Dear All,

We are testing out Digital Certificates as a prelude to Secure Messaging
with some of our Clients.

We obtained individual certificates for ourselves (as there are not many of
us) but started our Client on a Business account with a CA.

After setting up one of their users we notice that most times their email is
fine, but other times instead of the usual "rosette" there is a red line and
the statement "There are problems with the signature. Click the signature
button for details."

The message in the Security Properties is "Error: The message contents may
have been altered. Signed by sa@<client domain here>.com using RSA/SHA1 at
15:05:47 16/08/2006."

As we use an external mail filter (so all our mail is scanned in transit) we
believe that the scanning by our mail filter is causing the Digital
Certificate to detect a modification (or attempt) and hence the error.

My questions are:

1) Is the above assumption correct, and this is normal?

2) Is there anything that can be done to eliminate this (if caused by an
external mail scanner perhaps not)

3) If we move to Secure Messaging where the email is encrypted and hence
cannot be scanned by our mail filter, should I presume that the above error
will not appear and that all will be OK (at least as much as it should be)?

thanks

-----
pbw

Re: Digital Certificate "There are problems with the signature" by imhotep

imhotep
Tue Sep 05 12:02:41 CDT 2006

pretzel wrote:

> Dear All,
>
> We are testing out Digital Certificates as a prelude to Secure Messaging
> with some of our Clients.
>
> We obtained individual certificates for ourselves (as there are not many of
> us) but started our Client on a Business account with a CA.
>
> After setting up one of their users we notice that most times their email
> is fine, but other times instead of the usual "rosette" there is a red
> line and
> the statement "There are problems with the signature. Click the signature
> button for details."
>
> The message in the Security Properties is "Error: The message contents may
> have been altered. Signed by sa@<client domain here>.com using RSA/SHA1 at
> 15:05:47 16/08/2006."
>
> As we use an external mail filter (so all our mail is scanned in transit)
> we believe that the scanning by our mail filter is causing the Digital
> Certificate to detect a modification (or attempt) and hence the error.
>
> My questions are:
>
> 1) Is the above assumption correct, and this is normal?

Don't quite see how you came to the conclusion that your external mail
gateway is causing this. Are you guessing?

> 2) Is there anything that can be done to eliminate this (if caused by an
> external mail scanner perhaps not)

You need to do more research. Look at your logs. Look for some type of error
code. Something.

> 3) If we move to Secure Messaging where the email is encrypted and hence
> cannot be scanned by our mail filter, should I presume that the above
> error
> will not appear and that all will be OK (at least as much as it should
> be)?


Again, you *REALLY* don't know what the error is. You seem to be "shooting
in the dark". Review your logs and get a better handle on understanding the
problem *BEFORE* you try fixing the problem.

Send your email log files....

> thanks
>
> -----
> pbw


Imhotep

Re: Digital Certificate "There are problems with the signature" by Jeff

Jeff
Tue Sep 05 13:01:31 CDT 2006

I interpret that he is suggesting his mail virus scanner is appending
his messages with a statement that the message has been "scanned by xyz
scanner", as I have seen many virus scanners do. I have seen this a
lot with incoming mail, myself.

I would be interested to see an answer to this question myself.

If a mail scanner is appending messages with predefined text
(especially, signed or encrypted messages), will that change cause an
error at the recipient's end indicating that the signed message has been
altered?

Tks - Jeff




Re: Digital Certificate "There are problems with the signature" by imhotep

imhotep
Tue Sep 05 17:40:51 CDT 2006

Jeff B. wrote:

> I interpret that he is suggesting his mail virus scanner is appending
> his messages with a statement that the message has been "scanned by xyz
> scanner", as I have seen by many virus scanners do. I have seen this a
> lot with incoming mail, myself.
>
> I would be interested to see an answer to this question myself.
>
> If a mail scanner is appending messages with predefined text
> (especially, signed or encrypted messages), will that change cause an
> error at the recipients end as indicating the signed message has been
> altered?

I have seen this also. For example SpamAssassin can have this effect (it
adds a field in the header "X-Spam-Score"). I would say any alteration of
the email message would cause this error. Once you sign a message you
cannot change a single bit (it will fail the check).

You hit upon a good point, I would guess that this is probably the
culprit...

--Imhotep



RE: Digital Certificate "There are problems with the signature" by QuidnuncSimcha

QuidnuncSimcha
Tue Sep 05 23:16:01 CDT 2006

Hello,

Forgive me for asking such a question....If "all" mail is "scanned",
wouldn't "all" mail be appended?

or

If mail is scanned, then mail is appended with a "generic message"
...in the above case, it would seem that all mail would have a problem.

If mail is scanned and a filter only adds a warning in specific cases
(keywords/characters), then some messages will be affected.

Your filter may be "changing" the text and causing the problem.

Sorry, I didn't help you a bit. I am nowhere near an expert, but you may
want to elaborate on the "all" and one/USERS area.

Re: Digital Certificate "There are problems with the signature" by S

S
Wed Sep 06 04:56:41 CDT 2006

"imhotep" <imhotep@nospam.net> wrote in message
news:Bu2dnY34_9VuYWDZnZ2dnUVZ_rWdnZ2d@adelphia.com...
> I have seen this also. For example SpamAssassin can have this effect (it
> adds a field in the header "X-Spam-Score"). I would say any alteration of
> the email message would cause this error.

No. A scanner that adds text to the (signed) message body is altering it
indeed; adding an extra header doesn't break the S/MIME signature, as only the
message body integrity is protected (yes, you can add fake headers and spoof
the From: field).

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



Re: Digital Certificate "There are problems with the signature" by Jeff

Jeff
Thu Sep 07 09:26:31 CDT 2006

From my experience, mail scanners (usually virus scanners - sometimes
content scanners) often only read the outgoing message. Others append
every message with text that indicates to the recipient that the
message has been scanned and "approved" as virus free by the scanner
(to give you a warm and fuzzy secure feeling).

For example, NOD32 appends body text as follows:

"
__________ NOD32 1.1742 (20060906) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com
"

The above text was copied from a message I received from my wife's work
mail scanner.
However, I am using Norton AV2006. Norton scans my incoming and
outgoing messages, but does not append or alter any content (to my
knowledge).
If Norton finds a virus, it hijacks the message and quarantines it and
opens a Windows dialogue box indicating so.

But, I don't know how digitally signed messages or encrypted messages
respond to scanners trying to append them. I am trying to test that
out now...





Re: Digital Certificate "There are problems with the signature" by Paul

Paul
Thu Sep 07 17:17:01 CDT 2006

In article <Bu2dnY34_9VuYWDZnZ2dnUVZ_rWdnZ2d@adelphia.com>, in the
microsoft.public.security news group, imhotep <imhotep@nospam.net>
says...

> I have seen this also. For example SpamAssassin can have this effect (it
> adds a field in the header "X-Spam-Score"). I would say any alteration of
> the email message would cause this error. Once you sign a message you
> cannot change a single bit (it will fail the check).
>
> You hit upon a good point, I would guess that this is probably the
> culprit...
>

Your ignorance is showing, or are you just shooting in the dark? Perhaps
you should do some more research first. Modifying the header of a
message will not invalidate a signed email, as only the message is signed,
not the headers. If you'd take a moment to even begin to understand how
SMTP email works, you'd realize that every time an SMTP message goes
through an SMTP server, the headers change.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
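
The distinction drawn in the two replies above (the signature covers the signed body part, not the transport headers), as an added example that is not part of any post in this thread. It assumes a simplified multipart/signed layout; an HMAC stands in for the RSA signature, and the key, boundary, addresses and footer text are constructed.

```python
import hashlib
import hmac

CRLF = "\r\n"
BOUNDARY = "sig-boundary"                 # constructed MIME boundary
DELIM = CRLF + "--" + BOUNDARY            # the CRLF before "--" belongs to the delimiter
DEMO_KEY = b"constructed-demo-key"        # stand-in for the signer's private key
FOOTER = "This message was checked by the gateway."   # constructed scanner footer


def tag(signed_part: str) -> str:
    """Stand-in signature: HMAC-SHA256 over the exact bytes of the signed part."""
    return hmac.new(DEMO_KEY, signed_part.encode(), hashlib.sha256).hexdigest()


def build_signed(outer_headers: str, signed_part: str) -> str:
    """Assemble a multipart/signed-shaped message: signed part, then signature part."""
    return CRLF.join([
        outer_headers,
        f'Content-Type: multipart/signed; boundary="{BOUNDARY}"',
        "",
        "--" + BOUNDARY,
        signed_part,
        "--" + BOUNDARY,
        "Content-Type: application/pkcs7-signature",
        "",
        tag(signed_part),
        "--" + BOUNDARY + "--",
        "",
    ])


def verify(raw: str) -> bool:
    """Recompute the tag over the first MIME part only; outer headers are never read."""
    pieces = raw.split(DELIM)
    signed_part = pieces[1][len(CRLF):]
    received_tag = pieces[2].split(CRLF + CRLF, 1)[1]
    return hmac.compare_digest(tag(signed_part), received_tag)


def gateway_adds_header(raw: str) -> str:
    """What a relay or spam filter does: prepend a header outside the signed part."""
    return "X-Spam-Score: 0.1" + CRLF + raw


def gateway_appends_footer(raw: str) -> str:
    """What a footer-stamping scanner does: add text to the end of the signed part."""
    end_of_signed_part = raw.index(DELIM, raw.index(DELIM) + 1)
    return raw[:end_of_signed_part] + CRLF + FOOTER + raw[end_of_signed_part:]


ORIGINAL = build_signed(
    "From: sa@client.example" + CRLF + "Subject: Q3 figures",   # constructed
    "Content-Type: text/plain" + CRLF + CRLF + "Figures attached.",
)

if __name__ == "__main__":
    for label, msg in [("as sent", ORIGINAL),
                       ("header added", gateway_adds_header(ORIGINAL)),
                       ("footer appended", gateway_appends_footer(ORIGINAL))]:
        print(f"{label:16} signature valid: {verify(msg)}")
```

A scanner that only stamps some messages (for example, only plain-text ones, or only those matching a rule) would produce the intermittent failure described in the original post.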

Re: Digital Certificate "There are problems with the signature" by Jeff

Jeff
Fri Sep 08 10:18:15 CDT 2006

I can't come up with any clear answer on this question. Limited
testing with my wife's work mail scanner revealed that their mail
scanner appends all unsigned/unencrypted "incoming" mail "body text"
with the NOD32 signature.
But, when I send a signed or encrypted message, those messages do - not
- get appended with the NOD32 signature. Thus, they apparently do not
get altered and there are no errors encountered.
But this is a very limited test and I expect many different scanners
deal with signed/encrypted messages differently.

To the original poster of this thread:

- Find out who the 3rd party scanner is.
- Talk to their scanner administrator about the possibility their
scanner is corrupting message content because of altered message
content or appended text.
- Try finding another scanner service who will work with you on solving
the problem.

It would be interesting to hear from someone who has real experience
with this issue...


