552 MS-Office file containing VBA macros found inside of the email msg


This article applies to:

  • Trustwave MailMarshal (SEG)

Symptoms

  • Remote sender attempting to send email in to MailMarshal site
  • Remote server receives 500 series SMTP response
  • Example: 552 MS-Office file containing VBA macros found inside of the email msg
  • Email sender receives error report including this code
  • MailMarshal receiver logs do not show any matching connection attempt

Causes

  • A firewall with IPS/IDS (intrusion prevention system/intrusion detection system) is enabled at the network boundary. The remote email server did not connect to MailMarshal.

Resolution:

To allow messages through to MailMarshal, disable the IPS/IDS email content inspection features of the firewall.

Notes:

  • The listed error message is only an example. Other messages could be received for the same reason.
  • The specific example listed was generated by a SonicWall firewall with gateway antivirus and the rule "Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)"
  • Trustwave recommends that the MailMarshal server be the first device receiving/filtering email at the network boundary. MailMarshal anti-spam and email filtering performance can be reduced if other devices are present.
  • MailMarshal Receiver does not perform content inspection of email. MailMarshal content inspection is performed by the Engine.

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle11683.aspx