Forefront Server Security Support Blog

A place for CSS to share experiences supporting Forefront Server Security and Antigen

The ‘Illegal Mime Header’ Feature – what you need to know

The ‘Illegal Mime Header’ Feature – what you need to know

  • Comments 1
  • Likes

‘Illegal Mime Header’ is an important feature in Antigen/Forefront. This blog entry describes the expected functionality of this feature from the Antigen 9 for Exchange/SMTP with SP1 and Forefront for Exchange RTM (SP0) releases.

The ‘Illegal Mime Header’ feature is basically a check on the internet headers of the SMTP message to confirm that they are consistent with the current RFC specifications. Without this check, Antigen/Forefront might not be able to correctly scan the message, which would in turn expose a security risk.

The introduction of this check allows Antigen/Forefront to either a) confirm conformity with the current RFC specificationsand let the message be scanned, or b) confirm that the message headers do not meet the current RFC specifications (the default action in this scenario would be to delete the message in question). Despite the name, this applies to all internet headers (not just MIME headers).

 

Setting-up the ‘Illegal MIME Header Action’ in Antigen/Forefront

You can change the ‘Illegal MIME Header Action’ in the SETTINGSàGeneral Options panel of the Antigen/Forefront Administrator console:

IllegalMimeHeaderAction 

 

 

The default setting, ‘Purge’, will make Antigen/Forefront delete the entire message, if an illegal internet header is detected. The other possibility here is to ‘Ignore’ the detection, meaning that the message will be subjected to further scanning and may then reach the end user. We recommend that you stick with the default ‘Purge’ action, unless you have a good business reason to ‘Ignore’ . Consult Microsoft CSS (Customer Service and Support), if you are in any doubt.

Note that this option only affects SMTP level traffic (on your Internet/SMTP/Transport scanjob), as this is the only scanjob where internet headers are present in a message.

 

Duplicate/Multiple/Repeat Internet Headers

One common occurrence that we see from customer is a duplicate internet header of some kind. If the repeated header is identical to the first one, Antigen/Forefront will not return ‘IllegalMimeHeader’. If the repeated header is in any way different to the first one, alarm bells ring and Antigen/Forefront will purge the message (assuming that the action is set to ‘Purge’ in the General Options panel).

 

RFCs provide many important industry-wide standards and guidelines, but they do not (completely) dictate how a mail application reads a mail. In the case of duplicate or multiple headers, RFC822 (section 4.1, ‘Syntax’) notes that:

 

This specification permits multiple occurrences of most fields. Except as noted, their interpretation is not specified here, and their use is discouraged.

 

There is therefore no RFC standard to determine which duplicate header the mail application should accept and which should be ignored. Here is a header extract from a sample mail:

 

To: user@mycompany.com

From: “A N Other” <another@anothercompany.com>

Subject: Click on the attachment for fun fun fun!!

Message-ID: <yyhh339c2fgl2a602c6109f22f6516@/www.anothercompany.com >

Content-Type: text/plain; charset="utf-8"

Sender: another@anothercompany.com

MIME-Version: 1.0

Content-Transfer-Encoding: 8Bit

Content-Type: multipart/alternative;

       boundary="----_=_NextPart_001_01C97BB3.7EC1CDCC"

 

We can see that the ‘Content-Type’ header has been repeated, but that the two lines are not identical. This poses a potential security risk, as an AV product may take header instance #1 and scan it as clean, but the end user's mail client may read header instance #2 and interpret the contents in a different way. This could possibly expose malicious content in the mail (e.g. a virus).

 

Antigen/Forefront will detect a non-identical repeat header as an ‘Illegal Mime Header’ in this instance, so that there is no threat to the end user.

 

Reporting a false-positive Illegal Mime Header detection

Microsoft CSS (Customer Service and Support) can investigate any perceived false-positive detection on an individual case basis (but this may be at cost to you, if the detection is deemed valid). It is worth checking RFC basics before you open a support case with us, however. Look for repeat header entries (as explained above) and also consider using the Internet Engineering Task Force’s RFC822/MIME checker: Message Lint. This tool allows you to enter the whole message header and will return any errors and warnings found by comparing them to the relevant RFCs. Watch out for “ERROR: missing mandatory header” and “WARNING: duplicate header” entries in particular, which will usually flag the reason why Antigen/Forefront is detecting the mail as ‘IllegalMimeHeader’.

 

 

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment