Improper folded header

Simon Brereton simon.brereton at buongiorno.com
Fri Apr 20 16:12:36 CEST 2012


On 19 April 2012 20:06, Mark Martinec <Mark.Martinec+amavis at ijs.si> wrote:
> Simon,
>
>> Lately I've been getting a lot of these..
>>
>> /var/spool/mail/quarantine/badh-x9ylzx+MCHZB
>> ---
>> Return-Path: <jaxbar at example.com>
>> Delivered-To: bad-header-quarantine
>> X-Envelope-From: <jaxbar at example.com>
>> X-Envelope-To: <pj at example.net>
>> X-Envelope-To-Blocked:
>> X-Quarantine-ID: <x9ylzx+MCHZB>
>> X-Amavis-Alert: BAD HEADER SECTION Improper folded header field made up
>>         entirely of whitespace (char 09 hex): Subject:
>>         ...IMOgIHVuIGLD?=\n\t=?UTF-8?B?qWLDqSBzaW5nZSAh?=\n\t
>> X-Spam-Flag: NO
>
>> Does anyone know which/what client causes this, and how?
>
> Look at the User-Agent or X-Mailer or the last Received header fields
> in a quarantined message. Some poorly designed mailers have trouble
> wrapping a long header field they generate, commonly a Subject or
> References or a To header field.
>
> The
>  IncrediMail
> seems to be the most persistent offender.
>
> Also seen in:
>  Thunderbird 2.0.0.24 (Windows/20100228)
>  Synapse
>
> and in some genuine mail from
>  redmond.corp.microsoft.com
> and
>  ieee.org
> probably caused by some broken proprietary mailing list, or
> webmail or a remailer ("SMTP serializer", whatever that means).
>
>> What is the potential exploitable value of this?
>> I.e. if I set amavis to ignore this, what risk do I run
>> (even highly theoretical).
>
> The risk is that some non-compliant MUA or mail filter may
> inappropriately think the mail header ends at an
> all-whitespace line, thus opening a possibility that an
> end-user will see a different mail header (e.g. Subject, From, ...)
> than a mail filter. It is probably not a significant security
> risk, but widens a possibility for social engineering / fraud
> and spam. If a Content-Type header field ends up being pushed
> into a mail body, the MIME structure will not be properly
> decoded and displayed by a MUA.
>
> I'd say if such mail is originating from your users it is
> worth investigating and fixing a cause. For other inbound
> mail it's probably not worth worrying about.

Thanks Mark.  Not my users, obviously!  I'd kill them if they did
that.  Unfortunately, the mails were removed.  But I think it might
have been Incredimail.

The other weird thing is that logwatch reports that mail as passing,
but it was definitely quarantined..  Not your issue, but I note it
here anyway.


Cheers

Simon
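To make Mark's point concrete, here is an added example (not amavis code, and not from either poster) that parses a header section two ways: strictly per RFC 5322, where only a truly empty line ends the header, and the way a sloppy parser might, where a line that is empty after stripping whitespace is taken as the end. The sample message is constructed to have a whitespace-only continuation line under Subject, the same shape as the quarantined mail in the thread; the function and field names are my own.

```python
"""Detect whitespace-only folded header lines and show why they matter.

Added example, not part of amavis. SAMPLE below is a constructed message
whose Subject is 'folded' onto a line containing only a TAB (char 09 hex).
"""

# Constructed sample message (CRLF line endings, as on the wire).
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.net\r\n"
    b"Subject: =?UTF-8?B?SGVsbG8=?=\r\n"
    b"\t\r\n"                                  # whitespace-only 'fold'
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"                                    # real end of header section
    b"Body text\r\n"
)


def header_lines(raw: bytes):
    """RFC 5322 view: header lines up to the first truly empty line.
    A line consisting only of WSP is a folded continuation, not a separator."""
    out = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            break
        out.append(line)
    return out


def _field_name(line: bytes):
    name, sep, _ = line.partition(b":")
    return name.decode("ascii", "replace") if sep else None


def find_whitespace_only_folds(raw: bytes):
    """Return (line_number, field_name) for every continuation line that is
    made up entirely of whitespace, i.e. what amavis flags as an improper
    folded header field."""
    findings = []
    current_field = None
    for n, line in enumerate(header_lines(raw), start=1):
        if line[:1] in (b" ", b"\t"):           # folded continuation line
            if line.strip(b" \t") == b"":
                findings.append((n, current_field))
        else:
            current_field = _field_name(line)
    return findings


def strict_field_names(raw: bytes):
    """Field names a compliant parser sees."""
    return [_field_name(l) for l in header_lines(raw)
            if l[:1] not in (b" ", b"\t")]


def naive_field_names(raw: bytes):
    """Field names a non-compliant parser sees when it treats the first
    blank-looking line (empty after stripping WSP) as the end of the header.
    Everything after that line is, to it, part of the body."""
    names = []
    for line in raw.split(b"\r\n"):
        if line.strip(b" \t") == b"":
            break
        if line[:1] not in (b" ", b"\t"):
            names.append(_field_name(line))
    return names


def fields_pushed_into_body(raw: bytes):
    """Header fields that the naive parser loses to the body; if Content-Type
    is among them, the MIME structure is decoded differently by the two sides."""
    return [n for n in strict_field_names(raw) if n not in naive_field_names(raw)]


if __name__ == "__main__":
    print("improper folds:", find_whitespace_only_folds(SAMPLE))
    print("strict parser sees:", strict_field_names(SAMPLE))
    print("naive parser sees: ", naive_field_names(SAMPLE))
    print("pushed into body:  ", fields_pushed_into_body(SAMPLE))
```

Running it on the sample shows the disagreement Mark describes: the strict parser sees Content-Type as a header field, the naive one sees it as body text, so a filter and a MUA can render the same message differently.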

