[logback-user] SMTPAppender with Amazon SES

Abraham Lin abraham.lin at post.harvard.edu
Tue May 14 02:41:38 CEST 2013


It's most likely coming from a stack trace generated by your application.
The JavaMail API is vulnerable to header injection via the Subject header,
and you're probably seeing that phenomenon (though by accident).

For my own application, I wrote a subclass of SMTPAppender that truncates
the Subject header at the first EOL character, which prevents this issue
from occurring.


On Mon, May 13, 2013 at 8:20 PM, Jason Bennett <jasonab at acm.org> wrote:

>
> I'm using Amazon SES with SSL to send emails via Logback's SMTPAppender.
> It usually works, but sometimes I receive the following error:
>
> 0:01:51,863 |-ERROR in ch.qos.logback.classic.net.SMTPAppender[EMAIL] -
> Error occurred while sending e-mail notification.
> com.sun.mail.smtp.SMTPSendFailedException: 554 Transaction failed: Illegal
> header 'Caused by'.
>
>         at com.sun.mail.smtp.SMTPSendFailedException: 554 Transaction
> failed: Illegal header 'Caused by'.
>
>         at      at
> com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2114)
>         at      at
> com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:1900)
>         at      at
> com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1122)
>         at      at javax.mail.Transport.send0(Transport.java:195)
>         at      at javax.mail.Transport.send(Transport.java:124)
>         at      at
> ch.qos.logback.core.net.SMTPAppenderBase.sendBuffer(SMTPAppenderBase.java:395)
>         at      at
> ch.qos.logback.core.net.SMTPAppenderBase$SenderRunnable.run(SMTPAppenderBase.java:690)
>         at      at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
>         at      at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at      at java.lang.Thread.run(Thread.java:679)
>
>
> I'm aware that Amazon only allows emails with legal headers through SES,
> but I have no idea where Amazon is getting this header from. Has anyone
> else seen this?
>
> jason
>
>
> --
> Jason Bennett, jasonab at acm.org
> E pur si muove!
> Get Firefox! - http://getfirefox.com
>
>
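A sketch of the kind of SMTPAppender subclass the reply above describes, cutting the rendered subject at the first EOL character. This is an added example, not Abraham Lin's code and not part of logback. The class name SingleLineSubjectSMTPAppender and the helper firstLine are hypothetical, and it assumes the logback version in use builds its subject through the protected makeSubjectLayout(String) hook.

```java
import ch.qos.logback.classic.net.SMTPAppender;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.Layout;
import ch.qos.logback.core.LayoutBase;

// Hypothetical class name; used in place of SMTPAppender in the configuration.
public class SingleLineSubjectSMTPAppender extends SMTPAppender {

    // Wrap the subject layout built by the parent so every rendered
    // subject is cut at its first CR or LF before JavaMail sees it.
    @Override
    protected Layout<ILoggingEvent> makeSubjectLayout(String subjectStr) {
        final Layout<ILoggingEvent> delegate = super.makeSubjectLayout(subjectStr);
        LayoutBase<ILoggingEvent> singleLine = new LayoutBase<ILoggingEvent>() {
            @Override
            public String doLayout(ILoggingEvent event) {
                return firstLine(delegate.doLayout(event));
            }
        };
        singleLine.setContext(getContext());
        singleLine.start();
        return singleLine;
    }

    // Returns the text before the first end-of-line character (hypothetical helper).
    static String firstLine(String s) {
        if (s == null) {
            return "";
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n') {
                return s.substring(0, i);
            }
        }
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample: a log message carrying an embedded stack trace.
        String rendered = "Request failed: java.lang.IllegalStateException: boom\n"
                + "Caused by: java.io.IOException: connection reset";
        System.out.println("Subject: " + firstLine(rendered));
    }
}
```

Without the truncation, the second line of the constructed sample would follow the Subject line in the header block, where a receiving server reads "Caused by" as a header name.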