Overview
Legitimate emails are moved to the EmailSecurity\FailedMails folder. Examining the failed emails shows that they have attachments.
Solution
Root Cause
This issue occurs when GFI MailEssentials identifies the attachments as corrupt archives. The content filter then fails and the email is moved to the FailedMails folder.
Option 1
- Open the registry editor.
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\MailEssentials\Ext\FileTypeChecker\KnownTypes
- Right-click and add a new DWORD value. Name it after the extension of the attachment in the failed email and set its value to the next highest number not currently in use.
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\MailEssentials\EmailSecurity\Engines\AttachChecker\BlockByAssocExceptions
- Add the number you assigned to the new extension value to the pdf, png, and jpg entries.
- Close the registry editor and restart the GFI MailEssentials attendant service.
- Reprocess the FailedMails folder to see if the issue is resolved.
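The KnownTypes step of Option 1 as a PowerShell script; this is an added example, not GFI's own tooling. The `-Extension` parameter and the backup location are assumptions, and because the page does not state the format of the pdf, png, and jpg entries, the script only prints them, leaving that edit and the service restart manual.

```powershell
#Requires -RunAsAdministrator
# Added example (not GFI code): registers a new type ID under KnownTypes.
param(
    [Parameter(Mandatory)][string]$Extension,  # extension seen on the failed attachment
    [string]$BackupDir = $env:TEMP             # assumption: where .reg backups are written
)
$ErrorActionPreference = 'Stop'
$base       = 'SOFTWARE\Wow6432Node\GFI\MailEssentials'
$knownTypes = "$base\Ext\FileTypeChecker\KnownTypes"
$exceptions = "$base\EmailSecurity\Engines\AttachChecker\BlockByAssocExceptions"

# Back up both keys before changing anything.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($k in $knownTypes, $exceptions) {
    $file = Join-Path $BackupDir ("gfi-{0}-{1}.reg" -f (Split-Path $k -Leaf), $stamp)
    & reg.exe export "HKLM\$k" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$k failed" }
}

# Assumption: value names carry no leading dot, like the pdf/png/jpg entries.
$name = $Extension.TrimStart('.')
$key  = Get-Item -Path "HKLM:\$knownTypes"

if ($key.GetValueNames() -contains $name) {
    # Do not assign a second ID to an extension that already has one.
    $id = $key.GetValue($name)
    Write-Host "'$name' is already registered with ID $id; nothing created."
} else {
    # Next highest number not currently in use = largest existing DWORD + 1.
    $used = @($key.GetValueNames() |
        Where-Object { $key.GetValueKind($_) -eq 'DWord' } |
        ForEach-Object { [int64]$key.GetValue($_) })
    if ($used.Count -eq 0) { throw 'KnownTypes has no DWORD values; check the key path.' }
    $id = [int](($used | Measure-Object -Maximum).Maximum + 1)
    New-ItemProperty -Path "HKLM:\$knownTypes" -Name $name -PropertyType DWord -Value $id | Out-Null
    Write-Host "Created '$name' = $id"
}

# Print the entries edited in the BlockByAssocExceptions step so $id can be added by hand.
$exc = Get-Item -Path "HKLM:\$exceptions"
foreach ($e in 'pdf', 'png', 'jpg') {
    if ($exc.GetValueNames() -contains $e) {
        Write-Host ("{0} [{1}] = {2}" -f $e, $exc.GetValueKind($e), ($exc.GetValue($e) -join ','))
    } else {
        Write-Host "${e}: not present as a value under BlockByAssocExceptions"
    }
}
```

The exported .reg files restore the original state if the reprocessed emails still fail.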
Option 2
- Open the MailEssentials Configuration UI and navigate to Email Security > Email exploit engine > Exploit list.
- Disable the Malformed File Extension (High alert) option.
Please note that the Email Exploit Engine, like the other Content Filtering filters, does not contain an exception list or whitelist. Emails are flagged depending on the nature and structure of their content.
In some environments this might cause false positives, in which case we suggest disabling the option that triggers them. Such a change should not pose any vulnerability to the system, assuming other Content Filtering and Email Security engines are used.