In Progress CPANEL-39708 - Bounced DMARC Reports

celiac101

Well-Known Member
Dec 19, 2012
139
5
68
cPanel Access Level
Website Owner
I use my server to send out our site's weekly eNewsletter to over 100K opt in subscribers. All my SPF and DMARC records are set correctly, however in my mail queue I see lots of bounces from different email servers with this message:

FROM: [email protected]west-2.amazonses.com
cancelled by system filter: This message has been rejected because it has\na potentially executable attachment amazonses.com!mydomain.com!1664841600!1664928000.xml.gz\nThis form of attachment has been used by\nrecent viruses or other malware.\nIf you meant to send this file then please\npackage it up as a zip file and resend it.

So what appears to be happening is that my server is sending out DMARC reports to other mail servers with the DMARC report as an attachment, but they are being rejected by many servers because they may have a virus in them.

If this is happening, what is the solution? I thought DMARC was the standard that everyone was using, and that those using it are supposed to be sending out AND ACCEPTING such reports?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,498
1,970
363
cPanel Access Level
Root Administrator
Here's the most recent reply to that ticket:

Code:
These messages are being sent to your [email protected] from remote services such as Amazon and Yahoo, which appears to be bouncing these emails due to the DMARC record on the domain domain.com.  The original message that you tried to send is being attached to the message, and it is this attachment from these remote servers that is triggering the System Filter at this time.  This is due to the file name having domain names inside such as "amazonses.com", and "domain.com". 
 
These are not outbound messages from your server, but inbound messages that your server is rejecting due to the filename of the attached file. I understand you are receiving similar bouncebacks from other sources, however, these other sources are using a different filename for these return messages so they are being accepted.
 
This still applies the same case of CPANEL-39708, as the same filter is catching these messages at this time.  Unfortunately, as you are not directly sending these messages, you are not able to change the file name of these attachments and thus they will continue to be rejected.  We currently do not have a workaround for this at this time.
Here is the public article related to this case:


I've left a comment on the case to let the developers know this is still affecting users as this is an older case, so if I hear any updates I'll be sure to share them.
 

celiac101

So I suppose what is happening is that there could be malicious users using my domain to send email, and these other servers are properly reading my DMARC setting and rejecting them, and then they are sending me a g-zipped report in an attachment, which my server is then rejecting based on the attachment settings.

In this case it seems like my server is therefore becoming a burden on these other major mail servers, as the emails are hung up and rejected by my server.

I can't think of an easy solution to this issue, but it is clear that using DMARC, which is necessary in my case for good deliverability, has its own set of issues that are created.
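
Added example, not part of the thread and not cPanel's code: the attachment name in the bounce follows the DMARC aggregate report naming from RFC 7489 (section 7.2.1.1), so a filter can recognise it before applying an extension check. The `RISKY` extension list and the `NAIVE`/`FINAL` patterns are hypothetical illustrations of a match anywhere in the name versus a match on the last extension only.

```python
import re
from datetime import datetime, timezone

# Aggregate report filename layout from RFC 7489, section 7.2.1.1:
#   receiver "!" policy-domain "!" begin "!" end [ "!" unique-id ] "." extension
REPORT_NAME = re.compile(
    r"^(?P<receiver>[A-Za-z0-9.-]+)!(?P<policy_domain>[A-Za-z0-9.-]+)"
    r"!(?P<begin>\d{1,10})!(?P<end>\d{1,10})(?:!(?P<unique_id>[A-Za-z0-9]+))?"
    r"\.(?:xml\.gz|xml)$"
)
# Hypothetical extension list; not the list cPanel's system filter uses.
RISKY = r"\.(?:com|exe|bat|pif|scr)"
NAIVE = re.compile(RISKY + r"(?![A-Za-z0-9])", re.I)  # matches anywhere in the name
FINAL = re.compile(RISKY + r"$", re.I)                # matches only the last extension


def parse_report_name(name):
    """Return the report fields, or None if the name is not a DMARC report name."""
    m = REPORT_NAME.match(name)
    if not m:
        return None
    begin, end = int(m["begin"]), int(m["end"])
    if begin >= end:  # a report window must run forward in time
        return None
    utc = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"receiver": m["receiver"].lower(),
            "policy_domain": m["policy_domain"].lower(),
            "begin": utc(begin), "end": utc(end), "unique_id": m["unique_id"]}


def classify(name):
    """Label an attachment name: 'dmarc-report', 'blocked' or 'allowed'."""
    if parse_report_name(name):
        return "dmarc-report"
    return "blocked" if FINAL.search(name) else "allowed"


if __name__ == "__main__":
    samples = [
        "amazonses.com!mydomain.com!1664841600!1664928000.xml.gz",  # from the bounce above
        "invoice.pdf.exe",   # constructed sample
        "notes.com.txt",     # constructed sample
    ]
    for n in samples:
        print(f"{n!r}: naive={bool(NAIVE.search(n))} classify={classify(n)}")
```

The name only identifies the report format; the attachment content still needs its own checks.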