Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
list Shawn Heisey
Xymon server is version 0.1.4, the client in this instance is BBWin 0.13 on a Server 2012 R2 system. Occasionally, I am seeing xymon alarms with ATT00001.bin attachments instead of an actual message. I already googled this, and applied the MAILC fix that I found to xymonserver.cfg, but it's still happening sometimes. I discovered some other bad characters that needed to be removed, so my tr command is set up to remove three characters: # For the xymond_alert module MAILC="/usr/bin/tr -d '\\001\\004\\015' | mail" # Command used to send an e-mail with no subject #MAILC="mutt -x" # Command used to send an e-mail with no subject MAIL="$MAILC -s" # Command used to send an e-mail with a subject Looking in the attachment that I just received, I can see hex 0D characters (carriage returns, octal 015) ... but the "tr" command that I implemented should have removed them. Either there's a bug, or I am missing something simple. Can anyone help? I have not yet tried upgrading Xymon to the latest version. Thanks, Shawn
list Shawn Heisey
▸
On 8/12/2015 12:58 PM, Shawn Heisey wrote:
Xymon server is version 0.1.4, the client in this instance is BBWin 0.13 on a Server 2012 R2 system.
I have no idea how I managed to type that version, and even less idea how it managed to slip by without correction. The version is 4.3.14.
list Glauber Ribeiro
That happens because the messages have CR+LF line terminations, or have at least a few lines that have CR in them; this is causing Unix to treat those as binary instead of text content. In our system, I created a script that runs tr to get rid of those #! /bin/bash # 20130104 - glauber - get rid of CR in emails exec /usr/bin/tr -d '\015' | /bin/mail "$@" Then I set the MAIL parameter in xymonserver.cfg to point to this script instead of the actual mail application. It works beautifully. g
▸
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Shawn Heisey
Sent: Wednesday, August 12, 2015 13:58
To: xymon at xymon.com
Subject: [Xymon] Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
Xymon server is version 0.1.4, the client in this instance is BBWin 0.13
on a Server 2012 R2 system.
Occasionally, I am seeing xymon alarms with ATT00001.bin attachments
instead of an actual message.
I already googled this, and applied the MAILC fix that I found to
xymonserver.cfg, but it's still happening sometimes. I discovered some
other bad characters that needed to be removed, so my tr command is set
up to remove three characters:
# For the xymond_alert module
MAILC="/usr/bin/tr -d '\\001\\004\\015' | mail" # Command used to send
an e-mail with no subject
#MAILC="mutt -x" # Command used
to send an e-mail with no subject
MAIL="$MAILC -s" # Command used to send
an e-mail with a subject
Looking in the attachment that I just received, I can see hex 0D
characters (carriage returns, octal 015) ... but the "tr" command that I
implemented should have removed them.
Either there's a bug, or I am missing something simple. Can anyone
help? I have not yet tried upgrading Xymon to the latest version.
Thanks,
Shawn
list Glauber Ribeiro
Sorry, I made 2 mistakes 1) MAILC is the parameter you want to override, not MAIL 2) I didn't read your email well enough to see that you have already tried something similar. What you did should have worked. Make sure you are modifying the configuration file that is actually being used. Also, if you haven't yet, you would have to restart xymon server to pick up that configuration change.
▸
g
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Ribeiro, Glauber
Sent: Wednesday, August 12, 2015 14:46
To: Shawn Heisey; xymon at xymon.com
Subject: Re: [Xymon] Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
That happens because the messages have CR+LF line terminations, or have at least a few lines that have CR in them; this is causing Unix to treat those as binary instead of text content. In our system, I created a script that runs tr to get rid of those
#! /bin/bash
# 20130104 - glauber - get rid of CR in emails
exec /usr/bin/tr -d '\015' | /bin/mail "$@"
Then I set the MAIL parameter in xymonserver.cfg to point to this script instead of the actual mail application.
It works beautifully.
g
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Shawn Heisey
Sent: Wednesday, August 12, 2015 13:58
To: xymon at xymon.com
Subject: [Xymon] Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
Xymon server is version 0.1.4, the client in this instance is BBWin 0.13
on a Server 2012 R2 system.
Occasionally, I am seeing xymon alarms with ATT00001.bin attachments
instead of an actual message.
I already googled this, and applied the MAILC fix that I found to
xymonserver.cfg, but it's still happening sometimes. I discovered some
other bad characters that needed to be removed, so my tr command is set
up to remove three characters:
# For the xymond_alert module
MAILC="/usr/bin/tr -d '\\001\\004\\015' | mail" # Command used to send
an e-mail with no subject
#MAILC="mutt -x" # Command used
to send an e-mail with no subject
MAIL="$MAILC -s" # Command used to send
an e-mail with a subject
Looking in the attachment that I just received, I can see hex 0D
characters (carriage returns, octal 015) ... but the "tr" command that I
implemented should have removed them.
Either there's a bug, or I am missing something simple. Can anyone
help? I have not yet tried upgrading Xymon to the latest version.
Thanks,
Shawn
list Glauber Ribeiro
I just saw that you used single quotes and double escapes tr -d '\\001\\004\\015' I think you need tr -d '\001\004\015' or tr -d "\\001\\004\\015" (and restart xymon after making the change)
▸
g
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Ribeiro, Glauber
Sent: Wednesday, August 12, 2015 15:13
To: Shawn Heisey; xymon at xymon.com
Subject: Re: [Xymon] Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
Sorry, I made 2 mistakes
1) MAILC is the parameter you want to override, not MAIL
2) I didn't read your email well enough to see that you have already tried something similar.
