kopano-virusd



  • Connected via ActiveSync and Cache mode is enabled.
    These are the installed Z-Push packages.

    ii  z-push-autodiscover                             2.4.5+0-0                                  all          Z-Push autodiscover
    ii  z-push-backend-kopano                           2.4.5+0-0                                  all          Z-Push Kopano backend
    ii  z-push-common                                   2.4.5+0-0                                  all          open source implementation of the ActiveSync protocol
    ii  z-push-config-apache                            2.4.5+0-0                                  all          Z-Push apache configuration
    ii  z-push-ipc-sharedmemory                         2.4.5+0-0                                  all          Z-Push ipc shared memory provider
    ii  z-push-kopano                                   2.4.5+0-0                                  all          Z-Push for Kopano
    ii  z-push-kopano-gabsync                           2.4.5+0-0                                  all          GAB sync for Kopano
    

  • Kopano

    Hi Bastian,

    are the changes also visible on a mobile device?

    Manfred



  • Hi Manfred,

    Yes, my Android mobile displays the message correctly. Attachment removed and subject rewritten.

    Funny thing: I was using Kopano Deskapp instead of Outlook the past few days. So I just started up Outlook to verify the error again, and very strange: Outlook even wrongly displays messages it received after they were changed by my script. Hmmm… Any ideas?

    Bastian


  • Kopano

    Hi Bastian,

    Post the WBXML log of the modified item being synced to Outlook. However, it’s possible that Outlook simply ignores it because, except for flags and categories, email items shouldn’t change.

    Manfred



  • Hi,

    sorry for the delay, here’s the WBXML log.

    <Add>
     <ServerEntryId>
     U35543:24937b6b13fb44928664478bc0982183ce9a00000000
     </ServerEntryId>
     <Data>
      <POOMMAIL:To>
      "Bastian Machek" <bastian@xxx.xxx>
      </POOMMAIL:To>
      <POOMMAIL:From>
      "virus" <virus@xxx.xxx>
      </POOMMAIL:From>
      <POOMMAIL:Subject>
      [CLEANED] Blubb
      </POOMMAIL:Subject>
      <POOMMAIL:DateReceived>
      2019-04-10T18:14:20.000Z
      </POOMMAIL:DateReceived>
      <POOMMAIL:DisplayTo>
      Bastian Machek
      </POOMMAIL:DisplayTo>
      <POOMMAIL:Importance>
      1
      </POOMMAIL:Importance>
      <POOMMAIL:Read>
      1
      </POOMMAIL:Read>
      <POOMMAIL:MessageClass>
      IPM.Note
      </POOMMAIL:MessageClass>
      <POOMMAIL:InternetCPID>
      20127
      </POOMMAIL:InternetCPID>
      <AirSyncBase:Body>
       <AirSyncBase:Type>
       4
       </AirSyncBase:Type>
       <AirSyncBase:EstimatedDataSize>
       1867
       </AirSyncBase:EstimatedDataSize>
       <AirSyncBase:Truncated>
       0
       </AirSyncBase:Truncated>
       <AirSyncBase:Data>
       <<< written 1867 of 1867 bytes of plain data >>>
       </AirSyncBase:Data>
      </AirSyncBase:Body>
      <AirSyncBase:Attachments>
       <AirSyncBase:Attachment>
        <AirSyncBase:DisplayName>
        test.txt-removed.txt
        </AirSyncBase:DisplayName>
        <AirSyncBase:FileReference>
        00000000c3de78d1ffb44d9683de66668e17c6b701000000050000005920821221c5494ca97bac1116a0b95b00000000:0:24937b6b13fb44928664478bc0982183083200000000
        </AirSyncBase:FileReference>
        <AirSyncBase:Method>
        1
        </AirSyncBase:Method>
        <AirSyncBase:EstimatedDataSize>
        216
        </AirSyncBase:EstimatedDataSize>
       </AirSyncBase:Attachment>
      </AirSyncBase:Attachments>
      <POOMMAIL:ContentClass>
      urn:content-classes:message
      </POOMMAIL:ContentClass>
      <POOMMAIL:Flag/>
      <AirSyncBase:NativeBodyType>
      1
      </AirSyncBase:NativeBodyType>
     </Data>
    </Add>
    

    This is my first WBXML log. If something is missing, give me a hint. :-)

    Bastian


  • Kopano

    Hi Bastian,

    is “[CLEANED] Blubb” the modified subject?
    Did you also check the Windows event log for errors at the time when the modified email is synced?

    Manfred



  • Yes, that’s the modified subject.
    There are no errors in the event log… (at that time)


  • Kopano

    Hi Bastian,

    @bmachek said in kopano-virusd:

    Yes, that’s the modified subject.
    There are no errors in the event log… (at that time)

    Do you change only the subject or some other properties as well?
    Outlook requests the whole RFC822 message, so it’s possible that it gets the subject from it and not from the subject property.

    Manfred



  • Hi Manfred,

    I change the subject, and if configured the infected attachment is removed, and a dummy .txt attachment is created. btw Outlook also still is able to access the attachment…

    Bastian


  • Kopano

    Hi Bastian,

    @bmachek said in kopano-virusd:

    I change the subject, and if configured the infected attachment is removed, and a dummy .txt attachment is created. btw Outlook also still is able to access the attachment…

    Like I said, Outlook over ActiveSync requests the whole RFC message (headers + body) in AirSyncBase:Data, which comes either from the PR_EC_IMAP_EMAIL property or is built by the mapi_inetmapi_imtoinet function. Either way, if Outlook itself parses the RFC message to get the necessary information, it’s not enough to just change the subject and remove the attachment. You’d also have to manipulate PR_EC_IMAP_EMAIL or whatever properties mapi_inetmapi_imtoinet uses to put the RFC message together.

    Manfred
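
Added example, not part of the thread and not kopano-virusd's code: a standard-library Python sketch of the consistency problem described in the post above, where a stored RFC822 copy still carries the original subject and attachment after the item's properties were cleaned. The sample message, the function names and the placeholder addresses are constructed for illustration; reading or writing PR_EC_IMAP_EMAIL through a Kopano API is not shown.

```python
# Added example: standard library only, no Kopano API calls.
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed stand-in for the stored RFC822 copy of the original mail."""
    msg = EmailMessage()
    msg["From"] = "virus@example.invalid"
    msg["To"] = "bastian@example.invalid"
    msg["Subject"] = "Blubb"
    msg.set_content("body text")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="test.txt")
    return msg.as_bytes()


def stale_fields(rfc822: bytes, subject: str, attachments: set) -> list:
    """List what the RFC822 copy still states differently from the cleaned item."""
    msg = message_from_bytes(rfc822, policy=policy.default)
    diffs = []
    if msg["Subject"] != subject:
        diffs.append("subject")
    if {p.get_filename() for p in msg.iter_attachments()} != attachments:
        diffs.append("attachments")
    return diffs


def clean_rfc822(rfc822: bytes, subject: str, notice: str) -> bytes:
    """Rewrite the RFC822 copy so a client parsing it sees the cleaned mail."""
    msg = message_from_bytes(rfc822, policy=policy.default)
    del msg["Subject"]
    msg["Subject"] = subject
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or "attachment"
        # set_content() discards the old payload and Content-* headers first.
        part.set_content(notice, disposition="attachment",
                         filename=name + "-removed.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    wanted = ("[CLEANED] Blubb", {"test.txt-removed.txt"})
    print("before:", stale_fields(raw, *wanted))
    print("after: ", stale_fields(clean_rfc822(raw, wanted[0], "Attachment removed."), *wanted))
```

Running a check like `stale_fields` after each cleaning pass shows whether a client that parses the RFC822 copy would still see the original subject or attachment.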

