IMON problem with Turnpike mail client

Discussion in 'NOD32 version 2 Forum' started by Phil_S, Nov 14, 2003.

Thread Status:
Not open for further replies.
  1. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    152
    Location:
    UK
    Hi,

    I am currently using the trial version of NOD32 on a Win XP Pro box, with a view to buying the full version. Having had my fill of unstable bloatware such as McA***, and trying several other programs including KAV, I have to say that I am really very impressed with NOD.

    I do however have one problem, related to the email scanning function of IMON. I am using the Turnpike mail client (http://www.turnpike.com). Initially, when downloading email I kept getting a Winsock Error, and the download would stop. I moved the compatibility slider in IMON to the middle setting, which solved that problem, but it is still not quite working right :(

    Every few emails fetched I get the following error in my mail log:

    POP3: unexpected: Scanned by NOD32

    and when I open my mailbox I find several emails with no title or subject, the mail body always being similar to this example:

    ------------------------------------------------------------------------------------------

    Received: from pop3.---.co.uk by ----.co.uk with POP3
    id <"1068769421.13955_0.----.----.co.uk".----@pop3.---.co.uk>
    for <----@pop3.---.co.uk> ; Fri, 14 Nov 2003 05:22:50 +0000
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    AAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAA=

    ------------------------------------------------------------------------------------------

    It looks to me as if the text appended to the emails by IMON is somehow getting mixed up with the dialogue between the POP3 server and client.

    Having done some more testing this evening, I have discovered that if I disable the appending of notifications to emails by IMON, then everything works fine. I have found a couple of references to a similar problem in this forum and elsewhere, including a comment from one of the Turnpike developers to the effect that he believed IMON was probably not allowing for the use of async socket handling by POP3 clients.

    I wondered if the problem has already been fixed in the full version of NOD, but not in the trial version? If not, is there a possibility of a fix being implemented in the licensed version, as I would really like the notification feature to work!

    Thanks,

    Phil
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Phil,

    When using Turnpike, the IMON compatibility level should be set to medium. To adjust this setting, go to IMON advanced setup and drag and move the slider to the middle position.
     
  3. Phil_S

    Phil_S Registered Member

    Hi Marcos,

    Thanks for your reply. First of all, I should say that I like NOD32 so much that I have already purchased a licence, despite this problem :)

    I already have the compatibility slider set to the halfway position. It is with this setting that I am receiving the corrupt emails as described above. In the maximum efficiency setting I cannot download email at all, because Turnpike halts with a Winsock error as described in a previous thread on this forum.

    Having done some more testing, I found that if I completely disable appending NOD32's notification to email, then the errors disappear from Turnpike's log, and (until a few minutes ago) mail appeared to download normally. Even with this setting though, some emails are getting several "Comment: Scanned by Nod32" headers inserted in each mail.

    I said it appeared to be working correctly until a few minutes ago, because I just received several emails with attachments. On the first attempt at fetching these emails, the download ground to a halt, and I had to disconnect and restart, meaning I got several of the messages delivered twice (but that's better than losing them, eh?) ;)

    Here are the first "few" lines from the headers of one of the emails I just received. It was the worst affected, but several others were similar:

    ------------------------------------------------------------------------------------------
    Received: from pop3.---.co.uk by ---.---.co.uk with POP3
    id <"1069077624.77069_0.jupiter.---.co.uk".---@pop3.---.co.uk>
    for <----@pop3.---.co.uk> ; Mon, 17 Nov 2003 15:08:46 +0000
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Comment: Scanned by NOD32
    Return-Path: <mail@-----.fsnet.co.uk>
    Received: from cmailg3.svr.pol.co.uk (cmailg3.svr.pol.co.uk [195.92.195.173])
       by jupiter.---.co.uk (8.12.8/8.12.3) with ESMTP id hAHE0I0H076869
       for <phil@----.nildram.co.uk>; Mon, 17 Nov 2003 14:00:18 GMT
    Delivered-To: <phil@----.nildram.co.uk>
    ------------------------------------------------------------------------------------------

    This is running on the middle compatibility level in IMON, set not to append notification messages to emails.

    The only way round this seems to be to set IMON's POP3 setting to a different port, but then of course I am losing the email scanning ability altogether :'(

    Phil
     
  4. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    I think that's "normal". In order to scan the e-mail, and give the user an option to perform an action with infected objects, IMON must receive the whole mail before it gets sent to the POP3-client. If a virus is detected and cured/deleted, IMON will alter the e-mail, and then send it to the e-mail client.

    If you are downloading a large e-mail, the whole mail has to be received by IMON, before anything is sent to the e-mail client (otherwise, no action can be performed on infected mails). Since that may take a while, IMON sometimes sends the "comment" to the mail client, to prevent the client from timing out.

    Any possible additional headers to the mails will most often not make any difference.

    If you never ever want the headers, disable IMON's capability of modifying infected mails... Then it will send the data to the client as soon as it is received. You will still receive the warning that IMON has detected a virus, but, since the mail has already been sent to the email client, you can't choose to perform an action on it, like deleting the attachment. AMON will still protect you from the files, even if IMON doesn't remove it from the emails.

    I hope I described it well, even though I'm quite tired. :)

    Best regards,
    Anders
     
  5. Phil_S

    Phil_S Registered Member

    Thank you Anders, you described it very well. I understand what is going on with the headers now.

    There is still the situation that if I ask IMON to add a notification to the emails, something goes wrong with the POP3 dialogue between server and client - possibly IMON is sending the comment at a point where the client is expecting a response at the POP3 protocol level:

    -----------------------------------------------------------------------------------------
    Sun, 16 Nov 2003 20:56:01 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:01 POP3[C0] -> TOP 7 0
    Sun, 16 Nov 2003 20:56:01 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:02 POP3[C0] -> RETR 7
    Sun, 16 Nov 2003 20:56:02 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:06 POP3: unexpected: nned by NOD32

    Sun, 16 Nov 2003 20:56:06 New mail from mailbox --- stored in a mailbox as <"1069014780.32406_0.jupiter.---.co.uk".---@pop3.---.co.uk>
    Sun, 16 Nov 2003 20:56:06 POP3[C0] -> DELE 7
    Sun, 16 Nov 2003 20:56:06 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:06 POP3[C0] -> TOP 8 0
    Sun, 16 Nov 2003 20:56:06 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:06 POP3[C0] -> RETR 8
    Sun, 16 Nov 2003 20:56:06 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:10 POP3: unexpected: : Scanned by NOD32

    Sun, 16 Nov 2003 20:56:10 New mail from mailbox --- stored in a mailbox as <"1069014990.40029_0.jupiter.---.co.uk".---@pop3.---.co.uk>
    Sun, 16 Nov 2003 20:56:10 POP3[C0] -> DELE 8
    Sun, 16 Nov 2003 20:56:10 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:10 POP3[C0] -> TOP 9 0
    Sun, 16 Nov 2003 20:56:10 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:10 Message from mailbox --- rejected, FROM: "Microsoft Corporation Technical Assistance" <ijbhvecp-pwwmp@technet.net>
    Sun, 16 Nov 2003 20:56:10 POP3[C0] -> DELE 9
    Sun, 16 Nov 2003 20:56:10 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:10 POP3[C0] -> TOP 10 0
    Sun, 16 Nov 2003 20:56:10 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:11 POP3[C0] -> RETR 10
    Sun, 16 Nov 2003 20:56:11 POP3[C0] <- +OK
    Sun, 16 Nov 2003 20:56:12 POP3: unexpected: Scanned by NOD32
    -----------------------------------------------------------------------------------------

    This is what appears to lead to corrupted emails arriving in my inbox.

    Would it be possible to look at this at some stage and try to fix it, since I really would like this notification ability to work as intended? I appreciate it probably will not be a high priority.

    I have been trialling quite a few different anti-virus programs over the last few weeks before settling on NOD. AVG has an email scanner and notification plugin that works flawlessly with Turnpike - it is other areas that let the program down. Possibly the plugin works because it seems to act as a POP3 client/server in its own right and is able to accept incoming mail from the original server on one port and pass it on to the email client on another - both user configurable.

    I hope my reply makes sense. I am also very tired, having just got home from a night shift :(

    Thanks again,

    Phil
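
Added example, not part of Phil's post and not IMON or Turnpike code: a strict client-side POP3 framing check (RFC 1939 rules) illustrating the hypothesis above, where a keep-alive header is harmless inside a RETR data block but is "unexpected" when it arrives while the client awaits a status line or has nothing outstanding. The `audit` function and both transcripts are constructed for illustration; the thread does not establish the actual cause.

```python
# Added illustration (constructed). After a command the next server line must
# be a status line; only then may multi-line data follow, ended by a lone ".".
MULTILINE = {"RETR", "TOP"}  # commands seen in the log whose +OK opens a data block
KEEPALIVE = "Comment: Scanned by NOD32"

def audit(events):
    """events: ("C", line) / ("S", line) tuples in wire order, CRLF stripped.
    Returns (labels, messages): one label per server line, plus the
    reassembled multi-line payloads as the client would store them."""
    state, pending = "idle", None
    labels, messages, current = [], [], []
    for side, line in events:
        if side == "C":
            pending, state = line.split()[0].upper(), "await_status"
            continue
        if state == "await_status":
            if line.startswith("+OK"):
                labels.append("status")
                state = "data" if pending in MULTILINE else "idle"
            elif line.startswith("-ERR"):
                labels.append("status")
                state = "idle"
            else:
                labels.append("unexpected")  # header sent before the status line
        elif state == "data":
            if line == ".":
                labels.append("end")
                messages.append(current)
                current, state = [], "idle"
            else:
                labels.append("data")
                # undo byte-stuffing: a leading "." was prepended by the server
                current.append(line[1:] if line.startswith(".") else line)
        else:
            labels.append("unexpected")      # no command outstanding
    return labels, messages

# Constructed transcript 1: keep-alive lines arrive inside the RETR data block.
INSIDE = [("C", "RETR 7"), ("S", "+OK"), ("S", KEEPALIVE), ("S", KEEPALIVE),
          ("S", "Subject: test"), ("S", ""), ("S", "body"), ("S", ".")]

# Constructed transcript 2: one keep-alive line precedes the status line and
# another follows the terminator.
OUTSIDE = [("C", "RETR 7"), ("S", KEEPALIVE), ("S", "+OK"),
           ("S", "Subject: test"), ("S", ""), ("S", "body"), ("S", "."),
           ("S", KEEPALIVE)]

if __name__ == "__main__":
    for name, transcript in (("inside", INSIDE), ("outside", OUTSIDE)):
        print(name, audit(transcript)[0])
```

In the first transcript the keep-alive lines simply become extra headers on the stored message; in the second they fall outside any open response and a strict client has nowhere to put them.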
     
  6. anders

    anders Eset Staff Account

    I'll make sure the developers look at this thread, then they can test IMON with Turnpike.

    Best regards,
    Anders
     
  7. Phil_S

    Phil_S Registered Member

    OK. Thanks Anders, that is very much appreciated.

    Best wishes,

    Phil
     
  8. Jackie R

    Jackie R Guest

     
  9. Phil_S

    Phil_S Registered Member

    Hi Jackie,

    Set the slider to Maximum Compatibility level in advanced settings (the leftmost position). It will state that it's not possible to intervene in incoming emails. Depending on the IMON scanner settings, you may get an alert window requiring you to perform an action on receipt of an infected email, which may not be suitable if you automate fetching of email by Turnpike in your absence.

    In the event that you want to avoid email going through the IMON scanner altogether you can enter a totally spurious POP3 port setting such as 5001, or possibly leave the port setting blank. I can confirm the first option works, but I haven't tried the latter.

    Phil
     
  10. billneary

    billneary Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    2
    Glad to see this thread. Since buying NOD32 I'd lost all my ability to upload any email from my Turnpike server; disabling the email scanner in IMON has allowed me to receive my inaccessible mail, but I'm a bit reluctant to leave it like this as I assume it has a purpose.
    I've adjusted my slider to medium compatibility and wait to see if I get the same responses as the others in this thread when I restart email scanning. If so, have there been any developments in the year since this was discussed, or is IMON still in conflict with Turnpike?
     
  11. Phil_S

    Phil_S Registered Member

    Hi Billneary,

    I have IMON set to middle compatibility level, modifying subject of infected email selected, and NOD messages appended to infected emails only. IMON Scanner settings are set to clean only as first option, with delete and quarantine selected for uncleanable infiltrations.

    Turnpike and NOD seem to get along quite happily like this, and I haven't had any problems at all since using these settings within IMON.

    Phil
     
  12. Marcos

    Marcos Eset Staff Account

    It's a problem of Turnpike itself which, as a result, requires IMON to be set to middle compatibility level.
     
  13. billneary

    billneary Registered Member

    It's only been five days, but placing IMON on medium compatibility has worked perfectly for me with no corruption or excess footnotes to any of my emails from Turnpike :)
     