This article applies to:

• MailMarshal (SEG)
• MailMarshal ECM/MailMarshal Exchange 7.X

Symptoms:

• Plaintext emails are being blocked by the 'Unknown Attachment' rule.

Causes:

Certain sequential numeric sequences within the body of the message are being interpreted as base64 by the MMEngine service during message processing. An example of such a sequence would be:

14325931
14325932
14325933
14325934
14325935
14325936

Reply:

You can increase the number of lines MailMarshal must find to trigger the rule. This can be accomplished by following the steps below:

• In MailMarshal 10.0 and above, open the Management Console and navigate to Advanced Settings. Add a new value:
  • Name: Engine.SuspectB64Lines
  • Type: Integer
  • Value: The number of lines required to consider the data to be base64 encoded. The default is 10.
• In MailMarshal 8.X and below, open the Registry Editor on the Array Manager. Within the base registry key, navigate to \Default\Engine
  • In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine
  • For information about the registry location for each version, see article Q10832.
  • Enter the value as a new DWORD value named SuspectB64Lines (Use Decimal numbers to avoid confusion).
• Save your registry settings or configuration settings.
• Commit the configuration changes and restart the MailMarshal Engine service on each node.

If you are experiencing this problem, the recommended value for SuspectB64Lines is 100. A value of 100 will allow most legitimate email through while still being able to stop malicious binaries.

Notes:

• Important: Set SuspectB64Lines to the lowest value that resolves the issue. Using a very high value (such as 1000000 or more) will effectively disable the Unknown Attachment check and is not recommended.

This article was previously published as:

NETIQKB41143