For any messages that trigger the suspicious message structure check, the email is held in the Administrator Hold Queue. Additionally, an email notification is sent to the intended recipient of the email. For example:
This is a content alert notification message.
The message indicated below is badly structured and could not be fully examined.
These notifications can be customized to include customer-specific details (e.g. Helpdesk telephone number for releasing held emails).
Below are some of the reasons for emails being placed in the Hold Queue because of "Suspicious Message Structure":
- Incorrect encoding of message: An example of this would be if Mimecast has received a message that has been encoded by a system in a binary format. This can result in a corrupt email, a corrupt mail folder or mail program. It’s unlikely that the file will even be usable, and the sender should try to send the message again. For more details, see the MSDN website.
- Mail format that should not be sent over the internet: An example of this could be a message that has a WINMAIL.DAT attachment with a number of formatting irregularities. This format is only supported by Microsoft Exchange, as the .DAT file contains formatting components for a specific email client application. The sending server should not allow messages with this formatting to traverse the internet, as not all mail servers can interpret the file. To work around the above issue, Microsoft has recommended the following actions:
Emails that are placed in the Hold Queue and subsequently determined to be safe can only be released by an Administrator (these emails cannot be viewed in the end user's Hold Queue). Once released, the email will be delivered to the recipient.
- If the sending party cannot resolve the issue on their end, Administrators can prevent these messages from being placed On Hold by configuring a Message Passthrough Policy. This Policy should typically only be created after testing with Mimecast Support has been completed.
- Suspected Malware Detection interrogates emails with .ZIP file attachments for certain file types (e.g. .EXE, .MSI). If any are detected, a notification is sent to the intended recipient and the email is placed in the Administrator Hold Queue. This detection works independently of any Attachment Management policy configured for your account, and ensures comprehensive protection for all Mimecast customers regardless of their individual settings.
A Suspicious Malware Bypass policy can be used to bypass these checks. For example, if your organization is developing software with an external vendor, and is using .EXE files for updates, these files may be held by Mimecast. The policy will allow the files to be delivered to the internal user, instead of applying a Hold action.
Mimecast advises using this policy with caution, as it could allow a new virus outbreak to go undetected whilst signatures are being updated. It may also negate the Mimecast Virus Service Level Agreement.
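Before requesting a bypass policy, an administrator can check a saved message for the attachment conditions described above (a WINMAIL.DAT attachment, or a .ZIP containing .EXE or .MSI files). The following is an added example, not Mimecast's own detection logic; the function names, the extension list (limited to the two types the page names) and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: only the two file types named on the page; the full list is not given.
FLAGGED_EXTENSIONS = (".exe", ".msi")


def inspect_message(raw: bytes) -> list[str]:
    """Return one finding per attachment condition likely to cause a hold."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        # TNEF (WINMAIL.DAT) is an Exchange-specific format.
        if name == "winmail.dat" or ctype == "application/ms-tnef":
            findings.append(f"TNEF attachment: {name or ctype}")
            continue
        if not (name.endswith(".zip") or ctype == "application/zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if member.lower().endswith(FLAGGED_EXTENSIONS):
                        findings.append(f"{name}: contains {member}")
        except zipfile.BadZipFile:
            # An unreadable archive cannot be examined, so report it as well.
            findings.append(f"{name}: archive could not be read")
    return findings


def build_sample() -> bytes:
    """Constructed message: one ZIP holding an .EXE entry, one truncated ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("update/setup.EXE", b"constructed placeholder bytes")
        archive.writestr("readme.txt", b"release notes")
    msg = EmailMessage()
    msg["From"], msg["To"] = "vendor@example.com", "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="update.zip")
    msg.add_attachment(b"PK\x03\x04 truncated", maintype="application", subtype="zip", filename="broken.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("\n".join(inspect_message(build_sample())))
```

To check a real message, pass the bytes of a saved .eml file to `inspect_message`.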