NOD32d (Mailserver) crash on mail body with "error occurred while reading archive"

Discussion in 'NOD32 version 2 Forum' started by Holger Isenberg, Jun 12, 2006.

Thread Status:
Not open for further replies.
  1. Holger Isenberg (Registered Member; joined May 9, 2006; 10 posts)

    When forwarding some harmless ASCII text-only message inside a MIME-type "text/rfc822-headers", nod32d in MTA mode crashes with "error occurred while reading archive" and rejects the message.

    That means, without any external self-built workaround in our MTA configuration which captures that error, harmless messages do not reach recipients in our company.

    You can easily verify this by using the attached file as the body of any message.

    From nod32d.log:
    Created session 3369835142
    3369835142: Received command HELO
    3369835142: Configuration ID `mda' requested
    3369835142: Configuration ID `mda' found
    3369835142: Accepted command HELO
    3369835142: Received command SCEM
    3369835142: Object scanned with status 5
    3369835142: vdb=7396, agent=mda, msgid=<20060612152224.7548.qmail@somewhere>, object="email message", name="mail", virus="is OK", action="", info="", lines=3
    3369835142: vdb=7396, agent=mda, msgid=<20060612152224.7548.qmail@somewhere>, object="file", name="mail -> MIME -> part000.txt", virus="is OK", action="", info=""
    3369835142: vdb=7396, agent=mda, msgid=<20060612152224.7548.qmail@somewhere>, object="email message", name="mail -> MIME", virus="is OK", action="", info=""
    3369835142: vdb=7396, agent=mda, msgid=<20060612152224.7548.qmail@somewhere>, object="", name="mail -> MIME -> ", virus="", action="", info="error occurred while reading archive"
    3369835142: Accepted command SCEM
    3369835142: Received command QUIT
    3369835142: Accepted command QUIT
    Finished session 3369835142


    Addition:
    action_on_notscanned = "reject" is set in /etc/nod32/nod32.cfg and it's not an option for us to set it to "defer" or "accept", as that would neutralize the concept of an MTA virus scanner. The attached message is a real-life example and we had at least a dozen normal harmless messages with that problem during the last 2 weeks since nod32d was installed.

    Last edited: Jun 12, 2006
  2. Marcos (Eset Staff Account; joined Nov 22, 2002; 14,374 posts)

    The code does not meet any standards for email and as such was correctly evaluated as corrupted.
     
  3. Holger Isenberg (Registered Member; joined May 9, 2006; 10 posts)

    Even if you just copy the ASCII text into your favorite MUA and send it as a normal text message, it does not get past nod32d. Note that in this case the MIME boundaries do not have to be interpreted by any MTA, as no MIME header is set inside the message header.

    I reduced the problem to the following line:
    Content-Type: multipart/; boundary="-"

    A message body of that line causes the same error and that is a bug. The complete message with header and body:

    From - Tue Jun 13 09:45:16 2006
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00800000
    Message-ID: <448E6D0B.6040708@mydomain.com>
    Date: Tue, 13 Jun 2006 09:45:15 +0200
    From: Holger Isenberg <holger@mydomain.com>
    User-Agent: Mozilla Thunderbird 1.0.2 (X11/20060423)
    X-Accept-Language: de-DE, de, en-us, en
    MIME-Version: 1.0
    To: "Isenberg, Holger" <isenberg@myotherdomain.de>
    X-Enigmail-Version: 0.91.0.0
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 7bit

    Content-Type: multipart/; boundary="-"
     
    Last edited: Jun 13, 2006
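
Added example (not part of the thread and not ESET code): how Python's standard email parser sees the reduced message above and a text/rfc822-headers forward like the one in the first post. In both cases the Content-Type line is part content, not a part header. The two sample messages, the HEADER_LIKE pattern and the function name are constructed for this illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: the reduced message from the post, headers trimmed.
REDUCED = (
    "From: Holger Isenberg <holger@mydomain.com>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=ISO-8859-1\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    'Content-Type: multipart/; boundary="-"\n'
)

# Constructed sample: a forward that carries a text/rfc822-headers part.
FORWARDED = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nsee below\n"
    "--b1\nContent-Type: text/rfc822-headers\n\n"
    "Subject: original\n"
    'Content-Type: multipart/mixed; boundary="x"\n'
    "--b1--\n"
)

# Lines that look like MIME headers but sit inside a text part's content.
HEADER_LIKE = re.compile(r"^(content-[a-z-]+|mime-version)\s*:", re.I)

def header_like_text(raw):
    """Return (structure, hits) as the parser sees the message.

    structure: content type of every part, in walk order.
    hits: (content_type, line) for text lines that resemble MIME headers.
    """
    msg = message_from_string(raw, policy=default)
    structure, hits = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        structure.append(ctype)
        if part.get_content_maintype() != "text":
            continue  # containers and non-text parts are not line-checked
        for line in part.get_content().splitlines():
            if HEADER_LIKE.match(line):
                hits.append((ctype, line))
    return structure, hits

if __name__ == "__main__":
    for name, raw in (("reduced", REDUCED), ("forwarded", FORWARDED)):
        print(name, *header_like_text(raw))
```

A non-empty hits list on a message the scanner marked as not scanned points to text content that resembles MIME headers rather than to a malformed container.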