Solved

Sonicwall Firewall stripping attachments out as text

Posted on 2013-11-05
Last Modified: 2014-01-06
I had our externally hosted website updated to create a form where people can send in their resumes.  There is an option for them to attach a Word file or PDF etc.

When the web company sends the resume to our email account the attachment comes in as text.  I know it is the sonicwall firewall doing this because we have a barracuda spam filter afterwards and it shows the attachment as text as well.

I had them direct the form to my personal email account and the attachment came in as an attachment.  We tried with different file types and it made no difference.  Here is what the email looks like.  I truncated it somewhat as the gibberish text goes on for a while.

What could be causing this in my sonicwall?  We are using a NSA3500.  Attachments coming in via regular methods are of course OK.  It is just from this form that the web guys built.

You have received a new application
Name      Bob Smith
Phone      
Email      
Address      
, .
Extra Information      test
--PHP-alt-a8f8b34dec412cc9946a6b5426b25b2c--
--PHP-mixed-a8f8b34dec412cc9946a6b5426b25b2c
Content-Type: application/octet-stream; name="Full Logo with Tag.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Full Logo with Tag.jpg"
[base64-encoded attachment data omitted]
Question by:Bekster
10 Comments
 
LVL 24

Assisted Solution

by:diverseit
diverseit earned 100 total points
ID: 39626392
Hi Bekster,

SonicWALL has no ability to do that unless you are explicitly filtering it through App Controls, which also has to be enabled and configured. Do you have CGSS licensed and App Control configured? If this was the culprit you'd see it in the Logs as well.

SonicWALL, via App Control, would block attachments in emails from a Mail Client, based on their contents. This method uses Match Object Type File Content in Application Firewall Match Objects. This method inspects the contents of file attachments and based on what is defined in Match Objects, blocks it. E.g., a document file with keyword "Confidential" or a compressed "exe" file. This method does not purport to block attachments by their extension. Likewise, this cannot be used to block HTTP Webmail attachments.

From what you have described it is not network specific which would point to the SonicWALL but rather email provider specific. Additionally, this App Control method would not filter out ALL attachments and would be easily identified in the Logs if it was engaged to take action. I'd look at the email provider and client used.

What Email Client are you using (Outlook, webmail)? What type of email server is it (Exchange, Google Apps, Linux)?

Let me know how it goes!
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39627016
Have you actually tried to open the attachment in an email client?

In order to transfer (email) the attachment it is uuencoded into text, sent, then uudecoded at the receiving site. It looks like you are looking at the attachment before it is converted back to whatever it was.
0
 

Author Comment

by:Bekster
ID: 39627408
I am using Outlook with Exchange. We have a Barracuda firewall that is after the sonicwall, but before the Exchange server, and the message is in that format on the Barracuda, so the email client isn't relevant here.

In an email client there is no actual attachment, there is just that huge string of text.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39627527
Here is another possibility...

There are two ways (or more) to add an attachment to an email. One is by simply uuencoding it and the other is to use mime headers with the encoding.

Some email clients will accept either while others (apple items) are much more restrictive and typically require mime headers with the encoding. If you see an attachment that appears in the body of an email, then typically you need mime headers.

Since this is your web site that is sending the email, which method are you using to send the email with attachment?

As a hint, if you view the entire email (not just the attachment portion) as text, then you would see something like the following if mime headers are used.

Subject: base64-encoded test
MIME-Version: 1.0
Content-Type: application/octet-stream; name="resume.pdf"
Content-Transfer-Encoding: base64
0
 

Author Comment

by:Bekster
ID: 39627639
Here is everything before the text gibberish.  This is from the Barracuda.

X-ASG-Debug-ID: 1382488109-02b1fb0c4152a1d0001-5MlMsj
Received: from cvc-dell2850 ([199.68.176.112]) by barracuda.ourserver.com with ESMTP id tQB9nQ5mltF2YziM for <jobs@ourserver.com>; Tue, 22 Oct 2013 20:28:30 -0400 (EDT)
X-Barracuda-Envelope-From:
X-Barracuda-Apparent-Source-IP: 199.68.xxx.xx
Received: from cvc-dell2850 ([127.0.0.1]) by cvc-dell2850 with Microsoft SMTPSVC(6.0.3790.4675);
       Tue, 22 Oct 2013 20:28:29 -0400
Date: Tue, 22 Oct 2013 20:28:29 -0400
Subject:  Careers - Job Application Submission
To: jobs@ourserver.com
X-ASG-Orig-Subj:  Careers - Job Application Submission
From:
Reply-To:
Content-Type: multipart/mixed; boundary="PHP-mixed-a8f8b34dec412cc9946a6b5426b25b2c"
Return-Path: <>
Message-ID: <CVC-DELL2850cAXLtYm00000095@cvc-dell2850>
X-OriginalArrivalTime: 23 Oct 2013 00:28:29.0300 (UTC) FILETIME=[CBDABB40:01CECF86]
X-Barracuda-Connect: UNKNOWN[199.68.176.112]
X-Barracuda-Start-Time: 1382488110
X-Barracuda-URL: http://localserver:8000/cgi-mod/mark.cgi
X-Barracuda-Orig-Rcpt: jobs@ourserver.com
X-Virus-Scanned: by bsmtpd at ourserver.com
X-Barracuda-Spam-Score: -1001.00
X-Barracuda-Spam-Status: No, SCORE=-1001.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=6.0

 
--PHP-mixed-a8f8b34dec412cc9946a6b5426b25b2c  
Content-Type: multipart/alternative; boundary="PHP-alt-a8f8b34dec412cc9946a6b5426b25b2c"

--PHP-alt-a8f8b34dec412cc9946a6b5426b25b2c  
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

  Name: My Name Phone:   Email:   Address:
     , .   Extra Information:
  test
--PHP-alt-a8f8b34dec412cc9946a6b5426b25b2c  
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<h3>You have received a new application</h3>
<table width="600" cellpadding="4" cellspacing="1">
  <tr><th width="150" align="right" bgcolor="#CCCCCC">Name</th><td bgcolor="#EEEEEE">My Name</td></tr>
  <tr><th align="right" bgcolor="#CCCCCC">Phone</th><td bgcolor="#EEEEEE"></td></tr>
  <tr><th align="right" bgcolor="#CCCCCC">Email</th><td bgcolor="#EEEEEE"></td></tr>
  <tr><th align="right" bgcolor="#CCCCCC">Address</th><td bgcolor="#EEEEEE"> <br>, . </td></tr>
  <tr><th align="right" bgcolor="#CCCCCC">Extra Information</th><td bgcolor="#EEEEEE">test</td></tr>
</table>
--PHP-alt-a8f8b34dec412cc9946a6b5426b25b2c--

--PHP-mixed-a8f8b34dec412cc9946a6b5426b25b2c  
Content-Type: application/octet-stream; name="Full Logo with Tag.jpg"  
Content-Transfer-Encoding: base64  
Content-Disposition: attachment; filename="Full Logo with Tag.jpg"
0
 
LVL 20

Accepted Solution

by:
carlmd earned 400 total points
ID: 39627660
Look at the section that says

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

This indicates the attachment is plain text, which is what you are seeing. There are no mime headers, which is what I believe is your problem.

If you take one of the problem emails sent to your personal account, and forward it to your work account, you will see the difference.

I would go back to your website and change the coding to use mime headers with attachments.
0
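One way to check a captured message for the MIME header conditions discussed in this thread, as an added example that is not from any poster here. It uses Python's standard email parser, which is lenient and will find the attachment even when MIME-Version is absent (RFC 2045 requires that header for a message to be treated as MIME), so the header is checked explicitly. `audit_mime`, `sample` and the sample message are constructed for illustration, modelled on the headers posted above.

```python
import base64
import re
from email import message_from_string
from email.policy import default

def audit_mime(raw):
    """Return the MIME facts a mail gateway relies on, plus any findings."""
    msg = message_from_string(raw, policy=default)
    findings = []
    if msg["MIME-Version"] is None:
        findings.append("missing MIME-Version header")
    if not msg.is_multipart():
        # Part headers sitting in a non-multipart body are the
        # "attachment shows up as text" symptom.
        body = msg.get_payload()
        if re.search(r"^--\S+[ \t]*\r?\nContent-Type:", body, re.M | re.I):
            findings.append("MIME part headers found inside a non-multipart body")
    attachments = [
        (part.get_filename(), len(part.get_payload(decode=True)))
        for part in msg.iter_attachments()
    ]
    return {"content_type": msg.get_content_type(),
            "attachments": attachments,
            "findings": findings}

def sample(mime_version=True, multipart_header=True):
    """Constructed message shaped like the form mail quoted in the thread."""
    data = base64.b64encode(b"%PDF-1.4 constructed sample").decode()
    headers = ["Subject: Careers - Job Application Submission",
               "To: jobs@example.com"]
    if mime_version:
        headers.append("MIME-Version: 1.0")
    if multipart_header:
        headers.append('Content-Type: multipart/mixed; boundary="mixed-EXAMPLE"')
    body = ["--mixed-EXAMPLE",
            'Content-Type: text/plain; charset="iso-8859-1"',
            "",
            "Name: Bob Smith",
            "--mixed-EXAMPLE",
            'Content-Type: application/octet-stream; name="resume.pdf"',
            "Content-Transfer-Encoding: base64",
            'Content-Disposition: attachment; filename="resume.pdf"',
            "",
            data,
            "--mixed-EXAMPLE--"]
    return "\n".join(headers + [""] + body) + "\n"
```

Feed `audit_mime` the raw source of the same message as saved at each hop (web server, spam filter, mailbox) to see at which hop the findings change.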
 

Author Comment

by:Bekster
ID: 39627688
OK thanks, I will forward to the web guys and see what they come up with.

Yes, if the email is sent to my personal account then forwarded to my work account its fine.
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39628179
Nice pinpointing Carl!
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39689673
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
