Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-24 Thread Christopher J Shaker
Mark Martinec wrote:
 Chris,

   
 Also, your hints about debugging info from amavisd-new got
 me reading about the auto whitelist. Used the following config
 commands:
 /etc/mail/spamassassin/local.cf:
 use_auto_whitelist  0

 /usr/local/sbin/amavisd.conf:
 $sa_auto_whitelist = 0;
 

 $sa_auto_whitelist has no effect since version 3.0.0 of SpamAssassin,
 the use_auto_whitelist (in local.cf) is the only control.
   

Mark:

My /usr/local/sbin/amavisd does not contain 'use_auto_whitelist'. It appears
that I am running amavisd-new-2.5.3, which explains that.

Which version do you recommend we use?

 Seems to have disabled the auto whitelist for me, so that I can
 run spamassassin on every email. I prefer that behavior.
 

 SpamAssassin AWL just adds score points.
 It does not control whether a message is to be checked or not.
 See Mail::SpamAssassin::Plugin::AWL man page.

   Mark
   


Yeah, but it adds so many points that some spam forged to appear as if I
sent it ended up with huge negative scores...

Thank you,
Chris Shaker


-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-23 Thread Mark Martinec
Chris,

 Also, your hints about debugging info from amavisd-new got
 me reading about the auto whitelist. Used the following config
 commands:
 /etc/mail/spamassassin/local.cf:
 use_auto_whitelist  0

 /usr/local/sbin/amavisd.conf:
 $sa_auto_whitelist = 0;

$sa_auto_whitelist has no effect since version 3.0.0 of SpamAssassin,
the use_auto_whitelist (in local.cf) is the only control.

 Seems to have disabled the auto whitelist for me, so that I can
 run spamassassin on every email. I prefer that behavior.

SpamAssassin AWL just adds score points.
It does not control whether a message is to be checked or not.
See Mail::SpamAssassin::Plugin::AWL man page.

  Mark



Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-22 Thread Christopher J Shaker
Amavis Users:

Thank you very much for the help in getting this sorted.

One of your questions got me thinking, so I reconfigured
postfix for global filtering in main.cf, instead of in master.cf.
I had not remembered that I was not filtering email sent to the
submission port.

Also, your hints about debugging info from amavisd-new got
me reading about the auto whitelist. Used the following config
commands:

/etc/mail/spamassassin/local.cf:

use_auto_whitelist  0

/usr/local/sbin/amavisd.conf:

$sa_auto_whitelist = 0;

Seems to have disabled the auto whitelist for me, so that I can
run spamassassin on every email. I prefer that behavior.

Thank you again,
Chris Shaker



Christopher J Shaker wrote:
 I tried to disable the auto whitelist, using 
 /etc/mail/spamassassin/local.cf:

 ...
 use_auto_whitelist  0
 ^
 bayes_auto_learn 1
 dns_available   yes
 ok_locales  en
 report_safe 1
 rewrite_header Subject  *SPAM*
 skip_rbl_checks 0
 use_bayes   1
 use_pyzor   1
 ...




Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-19 Thread Christopher J Shaker
It appears the culprit is the auto whitelist (AWL):


Feb 19 01:37:04 linux postfix/smtpd[567]: connect from 
anna.int.kiev.ua[194.242.60.75]
Feb 19 01:37:05 linux postfix/smtpd[567]: 516D1404B4: 
client=anna.int.kiev.ua[194.242.60.75]
Feb 19 01:37:06 linux postfix/cleanup[667]: 516D1404B4: 
message-id=[EMAIL PROTECTED]
Feb 19 01:37:06 linux postfix/qmgr[32311]: 516D1404B4: 
from=[EMAIL PROTECTED], size=6724, nrcpt=1 (queue active)
Feb 19 01:37:06 linux amavis[32325]: (32325-08) process_request: fileno 
sock=12, STDIN=0, STDOUT=1
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ESMTP::10024 
/var/spool/amavis/tmp/amavis-20080219T010829-32325: 
[EMAIL PROTECTED] - [EMAIL PROTECTED] SIZE=6724 Received: 
from linux.shaker-net.com ([127.0.0.1]) by localhost 
(linux.shaker-net.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP 
for [EMAIL PROTECTED]; Tue, 19 Feb 2008 01:37:06 -0800 (PST)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) body hash: 
521b19d4698d37a4f109534fb83cbcf3
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Checking: nHrkh2qSatmQ 
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Feb 19 01:37:06 linux amavis[32325]: (32325-09) 2822.From: 
[EMAIL PROTECTED], 2821.Mail_From: [EMAIL PROTECTED]
Feb 19 01:37:06 linux amavis[32325]: (32325-09) p001 1 Content-Type: 
text/html, size: 5950 B, name:
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Checking for banned 
types and filenames
Feb 19 01:37:06 linux amavis[32325]: (32325-09) collect banned table[0]: 
[EMAIL PROTECTED], tables: 
DEFAULT=Amavis::Lookup::RE=ARRAY(0x8a43c18)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) p.path 
[EMAIL PROTECTED]: P=p001,L=1,M=text/html,T=html
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using ClamAV-clamd: 
(built-in interface)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using (ClamAV-clamd) on 
dir: CONTSCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ClamAV-clamd: Connecting 
to socket  /var/lib/clamav/clamd-socket
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ClamAV-clamd: Sending 
CONTSCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n to 
UNIX socket /var/lib/clamav/clamd-socket
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ask_av (ClamAV-clamd): 
/var/spool/amavis/tmp/amavis-20080219T010829-32325/parts CLEAN
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ClamAV-clamd result: clean
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using AVG Anti-Virus: 
(built-in interface)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using (AVG Anti-Virus) 
on dir: SCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n
Feb 19 01:37:06 linux amavis[32325]: (32325-09) AVG Anti-Virus: 
Connecting to socket  127.0.0.1:5
Feb 19 01:37:06 linux amavis[32325]: (32325-09) AVG Anti-Virus: Sending 
SCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n to INET 
socket 127.0.0.1:5
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ask_av (AVG Anti-Virus): 
/var/spool/amavis/tmp/amavis-20080219T010829-32325/parts CLEAN
Feb 19 01:37:06 linux amavis[32325]: (32325-09) AVG Anti-Virus result: clean
Feb 19 01:37:07 linux postfix/smtpd[567]: disconnect from 
anna.int.kiev.ua[194.242.60.75]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) spam_scan: 
score=-109.401 autolearn=no 
tests=[AWL=-135.491,BAYES_80=2,CONTENT_RETURN=2.9,FAKE_MSN=3.9,FREE=1.9,GIF=2.9,HTML_MESSAGE=0.2,MIME_HTML_ONLY=0.9,URIBL_AB_SURBL=1.86,URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,URIBL_OB_SURBL=1.5,URIBL_SC_SURBL=0.474,URIBL_WS_SURBL=2.9,VIRUS_CLEAN=0.3,WORD_HAS_PIPE=0.9]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) do_notify_and_quar: 
ccat=Clean (1,0) (1:Clean, 0:CatchAll) ccat_block=(), q_mth=, qar_mth=
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp creating socket by 
IO::Socket::INET: 127.0.0.1
Feb 19 01:37:34 linux postfix/smtpd[672]: connect from 
localhost.shaker-net.com[127.0.0.1]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to greeting: 
220 linux.shaker-net.com ESMTP Spamkiller on SuSE Linux 7.3 (i686)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd EHLO localhost
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to EHLO: 250 
linux.shaker-net.com\nPIPELINING\nSIZE 1073741824\nETRN\n8BITMIME
Feb 19 01:37:34 linux amavis[32325]: (32325-09) AUTH not needed, 
user='', MTA offers ''
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd MAIL 
FROM:[EMAIL PROTECTED]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd RCPT 
TO:[EMAIL PROTECTED]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd DATA
Feb 19 01:37:34 linux postfix/smtpd[672]: 6E8F1404B6: 
client=localhost.shaker-net.com[127.0.0.1]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to MAIL (pip): 
250 Ok
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to RCPT (pip) 
([EMAIL PROTECTED]): 250 2.1.0 Ok, id=32325-09, from 
MTA([127.0.0.1]:10025): 250 Ok
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to DATA: 354 
End data with 

Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-18 Thread Cernohorsky Wolfgang
Hi Christopher,

 I've still got the mystery of how his email gets in without 
 being scored by Amavis.
 When I run spamassassin on it, it gets a very high score.
 
 Other spam gets filtered just fine. Somehow, this one spammer 
 avoids it.

Message larger than sa_mail_body_size_limit?

HTH,
Wolfgang
-- 
Wolfgang Cernohorsky  Email: [EMAIL PROTECTED]
ZID, Abt. Kommunikation   WWW:   http://www.vu-wien.ac.at/
Vet.Med.Univ. WienPhone: +43-1-25077 /1602  Fax: /1690
Veterinaerplatz 1 
A-1210 Vienna, Austria
  



Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-18 Thread mouss
Christopher J Shaker wrote:
 Clifton:

   
  I am pretty sure amavisd-new does *not* work this way.  It has an
 implicit list of checks to run on each incoming mail, starting with
 virus scanning, and works its way through them.  If it's working this
 way for you, it may be the result of something funky in your Postfix
 configuration which is bypassing the routing through amavisd if it sees
 that header.

   How are you selecting the Postfix routing to content filtering?  In
 main.cf, in master.cf, or otherwise?

   

 In /etc/postfix/master.cf:
 smtp   inet  n   -   y   -   2   smtpd -o 
 content_filter=smtp:[127.0.0.1]:10024
 smtps  inet  n   -   y   -   2   smtpd -o 
 content_filter=smtp:[127.0.0.1]:10024


   

So only mail received via smtp is filtered. The Received headers should
tell what route the message took. You can also search for the Message-Id
in the postfix logs.

  
   
 I've temporarily added a filter to my postfix header_checks file to 
 reject
 messages coming into my server that already have the X-Virus-Scanned
 header added to them. This is not a good solution, because it also 
 blocks
 my outgoing email.
 
 
   A much better interim measure would be to strip the incoming headers,
 by simply replacing that REJECT with IGNORE in the same header_checks
 line.  It's not a bad idea anyway to strip spam scan headers which
 could be mistaken for your own.

   -- Clifton

   


 I've checked, and there are no FILTER directives in my header_checks
 file. I'm still looking for anything I might have screwed up.

 The emails that leak through are forged to look as though they came from me.
 Normally, email that I send out *is* filtered by Amavis. I've had several
 emails get mistakenly spam filtered when I tried to send them.

 Thank you also to Gary for:

   $remove_existing_x_scanned_headers = 1; # default is to leave these alone.

 Chris Shaker






Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-18 Thread Christopher J Shaker

Here is the /var/log/mail entry from the email that leaked past Amavis-new:


Feb 18 15:07:11 linux postfix/smtpd[19386]: connect from 
unknown[121.27.33.247]
Feb 18 15:07:12 linux postfix/smtpd[19386]: 3BFD9404B1: 
client=unknown[121.27.33.247]
Feb 18 15:07:13 linux postfix/cleanup[19387]: 3BFD9404B1: 
message-id=[EMAIL PROTECTED]
Feb 18 15:07:13 linux postfix/qmgr[31362]: 3BFD9404B1: 
from=[EMAIL PROTECTED], size=3514, nrcpt=1 (queue active)
Feb 18 15:07:14 linux postfix/smtpd[19386]: disconnect from 
unknown[121.27.33.247]
Feb 18 15:07:33 linux postfix/smtpd[19392]: connect from 
localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/smtpd[19392]: 7C4FA404B4: 
client=localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/cleanup[19387]: 7C4FA404B4: 
message-id=[EMAIL PROTECTED]
Feb 18 15:07:33 linux postfix/qmgr[31362]: 7C4FA404B4: 
from=[EMAIL PROTECTED], size=3966, nrcpt=1 (queue active)
Feb 18 15:07:33 linux postfix/smtpd[19392]: disconnect from 
localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, 
[121.27.33.247] [EMAIL PROTECTED] - [EMAIL PROTECTED], 
Message-ID: [EMAIL PROTECTED], mail_id: 
If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms



Looks to me like it is getting a '-300' score from some rule that I
can't find. The email comes in forged to look as if I had sent it, from
'[EMAIL PROTECTED]'. That email address is *not* in the whitelist in
/etc/mail/spamassassin/local.cf.

When I run the leaking email message through spamassassin manually, it
comes up with a score of 58.4, quite different from what amavis-new
reported above!

I've attached the output of spamassassin on running the leaking email as
a gzip file.

Hopefully, that will pass through the email.

Thank you,
Chris Shaker


I've still got the mystery of how his email gets in without 
being scored by Amavis.

When I run spamassassin on it, it gets a very high score.

Other spam gets filtered just fine. Somehow, this one spammer 
avoids it.
  




Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-18 Thread Christopher J Shaker
[Sending again as ASCII]

Here is the /var/log/mail entry from the email that leaked past Amavis-new:


Feb 18 15:07:11 linux postfix/smtpd[19386]: connect from 
unknown[121.27.33.247]
Feb 18 15:07:12 linux postfix/smtpd[19386]: 3BFD9404B1: 
client=unknown[121.27.33.247]
Feb 18 15:07:13 linux postfix/cleanup[19387]: 3BFD9404B1: 
message-id=[EMAIL PROTECTED]
Feb 18 15:07:13 linux postfix/qmgr[31362]: 3BFD9404B1: 
from=[EMAIL PROTECTED], size=3514, nrcpt=1 (queue active)
Feb 18 15:07:14 linux postfix/smtpd[19386]: disconnect from 
unknown[121.27.33.247]
Feb 18 15:07:33 linux postfix/smtpd[19392]: connect from 
localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/smtpd[19392]: 7C4FA404B4: 
client=localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/cleanup[19387]: 7C4FA404B4: 
message-id=[EMAIL PROTECTED]
Feb 18 15:07:33 linux postfix/qmgr[31362]: 7C4FA404B4: 
from=[EMAIL PROTECTED], size=3966, nrcpt=1 (queue active)
Feb 18 15:07:33 linux postfix/smtpd[19392]: disconnect from 
localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, 
[121.27.33.247] [EMAIL PROTECTED] - [EMAIL PROTECTED], 
Message-ID: [EMAIL PROTECTED], mail_id: 
If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms


Looks to me like it is getting a '-300' score from some rule that I
can't find. The email comes in forged to look as if I had sent it, from
'[EMAIL PROTECTED]'. That email address is *not* in the whitelist in
/etc/mail/spamassassin/local.cf.

When I run the leaking email message through spamassassin manually, it
comes up with a score of 58.4, quite different from what amavis-new
reported above!

Received: from localhost by linux.shaker-net.com
with SpamAssassin (version 3.2.4);
Mon, 18 Feb 2008 20:31:17 -0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* February 73% OFF
Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on 
linux.shaker-net.com
X-Spam-Level: **
X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
X-Spam-Report:
*  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: roundpast.com]
*  0.3 VIRUS_CLEAN Prolific and stubborn spammer
*  3.9 FAKE_MSN Fake mailer signature used by Spammers
*  2.9 UNKNOWN Probable Spammer
*  2.9 OFF Often used in Spam
*  1.9 PERCENT Often used in Spam
*  1.8 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of 
words
*  0.2 HTML_MESSAGE BODY: HTML included in message
*  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
*  [score: 0.9900]
*  0.9 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*  [URIs: roundpast.com]
*  2.9 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*  [URIs: roundpast.com]
*  1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*  [URIs: roundpast.com]
*  1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
*  [URIs: roundpast.com]
*  0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
*  [URIs: roundpast.com]
*  2.9 GIF RAW: Hiding Spam in a GIF image
*  2.9 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in 
bl.spamcop.net
*  [Blocked - see http://www.spamcop.net/bl.shtml?121.27.33.247]
*  5.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*  [121.27.33.247 listed in zen.spamhaus.org]
*  1.9 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: roundpast.com]
*  2.9 RDNS_NONE Delivered to trusted network by a host with no rDNS
*   14 AWL AWL: From: address is in the auto white-list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_47BA5B95.FC4A69D0

This is a multi-part message in MIME format.
...




Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-18 Thread MrC
Christopher J Shaker wrote:
 Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, 
 [121.27.33.247] [EMAIL PROTECTED] - [EMAIL PROTECTED], 
 Message-ID: [EMAIL PROTECTED], mail_id: 
 If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms
 
 
 Looks to me like it is getting a '-300' score from some rule that I
 can't find. The email comes in forged to look as if I had sent it, from
 '[EMAIL PROTECTED]'. That email address is *not* in the whitelist in
 /etc/mail/spamassassin/local.cf

When you run the messages through spamassassin only, amavis-specific 
score adjustments will not occur, so the scores will differ.

Increase amavis' $log_level to 3, and look for the tests and scores in 
the log lines:

   ... tests=

See which tests and scores are present.

MrC

 
 When I run the leaking email message through spamassassin manually, it 
 comes up with a score
 of 58.4, quite different from what amavis-new reported above!
 

 Subject: *SPAM* February 73% OFF
 Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
 Message-Id: [EMAIL PROTECTED]
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on 
 linux.shaker-net.com
 X-Spam-Level: **
 X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
 HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
 RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
 URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
 URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
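MrC's advice above (raise $log_level to 3 and read the tests= list) is exactly what Chris's 2008-02-19 log excerpt earlier on this page ended up showing: a spam_scan line whose total is dominated by one rule. What follows is an added example written for this page, not code from amavisd-new or SpamAssassin. It parses such a spam_scan line, attributes the total to individual rules, and reports what the score would have been without a named rule. The sample line is the one from the thread re-joined onto a single line; the `score=... tests=[...]` layout and the 5.0 threshold (the `required=5.0` seen in the thread's X-Spam-Status header) are taken from the page, everything else is this example's own.

```python
"""Parse an amavisd-new "spam_scan" log line and attribute the score to rules.

Added example for this thread; not code from amavisd-new or SpamAssassin.
Assumes the $log_level 3 layout seen in the thread:
    ... spam_scan: score=<total> autolearn=<flag> tests=[RULE=score,RULE=score,...]
SAMPLE_LINE is the line Chris posted, re-joined onto one line.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LINE = (
    "Feb 19 01:37:34 linux amavis[32325]: (32325-09) spam_scan: "
    "score=-109.401 autolearn=no "
    "tests=[AWL=-135.491,BAYES_80=2,CONTENT_RETURN=2.9,FAKE_MSN=3.9,FREE=1.9,"
    "GIF=2.9,HTML_MESSAGE=0.2,MIME_HTML_ONLY=0.9,URIBL_AB_SURBL=1.86,"
    "URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,URIBL_OB_SURBL=1.5,"
    "URIBL_SC_SURBL=0.474,URIBL_WS_SURBL=2.9,VIRUS_CLEAN=0.3,WORD_HAS_PIPE=0.9]"
)

# SpamAssassin's threshold as reported in the thread's X-Spam-Status header
# (required=5.0). amavisd-new has its own tag2 level; this example uses the
# SpamAssassin value only.
REQUIRED_SCORE = 5.0

_SPAM_SCAN_RE = re.compile(
    r"spam_scan: score=(?P<score>-?\d+(?:\.\d+)?)"
    r".*?tests=\[(?P<tests>[^\]]*)\]"
)


def parse_spam_scan(line: str) -> Tuple[float, Dict[str, float]]:
    """Return (total score, {rule: score}) from one spam_scan log line."""
    m = _SPAM_SCAN_RE.search(line)
    if m is None:
        raise ValueError("not a spam_scan line with a tests=[...] list")
    tests: Dict[str, float] = {}
    for item in filter(None, m.group("tests").split(",")):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed rule entry: %r" % item)
        tests[name] = float(value)
    return float(m.group("score")), tests


def score_without(tests: Dict[str, float], *excluded: str) -> float:
    """Total score with the named rules left out (rounded to 3 places)."""
    return round(sum(v for k, v in tests.items() if k not in excluded), 3)


def dominant_rules(tests: Dict[str, float], n: int = 3) -> List[Tuple[str, float]]:
    """Rules with the largest absolute contribution, most influential first."""
    return sorted(tests.items(), key=lambda kv: abs(kv[1]), reverse=True)[:n]


def explain(line: str) -> str:
    """One-line summary: reported score, and the score with AWL removed."""
    score, tests = parse_spam_scan(line)
    without_awl = score_without(tests, "AWL")
    verdict = "spam" if without_awl >= REQUIRED_SCORE else "ham"
    top = ", ".join("%s=%g" % kv for kv in dominant_rules(tests))
    return ("reported %.3f; without AWL %.3f (%s at required=%.1f); "
            "largest contributions: %s"
            % (score, without_awl, verdict, REQUIRED_SCORE, top))


if __name__ == "__main__":
    print(explain(SAMPLE_LINE))
```

Run against the thread's line, the per-rule values sum to the reported -109.401, and with AWL excluded the same message scores 26.09, well past the threshold. That is the point Mark makes later in the thread: AWL only adds (here, subtracts) points, so a poisoned AWL entry for a forged sender address can outweigh every other rule without any scan being skipped.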



Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-17 Thread Christopher J Shaker
You're correct. I did not test my 'discovery' properly before jumping to
this conclusion.

I appreciate the pointer to the IGNORE behavior. I'll endeavor to ignore
any virus or spam filtering headers from incoming email.

I've still got the mystery of how his email gets in without being scored
by Amavis. When I run spamassassin on it, it gets a very high score.

Other spam gets filtered just fine. Somehow, this one spammer avoids it.

Thank you again,
Chris Shaker
[EMAIL PROTECTED]


Clifton Royston wrote:
 On Sat, Feb 16, 2008 at 11:31:05AM -0800, Christopher J Shaker wrote:
   
 You may all know about this, but it was new to me.

 Found a persistent spammer was sending email to my domain without
 any score information from amavis-new.

 After trying several possibilities, I finally realized that he was sending
 the email with a hand crafted 'X-Virus-Scanned' header that was identical
 to what my Amavis-new would have added.

 That seems to bypass scanning with Amavis-new!
 

   I am pretty sure amavisd-new does *not* work this way.  It has an
 implicit list of checks to run on each incoming mail, starting with
 virus scanning, and works its way through them.  If it's working this
 way for you, it may be the result of something funky in your Postfix
 configuration which is bypassing the routing through amavisd if it sees
 that header.

   How are you selecting the Postfix routing to content filtering?  In
 main.cf, in master.cf, or otherwise?

   
 I've temporarily added a filter to my postfix header_checks file to reject
 messages coming into my server that already have the X-Virus-Scanned
 header added to them. This is not a good solution, because it also blocks
 my outgoing email.
 

   A much better interim measure would be to strip the incoming headers,
 by simply replacing that REJECT with IGNORE in the same header_checks
 line.  It's not a bad idea anyway to strip spam scan headers which
 could be mistaken for your own.

   -- Clifton

   




Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-17 Thread Christopher J Shaker
Clifton:

  I am pretty sure amavisd-new does *not* work this way.  It has an
 implicit list of checks to run on each incoming mail, starting with
 virus scanning, and works its way through them.  If it's working this
 way for you, it may be the result of something funky in your Postfix
 configuration which is bypassing the routing through amavisd if it sees
 that header.

   How are you selecting the Postfix routing to content filtering?  In
 main.cf, in master.cf, or otherwise?


In /etc/postfix/master.cf:
smtp   inet  n   -   y   -   2   smtpd -o 
content_filter=smtp:[127.0.0.1]:10024
smtps  inet  n   -   y   -   2   smtpd -o 
content_filter=smtp:[127.0.0.1]:10024


  
 I've temporarily added a filter to my postfix header_checks file to 
 reject
 messages coming into my server that already have the X-Virus-Scanned
 header added to them. This is not a good solution, because it also 
 blocks
 my outgoing email.
 

   A much better interim measure would be to strip the incoming headers,
 by simply replacing that REJECT with IGNORE in the same header_checks
 line.  It's not a bad idea anyway to strip spam scan headers which
 could be mistaken for your own.

   -- Clifton



I've checked, and there are no FILTER directives in my header_checks
file. I'm still looking for anything I might have screwed up.

The emails that leak through are forged to look as though they came from me.
Normally, email that I send out *is* filtered by Amavis. I've had several
emails get mistakenly spam filtered when I tried to send them.

Thank you also to Gary for:

  $remove_existing_x_scanned_headers = 1; # default is to leave these alone.

Chris Shaker




Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-17 Thread Mark Martinec
Chris,

 I've still got the mystery of how his email gets in without being scored
 by Amavis. When I run spamassassin on it, it gets a very high score.
 Other spam gets filtered just fine. Somehow, this one spammer avoids it.

Perhaps it was larger than $sa_mail_body_size_limit, or the recipient
was declared a spam lover. Check the log, increase the log level if necessary.

  Mark



Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-16 Thread Gary V
On 2/16/08, Christopher J Shaker wrote:
 You may all know about this, but it was new to me.

 Found a persistent spammer was sending email to my domain without
 any score information from amavis-new.

 After trying several possibilities, I finally realized that he was sending
 the email with a hand crafted 'X-Virus-Scanned' header that was identical
 to what my Amavis-new would have added.

 That seems to bypass scanning with Amavis-new!

 I've temporarily added a filter to my postfix header_checks file to reject
 messages coming into my server that already have the X-Virus-Scanned
 header added to them. This is not a good solution, because it also blocks
 my outgoing email.

 Has anyone else run into this?

 Thank you,
 Chris Shaker

This is not a definitive answer, but in my experience amavisd-new
would not bypass itself because of a previous X-Virus-Scanned header.
BTW, you can tell amavisd-new to remove these headers by setting:

$remove_existing_x_scanned_headers = 1; # default is to leave these alone.

It's more likely you already have a header_check that checks for the
X-Virus-Scanned header and then uses a FILTER directive to bypass
amavisd-new. I would check for that. My guess is you created this in
order to bypass scanning for outbound mail, but this would not be a
good approach. A better approach would be to use a policy bank.
However, I am guessing here.

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks
http://www200.pair.com/mecham/spam/bypassing.html

-- 
Gary V



Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-16 Thread Clifton Royston
On Sat, Feb 16, 2008 at 11:31:05AM -0800, Christopher J Shaker wrote:
 You may all know about this, but it was new to me.
 
 Found a persistent spammer was sending email to my domain without
 any score information from amavis-new.
 
 After trying several possibilities, I finally realized that he was sending
 the email with a hand crafted 'X-Virus-Scanned' header that was identical
 to what my Amavis-new would have added.
 
 That seems to bypass scanning with Amavis-new!

  I am pretty sure amavisd-new does *not* work this way.  It has an
implicit list of checks to run on each incoming mail, starting with
virus scanning, and works its way through them.  If it's working this
way for you, it may be the result of something funky in your Postfix
configuration which is bypassing the routing through amavisd if it sees
that header.

  How are you selecting the Postfix routing to content filtering?  In
main.cf, in master.cf, or otherwise?

 I've temporarily added a filter to my postfix header_checks file to reject
 messages coming into my server that already have the X-Virus-Scanned
 header added to them. This is not a good solution, because it also blocks
 my outgoing email.

  A much better interim measure would be to strip the incoming headers,
by simply replacing that REJECT with IGNORE in the same header_checks
line.  It's not a bad idea anyway to strip spam scan headers which
could be mistaken for your own.

  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
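Clifton's IGNORE advice here and Gary's $remove_existing_x_scanned_headers setting earlier in the thread come down to the same control: header fields that claim a scan already happened are stripped at the boundary rather than trusted or used to bounce mail. The following is an added example written for this page, not code from Postfix, amavisd-new or SpamAssassin. It applies that rule to a constructed message with Python's email package so the behaviour can be read and tested on its own; the equivalent Postfix pcre header_checks lines are given in the docstring. Only the hostname linux.shaker-net.com comes from the thread; all addresses in the sample are constructed.

```python
"""Strip scanner-added header fields from an inbound message.

Added example for this thread; not code from Postfix, amavisd-new or
SpamAssassin. It does in Python what the remedies discussed above do in the
MTA, so the logic can be read and tested on its own:

  Postfix header_checks (pcre table), IGNORE rather than REJECT, so the field
  is dropped instead of the whole message being bounced:
      /^X-Virus-Scanned:/                                          IGNORE
      /^X-Spam-(Flag|Status|Level|Score|Report|Checker-Version):/  IGNORE
  amavisd-new:
      $remove_existing_x_scanned_headers = 1;

The sample message is constructed; only the hostname comes from the thread.
"""
import re
from email import message_from_string, policy
from typing import List, Tuple

# Header fields that only the local scanner should be allowed to add.
SCANNER_HEADER_RE = re.compile(
    r"^X-(Virus-Scanned|Spam-(Flag|Status|Level|Score|Report|Checker-Version))$",
    re.IGNORECASE,
)

# Constructed inbound message: a forged X-Virus-Scanned field mimicking what
# the local amavisd-new would add, plus a forged "not spam" status line.
FORGED_MESSAGE = """\
Received: from unknown (HELO mail.example.invalid) [192.0.2.10]
X-Virus-Scanned: amavisd-new at linux.shaker-net.com
X-Spam-Status: No, score=-3.0 required=5.0
From: someone@example.invalid
To: postmaster@example.invalid
Subject: February 73% OFF
Content-Type: text/plain

Hello.
"""


def strip_scanner_headers(raw: str) -> Tuple[str, List[str]]:
    """Return (message without scanner headers, names of removed fields).

    Every occurrence of a matching field is removed, including folded
    continuation lines, because the email package handles the folding.
    Header names are matched case-insensitively, as the MTA would.
    """
    msg = message_from_string(raw, policy=policy.default)
    removed = [name for name in msg.keys() if SCANNER_HEADER_RE.match(name)]
    for name in set(removed):
        del msg[name]  # deletes all occurrences of that field
    return msg.as_string(), removed


if __name__ == "__main__":
    cleaned, dropped = strip_scanner_headers(FORGED_MESSAGE)
    print("removed:", dropped)
    print(cleaned)
```

In Postfix the enforcement point is header_checks in cleanup, which every message passing cleanup goes through; that is why the REJECT variant in the thread bounced Chris's own outgoing mail as well. IGNORE has the same reach but is harmless: the field is dropped and the local scanner adds its own afterwards. The usual amavisd-new setup gives the re-injection listener (127.0.0.1:10025) `-o receive_override_options=no_header_body_checks`, so the scanner's freshly added X-Virus-Scanned field is not stripped on its way back in. As Mark says, a forged field never stopped amavisd-new from scanning; stripping it matters because a header that looks like your own scanner's output can still mislead downstream clients and rules.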



Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-16 Thread Mark Martinec
Chris,

 Found a persistent spammer was sending email to my domain without
 any score information from amavis-new.

 After trying several possibilities, I finally realized that he was sending
 the email with a hand crafted 'X-Virus-Scanned' header that was identical
 to what my Amavis-new would have added.

 That seems to bypass scanning with Amavis-new!

It doesn't.
A previous X-Virus-Scanned header field has no influence
on amavisd-new operations.

  Mark
