Justin Piszcz wrote on Tuesday, 26 May 2009:

> Package: amavisd-new
> Version: 2.6.2-2
> 
> I am running amavisd-new on Debian Testing and spotted this in the logs 
> the other day:
> 
> May 25 10:32:21 p34 postfix/smtpd[997]: connect from 
> mail.zepter.ro[212.146.103.126]
> May 25 10:32:30 p34 postfix/geoip[1001]: address[212.146.103.126] country[RO, 
> Romania] result[strictcheckslvl2] 
> May 25 10:32:32 p34 postfix/policyd-weight[23698]: weighted check:  
> NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 
> CL_IP_NE_HELO=1.5 (check from: .zepter. - helo: .zepter. - helo-domain: 
> .zepter.)  CL_HOSTNAME_MATCHES_FROM(DOMAIN)=-1.2; 
> <client=mail.zepter.ro[212.146.103.126]> <helo=zepter.ro> 
> <from=infobiopt...@zepter.ro> <to=jpis...@mydomain.com>; rate: -4.2 
> May 25 10:32:32 p34 postfix/policyd-weight[23698]: decided action=PREPEND 
> X-policyd-weight:  NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 
> NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 (check from: .zepter. - helo: .zepter. 
> - helo-domain: .zepter.)  CL_HOSTNAME_MATCHES_FROM(DOMAIN)=-1.2; rate: -4.2; 
> <client=mail.zepter.ro[212.146.103.126]> <helo=zepter.ro> 
> <from=infobiopt...@zepter.ro> <to=jpis...@mydomain.com>; delay: 1s 
> May 25 10:32:35 p34 grossd: #9360f950: a=trust d=242 w=0 c=212.146.103.126 
> s=infobiopt...@zepter.ro r=jpis...@mydomain.com h=zepter.ro
> May 25 10:32:35 p34 postfix/policy-spf[1003]: : SPF None (No applicable 
> sender policy available): Envelope-from: infobiopt...@zepter.ro 
> May 25 10:32:35 p34 postfix/policy-spf[1003]: handler 
> sender_policy_framework: is decisive. 
> May 25 10:32:35 p34 postfix/policy-spf[1003]: : Policy action=PREPEND 
> Received-SPF: none (zepter.ro: No applicable sender policy available) 
> receiver=my.internal.lan; identity=mfrom; 
> envelope-from="infobiopt...@zepter.ro"; helo=zepter.ro; 
> client-ip=212.146.103.126 
> May 25 10:32:35 p34 postfix/smtpd[997]: AC8134112: 
> client=mail.zepter.ro[212.146.103.126]
> May 25 10:32:36 p34 postfix/cleanup[1004]: AC8134112: 
> message-id=<200905251632.n4pgwrsp027...@zepter.ro>
> May 25 10:32:37 p34 postfix/qmgr[16923]: AC8134112: 
> from=<infobiopt...@zepter.ro>, size=160850, nrcpt=1 (queue active)
> May 25 10:32:37 p34 postfix/smtpd[1009]: connect from 
> localhost.localdomain[127.0.0.1]
> May 25 10:32:37 p34 postfix/smtpd[1009]: warning: Illegal address syntax from 
> localhost.localdomain[127.0.0.1] in MAIL command: postmas...@my.internal.lan
> May 25 10:32:37 p34 amavis[13688]: (13688-06) Negative SMTP resp. to DATA: 
> 403 4.5.1 Error: need RCPT command
> May 25 10:32:37 p34 postfix/smtpd[1009]: disconnect from 
> localhost.localdomain[127.0.0.1]
> May 25 10:32:37 p34 amavis[13688]: (13688-06) (!)SEND via SMTP: 
> postmas...@my.internal.lan -> 
> <postmas...@mydomain.com>,envid=am..20090525t1432...@my.internal.lan 401 
> 4.1.7 TempFailed, id=13688-06, from MTA([127.0.0.1]:10025): 401 4.1.7 Bad 
> sender address syntax
> May 25 10:32:37 p34 amavis[13688]: (13688-06) (!!)TROUBLE in check_mail: 
> quar+notif FAILED: temporarily unable to notify admin: 401 4.1.7 TempFailed, 
> id=13688-06, from MTA([127.0.0.1]:10025): 401 4.1.7 Bad sender address syntax 
> at /usr/sbin/amavisd-new line 12548.
> May 25 10:32:37 p34 amavis[13688]: (13688-06) (!)PRESERVING EVIDENCE in 
> /var/lib/amavis/tmp/amavis-20090524T224325-13688
> May 25 10:32:37 p34 postfix/lmtp[1005]: AC8134112: to=<jpis...@mydomain.com>, 
> relay=127.0.0.1[127.0.0.1]:10024, delay=16, delays=15/0/0/0.33, dsn=4.5.0, 
> status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in 
> processing, id=13688-06, quar+notif FAILED: temporarily unable to notify 
> admin: 401 4.1.7 TempFailed, id=13688-06, from MTA([127.0.0.1]:10025): 401 
> 4.1.7 Bad sender address syntax at /usr/sbin/amavisd-new line 12548. (in 
> reply to end of DATA command))
> May 25 10:32:50 p34 postfix/smtpd[997]: disconnect from 
> mail.zepter.ro[212.146.103.126]
> 
> I was able to raise the debug level to 5 and the sender tried again, so I 
> was able to capture all necessary information (hopefully) required:
> http://home.comcast.net/~jpiszcz/20090526/mail.log
> 
> As well as the EVIDENCE directory (this contains the attachment from the
> e-mail, which is Worm.Gibe.F):
> http://home.comcast.net/~jpiszcz/20090526/amavis-20090525T235848-16067.tar.gz
> 
> # file email.txt
> email.txt: ASCII mail text
> # file parts/*
> parts/p001: HTML document text
> parts/p002: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
> 
> # clamscan parts/p002
> parts/p002: Worm.Gibe.F FOUND
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 561692
> Engine version: 0.95.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.10 MB
> Data read: 0.10 MB (ratio 1.00:1)
> Time: 0.918 sec (0 m 0 s)
> 
> If anyone could shed some light on what is happening here with 
> amavisd-new, it would be much appreciated, thanks!
The "mail from" you send is broken: 
May 25 11:30:05 p34 amavis[6014]: (06014-01) smtp cmd> MAIL 
FROM:postmas...@p34.internal.lan envid=am..20090525t1530...@p34.internal.lan

There are missing <> around. Which is interesting, amavis normally adds them
for you. Do you have mailfrom_notify_* configured? If yes how does it look?

Alex
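As an added check (not code from the thread or from amavisd-new itself), the following Python audits amavis debug-log lines of the form shown above and flags any MAIL FROM whose reverse-path lacks the RFC 5321 angle brackets, which is what Postfix refuses with "Bad sender address syntax" when strict_rfc821_envelopes is enabled. The log lines, addresses and task ids below are constructed, and the function names are my own.

```python
import re

# Constructed sample lines modelled on the amavisd-new debug log in the thread
# (addresses and ids are made up; the first line reproduces the defect).
SAMPLE_LOG = """\
May 25 11:30:05 p34 amavis[6014]: (06014-01) smtp cmd> MAIL FROM:postmaster@p34.internal.lan envid=am..20090525t1530@p34.internal.lan
May 25 11:31:05 p34 amavis[6014]: (06014-02) smtp cmd> MAIL FROM:<postmaster@p34.internal.lan> ENVID=am..20090525t1531@p34.internal.lan
May 25 11:32:05 p34 amavis[6014]: (06014-03) smtp cmd> MAIL FROM:<> SIZE=1024
"""

# amavis logs the outgoing SMTP command after "smtp cmd> "; capture the task id too.
CMD_RE = re.compile(r"\((?P<id>[\d-]+)\) smtp cmd> MAIL FROM:(?P<arg>.*)$")
# RFC 5321 reverse-path: "<>" (null sender) or "<" local-part "@" domain ">".
PATH_RE = re.compile(r"^<(?:[^<>@\s]+@[^<>@\s]+)?>$")
# ESMTP parameters: keyword, optionally "=" value, no embedded spaces.
PARAM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*(?:=\S+)?$")


def check_mail_from(arg):
    """Validate the argument of a MAIL FROM command. Returns (ok, reason)."""
    path, _, params = arg.strip().partition(" ")
    if not (path.startswith("<") and path.endswith(">")):
        # This is the defect seen in the thread: Postfix answers
        # "Bad sender address syntax" when strict_rfc821_envelopes=yes.
        return False, "reverse-path not enclosed in <>"
    if not PATH_RE.match(path):
        return False, "malformed mailbox inside <>"
    for p in params.split():
        if not PARAM_RE.match(p):
            return False, "malformed ESMTP parameter: " + p
    return True, "ok"


def audit_amavis_log(text):
    """Return [(task_id, reason)] for every MAIL FROM that would be rejected."""
    findings = []
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            ok, reason = check_mail_from(m.group("arg"))
            if not ok:
                findings.append((m.group("id"), reason))
    return findings


if __name__ == "__main__":
    for task_id, reason in audit_amavis_log(SAMPLE_LOG):
        print("task %s: %s" % (task_id, reason))
```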

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 