This article applies to:
- Trustwave MailMarshal (SEG)
- Trustwave ECM/MailMarshal Exchange 7.X
Symptoms:
- Plaintext emails are being blocked by the 'Unknown Attachment' rule.
Causes:
Certain runs of sequential numbers in the body of the message are interpreted as base64 by the MMEngine service during message processing. An example of such a sequence would be:
14325931
14325932
14325933
14325934
14325935
14325936
Resolution:
Add a new registry value called SuspectB64Lines and increase the number of lines MailMarshal must find to trigger the rule. This can be accomplished by following the steps below:
- On the Array Manager, edit the Registry (in version 10.X, use Advanced Settings in the Management Console).
- Navigate to the SEG Engine key:
  - In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine
  - In version 10.X: value names have the prefix Engine. (Engine dot).
  - For full details of the location for each product version, see article Q10832.
- Add a new DWORD value named SuspectB64Lines.
- Set the value to the number of lines required to consider the data to be base64 encoded. The default is 10 (Decimal).
- Commit the configuration.
If you are experiencing this problem, the recommended value for SuspectB64Lines is 100. A value of 100 will allow most legitimate email through while still being able to stop malicious binaries.
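The following added example (not Trustwave code) illustrates why digit-only lines trip a line-count heuristic and how the threshold changes the outcome. It assumes a simplified detector that counts consecutive lines that decode as valid base64; the actual MMEngine logic is not documented here, and the function names and sample messages are constructed for illustration.

```python
import base64

def looks_like_base64(line: str) -> bool:
    """Assumed test: non-empty, length a multiple of 4, strict decode succeeds."""
    line = line.strip()
    if not line or len(line) % 4 != 0:
        return False
    try:
        base64.b64decode(line, validate=True)  # rejects non-alphabet characters
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def longest_b64_run(body: str) -> int:
    """Length of the longest run of consecutive base64-looking lines."""
    longest = current = 0
    for line in body.splitlines():
        current = current + 1 if looks_like_base64(line) else 0
        longest = max(longest, current)
    return longest

def is_suspect(body: str, suspect_b64_lines: int = 10) -> bool:
    """Flag the body once the run reaches the threshold (default 10, as in the article)."""
    return longest_b64_run(body) >= suspect_b64_lines

# Constructed plaintext: twelve sequential 8-digit numbers, as in the Causes section.
PLAINTEXT = ("Order numbers for this week:\n"
             + "\n".join(str(n) for n in range(14325931, 14325943))
             + "\nRegards, Alex\n")

# Constructed stand-in for an encoded binary: 7680 bytes wrapped at 76 characters.
BINARY = ("Content-Transfer-Encoding: base64\n\n"
          + base64.encodebytes(bytes(range(256)) * 30).decode("ascii"))

if __name__ == "__main__":
    for name, body in (("plaintext", PLAINTEXT), ("binary", BINARY)):
        run = longest_b64_run(body)
        print(f"{name}: run={run} "
              f"threshold 10 -> {is_suspect(body, 10)}, "
              f"threshold 100 -> {is_suspect(body, 100)}")
```

Each 8-digit number uses only characters from the base64 alphabet and has a length divisible by four, so it decodes cleanly; the plaintext run exceeds the default of 10 but not the recommended 100, while the encoded binary exceeds both.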
Notes:
- Important: Set SuspectB64Lines to the lowest value that resolves the issue. Using a very high value (such as 1000000 or more) will effectively disable the Unknown Attachment check and is not recommended.
- This article was previously published as:
- NETIQKB41143