The DMARC failure report includes original virus, worm, and other malicious attachments.

Article ID: 266783

Products

Messaging Gateway

Issue/Introduction

When DMARC sender authentication is enabled in Spam > Sender Authentication and failure reports are enabled, the DMARC failure report generated by Messaging Gateway contains the unmodified message as an attachment. If the original message that failed DMARC sender authentication contained malicious content, the copy attached to the DMARC notification will also include the malicious or viral content.

Environment

  • Messaging Gateway 10.8.0 or earlier
  • DMARC sender authentication enabled

Cause

Messaging Gateway generates the DMARC failure report before scanning the message for malware, so actions taken for DMARC failures operate on the original, unscanned, and unmodified message.

This behavior aligns with the DMARC specification, which indicates that notifications SHOULD contain the original message.

Resolution

This issue has been addressed in SMG 10.8.1 and later releases.

With SMG 10.8.1 or later, DMARC notifications will contain the headers of the original message but not body content.
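
A triage check for the two report shapes described above, added here as an example and not Messaging Gateway's own code: it parses a failure report and says whether the original message is embedded in full, attachments included, or as headers only. It assumes the gateway emits the standard abuse-report layout (`multipart/report; report-type=feedback-report` carrying either `message/rfc822` or `text/rfc822-headers`); the function name, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

def classify_failure_report(raw: bytes) -> dict:
    """Say whether an ARF failure report embeds the whole original message."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"is_arf": False, "original": "absent", "attachments": []}
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() != "multipart/report" or report_type != "feedback-report":
        return result
    result["is_arf"] = True
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":   # headers only (assumed 10.8.1+ shape)
            result["original"] = "headers-only"
        elif ctype == "message/rfc822":      # full copy of the failed message
            result["original"] = "full-message"
            inner = part.get_payload(0)      # the embedded original message
            result["attachments"] = [p.get_filename() for p in inner.walk() if p.get_filename()]
    return result

# Constructed samples (not from a real gateway); the human-readable first part is omitted.
HEAD = """\
From: postmaster@receiver.example
Subject: DMARC failure report
Content-Type: multipart/report; report-type=feedback-report; boundary="rpt"

--rpt
Content-Type: message/feedback-report

Feedback-Type: auth-failure

--rpt
"""
FULL = (HEAD + """\
Content-Type: message/rfc822

From: spoof@sender.example
Content-Type: multipart/mixed; boundary="in"

--in
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="sample.bin"

constructed-placeholder-bytes
--in--
--rpt--
""").encode()
HEADERS_ONLY = (HEAD + "Content-Type: text/rfc822-headers\n\nFrom: spoof@sender.example\n--rpt--\n").encode()
```

Reports classified as `full-message` carry the unscanned original and should pass through the same malware scanning as any other inbound mail before an analyst opens them.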