the day. I'll try to find time to work on it again tomorrow.

If it is indeed an attachment issue - you should only need to obtain a copy of the attachment prior to it reaching your network(like if they send it to a hotmail address). You could then test from there onwards.

If however the same corruption is found in the email sent to the hotmail account it is probably their infrastructure.

Thanks, Jeff. Man, why couldn't I find that MS KB article?

OK, so now I have two things to try. This is a very busy week for me, but I'll try to find time to test both of these.

That SMTP proxy article looks very promising. Make it your priority.

*bookmarks that one for later*

I had this same issue with a firebox 500 but after pulling my hair out I came to realize that the issue was because there wasn't enough bandwidth on my internet connection and we had voip phones