
[AMaViS-user] Nested MIME Mail not passed to ClamAV - why?


Thomas Gelf

Jun 11, 2009, 7:38:36 AM
Hi list,

today I discovered a mail that made it through Amavisd-new, even if
policy for this user clearly states that mail should be scanned - but
as log files show it has been passed to Spamassassin, but not to any
Virus scanner. ClamAV on this host (and on other hosts) recognizes
this mail as spam.

Here are the log lines of the original (not caught) mail:

(13191-11-6) Checking: ObFusYq0movf mymx [1.2.3.4] <sen...@domain.tld>
-> <ma...@customer.tld>
(13191-11-6) p004 1 Content-Type: multipart/related
(13191-11-6) p005 1/1 Content-Type: multipart/alternative
(13191-11-6) p001 1/1/1 Content-Type: text/plain, size: 4410 B, name:
(13191-11-6) p002 1/1/2 Content-Type: text/html, size: 24530 B, name:
(13191-11-6) p003 1/2 Content-Type: image/jpeg, size: 8860 B, name:
image001.jpg
(13191-11-6) SPAM-TAG, <sen...@domain.tld> -> <ma...@customer.tld>, No,
score=-0.405 tagged_above=-999 required=3 tests=[AWL=-2.194,
BAYES_50=0.001, HTML_MESSAGE=0.001, URIBL_PH_SURBL=1.787]
(13191-11-6) smtp session most likely still valid (short idle 7.0 s)
(13191-11-6) FWD via SMTP: <sen...@domain.tld> ->
<ma...@customer.tld>,BODY=7BIT 250 2.0.0 Ok, id=13191-11-6, from
MTA([1.2.3.5]:25): 250 2.0.0 Ok: queued as A48B92948A8
(13191-11-6) Passed CLEAN, mymx [4.3.2.1] [4.3.2.2] <sen...@domain.tld>
-> <ma...@customer.tld>, Message-ID: <whatever@PC>, mail_id:
ObFusYq0movf, Hits: -0.405, size: 45705, pt: 24, queued_as: A48B92948A8,
6697 ms

As you can see, "run_av" does not appear in these lines. If I use the
whole mail as another mail's plain content, it is being caught:

(11166-04-2) Checking: ObFusgHsHsH6 mymx [1.2.3.4] <ano...@sender.tld>
-> <o...@mailbox.tld>
(11166-04-2) p001 1 Content-Type: text/plain, size: 53267 B, name:
(11166-04-2) run_av (ClamAV-clamd):
/var/lib/amavis/tmp/amavis-20090611T0123456-11166/parts INFECTED:
Phishing.Heuristics.Email.SpoofedDomain
(11166-04-2) virus_scan: (Phishing.Heuristics.Email.SpoofedDomain),
detected by 1 scanners: ClamAV-clamd
(11166-04-2) Virus Phishing.Heuristics.Email.SpoofedDomain matches
(constant:1), sender addr ignored
(11166-04-2) SEND via SQL
(DBI:mysql:database=somedb;host=mydb;port=3306): <ano...@sender.tld> ->
<o...@mailbox.tld>, mail_id ObFusgHsHsH6
(11166-04-2) Blocked INFECTED (Phishing.Heuristics.Email.SpoofedDomain),
mymx [5.4.3.2] [5.4.3.2] <ano...@sender.tld> -> <o...@mailbox.tld>,
quarantine: ObFusgHsHsH6[24], Message-ID: <what...@sender.tld>,
mail_id: ObFusgHsHsH6, Hits: -, size: 55589, pt: 24, 8138 ms

Is something going badly wrong - or did I miss something? Please
note that qr'^MAIL$' is NOT part of my @keep_decoded_original_maps list;
that setting was what first seemed reasonable to me. But as run_av is
not even called for the decoded MIME parts, that's probably not the
issue here.

Any suggestions?

Best regards,
Thomas Gelf


_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Mark Martinec

Jun 11, 2009, 8:17:43 AM
Thomas,

> today I discovered a mail that made it through Amavisd-new, even if
> policy for this user clearly states that mail should be scanned - but
> as log files show it has been passed to Spamassassin, but not to any
> Virus scanner. ClamAV on this host (and on other hosts) recognizes
> this mail as spam.
>
> Here are the log lines of the original (not caught) mail:
>
> (13191-11-6) Checking: ObFusYq0movf mymx [1.2.3.4] <sen...@domain.tld>
> -> <ma...@customer.tld>
> (13191-11-6) p004 1 Content-Type: multipart/related
> (13191-11-6) p005 1/1 Content-Type: multipart/alternative
> (13191-11-6) p001 1/1/1 Content-Type: text/plain, size: 4410 B, name:
> (13191-11-6) p002 1/1/2 Content-Type: text/html, size: 24530 B, name:
> (13191-11-6) p003 1/2 Content-Type: image/jpeg, size: 8860 B, name:
> image001.jpg
> (13191-11-6) SPAM-TAG, <sen...@domain.tld> -> <ma...@customer.tld>, No,
> score=-0.405 tagged_above=-999 required=3 tests=[AWL=-2.194,

> As you can see, "run_av" does not appear in these lines. If I use the
> whole mail as another mail's plain content, it is being caught:
>
> (11166-04-2) Checking: ObFusgHsHsH6 mymx [1.2.3.4] <ano...@sender.tld>
> -> <o...@mailbox.tld>
> (11166-04-2) p001 1 Content-Type: text/plain, size: 53267 B, name:
> (11166-04-2) run_av (ClamAV-clamd):
> /var/lib/amavis/tmp/amavis-20090611T0123456-11166/parts INFECTED:
> Phishing.Heuristics.Email.SpoofedDomain

Perhaps ma...@customer.tld has bypass_virus_checks while o...@mailbox.tld
does not? Elevated log level would tell. (but see further on)

> Is there something badly going wrong - or did I miss something?
> Please note that qr'^MAIL$' is NOT part of my @keep_decoded_original_maps
> list, that setting was what first seemed reasonable to me.

Having qr'^MAIL$' in @keep_decoded_original_maps seems reasonable
to me too. If the 'Phishing.Heuristics.Email.SpoofedDomain' test
in ClamAV checks a mail header section, the absence of qr'^MAIL$'
would explain what you are seeing.

> But as run_av is not even called for the decoded MIME parts,
> that's probably not the issue here.

What is your log level? The "run_av (ClamAV-clamd): ..." log entry
is reported at log level 2 when infected, but at log level 3 when clean.

Mark
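As an added illustration of the two points above (this is example configuration written for this page, not code from the thread or from the amavisd-new distribution): an amavisd.conf fragment showing the weak @keep_decoded_original_maps setting beside the corrected one, plus the $log_level value at which run_av lines appear for clean mail as well. The qr'^MAIL$' entry is the one discussed in the thread; the other two regexes are the entries I recall from the shipped amavisd.conf defaults and should be checked against your own copy before use.

```perl
# amavisd.conf excerpt (amavisd-new reads its configuration as Perl).
# Added example for illustration; adapt the lists to your own installation.

# --- Weak: only decoded MIME parts reach the virus scanners. ---
# A signature that inspects the message header section (ClamAV's
# Phishing.Heuristics.Email.* checks do, per the thread) can never match,
# because no file containing the headers is ever handed to run_av.
#
# @keep_decoded_original_maps = (new_RE(
#   qr'^MAIL-UNDECIPHERABLE$',
#   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# ));

# --- Corrected: keep the whole original message as well and scan it. ---
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',                  # hand the complete original mail, headers
                               # included, to the scanners (costs some time)
  qr'^MAIL-UNDECIPHERABLE$',   # re-scan the whole mail if it contains
                               # parts that could not be decoded
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

# While verifying the change, raise logging so that the
# "run_av (ClamAV-clamd): ..." line is also written for clean mail
# (log level 3); at the default level 2 it only appears for infected mail,
# which is what made the log in the thread look as if no scan had happened.
$log_level = 3;

1;  # amavisd.conf must end with a true value
```

After reloading amavisd, re-inject the original message and look for a run_av line followed by a Blocked INFECTED verdict; once confirmed, lower $log_level again, since level 3 is verbose on a busy relay.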

Thomas Gelf

Jun 11, 2009, 9:25:53 AM
Mark Martinec wrote:
> Perhaps ma...@customer.tld has bypass_virus_checks while o...@mailbox.tld
> does not? Elevated log level would tell. (but see further on)

No, that's what we immediately verified - as it's the most obvious
explanation.

> Having qr'^MAIL$' in @keep_decoded_original_maps seems reasonable
> to me too. If the 'Phishing.Heuristics.Email.SpoofedDomain' test
> in ClamAV checks a mail header section, the absence of qr'^MAIL$'
> would explain what you are seing.
>
>> But as run_av is not even called for the decoded MIME parts,
>> that's probably not the issue here.
>
> What is your log level? The "run_av (ClamAV-clamd): ..." log entry
> is reported at log level 2 when infected, but at log level 3 when clean.

That's it! Log level is 2 - and as I didn't know this detail, the
posted log lines confused me. qr'^MAIL$' would have been the solution
if the log line had been there - but it wasn't. But with this
information the whole thing changes: it IS the solution.

Thank you very much Mark! Thank you for your immediate and precise
reply - and for all the great work you're doing for this project!
Can't wait to drink some beer with you in Berlin ;-)

Cheers,
Thomas
