
MID xxxxxxx cannot be scanned by CASE. The message is either malformed or CASE is unable to process it at the moment.

Jussi Torhonen
Level 1

Getting lots of critical errors since 14 Dec 2017 from several of our Ironport ESAV appliances:

Critical: MID xxxxxxx cannot be scanned by CASE. The message is either malformed or CASE is unable to process it at the moment.

ESAV appliances are C300V and C600V. All are running the latest release v11.0.1-027. I have tried forcing a CASE update (antispamupdate ironport force) but it did not help.

How can I get rid of this problem?


Regards,

Jussi

5 Replies

Libin Varghese
Cisco Employee

Hi,

I see quite a few instances of these errors were reported over the weekend and we are working on a fix on our end.

Regards,

Libin Varghese

It looks like 99% of all alerts are related to messages coming from the lightinthebox.com or miniinthebox.com webshops. I have a CLI message filter logging From: and Reply-To: headers. It looks like all the problematic message events have weird MIME encoding problems in the headers. I can see headers there like

From: Lightinthebox.com <system@email.lightinthebox.com>

From: "Miniinthebox.com"<Noreply-service@e.miniinthebox.com>

From: "Lightinthebox.com"<Noreply-service@lightinthebox.chtah.com>

Reply-To: "LightInTheBox.com"<support-xxxxxxxxxxxxxxxxxxx@lightinthebox.chtah.com>

So, perhaps you have tuned some CASE filtering workarounds against cisco-sa-20171129-esa / CSCvf44666, and they are causing some negative effects? I hope this helps you fix the problematic CASE rules soon.

Jussi

TALOS has incorporated updates to the CASE URL Database in an attempt to alleviate the issues we have been encountering with messages from *inthebox.com.

This was done around 2:30am Pacific Time.

Are you seeing any improvements?

Regards,

Libin Varghese

Hello Libin

Currently, the last event that we have seen happened on 18 Dec at 09:37 UTC. It really looks like you got it fixed. Thanks!

Jussi

Good to hear that. We are seeing no more reports of these alerts.

There should be an updated anti-spam engine coming out soon too with further improvements.

Regards,

Libin Varghese