Christian,

A couple of ideas:

You mentioned that you see traffic on port 50000. Have you tried to analyze that traffic (with Wireshark)? I attach some valid traffic between amavisd-new and p0f (on port 2345), so you can compare it to the traffic you see.

Also, you should increase the logging level of amavisd-new, so you can see what's going on inside. I have logs that say:

Sep 14 13:53:04 mail amavis[21274]: (21274-07) spam-tag, <XXX> -> <[email protected]>, No, score=3.801 tagged_above=0 required=5 tests=[BAYES_00=-1.9, JMQ_SPF_NEUTRAL_ALL=0.5, L_P0F_Linux=-0.1, ...] autolearn=no autolearn_force=no

Sep 14 14:00:13 mail amavis[21677]: (21677-05) OS_fingerprint: 192.0.46.81 -9.562 ham.Linux - Linux 3.11 and newer; dist: 14; link: Ethernet or modem; params: none; raw_mtu: 1500; raw_sig: 4:50+14:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0

In my amavisd-new config I have no $allowed_added_header_fields, but in an archived spam message I see:

X-Spam-Status: Yes, score=6.101 tagged_above=0 required=5 tests=[BAYES_00=-1.9, JMQ_SPF_NEUTRAL_ALL=0.5, L_P0F_Linux=-0.1, ...] autolearn=no autolearn_force=no
X-Amavis-OS-Fingerprint: Linux 3.1-3.10; dist: 15; link: Ethernet or modem; params: none; raw_freq: 250.01 Hz; raw_mtu: 1500; raw_sig: 4:49+15:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0; uptime: 122 days 3 hrs 17 min (modulo 198 days), [XXX.XXX.XXX.XXX]:58723 [141.42.206.35]:44214

If the message is not spam, I will only get the X-Amavis-OS-Fingerprint header, like for your last message in this thread:

X-Amavis-OS-Fingerprint: Linux 3.11 and newer; dist: 16; link: Ethernet or modem; params: none; raw_mtu: 1500; raw_sig: 4:48+16:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0, [141.42.206.35]:44214

Best regards,
Olivier
p0f.tcpdump.pcapng
Description: Binary data
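For comparing header values like the ones quoted in the message above, the following added example (not part of the original post, and not amavisd-new or p0f code) splits an X-Amavis-OS-Fingerprint value into its fields and decodes raw_sig. It assumes the p0f v3 signature layout ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass; the function names are hypothetical.

```python
import re

# Value of the X-Amavis-OS-Fingerprint header quoted in the message above.
SAMPLE = ("Linux 3.11 and newer; dist: 16; link: Ethernet or modem; params: none; "
          "raw_mtu: 1500; raw_sig: 4:48+16:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0, "
          "[141.42.206.35]:44214")

def _num(s):
    """Return int for numeric fields; keep wildcards such as '*' or '?' as text."""
    return int(s) if s.isdigit() else s

def parse_raw_sig(sig):
    """Decode a TCP signature, assuming the p0f v3 layout named in the lead-in."""
    ver, ittl, olen, mss, win, olayout, quirks, pclass = sig.split(":")
    observed, _, hops = ittl.partition("+")   # raw_sig writes TTL as observed+distance
    wsize, _, scale = win.partition(",")
    return {
        "ip_version": _num(ver),
        "observed_ttl": _num(observed),
        "ttl_distance": _num(hops) if hops else 0,
        "ip_opt_len": _num(olen),
        "mss": _num(mss),
        "window": wsize,
        "window_scale": _num(scale),
        "tcp_options": olayout.split(",") if olayout else [],
        "quirks": quirks.split(",") if quirks else [],
        "payload_class": pclass,
    }

def parse_fingerprint_header(value):
    """Split the header into OS label, key/value fields, decoded raw_sig, endpoints."""
    body, _, tail = value.rpartition(", ")    # endpoints follow the last ", "
    endpoints = [(ip, int(port))
                 for ip, port in re.findall(r"\[([^\]]+)\]:(\d+)", tail)]
    os_label, *pairs = body.split("; ")
    fields = dict(p.split(": ", 1) for p in pairs)
    sig = parse_raw_sig(fields["raw_sig"])
    return {
        "os": os_label, "fields": fields, "sig": sig, "endpoints": endpoints,
        # In the quoted samples, "dist" equals the hop count inside the signature TTL.
        "dist_consistent": str(sig["ttl_distance"]) == fields.get("dist"),
    }

if __name__ == "__main__":
    parsed = parse_fingerprint_header(SAMPLE)
    print(parsed["os"], parsed["sig"], parsed["endpoints"])
```

A header that fails to parse, or whose dist does not match the signature TTL, is a sign that the value did not come from a p0f v3 response in this format.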
