This article applies to:
- MailMarshal (SEG)
- MailMarshal ECM/MailMarshal Exchange 7.X
Symptoms:
- Plaintext emails are being blocked by the 'Unknown Attachment' rule.
Causes:
Certain sequential numeric sequences within the body of the message are being interpreted as base64 by the MMEngine service during message processing. An example of such a sequence would be:
14325931
14325932
14325933
14325934
14325935
14325936
Reply:
You can increase the number of lines MailMarshal must find to trigger the rule. This can be accomplished by following the steps below:
- In MailMarshal 10.0 and above, open the Management Console and navigate to Advanced Settings. Add a new value:
- Name: Engine.SuspectB64Lines
- Type: Integer
- Value: The number of lines required to consider the data to be base64 encoded. The default is 10.
- In MailMarshal 8.X and below, open the Registry Editor on the Array Manager. Within the base registry key, navigate to \Default\Engine
- In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine
- For information about the registry location for each version, see article Q10832.
- Enter the value as a new DWORD value named SuspectB64Lines (Use Decimal numbers to avoid confusion).
- Save your registry settings or configuration settings.
- Commit the configuration changes and restart the MailMarshal Engine service on each node.
If you are experiencing this problem, the recommended value for SuspectB64Lines is 100. A value of 100 will allow most legitimate email through while still being able to stop malicious binaries.
Notes:
- Important: Set SuspectB64Lines to the lowest value that resolves the issue. Using a very high value (such as 1000000 or more) will effectively disable the Unknown Attachment check and is not recommended.
- This article was previously published as:
- NETIQKB41143