On 11/10/2014 02:32 AM, Rich Wales wrote:
This *AXB_XRCVD_8B8* rule seems excessively broad to me. It seems it
could wrongly catch e-mail that was legitimately Amavis-scanned on its
way out by a server whose name just happened to be eight characters long.
I think a better rule would take advantage of other anomalies with these
fake header lines, such as the following:
* There is an *extraneous semicolon* before the "for" clause. There
should be only one semicolon in a "Received:" line -- namely, the
one just before the date/time stamp.
* There is *no "from" clause*. A valid "Received:" line from an
amavisd-new scan will always have a "from" clause -- and further, I
believe a valid "from" clause from amavisd-new will always reference
"localhost".
* The "Received:" line from a real amavisd-new scan *shouldn't be the
chronologically first* (physically last) "Received:" line. The
first "Received:" line (time-wise) happens when a message is
initially delivered to the local mail software; a genuine outbound
amavisd-new scan will generate the chronologically *second*
(physically second-to-last) "Received:" line.
* The *port number is strange*. While it is not absolutely mandatory
for an amavisd-new installation to use port 10024, I believe it is
pretty much unheard of for amavisd-new to be set up to listen on
ports like 7693, 7686, 7684, or 17196.
Here is a sample rule which will detect the extraneous semicolon.
header BOGUS_RCVD_AMAVIS Received =~ /\(amavisd-new,\s+port\s+\d+\).+;\s*for\b/
Do we have your permission to add this rule to SA's masscheck /
autopromoting?
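As an added illustration (not code from this thread, from SpamAssassin, or from amavisd-new), the following Python scanner applies the four anomalies Rich lists, plus his sample regex, to a stack of Received: values. The header sets are constructed for the example, treating 10024 as the only "usual" amavisd-new port is an assumption (Rich notes it is not mandatory), and a 127.0.0.1 literal is assumed to count as a reference to localhost.

```python
"""Heuristics for forged "(amavisd-new, port N)" Received: lines.

Added example, not from the original thread.  The sample headers below are
constructed; the default-port and loopback assumptions are noted inline.
"""
import re
from typing import Dict, List

# Rich Wales's sample SpamAssassin rule as a Python regex: an extra ';'
# between the amavisd-new comment and the "for" clause.
BOGUS_RCVD_AMAVIS = re.compile(r"\(amavisd-new,\s+port\s+\d+\).+;\s*for\b")

AMAVIS_COMMENT = re.compile(r"\(amavisd-new,\s+port\s+(\d+)\)")
# "from <...> by": the group is the body of the from clause.
FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+by\s", re.IGNORECASE)

# Assumption: only 10024 is treated as a usual port.  Real installations may
# listen elsewhere, so this indicator is weak on its own.
USUAL_AMAVIS_PORTS = {10024}


def unfold(value: str) -> str:
    """Undo RFC 5322 header folding (CRLF + WSP) so the regexes see one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def check_amavis_line(value: str, physical_index: int, total: int) -> List[str]:
    """Return the anomaly names found on one unfolded Received: value.

    physical_index 0 is the top-most (newest) header; total - 1 is the
    bottom-most, i.e. chronologically first, header.
    """
    m = AMAVIS_COMMENT.search(value)
    if m is None:
        return []                      # not an amavisd-new line, nothing to judge
    hits: List[str] = []
    if BOGUS_RCVD_AMAVIS.search(value):
        hits.append("extra_semicolon_before_for")
    fm = FROM_CLAUSE.match(value)
    if fm is None:
        hits.append("no_from_clause")
    elif not any(tok in fm.group(1) for tok in ("localhost", "127.0.0.1")):
        hits.append("from_not_localhost")   # assumption: loopback literal == localhost
    if physical_index == total - 1:
        hits.append("chronologically_first")
    port = int(m.group(1))
    if port not in USUAL_AMAVIS_PORTS:
        hits.append(f"unusual_port:{port}")
    return hits


def scan(received: List[str]) -> Dict[int, List[str]]:
    """Map physical index -> anomalies for every amavisd-new Received: line."""
    values = [unfold(v) for v in received]
    return {i: check_amavis_line(v, i, len(values))
            for i, v in enumerate(values) if AMAVIS_COMMENT.search(v)}


# Structural anomalies; the port alone is not treated as evidence.
STRONG = {"extra_semicolon_before_for", "no_from_clause", "chronologically_first"}


def looks_forged(received: List[str]) -> bool:
    """True when any amavisd-new line shows a structural anomaly."""
    return any(STRONG & set(hits) for hits in scan(received).values())


# Constructed sample, physical order (top first): forged amavisd-new line that
# is physically last, has no "from" clause, a stray ';' and an odd port.
FORGED = [
    "from spam-src.example (unknown [203.0.113.5]) by inbox.example.org (Postfix) "
    "with ESMTP id 4C7F1B2; Mon, 10 Nov 2014 02:30:01 -0800",
    "by spam-src.example (amavisd-new, port 7693) with ESMTP id 7XK2QkA; "
    "for <victim@example.org>; Mon, 10 Nov 2014 02:29:55 -0800",
]

# Constructed sample: genuine-looking outbound scan as the second-to-last line,
# folded the way an MTA might emit it.
GENUINE = [
    "from mail.example.org (mail.example.org [198.51.100.7]) by inbox.example.net "
    "(Postfix) with ESMTP id 9F2A; Mon, 10 Nov 2014 02:31:00 -0800",
    "from mail.example.org ([127.0.0.1])\n\tby localhost (mail.example.org [127.0.0.1]) "
    "(amavisd-new, port 10024)\n\twith ESMTP id Ab3cD9eF for <alice@example.net>;\n"
    "\tMon, 10 Nov 2014 02:30:58 -0800",
    "from [10.0.0.5] (workstation.example.org [10.0.0.5]) by mail.example.org "
    "(Postfix) with ESMTPSA id 1A2B; Mon, 10 Nov 2014 02:30:57 -0800",
]

if __name__ == "__main__":
    for name, hdrs in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, scan(hdrs), "FORGED" if looks_forged(hdrs) else "ok")
```

Headers are unfolded before matching because a raw SpamAssassin `header` rule sees the unfolded value too; a regex run on the folded text would miss a `;` sitting at a line break. The position check only makes sense on the complete header stack, so feed it every Received: line of the message, newest first.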