Question
I see an "X-Defects" header added to a number of messages passing through the GMS server. What do these headers mean?
Answer
These headers relate to the Message Quality feature within GMS Anti-Spam. The headers are added to all messages but they are only acted on if the check has actually been enabled.
If you enable any of the Message Quality features the settings for these are held in the system variable "messagequalitymask". Any messages containing items that are enabled will be rejected by the server. The messagequalitymask variable uses the same values as outlined below for the X-Defects header.
The figure you see in the header is a bitmask, with each bit indicating a different issue with the message. In order to see which bits are and aren’t set for a particular message you need to take the number in the header, which is in hex, and convert it to binary form. Each bit in the binary number then relates to the relevant bit in the following table.
Bit | Meaning |
00 | Message lines not terminated by CRLF |
01 | Message line length exceeds RFC2822 limits |
02 | Attachment name is too long |
03 | Suspicious attachment name |
04 | CLSID in attachment name |
05 | UUEncode begin in subject |
06 | UUEncode begin incomplete |
07 | UUEncode data with blank lines |
08 | UUEncode data with spaces |
09 | UUEncode data line too long |
10 | UUEncode data invalid |
11 | UUEncode data invalid decode |
12 | Base64 encoding of inline text |
13 | Base64 data invalid |
14 | Base64 data invalid length |
15 | Base64 data has leading = signs |
16 | Base64 data has too many = signs |
17 | Base64 data after end of decode |
18 | Base64 data line too long |
19 | Binhex data in text section |
20 | Binhex data invalid |
21 | MIME no final boundary |
22 | 8 bit characters in header field |
23 | MIME partial message fragment |
24 | MIME invalid fieldname format |
25 | MIME invalid message/rfc822 content type |
26 | MIME comment detected |
27 | MIME section in prolog or epilog |
28 | HTML component has IFrame entities |
29 | HTML component uses CID to load file |
30 | HTML component has Object entities |
31 | Suspicious header field |
32 | URL has IP not hostname |
33 | Message does not have required RFC822 headers |
34 | Attachment is empty |
35 | MIME Boundary is empty |
36 | MIME no start boundary |
37 | URL has been obfuscated |
38 | Message has no body |
39 | HTML has unnecessary encodings |
40 | MIME invalid content transfer encoding |
41 | MIME contains duplicate headers |
42 | MIME invalid RFC2047 encoding |
43 | MIME contains RFC2231 encodings |
44 | Message and MIME header lines contain invalid folding |
45 | Quoted Printable encoding of binary data |
The online help page for Message Quality has a full explanation of each of the above meanings.
Note: The calculator included in each copy of Windows is useful for converting the numbers between hex and binary. In scientific view, select the "Hex" option, enter the number and then select the "Bin" option. The number will now be displayed in binary format.
The number should be read from right to left with the first digit representing bit 0, the second bit 1 and so on.
See Also:
Keywords:X-Defects defects message quality suspicious