On 9/10/2014 12:54 PM, Joerg Rohrer wrote: > On 10-09-2014 19:03, Noel Jones wrote: >> On 9/10/2014 11:47 AM, Joerg Rohrer wrote: >>> Hi >>> >>> On 10-09-2014 15:59, Ralf Hildebrandt wrote: >>>> * Joerg Rohrer <[email protected]>: >>>> >>>> "file" is to blame: >>>> >>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) result line from >>>>> file(1): p001: Python script, UTF-8 Unicode text executable\n >>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) lookup_re("Python >>>>> script, UTF-8 Unicode text executable") matches key >>>>> "(?^i:\bexecutable\b)", result="exe" >>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) lookup >>>>> [map_full_type_to_short_type] => true, "Python script, UTF-8 >>>>> Unicode text executable" matches, result="exe", >>>>> matching_key="(?^i:\134bexecutable\134b)" >>> >>> Thanks for all of your answers. It makes absolute sense that file is >>> the culprit. >>> But why this happen all of a sudden? There were no obvious changes >>> one the system (file, amavis, postfix). >> >> Perhaps the email contents changed. Do you have one in quarantine >> you can examine? Maybe run file on it by hand? >> >> Regardless, check to see if an update for file(1) is available. >> >> >> -- Noel Jones > > Thanks Noel for the hint. Indeed there were a change in the header. > see below. don't know if that could be the reason. > -------- > bad mail: > > Content-Type: text/plain; charset="ISO-8859-1" > Date: Fri, 05 Sep 2014 00:10:24 +0200 > > good mail: > > Content-Type: text/plain; charset="UTF-8" > Date: Mon, 08 Sep 2014 00:10:22 +020 > -------- > > Am i right sending side has change this? > > Thanks > Jörg
Yes, those headers are defined by the sender. I don't know if this is what is causing the misclassification. I suppose if you were curious enough, you could look in your file "magic" database to see what your version of file uses to determines a Python script. "man file" or "man magic" might help. It's also possible that the new content has some UTF-8 non-ascii characters that are tripping up file(1). That's my wild guess. Does the new Date: header really have "+020" for the offset, or is that a copy/paste failure? Not sure a 3 digit offset is allowed... but I didn't bother to actually check. I suppose that's covered in RFC5322. -- Noel Jones
