On 2016-03-31 11:54, MI wrote:
> There seems to be a wave of malware emails for which Amavis complains
> about a bad header, and then apparently skips the attachment scanning.
> So the mail goes through.
>
> This is the header which Amavis adds to the email:
>
> X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse head;
>     error near:; Content-Transfer-Encoding: base64
>
> Is there anything that can be done about that?
>
> First, I don't really see what the MIME error may be. Nor does
> Thunderbird, which can extract the attachment.
>
> This is how one such mail looks. Maybe someone can spot what Amavis
> doesn't like in the headers?

The error is in an incorrectly wrapped Content-Type header field,
where the continuation line does not start with a space or tab,
so the broken MIME part does not get base64-decoded.

Content-Type: application/octet-stream; x-unix-mode=0600;
name="hostmaster_document_4876E9.rar"
Content-Transfer-Encoding: base64


> Is there a way to ask amavis to check a single mail from the
> command-line with debugging output?

Not really, although you can use the amavisd-submit utility
to feed a mail directly to an amavisd socket, and you may
use a policy bank to raise the log level on a mail submitted
through such a dedicated socket.

> I don't want to just blindly block any email with a bad header, from
> fear of blocking too many normal mails sent by a stupid client
> program.

You may use a SpamAssassin rule like the following to
capture such invalid wrap:

full   L_INV_NAME_WRAP /^Content-Type:.*\nname="/mi
score  L_INV_NAME_WRAP 20

Also, the SaneSecurity 3rd party rules to ClamAV seem to be
able to catch these.


  Mark
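The following is an added example, not code from the thread above or from amavisd-new, showing the defect Mark describes and how to detect it. It builds a constructed two-part message whose attachment headers are folded without the leading space or tab that RFC 5322 requires, then (a) applies a Python equivalent of the quoted SpamAssassin rule, (b) scans every header block for lines that are neither a `Name: value` line nor an indented continuation, and (c) shows that Python's standard MIME parser, like Amavis, stops reading headers at the bad line, so the Content-Transfer-Encoding header is never seen and the payload is never base64-decoded. The function names, the boundary string, the sample addresses and the base64 payload are all invented for this demonstration; the filename is the one quoted in the thread.

```python
"""Detect an improperly folded MIME header line (continuation line with no
leading SP/HTAB, RFC 5322 section 2.2.3) and show its effect on a parser.

Added example; not part of the original thread or of amavisd-new.
"""
import re
from email import message_from_bytes, policy

# Constructed sample message. The attachment part's Content-Type parameter
# list is wrapped, but the continuation line has no leading whitespace.
BROKEN_MSG = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="demo-boundary"\r\n'
    b"\r\n"
    b"--demo-boundary\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attachment\r\n"
    b"--demo-boundary\r\n"
    b"Content-Type: application/octet-stream; x-unix-mode=0600;\r\n"
    b'name="hostmaster_document_4876E9.rar"\r\n'  # no leading SP/HTAB: bad fold
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"ZGVtbyBwYXlsb2Fk\r\n"                        # base64 of b"demo payload"
    b"--demo-boundary--\r\n"
)
# The same message with the parameter line folded correctly (leading space).
GOOD_MSG = BROKEN_MSG.replace(b"\r\nname=", b"\r\n name=")

# A header field line: printable ASCII field name (no ':' or SP) then ':'.
HEADER_LINE = re.compile(rb"^[!-9;-~]+:")
# Python equivalent of the SpamAssassin 'full' rule quoted in the thread:
#   full L_INV_NAME_WRAP /^Content-Type:.*\nname="/mi
SA_RULE = re.compile(rb'^Content-Type:.*\nname="', re.M | re.I)


def sa_rule_hits(raw: bytes) -> bool:
    """True when the quoted SpamAssassin rule would match this raw message."""
    return SA_RULE.search(raw) is not None


def find_bad_folds(raw: bytes) -> list:
    """Return (line_number, line) for every header-block line that is neither
    'Name: value' nor an indented continuation line.

    Header blocks are the top-level headers and, for each MIME boundary
    delimiter, the lines that follow it up to the next empty line. This is
    more general than the SA rule: it catches any parameter name, not only
    'name=', and any header, not only Content-Type."""
    m = re.search(rb'boundary="?([^";\r\n]+)"?', raw, re.I)
    delimiter = b"--" + m.group(1) if m else None
    bad, in_headers = [], True
    for lineno, line in enumerate(raw.splitlines(), 1):
        if in_headers:
            if line == b"":
                in_headers = False          # blank line ends the header block
            elif not (line[:1] in (b" ", b"\t") or HEADER_LINE.match(line)):
                bad.append((lineno, line))  # neither a field nor a fold
        elif delimiter and line.startswith(delimiter) and not line.endswith(b"--"):
            in_headers = True               # a new part's header block begins
    return bad


def parser_view(raw: bytes) -> dict:
    """What a standard MIME parser makes of the attachment part.

    With the bad fold, the parser ends the header block at the 'name=' line
    (recording MissingHeaderBodySeparatorDefect), so Content-Transfer-Encoding
    becomes body text, no filename is recovered, and get_payload(decode=True)
    hands back the undecoded base64 text instead of the attachment bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = list(msg.iter_parts())[1]
    return {
        "cte": part.get("Content-Transfer-Encoding"),
        "filename": part.get_filename(),
        "defects": [type(d).__name__ for d in part.defects],
        "decoded_ok": part.get_payload(decode=True).startswith(b"demo payload"),
    }


if __name__ == "__main__":
    for label, raw in (("broken", BROKEN_MSG), ("good", GOOD_MSG)):
        print(label, "SA rule:", sa_rule_hits(raw),
              "bad folds:", find_bad_folds(raw), parser_view(raw))
```

Running the script shows the asymmetry that makes this bypass work: the scanner's parser and the SA rule both see the defect, while a lenient mail client that tolerates the bad fold still extracts the attachment, which is why the message looks clean to Thunderbird but is not decoded for scanning.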
