Hi, It could be a password-protected zip attachment that prevents the virus scanner from opening and scanning the contents…
regards
MK

From: amavis-users <amavis-users-bounces+info=ea80....@amavis.org> On Behalf Of Nick Tait
Sent: Monday, 16 June 2025 11:24
To: Amavis Users Mailing List <amavis-users@amavis.org>
Subject: What does "UNCHECKED" really mean?

Hi list.

It appears that every email one of my users receives from a particular company logs "Passed UNCHECKED {AcceptedInbound}", but for the life of me I've been unable to understand exactly what this means, or why it is doing it for just one sender.

Initially I had assumed that something had prevented the email from being SPAM-checked and/or virus-scanned, but I took a closer look at one of these emails, and it contains headers to the contrary...

I'm using Postfix with Amavis invoked as a milter with SpamAssassin and ClamAV. These are the messages I see in (Postfix) mail logs for one particular example:

2025-06-09T20:38:01.159392+12:00 mx postfix/smtpd[66941]: connect from XXX[XXX]
2025-06-09T20:38:01.982297+12:00 mx postfix/smtpd[66941]: Anonymous TLS connection established from XXX[XXX]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-06-09T20:38:04.114647+12:00 mx policyd-spf[66963]: : prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=XXX; helo=XXX; envelope-from=XXX@XXX; receiver=<UNKNOWN>
2025-06-09T20:38:04.165040+12:00 mx policyd-spf[66968]: : prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=XXX; helo=XXX; envelope-from=XXX@XXX; receiver=<UNKNOWN>
2025-06-09T20:38:04.170630+12:00 mx postfix/smtpd[66941]: 29982A0F3D: client=XXX[XXX]
2025-06-09T20:38:04.372133+12:00 mx postfix/cleanup[66969]: 29982A0F3D: message-id=<XXX>
2025-06-09T20:38:06.990525+12:00 mx opendkim[1174]: 29982A0F3D: message has signatures from XXX, XXX
2025-06-09T20:38:06.990875+12:00 mx opendkim[1174]: 29982A0F3D: DKIM verification successful
2025-06-09T20:38:06.991081+12:00 mx opendkim[1174]: 29982A0F3D: s=XXX d=XXX a=rsa-sha256 SSL
2025-06-09T20:38:06.993404+12:00 mx opendmarc[1172]: implicit authentication service: mx.tait.net.nz
2025-06-09T20:38:06.994461+12:00 mx opendmarc[1172]: 29982A0F3D: SPF(mailfrom): XXX pass
2025-06-09T20:38:07.169121+12:00 mx opendmarc[1172]: 29982A0F3D: XXX pass
2025-06-09T20:38:07.180201+12:00 mx amavis[65876]: (65876-07) Checking: DYupweuONgIb AM.PDP-SOCK [XXX] <XXX@XXX> -> <x...@tait.net.nz>
2025-06-09T20:38:08.883015+12:00 mx amavis[65876]: (65876-07) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [XXX] [XXX] <XXX@XXX> -> <x...@tait.net.nz>, Queue-ID: 29982A0F3D, Message-ID: <XXX>, mail_id: DYupweuONgIb, Hits: -2.403, size: 10828, 1706 ms
2025-06-09T20:38:08.890559+12:00 mx postfix/qmgr[14097]: 29982A0F3D: from=<XXX@XXX>, size=10269, nrcpt=1 (queue active)
2025-06-09T20:38:08.925566+12:00 mx postfix/smtp[66972]: Verified TLS connection established to XXX[XXX]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
2025-06-09T20:38:08.980830+12:00 mx postfix/smtp[66972]: 29982A0F3D: to=<x...@tait.net.nz>, relay=XXX[XXX]:25, delay=6.4, delays=6.3/0.01/0.07/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EE0C7E61010)
2025-06-09T20:38:08.981461+12:00 mx postfix/qmgr[14097]: 29982A0F3D: removed
2025-06-09T20:38:09.093713+12:00 mx postfix/smtpd[66941]: disconnect from XXX[XXX] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8

These headers were added to the message during the processing above:

X-Virus-Scanned: Debian amavis at tait.net.nz
X-Spam-Flag: NO
X-Spam-Score: -2.403
X-Spam-Level:
X-Spam-Status: No, score=-2.403 required=6.31 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_PASS=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: mx.tait.net.nz; dmarc=pass (p=none dis=none) header.from=XXX
Authentication-Results: mx.tait.net.nz; spf=pass smtp.mailfrom=XXX
Authentication-Results: mx.tait.net.nz; dkim=pass (2048-bit key; unprotected) header.d=XXX header.i=@XXX header.a=rsa-sha256 header.s=XXX header.b=fQ/8+1td; dkim=pass (2048-bit key; unprotected) header.d=XXX header.i=@XXX header.a=rsa-sha256 header.s=XXX header.b=cdSF0Aeu; dkim-atps=neutral
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=XXX; helo=XXX; envelope-from=XXX@XXX; receiver=<UNKNOWN>
Received: from XXX (XXX [XXX]) by mx.tait.net.nz (Postfix) with ESMTPS id 29982A0F3D for <x...@tait.net.nz>; Mon, 09 Jun 2025 20:38:02 +1200 (NZST)

As you can see the headers above show that the message was SPAM-checked and virus-scanned. So what exactly does UNCHECKED mean then?

Thanks,
Nick.
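
A triage sketch for the situation described in the question, added here as an example and not part of the original thread or of amavis itself: it parses amavis verdict lines in the format quoted above and reports, per envelope sender, how many messages were logged UNCHECKED. The sample log lines, hosts, addresses and IDs are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Shape of the final amavis verdict line quoted in the thread:
# (task) Passed|Blocked CATEGORY {disposition}, ... <sender> -> <rcpt>, Queue-ID: ..., Hits: ...
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) "
    r"(?P<action>Passed|Blocked) (?P<category>[A-Z][A-Z-]*)(?: \([^)]*\))? "
    r"\{(?P<disposition>[^}]*)\},"
    r".*? <(?P<sender>[^>]*)> -> "
    r".*?Queue-ID: (?P<queue_id>\w+),"
    r".*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

def parse_verdicts(lines):
    """Yield one dict per amavis verdict line; all other log lines are skipped."""
    for line in lines:
        m = VERDICT_RE.search(line)
        if m:
            rec = m.groupdict()
            # Tolerate a bare "-" in the Hits field (no numeric score).
            rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])
            yield rec

def unchecked_by_sender(lines):
    """Return {sender: (unchecked, total)} for senders with at least one UNCHECKED verdict."""
    counts = defaultdict(lambda: [0, 0])
    for rec in parse_verdicts(lines):
        entry = counts[rec["sender"].lower()]
        entry[1] += 1
        # Prefix match also covers suffixed variants such as UNCHECKED-ENCRYPTED.
        if rec["category"].startswith("UNCHECKED"):
            entry[0] += 1
    return {s: tuple(c) for s, c in counts.items() if c[0]}

# Constructed sample lines (hosts, addresses and IDs are made up).
SAMPLE_LOG = [
    "2025-06-09T20:38:08+12:00 mx amavis[100]: (100-01) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [192.0.2.10] [192.0.2.10] <billing@vendor.example> -> <user@example.org>, Queue-ID: AAAA000001, Message-ID: <m1@vendor.example>, mail_id: aaaaaaaaaaa1, Hits: -2.403, size: 10828, 1706 ms",
    "2025-06-09T20:40:11+12:00 mx amavis[100]: (100-02) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [192.0.2.20] [192.0.2.20] <news@other.example> -> <user@example.org>, Queue-ID: AAAA000002, Message-ID: <m2@other.example>, mail_id: aaaaaaaaaaa2, Hits: 0.1, size: 5120, 900 ms",
    "2025-06-09T20:40:12+12:00 mx postfix/qmgr[200]: AAAA000002: removed",
    "2025-06-09T21:02:30+12:00 mx amavis[100]: (100-03) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [192.0.2.10] [192.0.2.10] <Billing@vendor.example> -> <user@example.org>, Queue-ID: AAAA000003, Message-ID: <m3@vendor.example>, mail_id: aaaaaaaaaaa3, Hits: -, size: 20480, 1500 ms",
]

if __name__ == "__main__":
    for sender, (unchecked, total) in unchecked_by_sender(SAMPLE_LOG).items():
        print(f"{sender}: {unchecked}/{total} messages logged UNCHECKED")
```

A sender whose messages are all UNCHECKED, as in the question, points at something common to that sender's mail, such as the attachment type suggested in the reply, rather than at a scanner outage.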