INFO: What is a Deadletter?

This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange
  • Trustwave Secure Email Server/MailMarshal SES

Question:

  • What is a Deadletter?
  • How do Deadletters happen?
  • What can I do to reduce Deadletters?

Symptoms:

  • Email being placed in a Deadletter folder.

Information:

A Deadletter is simply an email message that has encountered an error in processing and cannot be completely scanned. As an email content security product, SEG or ECM defaults to quarantining these messages. Rather than pass through an unscanned message that could represent a security threat, SEG or ECM will "deadletter" it and notify the administrator accordingly.

Most Deadletters are not processed through the content scanning rules. Deadletters cannot be managed by end users through the SQM website.


  • Warning: Virus scanning and archiving are not applied to most Deadletters. Treat released or blocked Deadletters with due caution.

How do Deadletters happen?

Most Deadletters happen due to problems with unpacking an email message. Unpacking is the process of separating the message and its attachments into parts that can be recognized and scanned.

  • Malformed Mime: The structure of the message does not meet the standards for Internet email (Multipurpose Internet Mail Extension).
  • Malformed: The structure of an attached file (such as a zip archive) does not meet the published standards for the type of file.
  • Undetermined: A virus scanner or external command returns a value that is not recognized by SEG or ECM.

Deadletters can also happen for other reasons:

  • Routing (SEG only): The address provided to send a message (or return a non-delivery report) is malformed.
  • Encryption (SES): The message cannot be encrypted or decrypted.

The precise reason for messages being placed in the various Deadletter folders can be seen from the message log file. In the SEG or ECM Console, find the message in Mail History or Folders, open it, and view the log information.

What can I do about Deadletters?

  • For occasional unpacking-related errors, if you are confident that the message is safe, you can pass it through from the Console.
    • Be aware that these messages will not be scanned by the engine processing rules, including virus or malware scanning rules.
  • In current versions of SEG and ECM, you can create Deadletter Rules to automate the re-delivery of Deadletters. See the User Guide and Help. 
    • It is even more important in this case to be aware that these messages will not be scanned by the engine processing rules, including virus or malware scanning rules.
    • Carefully consider the risk and benefit of automating this process.

If you are getting many deadletters from one particular site, the likely reason is a problem with the email client or email generator at that site. In this case, further investigation of the problem is necessary. Examining the raw message files (.mml files) and log files in the Deadletter folders is a useful place to start. Using Windows Explorer, navigate to the Dead Letter folder (under the product installation folder) and examine the actual message file (.mml) using a text editor. For those with some knowledge of email message formatting, this will often point to the problem.
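
When one site is suspected, the first useful measurement is a count of deadletters per sending domain and mail client, read straight from the .mml files. The script below is an added example, not Trustwave code: it parses each raw message with Python's standard email parser, groups by the domain of the Return-Path or From address and by the X-Mailer or User-Agent header, and lists the groups above a threshold. The folder argument, the header choices and the sample messages are all assumptions made for this example.

```python
"""Summarise a Dead Letter folder by sending domain and mail client.

Added example, not Trustwave code. It reads the raw .mml files from a
Deadletter folder and groups them by sender domain and by the X-Mailer or
User-Agent header, which is the quickest way to confirm that one site's
email client or generator is producing most of the deadletters. The folder
path is supplied on the command line; the messages below are constructed
for this example.
"""
import collections
import pathlib
import sys
from email.parser import BytesParser
from email.utils import parseaddr


def sender_domain(msg) -> str:
    """Domain of the Return-Path (envelope sender) or, failing that, the From address."""
    for hdr in ("Return-Path", "From"):
        addr = parseaddr(str(msg.get(hdr, "")))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return "<unknown>"


def summarize(files):
    """files: iterable of (name, raw_bytes). Returns a Counter keyed by (domain, mailer)."""
    counts = collections.Counter()
    for _name, raw in files:
        msg = BytesParser().parsebytes(raw)
        mailer = str(msg.get("X-Mailer") or msg.get("User-Agent") or "<none>").strip()
        counts[(sender_domain(msg), mailer)] += 1
    return counts


def top_offenders(counts, min_count=3):
    """(domain, mailer, n) for every group with at least min_count messages, largest first."""
    return sorted(((d, m, n) for (d, m), n in counts.items() if n >= min_count),
                  key=lambda t: (-t[2], t[0]))


def load_folder(folder):
    """Yield (name, raw_bytes) for each .mml file in a Dead Letter folder."""
    for path in sorted(pathlib.Path(folder).glob("*.mml")):
        yield path.name, path.read_bytes()


# Constructed sample .mml contents (not real deadletters).
def _mml(sender, mailer=None):
    head = f"Return-Path: <{sender}>\r\nFrom: {sender}\r\nTo: user@example.test\r\n"
    if mailer:
        head += f"X-Mailer: {mailer}\r\n"
    return (head + "Subject: hello\r\n\r\nbody\r\n").encode()


SAMPLE_FILES = [
    ("B0001.mml", _mml("news@bulk.example.test", "BulkSender/0.9")),
    ("B0002.mml", _mml("news@bulk.example.test", "BulkSender/0.9")),
    ("B0003.mml", _mml("offers@bulk.example.test", "BulkSender/0.9")),
    ("B0004.mml", _mml("news@bulk.example.test", "BulkSender/0.9")),
    ("B0005.mml", _mml("alice@partner.example.test", "Thunderbird")),
    ("B0006.mml", _mml("", None)),   # no usable sender at all
]

if __name__ == "__main__":
    # Pass the Dead Letter folder path to summarise real files; otherwise use the samples.
    files = load_folder(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for domain, mailer, n in top_offenders(summarize(files), min_count=1):
        print(f"{n:4d}  {domain:30s}  {mailer}")
```

A group that dominates the count with a single X-Mailer value is the one whose message files are worth opening in a text editor first.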

If you still are unsure of what the problem is, you can contact Trustwave Technical Support for assistance (through your reseller if applicable).

Deadletter Folder Details

This section gives additional details of the reasons that messages may be placed in the various Deadletter folders.

Malformed and MalformedMime

(Both known as Unpacking in earlier versions)

Unpacking errors are the most common deadletters, and you can expect to see at least some messages in these folders. Email messages are sent by all manner of email clients and other email generating devices. Errors in formatting can arise from poorly written software, or varying interpretations of the relevant email standards. SEG and ECM, like other email software, have some built-in "leeway" when it comes to interpreting common errors. However, one key difference is that SEG and ECM are security products that are tasked to check the content of messages. They must be able to unpack each message into its individual components to apply rules-based scanning.

  • If SEG or ECM encounters a message it cannot unpack, rather than let it through unscanned, the product will place it in one of two Deadletter folders. This is a deliberate action to limit possible security threats. Such messages can be passed through via the Console or Dead Letter rules, but be aware they are unscanned and could potentially contain viruses or other content threats.
    • Messages with invalid MIME encoding (errors in the structure of the email message) are placed in the MalformedMime folder. The administrator is not notified of MalformedMime errors by default. Almost all email with Malformed Mime encoding is spam. For details and optional settings, see Trustwave Knowledge Base article Q11352.
    • Messages with apparently correct MIME encoding that cannot be unpacked (for instance corrupt archives or files) are placed in the Malformed folder. The administrator is notified of Malformed errors because the issue could be correctable by a user. 
  • Some common errors that you may see are discussed later in this article.

Undetermined

Messages placed in this folder are the result of "undetermined" scans by either a virus scanner or an external command. SEG and ECM are set up to take action depending on the return code the virus scanner or external command provides. If the scanner or command returns a code that is not defined in the interface (or in the definition of a command line scanner), SEG or ECM will deadletter the affected message. Typically this happens when the virus scanner cannot scan a file. The file may be corrupt or encrypted.

Routing (SEG only)

SEG will occasionally Deadletter messages in the Routing folder if it encounters malformed addresses or for some other reason it cannot send the message to its final destination, or cannot route the message back to the sender. Some examples are as follows:

  • Moved To Dead Letter (by MakeThreadAvailable)
    Bad MAIL FROM: address <553 malformed address: <jocbour.@oricom.ca>
  • Moved To Dead Letter (by MakeThreadAvailable)
    Bad MAIL FROM: address <553 malformed address: @server6.hypermart.net

These messages have been scanned but cannot be further processed or passed through from the console as they have no valid destination. They could potentially be forwarded to a valid destination.

Encryption

If you are using S/MIME functionality (MailMarshal SMTP 5.5 or MailMarshal SES), messages may be placed in the Deadletter Encryption folder when problems arise with the encryption or decryption process.

Typical unpacking errors you may see

Event - Unpack for B00056b9e.00000001.mml caught exception 4 - An error occurred in the following line
   < quoted -printable The error was Unknown Content-Transfer-Encoding

This is an incorrect specification of the MIME encoding format "Quoted-printable".  See the Related Articles section below for more details.

Event - Unpack for B000573eb.00000001.mml caught exception Too many lines in the header (2501)

MailMarshal has a built-in check for message headers that exceed 2500 lines (500 lines in earlier versions). Sometimes there are valid reasons for this, such as large mailing lists. You can change this value with a Registry entry, as described later in this article. 2500 lines is the current recommendation, but you can increase the value even further if you find many valid messages with larger headers.

  • Note that this issue does not apply in MailMarshal ECM 7.1.5 and above due to the normal presence of large headers in Exchange 2013.

Event - Unpack for B000569bf.00000001.mml caught exception UnpackMimeBody: Too many lines before boundary(2)

This error (only in older versions of SEG or ECM) indicates a problem with the specification of the boundary markers in a MIME message. MIME (Multipurpose Internet Mail Extensions) is a standard for sending a variety of data types via Internet email; it provides standard ways to encode those data types for transmission. MIME messages are usually separated into parts divided by boundary markers. This problem occurs when an email client encodes MIME attachments incorrectly: the message declares boundaries that should mark its different parts, but if those boundaries are illegal or non-compliant, MailMarshal is unable to find them and cannot unpack the message.

  • In SEG version 7.0 and above, the problem is handled automatically and this error is no longer encountered.

Event - Unpack for B00052b6e.00000001.mml caught exception Timed out waiting for unzip -oq "d:\MMExp\T1\U3\6501sdr.zip", error = Wait Timeout>

This error indicates the presence of a password-protected zip file. MailMarshal does not know the password and cannot unzip the file to scan it, so rather than let the file pass through unchecked, the Engine deadletters it.

Suspicious UUE line -Event - Unpack for B000590f2.00000001.mml caught exception UUE fragments detected

The suspicious UUE line message appears when SEG or ECM finds lines in the mail message that look like uuencoded data without having encountered a uuencode header. Automatically generated email sometimes trips this check. If you have a problem with UUE messages, you can safely disable this check without impacting the ability to decode properly formatted uuencoded messages. You can change this value with a Registry entry (see later in this article).

Event - Unpack for B000573eb.00000001.mml caught exception Unable to create a unique name

This error relates to non-standard characters such as "?" in attachment filenames.
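
The conditions behind the errors above can be reproduced outside the product, which helps when deciding whether a deadlettered .mml file is a harmless formatting slip or something that should stay blocked. The script below is an added example, not Trustwave code and not how the MailMarshal Engine is implemented: it applies plain-Python equivalents of each check (unknown Content-Transfer-Encoding, header line limit, undeclared or missing MIME boundary, uuencode-looking lines without a header, non-standard filename characters, and the encrypted flag in a zip attachment) to a raw message. MAX_HEADER_LINES mirrors the MaxHeaderLines default quoted in this article; the SUSPECT_UUE_LINES value, the filename character set and all sample messages are assumptions made for this example.

```python
"""Triage checks for a deadlettered .mml message file.

Added example, not Trustwave code: it re-creates in plain Python the
conditions behind the unpacking errors listed in this article, so an
administrator can see which check a raw message file would trip before
deciding whether to pass it through. MAX_HEADER_LINES mirrors the
MaxHeaderLines default quoted in the article; SUSPECT_UUE_LINES is an
assumed value for this example (the article gives no default).
"""
import base64
import re
import struct
from email.parser import BytesParser

MAX_HEADER_LINES = 2500    # SEG 7.3 and above default, per the article
SUSPECT_UUE_LINES = 5      # assumed threshold for this example only
KNOWN_CTE = {"7bit", "8bit", "binary", "quoted-printable", "base64"}  # RFC 2045
UUE_BODY_LINE = re.compile(rb"M[ -`]{60}")   # a full 45-byte uuencoded line
BAD_FILENAME_CHARS = set('?*:"<>|/\\')       # characters Windows cannot store


def split_raw(raw: bytes):
    """Split a raw message at the first blank line (CRLF or LF)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return (raw, b"") if m is None else (raw[:m.start()], raw[m.end():])


def encrypted_zip_entries(data: bytes) -> int:
    """Count zip local-file headers whose 'encrypted' flag (bit 0) is set."""
    count, off = 0, data.find(b"PK\x03\x04")
    while off != -1 and off + 8 <= len(data):
        flags = struct.unpack_from("<H", data, off + 6)[0]
        count += flags & 1
        off = data.find(b"PK\x03\x04", off + 4)
    return count


def triage(raw: bytes) -> list:
    """Return the deadletter conditions a raw message would trigger."""
    reasons = []
    header, body = split_raw(raw)

    # "Too many lines in the header" (MaxHeaderLines)
    n_header = len(header.splitlines())
    if n_header > MAX_HEADER_LINES:
        reasons.append(f"Too many lines in the header ({n_header})")

    # "UUE fragments detected": uuencode-looking lines with no 'begin' header
    uue = sum(1 for ln in body.splitlines() if UUE_BODY_LINE.fullmatch(ln))
    if uue >= SUSPECT_UUE_LINES and not re.search(rb"^begin [0-7]{3,4} ", body, re.M):
        reasons.append(f"UUE fragments detected ({uue} lines)")

    for part in BytesParser().parsebytes(raw).walk():
        # "Unknown Content-Transfer-Encoding", e.g. 'quoted -printable'
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte not in KNOWN_CTE:
            reasons.append(f"Unknown Content-Transfer-Encoding: {cte!r}")
        # "Too many lines before boundary": the declared boundary never appears
        if part.get_content_maintype() == "multipart":
            boundary = part.get_boundary()
            if not boundary:
                reasons.append("multipart part without a boundary parameter")
            elif b"--" + boundary.encode() not in body:
                reasons.append(f"boundary {boundary!r} not found in body")
        # "Unable to create a unique name": odd characters in the filename
        name = part.get_filename()
        if name and BAD_FILENAME_CHARS & set(name):
            reasons.append(f"non-standard characters in attachment name {name!r}")
        # "Timed out waiting for unzip": password-protected zip attachment
        payload = part.get_payload(decode=True)
        if payload and encrypted_zip_entries(payload):
            reasons.append("password-protected zip attachment")
    return reasons


# Constructed sample messages (not real deadletters), one per check.
_ZIP_ENCRYPTED = (b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 18
                  + b"\x0a\x00\x00\x00" + b"secret.txt")   # flags = 0x0001
SAMPLES = {
    "bad_cte": (b"From: a@example.test\r\nContent-Type: text/plain\r\n"
                b"Content-Transfer-Encoding: quoted -printable\r\n\r\nHello=20world\r\n"),
    "big_header": b"From: a@example.test\r\n" + b"X-Hop: 1\r\n" * 2500 + b"\r\nhi\r\n",
    "no_boundary": (b"From: a@example.test\r\n"
                    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
                    b"this body carries no marker at all\r\n"),
    "uue_fragments": b"From: a@example.test\r\n\r\n" + (b"M" + b"A" * 60 + b"\r\n") * 6,
    "bad_filename": (b"From: a@example.test\r\nContent-Type: text/plain\r\n"
                     b'Content-Disposition: attachment; filename="report?.txt"\r\n\r\nHello\r\n'),
    "encrypted_zip": (b"From: a@example.test\r\n"
                      b'Content-Type: multipart/mixed; boundary="B1"\r\n\r\n'
                      b"--B1\r\nContent-Type: application/zip\r\n"
                      b"Content-Transfer-Encoding: base64\r\n"
                      b'Content-Disposition: attachment; filename="secret.zip"\r\n\r\n'
                      + base64.b64encode(_ZIP_ENCRYPTED) + b"\r\n--B1--\r\n"),
    "clean": (b"From: a@example.test\r\nContent-Type: text/plain\r\n"
              b"Content-Transfer-Encoding: 7bit\r\n\r\nHello\r\n"),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # triage a real .mml file
        print(triage(open(sys.argv[1], "rb").read()))
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {triage(raw)}")
```

Run it with the path of a file from the Malformed or MalformedMime folder to see which condition it trips; a message that trips only the header line limit or the UUE check is the kind the Registry settings below are meant for, whereas an encrypted zip or an unknown transfer encoding means the content was never scanned and the decision to pass it through is a risk decision, not a formatting one.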

Registry/Advanced Setting changes

To apply the Registry or Advanced Setting changes mentioned above:
  1. On the Array Manager, edit the Registry (10.X: use Advanced Settings in the Management Console)
  2. Navigate to the SEG Engine key:
    • In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine
    • 10.X: value names have the prefix Engine. (Engine dot).
    • For full details of the location for each product version, see article Q10832.
  3. For Too many lines in the header:
    • Add a DWORD (integer) value named "MaxHeaderLines" and enter the number of lines you want to allow in the header.
      • The default value for SEG 7.3 and above is 2500 (decimal).
      • The default value for other versions is 500 (decimal).
    • This fix does not apply to MailMarshal ECM 7.1.5 and above because header lines are not checked or limited in this product version.
  4. For UUE fragments:
    • Add a DWORD (integer) value named "SuspectUUELines" and enter the number of lines. You can disable the check completely by entering a very high value such as 10000 decimal.
  5. Commit configuration and then restart the Engine service on all nodes.

Notes

Also see Trustwave Knowledge Base article Q10533: How do I verify that the archive is corrupt if SEG or ECM fails to unpack an archive attachment?

This article was previously published as:
NETIQKB29051
Marshal KB56

Related Articles