2
UTF-encoded header not being decoded properly
Problem reported by Dave Lerner - March 15, 2016 at 1:32 PM
Submitted
I have an odd issue with our Smartermail (14.4.5801) server. We get some emails that have headers like:
 
Return-Path: <>
Received: from filter.wyomingnetwork.com (filter.wyomingnetwork.com [184.154.72.85]) by mail.lonetree.net with SMTP;
Fri, 4 Mar 2016 03:00:37 -0700
Received: from localhost (localhost [127.0.0.1])
by filter.wyomingnetwork.com (Postfix) with ESMTP id 78997160B1A
for <somelocaluser@ourdomain.com>; Fri, 4 Mar 2016 03:00:35 -0700 (MST)
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_709eabfc2e0d3dd36d5f0ed59dbed3fc"
From: =?UTF-8?B?V3lvbWluZ05ldHdvcms=?= <root@wyomingnetwork.com>
Subject: =?UTF-8?B?TWFpbCBGaWx0ZXIgUXVhcmFudGluZSBSZXBvcnQ=?=

I've omitted irrelevant lines for brevity. Take a look at the From an Subject lines; the "Name" is UTF-8 encoded. We get the emails just fine, and the proper names and addresses show up in our email clients. The issue is how these messages show up in the SMTP logs:
 
[2016.03.03] 03:00:33 [184.154.72.85][19483085] connected at 3/3/2016 3:00:33 AM
[2016.03.03] 03:00:33 [184.154.72.85][19483085] IP in whitelist
[2016.03.03] 03:00:33 [184.154.72.85][19483085] IP in authentication bypass
[2016.03.03] 03:00:33 [184.154.72.85][19483085] cmd: EHLO filter.wyomingnetwork.com
[2016.03.03] 03:00:33 [184.154.72.85][19483085] rsp: 250-mail.lonetree.net Hello [184.154.72.85]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2016.03.03] 03:00:33 [184.154.72.85][19483085] cmd: MAIL FROM:<> SIZE=82387
[2016.03.03] 03:00:33 [184.154.72.85][19483085] rsp: 250 OK <> Sender ok

This is from a mail filtering appliance so that's why its in the whitelist, btw. In any case, look at the last two lines; the MAIL FROM is blank. It seems the Smartermail and/or logger facility cannot, or does not, decode that email address at all. This makes it very difficult for us to search the logs for these mails when we get customer inquiries. Do you know if this is a bug or oversight?
 
Any input you guys might have would be appreciated!
Thanks,
Steve.

Reply to Thread