Email with unmatched boundary could contain unscanned content


This article applies to:

  • Trustwave MailMarshal (SEG) 6.4 and above 
  • Note that default behavior is changed in version 7.0 and above.

Symptoms:

  • Multipart message with boundary defined in header, not used correctly in the message body
  • In versions prior to 7.0, if the message is not deadlettered for "Too many Lines ..." then the message is not unpacked and the message body content is not available for content analysis
  • This issue is most likely to occur in versions prior to 7.0, if the MaxPreBoundaryLines value was increased from the default (see article Q10846).

Information:

MailMarshal SMTP 6.9 and below

If a message is malformed as described in the symptoms section, MailMarshal cannot unpack or scan the body part, but does not deadletter the message. This issue is more likely to occur when the MaxPreBoundaryLines value has been changed to avoid deadlettering of other malformed messages. There is a small risk that content could pass through MailMarshal and be displayed in an email client. It is unlikely that this content could be treated as an attachment.

MailMarshal SMTP/SEG 7.0 and above

If a message is malformed as described in the symptoms section, MailMarshal treats the affected content as text. This content is scanned in the same way as any other text content unpacked from the message. You can still choose to apply the registry entry described below, if you wish to deadletter the affected messages.

Available setting to deadletter affected messages

In MailMarshal versions 6.4 and above, you can choose to deadletter messages with "unmatched header boundary" by setting a value in the Registry. Be aware that this setting might also cause legitimate messages to be deadlettered.

Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Trustwave cannot guarantee that problems resulting from the incorrect use of Registry Editor can be resolved. Make sure that you back up your Registry prior to making any changes.

  1. On the Array Manager, edit the Registry (10.X: use Advanced Settings in the Management Console)
  2. Navigate to the SEG Engine key:
    • In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\Engine
    • 10.X: value names have the prefix Engine. (Engine dot).
    • For full details of the location for each product version, see article Q10832.
  3. Add the following registry DWORD value:

    IgnoreUnmatchedHeaderBoundary

  4. Set the data value to 0.
  5. Commit configuration changes.
     
  6. Restart the MailMarshal Engine service on each email processing server.

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle11976.aspx