Hello.
I am the administrator of a corporate mail system which, besides our own mail, also stores some of our clients' mail. One disgusting day, some users began to complain to me that the attachments sent to them were arriving broken.
System
The system uses Postfix as the MTA (SMTP server) and Cyrus IMAPd as the MDA. Postfix hands mail to Cyrus over LMTP; users interact with Cyrus via IMAP and POP3. Cyrus stores mail in the file system, one message per file, with each IMAP folder corresponding to a directory; localized IMAP folder names are encoded using a special scheme based on UTF-7. Alongside the messages it keeps a database of access rights (ACLs) for the IMAP folders, a table of message hashes for suppressing duplicate delivery, indexes for fast mail search, and Sieve scripts. (All this makes it possible to retrieve the contents of messages without using the IMAP or POP3 protocols, for example over scp.)
For users, mail is configured via IMAP, i.e. sent messages, like all others, are stored on the server.
Client
The first thing I discovered was that when users sent each other a message with an attachment, forwarded as an attachment, it arrived in broken form. It was the inner attachment that was corrupted.
At the same time, what arrived (via SMTP + LMTP) at the recipient of the forward and what went (via IMAP) into the "Sent" folder of the forwarding user were corrupted in exactly the same way, and differed only in the Received headers at the beginning of the message. The copy in "Sent" had no such headers; the copy that reached me had the headers added by Postfix and Cyrus on receipt. These headers (the Received path of the message, the X-Spam-Status spam check result and the X-Virus-Scanned virus scan result) are a normal part of the mail system's operation.
Therefore I concluded that the message was spoiled once, by the mail client, before it was sent via SMTP and placed in the IMAP folder. In all cases the client was Thunderbird, though in different versions.
Or the server?
The second thing I discovered was that even in the same users' incoming mail, some attachments were displayed as broken (when received via IMAP), although on disk in the Cyrus store they were intact. Pulling the mail out without using IMAP and decoding the base64 yielded normal, unbroken attachments.
Thus some mail was being spoiled even before it reached the mail client, while being received via the IMAP protocol.
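The check used above, reading the message straight from the Cyrus spool and comparing it with the copy the client ended up with while ignoring the trace headers the server legitimately adds, as an added Python example that is not from the original post. The sample messages, addresses and the scanner name are constructed; the corruption is simulated by rewriting a few base64 characters of the attachment.

```python
import base64
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Server-added trace headers: the only legitimate difference between the
# "Sent" copy and the delivered copy, so they are ignored when comparing.
TRACE_HEADERS = {"received", "x-spam-status", "x-virus-scanned"}


def part_digests(raw: bytes) -> dict:
    """SHA-256 of every decoded MIME leaf part, keyed by (index, type, filename).
    Hashing the decoded payload makes base64 re-wrapping harmless, while any
    altered byte inside an attachment shows up as a mismatch."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    digests = {}
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        digests[(idx, part.get_content_type(), part.get_filename())] = \
            hashlib.sha256(payload).hexdigest()
    return digests


def non_trace_headers(raw: bytes) -> set:
    """Header set with the expected server trace headers filtered out."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {(k.lower(), str(v)) for k, v in msg.items() if k.lower() not in TRACE_HEADERS}


def compare_copies(raw_disk: bytes, raw_client: bytes) -> dict:
    """Which parts differ between the spool copy (e.g. fetched via scp)
    and the copy that reached the client, plus any unexpected header changes."""
    disk, client = part_digests(raw_disk), part_digests(raw_client)
    return {"mismatched_parts": [k for k in disk if client.get(k) != disk[k]],
            "header_diff": non_trace_headers(raw_disk) ^ non_trace_headers(raw_client)}


def _build_sample(attachment: bytes) -> bytes:
    # Constructed sample message, not a real capture.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.test", "bob@example.test", "report"
    m.set_content("see attached")
    m.add_attachment(attachment, maintype="application", subtype="octet-stream", filename="report.bin")
    return m.as_bytes()


ATTACHMENT = b"%PDF-1.4 report body 0123456789"   # 31 bytes: fits on one base64 line
ON_DISK = _build_sample(ATTACHMENT)                 # copy read straight from the spool
_enc = base64.b64encode(ATTACHMENT)
# Simulated damage on the client side: four base64 characters rewritten in transit,
# preceded by the trace headers Postfix and Cyrus legitimately prepend.
VIA_CLIENT = (b"Received: from mx.example.test by cyrus.example.test with LMTP\n"
              b"X-Spam-Status: No\nX-Virus-Scanned: placeholder-scanner\n"
              + ON_DISK.replace(_enc, _enc[:20] + b"AAAA" + _enc[24:]))

if __name__ == "__main__":
    print(compare_copies(ON_DISK, VIA_CLIENT))
```

Run against a real pair of files, read the spool copy with open(path, "rb").read() and the client copy as saved by the mail client ("Save as .eml"); an empty header_diff together with a non-empty mismatched_parts points at the transport or the client rather than the server.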
Solution
At the same time, there were no such problems on Linux. The problem showed up only for Thunderbird users on Windows.
We noticed that for one user this started almost immediately after installing DrWeb. The very first check, disabling DrWeb, confirmed the hunch: Thunderbird began receiving and forwarding mail without any distortion. The problem also disappeared if Thunderbird was added to DrWeb's exceptions (it keeps a list of applications it does not touch).
A closer look showed that disabling DrWeb's heuristic analysis module also made the problem disappear.
DrWeb
Everything written above concerns DrWeb Security Space version 5. Checked on the most accessible build, the 30-day trial version just downloaded from their website:
SpIDer Agent for Windows: spideragent.exe (5.0.1.06018)
SpIDer Agent settings module for Windows: spideragent_set.exe (5.0.1.06018)
SpIDer Guard Service: spidernt.exe (5.00.1.04160)
SpIDer Guard UI Agent: spiderui.exe (5.00.1.04160)
SpIDer Guard Control Panel Applet: spidercpl.exe (5.00.1.04160)
SpIDer Guard File System Monitor: spider.sys (5.00.1.04160)
SpIDer Gate for Windows: spidergate.exe (5.0.2.07030)
SpIDer Gate for Windows settings module: spidergate_set.exe (5.0.2.07030)
SpIDer Mail for Windows Workstation: spiderml.exe (5.0.1.06300)
SpIDer Mail for Windows Workstation settings module: spml_set.exe (5.0.1.06300)
Dr.Web Winsock Provider Hook: drwebsp.dll (5.0.1.06040)
Dr.Web R Scanner for Windows: drweb32w.exe (5, 00, 4, 6300)
Dwz: drwadins.exe (4.44)
VadeRetro Antispam & AV Filter: vrcpp.dll (01.284.57)
Dr.Web Update for Windows: drwebupw.exe (5.00.4.06300)
Dr.Web Shell Extension: drwsxtn.dll (5, 00, 0, 11280)
Dr.Web Helper: drwreg.exe (5.00.3.04060)
DrWeb Protection Library for Windows: dwprot.dll (5.0.6.04070 built by: WinDDK)
DrWeb Protection for Windows: dwprot.sys (5.0.6.04070 built by: WinDDK)
Dr.Web Scanning Engine: dwengine.exe (5.0.2.01210 (Build 2133))
Dr.Web Virus-Finding Engine: drweb32.dll (5, 00, 0, 12182)
Naturally, the same bug report was also sent to DrWeb.