CSCvh85675 - Calendar invites are being moved to inline attachment when they are footer stamp

kleemisch · ‎02-19-2018

When is this going to get fixed? This has impacted several of our users as we have a disclaimer added to every single email so our users know if an email is coming from the outside. I need this fixed ASAP.

Thiruchelvam Thurairaj · ‎02-20-2018

A workaround should be adding a message body in the content filter which does not add the disclaimer for now.

Via GUI you can do this;

condition

1. Message Body - contains text : ("(?i)text/calendar|BEGIN:VCALENDAR", 1)

or

2. Message Body - contains text : ("(?i)method=REQUEST|METHOD:REQUEST", 1)

Action: Skip Filters.

select: If one or more conditions match"

commit

--------------

If you are using CLI and working with message filters then you could do this:

MeetingRequest: if (body-contains("(?i)text/calendar|BEGIN:VCALENDAR", 1)) OR (body-contains("(?i)method=REQUEST|METHOD:REQUEST", 1)) {
                            log-entry("No Disclaimer");
                            skip-filters();
                        }

Try to bring this filter to a higher position than the other filters with disclaimers

But we all know this is only a workaround and not a fix and Cisco is already working on it.

kleemisch · ‎02-20-2018

The workaround does not work for all calendar invites I receive. Some of them look right, but others still show as attachments.

mark fitzgerald · ‎02-27-2018

I have the same situation. The options aren't really good options. My invites are coming in blank, other than the subject. No attachments, no nothing.

chris.hankins · ‎03-01-2018

I was able to resolve this by removing any disclaimers applied via the ironport appliances and apply them via Exchange transport rules.

marc.luescherFRE · ‎03-05-2018

Here our workaround for incoming calendar invites :

CLISkip_Footerv5: if (header("X-MS-Exchange-Calendar-Originator-Id")) OR ((header("x-ms-exchange-calendar-series-instance-id")) OR ((attachment-filename == "invite.ics") OR
((attachment-filename == ".ics$") OR ((header("X-Barracuda-RBL-Trusted-Forwarder")) OR (body-contains("BEGIN:VCALENDAR", 1)))))) {
skip-filters();
}

Hope that helps.

That filters support gmail, baracuda, office365, Lotus Notes and classical ICAL.

adamawenner · ‎03-05-2018

We're also seeing this hit on header stamps, not just footer stamps as indicated. Maybe the bug needs to be updated indicate that?

marc.luescherFRE · ‎03-05-2018

I was told by support that they are aware of both conditions.
We had them both 😊

mark fitzgerald · ‎03-06-2018

This affects both inbound and outbound meeting invites, correct? We apply disclaimers outbound, and we are seeing this behavior.

chris.hankins · ‎03-06-2018

This only affected our outgoing meeting invites. All incoming invites worked as normal because no disclaimers/footers were added to the messages.

mark fitzgerald · ‎03-06-2018

Ah thanks. So it is in both directions. We first noticed it on inbound messages that we were adding headers to, based on content filters. This is bad.

chris.hankins · ‎03-06-2018

Yeah it definitely could affect incoming invites as well, if you're adding headers/footers that conflict with the coding of the message body.

I'm curious what headers you are adding to incoming invites?

mark fitzgerald · ‎03-06-2018

Mostly spoof warnings, Also there are warnings about encrypted attachments, etc. Tags that tell people how to submit suspected phishing, etc.

marc.luescherFRE · ‎03-06-2018

You are correct it impacts incoming and outgoing messages with calendar entries

kleemisch · ‎03-16-2018

The bug says the status is "fixed", however I do not see an updated version on Cisco's web site. Is this truly fixed? In my ironport there is a version 11.1.0 build 072 available, but that doesn't show up on Cisco's web site either.