Package: amavisd-new
Version: 1:2.10.1-1
Severity: minor

Dear Maintainer,

In short: A trojan was delivered as a mail attachment to a user although amavis is configured to block this kind of attachment. Amavis claimed that it couldn't check the attachment because of a "BAD HEADER SECTION", but the headers - as far as I can see - are well formed and interpretable.

The story: A user called me to say that he had received several suspicious mails. I moved those mails into quarantine and inspected them. The mails, three in total, all contained a zipped file as an attachment, and this file contained JavaScript (filename.js). Amavis is configured to block zip files containing a .js file, so I wondered why these mails had gone through.

Further investigation showed that amavis claimed the attachments to be unreadable due to a bad header. That is not uncommon; this special kind of trojan has been spread in vast amounts during the past few days, and it is in fact mostly unreadable due to miscrafted headers. But in every other case I investigated, not one of several tested mail clients was able to read the attachment, and no unzipper was able to unzip it.

But in this special case, all three mails the user had got were perfectly readable and unzippable with any tested client. So I wonder why amavis claims a bad header. Fortunately this user did not open the attachment and double click the .js...

And now it becomes queer: I tried to attach one of these mails to my bug report, but sending the report failed because... this time amavis was able to read the headers, it was able to check the attachment, found the trojan and subsequently blocked the outgoing mail. So I will now resend this report without a sample and hope to be able to upload it later.

-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

