The ‘Illegal Mime Header’ Feature – what you need to know

‘Illegal Mime Header’ is an important feature in Antigen/Forefront. This blog entry describes the expected functionality of this feature from the Antigen 9 for Exchange/SMTP with SP1 and Forefront for Exchange RTM (SP0) releases.

The ‘Illegal Mime Header’ feature is basically a check on the internet headers of the SMTP message to confirm that they are consistent with the current RFC specifications. Without this check, Antigen/Forefront might not be able to correctly scan the message, which would in turn expose a security risk.

The introduction of this check allows Antigen/Forefront to either a) confirm conformity with the current RFC specificationsand let the message be scanned, or b) confirm that the message headers do not meet the current RFC specifications (the default action in this scenario would be to delete the message in question). Despite the name, this applies to all internet headers (not just MIME headers).


Setting-up the ‘Illegal MIME Header Action’ in Antigen/Forefront

You can change the ‘Illegal MIME Header Action’ in the SETTINGSàGeneral Options panel of the Antigen/Forefront Administrator console:




The default setting, ‘Purge’, will make Antigen/Forefront delete the entire message, if an illegal internet header is detected. The other possibility here is to ‘Ignore’ the detection, meaning that the message will be subjected to further scanning and may then reach the end user. We recommend that you stick with the default ‘Purge’ action, unless you have a good business reason to ‘Ignore’ . Consult Microsoft CSS (Customer Service and Support), if you are in any doubt.

Note that this option only affects SMTP level traffic (on your Internet/SMTP/Transport scanjob), as this is the only scanjob where internet headers are present in a message.


Duplicate/Multiple/Repeat Internet Headers

One common occurrence that we see from customer is a duplicate internet header of some kind. If the repeated header is identical to the first one, Antigen/Forefront will not return ‘IllegalMimeHeader’. If the repeated header is in any way different to the first one, alarm bells ring and Antigen/Forefront will purge the message (assuming that the action is set to ‘Purge’ in the General Options panel).


RFCs provide many important industry-wide standards and guidelines, but they do not (completely) dictate how a mail application reads a mail. In the case of duplicate or multiple headers, RFC822 (section 4.1, ‘Syntax’) notes that:


This specification permits multiple occurrences of most fields. Except as noted, their interpretation is not specified here, and their use is discouraged.


There is therefore no RFC standard to determine which duplicate header the mail application should accept and which should be ignored. Here is a header extract from a sample mail:



From: “A N Other” <>

Subject: Click on the attachment for fun fun fun!!

Message-ID: <yyhh339c2fgl2a602c6109f22f6516@/ >

Content-Type: text/plain; charset=”utf-8″


MIME-Version: 1.0

Content-Transfer-Encoding: 8Bit

Content-Type: multipart/alternative;



We can see that the ‘Content-Type’ header has been repeated, but that the two lines are not identical. This poses a potential security risk, as an AV product may take header instance #1 and scan it as clean, but the end user’s mail client may read header instance #2 and interpret the contents in a different way. This could possibly expose malicious content in the mail (e.g. a virus).


Antigen/Forefront will detect a non-identical repeat header as an ‘Illegal Mime Header’ in this instance, so that there is no threat to the end user.


Reporting a false-positive Illegal Mime Header detection

Microsoft CSS (Customer Service and Support) can investigate any perceived false-positive detection on an individual case basis (but this may be at cost to you, if the detection is deemed valid). It is worth checking RFC basics before you open a support case with us, however. Look for repeat header entries (as explained above) and also consider using the Internet Engineering Task Force’s RFC822/MIME checker: Message Lint. This tool allows you to enter the whole message header and will return any errors and warnings found by comparing them to the relevant RFCs. Watch out for “ERROR: missing mandatory header” and “WARNING: duplicate header” entries in particular, which will usually flag the reason why Antigen/Forefront is detecting the mail as ‘IllegalMimeHeader’.




Andy Day

Microsoft CSS (Customer Service and Support)

Comments (2)

  1. Berci says:

    MessageLint has moved to this page:…/msglint



  2. nice blog says:

    Showbox apk download strategy is suitable for all Smartphone brands like Sony, HTC, Samsung, Lenovo and Asus and so on. Showbox App is for these mobiles, as well as works for all Android based telephones. This instructional exercise is about, how to download
    Showbox apk record for your Android.

    Showbox App takes a shot at Laptop too. Yes, this (Showbox.apk) document additionally underpins your PC by the utilization of an emulator. I’ll post an alternate instructional exercise for that also, yet for the time being this is for the people who are having
    Smartphones. Here is a brief introduction with respect to Showbox application.

    Showbox is not a standard Android application, it’s a stunning wellspring of stimulation. This announcement is given by me, as well as the general population who are utilizing it. It gives heaps of TV appears and motion pictures to watch at no expense.

    Such a variety of variants were discharged in 2015 and first and foremost of 2016, a large portion of them are working great. Showbox 4.27 apk is one among them and the most recent variant is likewise profit here. Be that as it may, you can watch them in three
    distinct routes as indicated by clarity. They are Low, Medium and High qualities. Take after the strides orchestrated underneath to introduce the application.