recent increase in bad header quarantine emails


Postby msmcknight » Thu Nov 15, 2018 7:10 am

Hello Everyone,

Within the past couple of weeks I have started getting a lot of emails directed to quarantine because of bad headers. In particular, the error looks like this:

Code:

X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8)
        (char A0 hex): Feedback-ID:
        ...dfa3-9e3c-46cf-9ff0-8931e63824c8:email:epslh1\x{A0}

When examining the emails in quarantine, I noticed a glaring similarity... they are all being generated by a program called "ecelerity", as shown here:

Code:

$ grep ecelerity *
badh-1GQgTnRSPtk3:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-8q_jrXKZkfWQ:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-8vK1Yw-APYqX:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-Ax4J5KEAHgPL:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-F8o2oh4QlMQP:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-FFi4SYDbmXlK:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-Jry_agaDpjrq:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-NLsvjcAVOQN8:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-SGbzTZ4eTYL6:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-TQ5xEsZMarv3:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-VBJ9drQXtakA:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-aFYe6QVM0iSk:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-eMhoJ8RCPmM7:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-lWkssAl3o-CZ:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-ogrC8tCOZcy0:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-pBcFSu2gy8k3:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM

And in every email, the offending field is Feedback-ID...

Code:

badh-1GQgTnRSPtk3:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-8q_jrXKZkfWQ:Feedback-ID: c8827038-beab-4370-8ae4-c5bfe9bf92c5:dae6dfa3-9e3c-46cf-9ff0-8931e63824c8:email:epslh1▒
badh-8vK1Yw-APYqX:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-Ax4J5KEAHgPL:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-F8o2oh4QlMQP:Feedback-ID: 1a358d93-a6a5-4178-99c7-051a3108dd37:02eb8b37-72cf-4a52-8bf3-248486b395de:email:epslh1▒
badh-FFi4SYDbmXlK:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-Jry_agaDpjrq:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒
badh-NLsvjcAVOQN8:Feedback-ID: c8827038-beab-4370-8ae4-c5bfe9bf92c5:dae6dfa3-9e3c-46cf-9ff0-8931e63824c8:email:epslh1▒
badh-SGbzTZ4eTYL6:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-TQ5xEsZMarv3:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-VBJ9drQXtakA:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒
badh-aFYe6QVM0iSk:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-eMhoJ8RCPmM7:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒
badh-lWkssAl3o-CZ:Feedback-ID: 1a358d93-a6a5-4178-99c7-051a3108dd37:02eb8b37-72cf-4a52-8bf3-248486b395de:email:epslh1▒
badh-ogrC8tCOZcy0:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-pBcFSu2gy8k3:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒


I hope the paste above shows the bad character at the end of each line so you can see what it's complaining about.

What's odd is that these emails are all coming from legitimate sources and the content is valid. Some of the sources include:
mail.paypal.com
sheratonvacationclub.com
chase.com

My guess is that all of these companies are using ecelerity, or are outsourcing their marketing emails to a company that does, and they must have recently upgraded to a buggy version of ecelerity.

The question I have is how can I tell Amavis to ignore them? If anyone has any tips on how to do this, please let me know.
I'm running: Release 8.8.10_GA_3039.RHEL6_64_20180928094617 RHEL6_64 FOSS edition, Patch 8.8.10_P1.

Thanks to you all in advance,
-Michael
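
The triage done by hand with grep in the post above can be scripted. The following is an added example, not part of the original post and not Amavis code: it re-implements only the "non-ASCII and not UTF-8" header check and counts which header field and byte caused it across a set of quarantined messages. The sample messages and their names are constructed for the example.

```python
import re
from collections import Counter

def header_fields(raw: bytes):
    """Yield (name, body) for each unfolded field in the header section."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]   # stop at first blank line
    unfolded = re.sub(rb"\r?\n(?=[ \t])", b"", head)      # join folded continuation lines
    for line in re.split(rb"\r?\n", unfolded):
        name, sep, body = line.partition(b":")
        if sep:
            yield name.decode("ascii", "replace").strip(), body

def bad_bytes(body: bytes):
    """Return the non-ASCII bytes of a field body that is not valid UTF-8, else []."""
    if body.isascii():
        return []
    try:
        body.decode("utf-8")
        return []          # 8-bit but valid UTF-8: not the case reported in this thread
    except UnicodeDecodeError:
        return [b for b in body if b >= 0x80]

def triage(messages: dict) -> Counter:
    """Count (field name, offending byte in hex) once per message."""
    counts = Counter()
    for raw in messages.values():
        for name, body in header_fields(raw):
            for b in set(bad_bytes(body)):
                counts[(name, f"{b:02X}")] += 1
    return counts

# Constructed sample messages (not real quarantine content).
SAMPLES = {
    "badh-sample1": b"Received: from mta.example (constructed) with ECSTREAM\r\n"
                    b"Feedback-ID: 0000:1111:email:epslh1\xa0\r\n"
                    b"Subject: hello\r\n\r\nbody \xa0 is ignored\r\n",
    "badh-sample2": b"Feedback-ID: 2222:3333:email:\r\n epslh1\xa0\r\n"
                    b"Subject: hi\r\n\r\n",
    "clean-utf8": "Subject: caf\u00e9\r\n\r\n".encode("utf-8"),
}

if __name__ == "__main__":
    for (field, byte), n in triage(SAMPLES).most_common():
        print(f"{n} message(s): {field} contains byte 0x{byte}")
```

A single (field, byte) pair dominating the count, as with Feedback-ID and A0 here, points to one sending-side defect rather than a variety of malformed mail.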



Re: recent increase in bad header quarantine emails

Postby DualBoot » Tue Dec 04, 2018 8:47 am

Hello,

You can whitelist the sender.

Regards

Re: recent increase in bad header quarantine emails

Postby msmcknight » Wed Dec 05, 2018 6:37 am

Thanks for the suggestion. Over the past week, these kinds of quarantines have stopped... from all sources. Makes me wonder if "ecelerity" may have issued a patch for the bad characters in the headers they were generating.

Whitelisting sources would have been a good idea. It just would have been nice if I could have whitelisted all sources based on a specific header string, such as "BAD HEADER SECTION, Non-encoded non-ASCII data".

Hopefully the issue has resolved itself.

Thanks again!
