Microsoft KB Archive/926347

From BetaArchive Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Knowledge Base


The parsing of the "From:" header or of the "body From" header does not function as expected on an Exchange 2003 server

Article ID: 926347

Article Last Modified on 10/25/2007



APPLIES TO

  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition



SYMPTOMS

The parsing of the Request for Comments (RFC) 2822 standard "From:" header or of the "body From" header does not function as expected on a server that is running Microsoft Exchange Server 2003. Specifically, certain spam messages contain a "From:" header that resembles the following:

From: "A User" <a_user@somespammer.com> {set: debug=51}


This header can be broken down into the following component parts:

Display: "A User"
Route: a_user@somespammer.com
Junk: {set: debug=51}


Additionally, the following event is logged on the Exchange 2003 server: Event Type: Error
Event Source: MSExchangeTransport
Event Category: NDR
Event ID: 3008
Description: A non-delivery report with a status code of 5.0.0 was generated for recipient rfc822;innocent_bystander@somespammer.com (Message-ID <spam@somespammer.com>).
Cause: This indicates a permanent failure. Possible causes : 1)No route is defined for a given address space. For example, an SMTP connector is configured, but this recipient address does not match the address spaces for which it routes mail. 2)Domain Name Server (DNS) returned an authoritative host not found for the domain. 3)The routing group does not have a connector defined û mail from one server in the routing group has no way to get to another routing group.
Solution: Verify that this error is not caused by a DNS lookup problem, and then check the address spaces configured on your STMP connectors. If you are delivering Internet mail through an SMTP connector, consider adding an address space of type SMTP with value ô*ö (an asterisk) to one of the SMTP connectors to make routing possible. Verify all routing groups are connected to each other through a routing group connector or another connector.
For more information, see Help and Support Center at <http://go.microsoft.com/fwlink/events.asp>.

If Transport logging or Store Driver logging is turned up, the following event is logged: Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 327
Description: The following call : EcSetFileHandleProp to the store failed. Error code : -2147221221 (Message will be NDR'd). MDB : 712e4c21-6395-4a9f-921a-2725b2e156e1. FID : . MID : . File : C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_7ace8d5401c6dcdf00001429.EML.


CAUSE

This problem occurs because the "From:" header is translated into MAPI properties and then stored in the e-mail messages during content conversion. This translation returns a MAPI_E_CORRUPT_DATA error. Additionally, the translation generates a 5.0.0 non-delivery report (NDR).

Note Legitimate e-mail messages may also contain similarly malformed "From:" headers.

WORKAROUND

To work around this problem, use a content scanner or a spam filter to prevent spam messages from entering the Exchange Server environment.

MORE INFORMATION

Error code -2147221221 is equivalent to the MAPI_E_CORRUPT_DATA error. Although these events are logged, performance is not severely affected. Based on the volume of messages that enter the Exchange Server environment, event log data may be overwritten.

Keywords: kbtshoot kbexchstore kbexpertiseinter kbprb KB926347