Hi list,

today I discovered a mail that made it through Amavisd-new, even though the policy for this user clearly states that mail should be scanned. As the log files show, it was passed to SpamAssassin, but not to any virus scanner. ClamAV on this host (and on other hosts) recognizes this mail as spam.

Here are the log lines of the original (not caught) mail:

(13191-11-6) Checking: ObFusYq0movf mymx [1.2.3.4] <sen...@domain.tld> -> <m...@customer.tld>
(13191-11-6) p004 1 Content-Type: multipart/related
(13191-11-6) p005 1/1 Content-Type: multipart/alternative
(13191-11-6) p001 1/1/1 Content-Type: text/plain, size: 4410 B, name:
(13191-11-6) p002 1/1/2 Content-Type: text/html, size: 24530 B, name:
(13191-11-6) p003 1/2 Content-Type: image/jpeg, size: 8860 B, name: image001.jpg
(13191-11-6) SPAM-TAG, <sen...@domain.tld> -> <m...@customer.tld>, No, score=-0.405 tagged_above=-999 required=3 tests=[AWL=-2.194, BAYES_50=0.001, HTML_MESSAGE=0.001, URIBL_PH_SURBL=1.787]
(13191-11-6) smtp session most likely still valid (short idle 7.0 s)
(13191-11-6) FWD via SMTP: <sen...@domain.tld> -> <m...@customer.tld>,BODY=7BIT 250 2.0.0 Ok, id=13191-11-6, from MTA([1.2.3.5]:25): 250 2.0.0 Ok: queued as A48B92948A8
(13191-11-6) Passed CLEAN, mymx [4.3.2.1] [4.3.2.2] <sen...@domain.tld> -> <m...@customer.tld>, Message-ID: <whate...@pc>, mail_id: ObFusYq0movf, Hits: -0.405, size: 45705, pt: 24, queued_as: A48B92948A8, 6697 ms

As you can see, "run_av" does not appear in these lines.

If I use the whole mail as another mail's plain content, it is being caught:

(11166-04-2) Checking: ObFusgHsHsH6 mymx [1.2.3.4] <anot...@sender.tld> -> <o...@mailbox.tld>
(11166-04-2) p001 1 Content-Type: text/plain, size: 53267 B, name:
(11166-04-2) run_av (ClamAV-clamd): /var/lib/amavis/tmp/amavis-20090611T0123456-11166/parts INFECTED: Phishing.Heuristics.Email.SpoofedDomain
(11166-04-2) virus_scan: (Phishing.Heuristics.Email.SpoofedDomain), detected by 1 scanners: ClamAV-clamd
(11166-04-2) Virus Phishing.Heuristics.Email.SpoofedDomain matches (constant:1), sender addr ignored
(11166-04-2) SEND via SQL (DBI:mysql:database=somedb;host=mydb;port=3306): <anot...@sender.tld> -> <o...@mailbox.tld>, mail_id ObFusgHsHsH6
(11166-04-2) Blocked INFECTED (Phishing.Heuristics.Email.SpoofedDomain), mymx [5.4.3.2] [5.4.3.2] <anot...@sender.tld> -> <o...@mailbox.tld>, quarantine: ObFusgHsHsH6[24], Message-ID: <whate...@sender.tld>, mail_id: ObFusgHsHsH6, Hits: -, size: 55589, pt: 24, 8138 ms

Is there something badly going wrong - or did I miss something? Please note that qr'^MAIL$' is NOT part of my @keep_decoded_original_maps list; that setting was what first seemed reasonable to me. But as run_av is not even called for the decoded MIME parts, that's probably not the issue here.

Any suggestions?

Best regards,
Thomas Gelf
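
A log check for the symptom described in this post, as an added example that is not part of the original message or of amavisd-new: it flags tasks logged as "Passed" without any run_av line for the same task id. The sample log is constructed on the pattern of the two excerpts above, and the check assumes the log level is high enough that run_av lines are written, as they are in the second excerpt.

```python
import re

# Task id such as "(13191-11-6)", then the message; a syslog prefix may precede it.
LINE_RE = re.compile(r"\((\d+(?:-\d+)+)\)\s+(.*)")
MAIL_ID_RE = re.compile(r"\bmail_id:\s*([^,\s]+)")

# Constructed sample modelled on the two excerpts in the post (not real log data).
SAMPLE_LOG = """\
(20001-01) Checking: AAAAAAAAAAAA mymx [192.0.2.10] <a@example.com> -> <b@example.net>
(20001-01) p001 1 Content-Type: text/plain, size: 4410 B, name:
(20001-01) SPAM-TAG, <a@example.com> -> <b@example.net>, No, score=-0.405 required=3
(20001-01) Passed CLEAN, mymx [192.0.2.10] <a@example.com> -> <b@example.net>, Message-ID: <x@example.com>, mail_id: AAAAAAAAAAAA, Hits: -0.405, size: 45705
Jun 11 10:00:02 mx amavis[20002]: (20002-03-2) Checking: BBBBBBBBBBBB mymx [192.0.2.11] <c@example.com> -> <d@example.net>
Jun 11 10:00:03 mx amavis[20002]: (20002-03-2) run_av (ClamAV-clamd): /var/lib/amavis/tmp/parts INFECTED: Phishing.Heuristics.Email.SpoofedDomain
Jun 11 10:00:03 mx amavis[20002]: (20002-03-2) Blocked INFECTED (Phishing.Heuristics.Email.SpoofedDomain), mymx [192.0.2.11] <c@example.com> -> <d@example.net>, mail_id: BBBBBBBBBBBB
"""


def find_unscanned_passes(lines):
    """Return tasks that were logged as 'Passed ...' with no run_av line."""
    tasks = {}      # task id -> True once a run_av line was seen
    findings = []
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        task_id, msg = m.groups()
        if msg.startswith("Checking:"):
            tasks[task_id] = False          # new message, nothing scanned yet
        elif task_id not in tasks:
            continue                        # log starts mid-task: cannot judge it
        elif msg.startswith("run_av "):
            tasks[task_id] = True
        elif msg.startswith("Passed "):
            if not tasks.pop(task_id):
                mid = MAIL_ID_RE.search(msg)
                findings.append({
                    "task": task_id,
                    "mail_id": mid.group(1) if mid else None,
                    "verdict": msg.split(",", 1)[0],
                })
        elif msg.startswith("Blocked "):
            tasks.pop(task_id)
    return findings


if __name__ == "__main__":
    for finding in find_unscanned_passes(SAMPLE_LOG.splitlines()):
        print("no run_av before verdict:", finding)
```
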