Header and body flags that indicate PGP encrypted email for SPAM filter and mail server configuration
Article ID: 150133
Updated On:
Products
Issue/Introduction
This article will describe the headers that PGP encryption uses for the different encoding methods: PGP MIME, PGP Partitioned and EML.
For information on how to configure mail policies for the Symantec Encryption Management Server, see the following article:
Resolution
SPAM filter and mail server flags to detect the presence of PGP encrypted emails sent by Symantec Encryption Management Server (Formerly PGP Universal Server) and Symantec Encryption Desktop (Formerly PGP Desktop):
From the "Content-Type" header of the encrypted email message:
MIME encrypted email:
- multipart/Encrypted
- multipart/Signed
- application/pkcs7-mime
- application/pkcs7-signature
- application/x-pkcs7-signature
- application/x-pkcs7-mime
PGP encrypted messages:
- X-PGP-Encoding-Format
- X-PGP-Encoding-Version
Important Note: In some situations, an email with attachments may show a content type of "multipart/mixed", and this denotes one or more attachments are embedded on an email. One of these such attachments could be encrypted, however, if you are looking only at the above header content type values, you may miss the message. As a result, please ensure you can parse these "multipart/mixed" messages, because other attachment types may be included, such as "Content-Type: Application/pkcs7-mime".
The list above is not an exhaustive list, but provides most of the scenarios for encryption or signing.
From the body of the encrypted email message:
- "Begin PGP Message" will be present in the body of PGP encrypted emails such as the following example:
-----BEGIN PGP MESSAGE-----
Version: Encryption Desktop 10.5.0 (Build 1180)
Charset: utf-8qANQR1DBwEwDLuPpsaG3WhIBCACroez6eJgYyTZBfed44P4bfEWPR2rdghtFYzgi
bjUyGRQzn9xMzcOIG0Bik/23rm5iXLa01cbrwUU9OBYnKTVDAYgwXQF5WRGnj6mV
Rze3EEWON9Jfz3ZWqyh3c/UL+e+pbifjE/F/XAp1Ns25yQOKXE06sS9XoJpbbMXG
q072HrjUNRcvgAg50zGqMKIemCBwYK3D8jBGEL3OA97mnCs8M/xSVcxDM6SEAUb6
4GVTOnw28t4lZ2VwF4A9oxrcryDIfOmVDuNwUiy5GGA1XqBSTb3VHZ9Q85dt/XSz
lnyQYpJWKpLBzgUyO7l541J1UP3XKm3bTMCdzverJePlWU4Y0kkBf8kETdJIFaf/
1IQOsZVCPmUITES5UeVLPgQXKEVa7EEVZkvP7E+6KDtAm+IzGiY8avARFeAbQji3
AwMkzC0P5BLIi1luKqNn
=vgmS
-----END PGP MESSAGE-----
Also, if Symantec Encryption Management Server has been deployed into the mailstream (Gateway mode), when it processes messages, it will add headers to the email:
X-PGP-Universal: processed - This doesn't mean the message was necessarily an encrypted message, but that it processed the message. You will need to test this in your scenarios to see when to review this header into your header-evaluation logic.
X-PGP-Universal-Decrypted: TRUE - This header means the message was decrypted. As such, for message integrity, do not attempt to modify these files, as doing so will break the signature verification process.
The following are some examples of how the headers may appear on emails in their particular encoding:
PGP MIME Encoding example:
X-PGP-Universal: processed;
X-PGP-Encoding-Format: MIME
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/encrypted;
boundary="PGP_Universal_08189068_0E0D0370_82C5016E_197E5405";
protocol="application/pgp-encrypted"
PGP Partitioned example:
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Type: text/html
Content-Type: application/octet-stream; name="PGPexch.htm.pgp"
Content-Transfer-Encoding: base64
PGP EML Encoding example:
X-PGP-Encoding-Format: EML
X-PGP-Encoding-Version: 2.0.2
Content-Type: application/octet-stream; name=Message.pgp
Content-Disposition: attachment; filename=Message.pgp
X-Content-PGP-Universal-Saved-Content-Type: message/rfc822; name=Message.eml
Note: For more information on encoding methods, see article 203838.
Additional Information
Feedback