What you did should have worked. Make sure you are modifying the configuration file that is actually being used. Also, if you haven't yet, you would have to restart xymon server to pick up that configuration change.
g
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Ribeiro, Glauber
Sent: Wednesday, August 12, 2015 14:46
To: Shawn Heisey; xymon at xymon.com
Subject: Re: [Xymon] Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
That happens because the messages have CR+LF line terminations, or have at least a few lines that have CR in them; this is causing Unix to treat those as binary instead of text content. In our system, I created a script that runs tr to get rid of those
#! /bin/bash
# 20130104 - glauber - get rid of CR in emails
exec /usr/bin/tr -d '\015' | /bin/mail "$@"
Then I set the MAIL parameter in xymonserver.cfg to point to this script instead of the actual mail application.
It works beautifully.
g
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Shawn Heisey
Sent: Wednesday, August 12, 2015 13:58
To: xymon at xymon.com
Subject: [Xymon] Getting "ATT0001.bin" attachments sometimes -- MAILC fix is already in place
Xymon server is version 0.1.4, the client in this instance is BBWin 0.13
on a Server 2012 R2 system.
Occasionally, I am seeing xymon alarms with ATT00001.bin attachments
instead of an actual message.
I already googled this, and applied the MAILC fix that I found to
xymonserver.cfg, but it's still happening sometimes. I discovered some
other bad characters that needed to be removed, so my tr command is set
up to remove three characters:
# For the xymond_alert module
MAILC="/usr/bin/tr -d '\\001\\004\\015' | mail" # Command used to send
an e-mail with no subject
#MAILC="mutt -x" # Command used
to send an e-mail with no subject
MAIL="$MAILC -s" # Command used to send
an e-mail with a subject
Looking in the attachment that I just received, I can see hex 0D
characters (carriage returns, octal 015) ... but the "tr" command that I
implemented should have removed them.
Either there's a bug, or I am missing something simple. Can anyone
help? I have not yet tried upgrading Xymon to the latest version.
Thanks,
Shawn
list Shawn Heisey
▸
On 8/12/2015 2:18 PM, Ribeiro, Glauber wrote:
I just saw that you used single quotes and double escapes tr -d '\\001\\004\\015' I think you need tr -d '\001\004\015' or tr -d "\\001\\004\\015" (and restart xymon after making the change)
I did nearly the same thing found here, except I provided multiple characters: http://lists.xymon.com/archive/2013-March/037159.html Now I have set it like this, I will try it. MAILC="tr -d \"\\001\\004\\015\" | mail" Note that running the following command while logged into the same machine over ssh strips out those three characters: cat bad-characters | tr -d '\001\004\015' > filtered The double backslashes in the xymon config weren't my idea (it was suggested by the email thread I found), and I also tried it with single backslashes. The xymon service was restarted after every change. Thanks, Shawn
list Shawn Heisey
On 8/13/2015 9:01 AM, Ribeiro, Glauber wrote:
MAILC="tr -d \"\\001\\004\\015\" | mail" I think you shouldn't escape the quotes: MAILC="tr -d "\\001\\004\\015" | mail"
I suspect that without the escapes, the variable won't have the right definition, since quotes are used to contain the value ... although it's possible that *with* the escapes, it won't have the right definition either. It's starting to sound like I need to write a script so that no special characters are required. An ugly hack, but I think it will work ... so I will go ahead and do that. A better option might be to create a feature where we can define a list of characters that should be stripped out of email text before it is sent, and have Xymon itself handle that. Thanks, Shawn
list Shawn Heisey
▸
On 8/13/2015 10:33 AM, Shawn Heisey wrote:
It's starting to sound like I need to write a script so that no special characters are required. An ugly hack, but I think it will work ... so I will go ahead and do that.
Even when stripping CR characters, I was still getting attachments in
"msgs" alarms, but only on alarms related to one machine, which happens
to be the only one running Windows Server 2012. The really frustrating
part: sometimes alarms related to that machine came through just fine,
no attachment.
I finally figured out why. It's because Windows is trying to make event
logs prettier. The problem event that I noticed is using the so-called
'smart' apostrophe. Here's part of what I see if I 'cat' one of those
attachments on Linux:
===
This event is generated when a process attempts to log on an account by
explicitly specifying that account<92>s credentials.
===
Notice the <92> ... this is hex character 92 (the curly apostrophe in
the Windows-1252 character set), and because this character has the high
bit set, /bin/mail decides that it can't use the input as the message
body, and makes it an attachment.
I came up with a script to handle this situation, called with this line
in xymonserver.cfg:
MAILC="/etc/xymon/stripxymonmail"
The contents of that script are below:
===
#!/bin/sh
TMPF=`/bin/mktemp`
cat > ${TMPF}
CHARSET=`file --mime-encoding ${TMPF} | sed 's/.*: \(.*\)/\1/'`
[ "x${CHARSET}" == "xunknown-8bit" ] && CHARSET=cp1252
/usr/bin/iconv -f ${CHARSET} -t ASCII//TRANSLIT ${TMPF} \
-o ${TMPF}.filter
/bin/rm -f ${TMPF}
cat ${TMPF}.filter | /usr/bin/tr -d '\001\004' | dos2unix \
| /bin/mail "$@"
/bin/rm -f ${TMPF}.filter
===
I don't yet know whether this is completely foolproof. It works if the
content is already ascii, and I'm hoping it works if the content is
UTF-8, but I haven't tested this yet. If anyone has ideas to make it
more bulletproof, please share.
Thanks,
Shawn