recent increase in bad header quarantine emails

Post by msmcknight »

Hello Everyone,

Within the past couple of weeks I have started getting a lot of emails directed to quarantine because of bad headers. In particular, the error looks like this:

Code:

X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8)
        (char A0 hex): Feedback-ID:
        ...dfa3-9e3c-46cf-9ff0-8931e63824c8:email:epslh1\x{A0}

When examining the emails in quarantine, I noticed a glaring similarity... they are all being generated by a program called "ecelerity", as shown here:

Code:

$ grep ecelerity *
badh-1GQgTnRSPtk3:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-8q_jrXKZkfWQ:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-8vK1Yw-APYqX:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-Ax4J5KEAHgPL:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-F8o2oh4QlMQP:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-FFi4SYDbmXlK:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-Jry_agaDpjrq:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-NLsvjcAVOQN8:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-SGbzTZ4eTYL6:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-TQ5xEsZMarv3:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-VBJ9drQXtakA:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-aFYe6QVM0iSk:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-eMhoJ8RCPmM7:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-lWkssAl3o-CZ:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-ogrC8tCOZcy0:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
badh-pBcFSu2gy8k3:      (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM

And in every email, the offending field is Feedback-ID...

Code:

badh-1GQgTnRSPtk3:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-8q_jrXKZkfWQ:Feedback-ID: c8827038-beab-4370-8ae4-c5bfe9bf92c5:dae6dfa3-9e3c-46cf-9ff0-8931e63824c8:email:epslh1▒
badh-8vK1Yw-APYqX:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-Ax4J5KEAHgPL:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-F8o2oh4QlMQP:Feedback-ID: 1a358d93-a6a5-4178-99c7-051a3108dd37:02eb8b37-72cf-4a52-8bf3-248486b395de:email:epslh1▒
badh-FFi4SYDbmXlK:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-Jry_agaDpjrq:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒
badh-NLsvjcAVOQN8:Feedback-ID: c8827038-beab-4370-8ae4-c5bfe9bf92c5:dae6dfa3-9e3c-46cf-9ff0-8931e63824c8:email:epslh1▒
badh-SGbzTZ4eTYL6:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-TQ5xEsZMarv3:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-VBJ9drQXtakA:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒
badh-aFYe6QVM0iSk:Feedback-ID: ca5dbf63-208e-450e-9416-29f2e967c6e9:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-eMhoJ8RCPmM7:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒
badh-lWkssAl3o-CZ:Feedback-ID: 1a358d93-a6a5-4178-99c7-051a3108dd37:02eb8b37-72cf-4a52-8bf3-248486b395de:email:epslh1▒
badh-ogrC8tCOZcy0:Feedback-ID: 6b8a899b-9832-41e9-aaef-e3506dad65da:32cb7f3c-56d5-425d-8b7f-61c7e1daafa0:email:epslh1▒
badh-pBcFSu2gy8k3:Feedback-ID: d5784092-14df-486e-b864-8b3d56298cee:7849683f-0db4-4dca-93ab-cc226c17c075:email:epslh1▒

I hope the paste above shows the bad character at the end of each line so you can see what it's complaining about.

What's odd is that these emails are all coming from legitimate sources and the content is valid. Some of the sources include:
mail.paypal.com
sheratonvacationclub.com
chase.com

My guess is that all of these companies are using ecelerity, or are outsourcing their marketing emails to a company that does, and they must have recently upgraded to a buggy version of ecelerity.

The question I have is how can I tell Amavis to ignore them? If anyone has any tips on how to do this, please let me know.
I'm running: Release 8.8.10_GA_3039.RHEL6_64_20180928094617 RHEL6_64 FOSS edition, Patch 8.8.10_P1.

Thanks to you all in advance,
-Michael
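
A triage sketch for the quarantine files discussed above, added here as an example and not part of the original post or of Amavis: it reports which header field carries bytes that are neither ASCII nor valid UTF-8, so the only defect can be confirmed as the trailing 0xA0 in Feedback-ID before any sender is whitelisted. The function names and sample messages are constructed for illustration, and the check approximates Amavis's test rather than reproducing it.

```python
import re
from collections import Counter

def bad_header_fields(raw: bytes):
    """Return (field_name, offending_byte, offset_in_field) for every header
    field holding non-ASCII bytes that do not decode as UTF-8."""
    # The header section ends at the first empty line; the body is ignored.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    findings = []
    # Split into fields, keeping folded continuation lines (leading space
    # or tab) attached to the field they belong to.
    for field in re.split(rb"\r?\n(?![ \t])", head):
        name, sep, _ = field.partition(b":")
        if not sep:
            continue  # not a "Name: value" field
        try:
            field.decode("utf-8")
        except UnicodeDecodeError as exc:
            findings.append((name.decode("ascii", "replace"),
                             field[exc.start], exc.start))
    return findings

def summarize(messages):
    """Count findings per (field name, byte) across quarantined messages."""
    counts = Counter()
    for raw in messages.values():
        for name, byte, _ in bad_header_fields(raw):
            counts[(name, f"0x{byte:02X}")] += 1
    return counts

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "badh-sample1": (
        b"Received: from mta.example.com (ecelerity) with ECSTREAM;\r\n"
        b"\tMon, 01 Jan 2024 00:00:00 +0000\r\n"
        b"Feedback-ID: 00000000-0000-0000-0000-000000000000:email:example\xa0\r\n"
        b"Subject: Your statement\r\n\r\nA body byte \xa0 is not a header defect\r\n"),
    # Valid UTF-8 in a header is a different condition and is not reported here.
    "badh-sample2": b"Subject: hello\r\nX-Note: caf\xc3\xa9\r\n\r\nhi\r\n",
}

if __name__ == "__main__":
    import pathlib, sys
    # Pass quarantine file paths as arguments; with none, use the samples.
    msgs = {p: pathlib.Path(p).read_bytes() for p in sys.argv[1:]} or SAMPLES
    for (name, byte), n in summarize(msgs).most_common():
        print(f"{n:5d}  {name}  {byte}")
```

If every quarantined message reports the same field and byte, the cause is one sending system rather than a set of unrelated senders.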

Re: recent increase in bad header quarantine emails

Post by DualBoot »

Hello,

you can whitelist the sender.

Regards

Re: recent increase in bad header quarantine emails

Post by msmcknight »

Thanks for the suggestion. Over the past week, these kinds of quarantines have stopped... from all sources. Makes me wonder if "ecelerity" may have issued a patch for the bad characters in the headers they were generating.

Whitelisting sources would have been a good idea. It just would have been nice if I could have whitelisted all sources based on a specific header string, such as "BAD HEADER SECTION, Non-encoded non-ASCII data".

Hopefully the issue has resolved itself.

Thanks again!