stemly 0 Posted May 8, 2014 Share Posted May 8, 2014 Implementation of Email protection IMAP protocol command FETCH number BODY[TEXT] is wrong in ESET Enpoint Antivirus version 5.0.2228.1. For some reason Antivirus protection rewrite request to FETCH number (UID BODY[HEADER] BODY[TEXT]). Unfortunately it does not rewrite response to just BODY[TEXT] part it could cause trouble for some clients. We identify it when testing Java Mail library version 1.4.5+. Java mail does not expect that response contains more then just text part of body. Link to comment Share on other sites More sharing options...
ESET Staff MMx 28 Posted May 12, 2014 ESET Staff Share Posted May 12, 2014 Can you be more specific please? What kind of trouble are we talking about? Do you have a sample code that causes this behavior? What is your planned usage for the library? Thanks. Link to comment Share on other sites More sharing options...
stemly 0 Posted May 12, 2014 Author Share Posted May 12, 2014 (edited) Here is sample what you get when you call FETCH number BODY[TEXT] ? FETCH 2 BODY[text] * 2 FETCH (BODY[text] {238} --089e0115f0a2e0591904f93927a8 Content-Type: text/plain; charset=UTF-8 sample body -- FLAGS (\Seen)) ? OK FETCH completed and here is what you get when Email client protection is enabled ? FETCH 2 BODY[TEXT] * 2 FETCH (UID 47 BODY[HEADER] {2701} Received: from fernet.xx.sk ([172.19.2.100]) by mark.xx.sk (Lotus Domino Release 8.5.3FP3) with ESMTP id 2014051221432296-70770 ; Mon, 12 May 2014 21:43:22 +0200 Date: Mon, 12 May 2014 21:43:04 +0200 Message-ID: <CAFAYK4GK1xb0ucfnWt6JJEWvuP-YmkhFQP=VS+Qa=K__wFWeQQ@mail.www.com> Subject: test From: Stefan *** <stefan.***@www.com> To: "Test" <test@xx.sk> Content-Type: multipart/alternative; boundary=089e0115f0a2e0591904f93927a8 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=www.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=e8X/iuYRN/E8j7XazY5VETM56uX3v3uCX0W+7+r4zSQ=; b=uLkZRVRQxSBYqDFVa05QnVwkVxm7DKxngseDVTwHlb6jDJGo4Xy+5xnPHc/pfRGP2O zK6RCCK7PzeIUDKozRT7nTTHV31VuVYCj78dZ9I2Jf+J1IBB25vgTvP4XYRSleRSiJzv JDh/whdLiyeaewrCB345A85ujashq+SctgfgKaAEY9xBd78w+WNEZMXykTODS3bW8rgZ X33Vfjo6xMrcKneg6ecxrroXjDNtW0iq3Zq+Gc9P1dtKiDB9X7APyC1T2kL5R8+ywA6b z8jbs8AGtrr3tTFMKAiZjx5Gf58zGO4/gRMO1GRA1gzOz9KMctK+mc3YLdYQkxFwv5A/ ySsA== MIME-Version: 1.0 X-Received: by 10.58.123.71 with SMTP id ly7mr24644964veb.11.1399923784307; Mon, 12 May 2014 12:43:04 -0700 (PDT) X-Virus-Scanned: Maia Mailguard 1.0.2a X-Spam-Status: No, hits=-1.72 tagged_above=-999 required=5 tests=AWL=-0.340, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SPF_PASS=-0.001, TVD_SPACE_RATIO=2.219 X-Spam-Level: X-MIMETrack: Itemize by SMTP Server on Mark/xxx Bratislava(Release 8.5.3FP3|November 15, 2012) at 12. 05. 2014 21:43:22 X-TNEFEvaluated: 1 ENVELOPE ("Mon, 12 May 2014 21:43:04 +0200" "test" (("Stefan ****" NIL "stefan.***" "www .com")) (("Stefan ***" NIL "stefan.***" "www.com")) (("Stefan ***" NIL "stefan.***" "www.com")) (("Test" NIL "test" "www.sk")) NIL NIL NIL "<CAFAYK4GK1xb0ucfnWt6JJE WvuP-YmkhFQP=VS+Qa=K__wFWeQQ@mail.www.com>") BODY[TEXT] {238} --089e0115f0a2e0591904f93927a8 Content-Type: text/plain; charset=UTF-8 sample body --089e0115f0a2e0591904f93927a8 ) ? OK FETCH completed So problem is that Java library asked by IMAP command ? FETCH 2 BODY[TEXT] and is expecting just text part of Mail body, but Email client protection rewrite request to ? FETCH 2 (UID BODY[HEADER] BODY[TEXT]) and response contains more data than Java mail library is expecting Edited May 12, 2014 by stemly Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,168 Posted May 13, 2014 ESET Moderators Share Posted May 13, 2014 Hello Stemly, we have opened a ticket with our Dev team so they will check it. It can take a while, but we will get back to you for sure. Link to comment Share on other sites More sharing options...
ESET Staff MMx 28 Posted May 15, 2014 ESET Staff Share Posted May 15, 2014 (edited) What you're describing here looks more like a problem in the mentioned Java library, since it understands only a subset of allowed IMAP constructs instead of parsing everything the server is allowed to send. In particular the RFC never mentions that the server SHOULD, SHALL or MUST send only the requested items. Somewhat to the contrary it allows the server to send FETCH responses by unilateral decision (see hxxp://tools.ietf.org/html/rfc3501#section-7.4.2). The reason I'm asking for sample code and intended usage is that I can change the protoscan behavior so that it can be used with the Java library. From the communication you sent it is e.g. not clear why the client is requesting only message body and no headers. Are the headers cached client-side? In such case the clients are usually robust enough to handle such counter-intuitive responses. Or was it sent during previous communication? Protoscan attempts to cache such transmissions, and asks for headers only if they're not cached. Edited May 15, 2014 by MMx Link to comment Share on other sites More sharing options...
stemly 0 Posted May 23, 2014 Author Share Posted May 23, 2014 I attached sample code that I use for testing. It's maven project. It prints message with number 1 from Inbox MailTest2.zip Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,168 Posted February 4, 2015 ESET Moderators Share Posted February 4, 2015 Hello Stemly, this issue is fixed in Internet protection module 1063 +. Can you please confirm it? Thank you. Link to comment Share on other sites More sharing options...
Recommended Posts