Disappearing E-mail Text

Problem: Random e-mails (most notably distribution group e-mails) are delivered to users with stripped bodies, i.e. no text inside the e-mail.

I was not sure where to start with this, so I began my search in the obvious places… Microsoft Message Tracking and the spam filter. Well… for one, the company was not using a smart-host and this was happening on internal e-mails, so I could rule out the spam filter. I attempted to troubleshoot using message tracker, but of course it would only tell me the e-mail was delivered.

I patched and configured the server until I was blue in the face to make sure all the bugs were removed. The server was configured identically to most 2003 servers I’ve come across. The server had Eset anti-virus (non-Exchange version) which we upgraded… uninstalled… replaced… nothing resolved the issue.

Finally, I did some research on CommVault and NetVault (both running on the server, unsure of job status because at the time I did not have access to the backup software as I was an outside consultant only given specific access). On a whim I disabled both and had them do several tests… all of which worked successfully.

Internally they made the decision to discontinue the use of one of the backup solutions on the Exchange server.

Resolution: Don’t use two log-based backup solutions on an Exchange server. I imagine both solutions had some sort of continuous backup technology where they were constantly monitoring and backing up logs, causing the e-mail text to be misplaced.

Is your e-mail broken? Blame Cisco.

Just a few things you may eventually come across:

Getting an NDR stating #500 Firewall Error# is usually the fault of Cisco IOS. Chances are you have the ip inspect command set for smtp/esmtp. Removing this resolves the error (which may be inconsistent and difficult to replicate on demand).

Fixing Fake AntiVirus spyware infections is very easy in a domain environment through the use of PSLIST/PSKILL from the PSTOOLS package that Microsoft has available through Sysinternals. It appears that most fake antivirus programs associate themselves with the “exefile” class and redirect .exe to a “scefile” class where it loads its own executable as a wrapper. If by chance you can still run regedit (some block it… others don’t) you can remove the wrapper from the key in regedit and then set permissions on the key to read-only for everyone. This will allow you to download and install MalwareBytes and/or ComboFix. Other times regedit is blocked and you will have to locate the file itself (almost always in the user’s temp files) and set permissions to deny full control to everyone and end the task. If you are looking for AntiVirus software that works well in preventing this type of spyware infection, either Symantec Endpoint (11.0.5 is latest release) or Microsoft Forefront Client Security seems to work very well.
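
A read-only check for the .exe association redirect described above, as an added example that is not part of the original post. It assumes the stock Windows values (`.exe` maps to `exefile`, and the `exefile` open command is `"%1" %*`); the function names are made up for this example.

```powershell
# Added example: audit the .exe file association in the machine and per-user hives.
# Assumed clean defaults:
#   <hive>\Software\Classes\.exe                        (Default) = exefile
#   <hive>\Software\Classes\exefile\shell\open\command  (Default) = "%1" %*
$expectedClass   = 'exefile'
$expectedCommand = '"%1" %*'

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # '(default)' is how the registry provider names a key's unnamed value
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-Value([string]$Key, [string]$Expected, [bool]$Required) {
    $value = Get-DefaultValue $Key
    if ($null -eq $value) {
        # A missing per-user override is normal; a missing machine-wide key is not
        $status = if ($Required) { 'MISSING' } else { 'not set (normal)' }
    } elseif ($value -eq $Expected) {
        $status = 'OK'
    } else {
        $status = 'SUSPICIOUS'
    }
    New-Object PSObject -Property @{ Status = $status; Key = $Key; Value = $value }
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    $classes  = "$hive\Software\Classes"
    $required = ($hive -eq 'HKLM:')   # HKCU normally carries no override at all

    Test-Value "$classes\.exe" $expectedClass $required
    Test-Value "$classes\exefile\shell\open\command" $expectedCommand $required

    # If .exe points at some other class, report that class's open command:
    # its value names the wrapper executable that has to be located and removed.
    $class = Get-DefaultValue "$classes\.exe"
    if ($class -and $class -ne $expectedClass) {
        Test-Value "$classes\$class\shell\open\command" $expectedCommand $true
    }
}

$report | Format-Table Status, Key, Value -AutoSize -Wrap

# Non-zero exit code lets a login script or remote job flag the machine
if ($report | Where-Object { $_.Status -eq 'SUSPICIOUS' }) { exit 1 }
```

Run it in the affected user's session so that HKCU refers to that user's hive; a SUSPICIOUS row under HKCU is the per-user override, and its Value column shows the wrapper's path.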