[Mimedefang] Sudden problem noted with File::Scan 1.43 and PDF attachments

Cormack, Ken Ken.Cormack at roadway.com
Wed Oct 19 13:56:09 EDT 2005

After a lot of head-scratching, I finally needed to disable File::Scan last
night, on my MIMEDefang servers.

Beginning two days ago, with no changes to either the gateway machines, or
the systems that were generating the outbound emails bearing PDF
attachments, our MIMEDefang servers began apparently corrupting PDF
attachments.  The problem was narrowed down through process of elimination
to the following conclusions:

	1. Not all attachments were affected... Only PDFs.

	2. Not all PDFs were affected... Only those using mime-type
"application/pdf", such as were being generated programmatically by two of
our servers.

PDFs attached, for example, using Outlook mail clients, were unaffected
(apparently, Outlook encodes them as mime-type "application/octet-stream".)

I see that CPAN has had version 1.43 of File::Scan up there since May of
this year, and the date/time-stamps of my installed 1.43 jive with that
release date.

The machines that generate the emails bearing the PDF attachments are a pair
of AIX boxes using an older version of PDFlib from www.pdflib.com, that we
have been running since 1999, and to which no other programming changes have
occurred for over a year.  I happened to have been on vacation all of last
week, so know first-hand that no changes have been recently made to the
MIMEDefang gateways, and this problem did not occur at any time prior to my
vacation.  So I'm stumped as to why all of a sudden an otherwise
problem-free process would suddenly start causing this kind of issue.

I'm also VERY puzzled as to how/why an attachment could possibly be
"corrupted" by File::Scan.  Note that I am NOT saying it was falsely
flagging the PDFs as "infected" in any way.  Instead, it seems that it has
actually MODIFIED these attachments in some way.  My understanding of
MIMEDefang was such that the actual working email is copied, as needed to
subdirs of the /var/spool/MIMEDefang directory, and then those COPIES were
scanned, leaving the original attachments unchanged.  Is this not correct?
Is MIMEDefang and/or File::Scan actually rebuilding the attachments, and
putting those rebuilt attachments back into the email in place of the
original attachments?

My systems run sendmail 8.13.5 and MIMEDefang 2.53.  I disabled File::Scan
1.43 and everything works fine (leaving CLAM, etc., still running.)
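
An added example, not part of the original post: one way to confirm whether a gateway really modifies attachment content is to hash the decoded bytes of each MIME part in the raw message captured before and after the gateway, keyed by filename and content type. The function names, addresses, filenames and the stand-in PDF bytes are constructed for illustration, and the simulated line-ending rewrite is an assumption, not a claim about what File::Scan does.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def attachment_digests(raw: bytes) -> dict:
    """Map (filename, content-type) to the SHA-256 of each decoded attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    digests = {}
    for part in msg.iter_attachments():
        # decode=True undoes base64/quoted-printable, so a gateway that only
        # re-wraps the transfer encoding is not reported as a modification.
        body = part.get_payload(decode=True) or b""
        key = (part.get_filename() or "", part.get_content_type())
        digests[key] = hashlib.sha256(body).hexdigest()
    return digests


def changed_attachments(before: bytes, after: bytes) -> list:
    """Attachments whose decoded bytes differ, or that are missing, afterwards."""
    pre, post = attachment_digests(before), attachment_digests(after)
    return sorted(key for key, digest in pre.items() if post.get(key) != digest)


def build_sample(typed_pdf: bytes, generic_pdf: bytes) -> bytes:
    """Constructed test message: one PDF per MIME type mentioned in the post."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(typed_pdf, maintype="application", subtype="pdf",
                       filename="generated.pdf")
    msg.add_attachment(generic_pdf, maintype="application",
                       subtype="octet-stream", filename="client.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    pdf = b"%PDF-1.3\n1 0 obj\n<< >>\nendobj\n%%EOF\n"  # constructed stand-in
    before = build_sample(pdf, pdf)
    # Simulate a binary-unsafe rewrite of the application/pdf part only.
    after = build_sample(pdf.replace(b"\n", b"\r\n"), pdf)
    for name, ctype in changed_attachments(before, after):
        print(f"modified in transit: {name} ({ctype})")
```

Because the comparison is on decoded bytes, a part that is reported here was changed in content, not merely re-encoded for transport.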
