Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

Sat, 16 Feb 2008 13:51:27 -0800 

On Sat, Feb 16, 2008 at 11:31:05AM -0800, Christopher J Shaker wrote:
> You may all know about this, but it was new to me.
> 
> Found a persistent spammer was sending email to my domain without
> any score information from amavis-new.
> 
> After trying several possibilities, I finally realized that he was sending
> the email with a hand crafted 'X-Virus-Scanned' header that was identical
> to what my Amavis-new would have added.
> 
> That seems to bypass scanning with Amavis-new!

  I am pretty sure amavisd-new does *not* work this way.  It has an
implicit list of checks to run on each incoming mail, starting with
virus scanning, and works its way through them.  If it's working this
way for you, it may be the result of something funky in your Postfix
configuration which is bypassing the routing through amavisd if it sees
that header.

  How are you selecting the Postfix routing to content filtering?  In
main.cf, in master.cf, or otherwise?

> I've temporarily added a filter to my postfix header_checks file to reject
> messages coming into my server that already have the X-Virus-Scanned
> header added to them. This is not a good solution, because it also blocks
> my outgoing email.

  A much better interim measure would be to strip the incoming headers,
by simply replacing that REJECT with IGNORE in the same header_checks
line.  It's not a bad idea anyway to strip spam scan headers which
could be mistaken for your own.

  -- Clifton

-- 
    Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Reply via email to