
[AMaViS-user] warnings for unchecked mail


Christian Roessner

Dec 21, 2010, 12:25:08 PM

Hi,

is that normal that the pre11 version starts sending warnings to my postmaster account for UNCHECKED mails?

subject: UNCHECKED contents in mail FROM [some ip here] <what...@example.com>

content:
No viruses were found.

Content type: Unchecked
Internal reference code for the message is 18850-05/nI7IYYkd04LX
...


I have no warn* variables in my configuration included. So did the default change?

Christian



Mark Martinec

Dec 21, 2010, 1:28:38 PM

Christian,

> is that normal that the pre11 version starts sending warnings to my
> postmaster account for UNCHECKED mails?
>
> subject: UNCHECKED contents in mail FROM [some ip here]
> <what...@example.com>
> content:
> No viruses were found.
> Content type: Unchecked
> Internal reference code for the message is 18850-05/nI7IYYkd04LX
> ...
>
> I have no warn* variables in my configuration included. So did the default
> change?

It is normal, a default for %admin_maps_by_ccat has changed.
With 2.6.4 it was:

%admin_maps_by_ccat = (
CC_VIRUS, sub { ca('virus_admin_maps') },
CC_BANNED, sub { ca('banned_admin_maps') },
CC_SPAM, sub { ca('spam_admin_maps') },
CC_BADH, sub { ca('bad_header_admin_maps') },
);

now with 2.7.0 it is:

%admin_maps_by_ccat = (
CC_VIRUS, sub { ca('virus_admin_maps') },
CC_BANNED, sub { ca('banned_admin_maps') },
CC_UNCHECKED, sub { ca('virus_admin_maps') },
CC_SPAM, sub { ca('spam_admin_maps') },
CC_BADH, sub { ca('bad_header_admin_maps') },
);


To revert to previous behaviour, add the following to amavisd.conf:

delete $admin_maps_by_ccat{&CC_UNCHECKED};

I should have mentioned it in release notes.

Mark

Michael Scheidell

Dec 21, 2010, 2:12:27 PM

On 12/21/10 1:28 PM, Mark Martinec wrote:
> now with 2.7.0 it is:
>
> %admin_maps_by_ccat = (
> CC_VIRUS, sub { ca('virus_admin_maps') },
> CC_BANNED, sub { ca('banned_admin_maps') },
> CC_UNCHECKED, sub { ca('virus_admin_maps') },
> CC_SPAM, sub { ca('spam_admin_maps') },
> CC_BADH, sub { ca('bad_header_admin_maps') },
> );
what would trigger that?
why would it be unchecked? what would make it unchecked? and don't I
want to know if an email is unchecked?

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________

Eray Aslan

Dec 21, 2010, 4:30:31 PM

On Tue, Dec 21, 2010 at 02:12:27PM -0500, Michael Scheidell wrote:
> what would trigger that?
> why would it be unchecked? what would make it unchecked?

Email submission with a regular excel xlsx file attached:

Dec 21 07:35:17 sunny amavis[29093]: () loaded policy bank "SUBMISSION"
Dec 21 07:35:17 sunny amavis[29093]: (29093-06) ESMTP::10026 /var/amavis/tmp/amavis-20101221T072915-29093-fQ6YxLE5: <us...@zeplin.net> -> <us...@zeplin.net> SIZE=1627585 Received: from mail.caf.com.tr ([127.0.0.1]) by localhost (sunny.caf.com.tr [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <us...@zeplin.net>; Tue, 21 Dec 2010 07:35:17 +0000 (UTC)
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) Checking: vVl2xuPfaj-Y SUBMISSION [a.b.c.d] <us...@zeplin.net> -> <us...@zeplin.net>
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p004 1 Content-Type: multipart/mixed
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p005 1/1 Content-Type: multipart/alternative
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p001 1/1/1 Content-Type: text/plain, size: 41 B, name:
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p002 1/1/2 Content-Type: text/html, size: 1961 B, name:
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p003 1/2 Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, size: 1186624 B, name: List.xlsx
Dec 21 07:35:20 sunny amavis[29093]: (29093-06) Decoding of p003 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: Maximum number of files (1500) exceeded at /usr/sbin/amavisd line 7957.
Dec 21 07:35:20 sunny amavis[29093]: (29093-06) NOTICE: Virus scanning skipped: Maximum number of files (1500) exceeded at /usr/sbin/amavisd line 7957.
Dec 21 07:35:20 sunny amavis[29093]: (29093-06) truncating a message passed to SA at 410405 bytes, orig 1627586
[...]
Dec 21 07:35:23 sunny amavis[29093]: (29093-06) FWD from <us...@zeplin.net> -> <us...@zeplin.net>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 879E439E372
Dec 21 07:35:23 sunny amavis[29093]: (29093-06) Passed UNCHECKED, SUBMISSION LOCAL [a.b.c.d] [a.b.c.d] <us...@zeplin.net> -> <us...@zeplin.net>, quarantine: lo...@example.com, Message-ID: <000601cba0e1$791b2920$6b517b60$@net>, mail_id: vVl2xuPfaj-Y, Hits: -2.394, size: 1627586, queued_as: 879E439E372, dkim_new=originating:zeplin.net, 5857 ms

--
Eray
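
Added example, not part of the original post: a small triage script that groups amavis log lines by their session tag and attaches the logged reasons to each UNCHECKED verdict. The sample log is constructed from the format quoted above with placeholder addresses; the function and pattern names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted above (addresses are placeholders).
SAMPLE_LOG = """\
Dec 21 07:35:18 sunny amavis[29093]: (29093-06) Checking: vVl2xuPfaj-Y SUBMISSION [a.b.c.d] <user@example.net> -> <user@example.net>
Dec 21 07:35:20 sunny amavis[29093]: (29093-06) Decoding of p003 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: Maximum number of files (1500) exceeded at /usr/sbin/amavisd line 7957.
Dec 21 07:35:20 sunny amavis[29093]: (29093-06) NOTICE: Virus scanning skipped: Maximum number of files (1500) exceeded at /usr/sbin/amavisd line 7957.
Dec 21 07:35:23 sunny amavis[29093]: (29093-06) Passed UNCHECKED, SUBMISSION LOCAL [a.b.c.d] [a.b.c.d] <user@example.net> -> <user@example.net>, mail_id: vVl2xuPfaj-Y, Hits: -2.394, size: 1627586, 5857 ms
Dec 21 07:36:01 sunny amavis[29093]: (29093-07) Passed CLEAN, SUBMISSION LOCAL [a.b.c.d] <user@example.net> -> <user@example.net>, mail_id: Ab3dEfGh1jKl, Hits: -1.0, size: 2048, 310 ms
"""

# "(29093-06)" is the per-message session tag that ties the lines together.
LINE = re.compile(r"amavis\[\d+\]: \((?P<sid>\d+-\d+)\) (?P<msg>.*)")
REASON = re.compile(
    r"(?:leaving it unpacked|Virus scanning skipped): (?P<why>.+?)"
    r"(?: at \S+ line \d+\.?)?$")
VERDICT = re.compile(r"(?P<action>Passed|Blocked) (?P<ccat>[A-Z-]+)")
MAIL_ID = re.compile(r"mail_id: ([^,\s]+)")


def unchecked_report(log_text):
    """Return one dict per UNCHECKED verdict, with the reasons logged earlier
    in the same session (decoder failure, virus scan skipped)."""
    reasons = defaultdict(list)
    report = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sid, msg = m["sid"], m["msg"]
        r = REASON.search(msg)
        if r and r["why"] not in reasons[sid]:
            reasons[sid].append(r["why"])  # keep each distinct reason once
        v = VERDICT.match(msg)
        if v and v["ccat"].startswith("UNCHECKED"):
            mid = MAIL_ID.search(msg)
            report.append({
                "session": sid,
                "action": v["action"],
                "mail_id": mid.group(1) if mid else None,
                "reasons": list(reasons[sid]),
            })
    return report


if __name__ == "__main__":
    for row in unchecked_report(SAMPLE_LOG):
        print(row)
```

A verdict of "Passed" together with a non-empty reasons list marks mail that was delivered without a virus scan, which is the case the postmaster notification reports.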

Michael Scheidell

Dec 21, 2010, 5:22:43 PM

On 12/21/10 4:30 PM, Eray Aslan wrote:
> Maximum number of files (1500) exceeded at /usr/sbin/amavisd line 7957
There were 1500 files in that attachment?

might amavisd be wrong in this assumption?

does amavisd-new 2.6.2 do the same thing?


Clifton Royston

Dec 21, 2010, 6:29:55 PM

On Tue, Dec 21, 2010 at 11:30:31PM +0200, Eray Aslan wrote:
> On Tue, Dec 21, 2010 at 02:12:27PM -0500, Michael Scheidell wrote:
> > what would trigger that?
> > why would it be unchecked? what would make it unchecked?
>
> Email submission with a regular excel xlsx file attached:
>
> Dec 21 07:35:17 sunny amavis[29093]: () loaded policy bank "SUBMISSION"
> Dec 21 07:35:17 sunny amavis[29093]: (29093-06) ESMTP::10026 /var/amavis/tmp/amavis-20101221T072915-29093-fQ6YxLE5: <us...@zeplin.net> -> <us...@zeplin.net> SIZE=1627585 Received: from mail.caf.com.tr ([127.0.0.1]) by localhost (sunny.caf.com.tr [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <us...@zeplin.net>; Tue, 21 Dec 2010 07:35:17 +0000 (UTC)
> Dec 21 07:35:18 sunny amavis[29093]: (29093-06) Checking: vVl2xuPfaj-Y SUBMISSION [a.b.c.d] <us...@zeplin.net> -> <us...@zeplin.net>
> Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p004 1 Content-Type: multipart/mixed
> Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p005 1/1 Content-Type: multipart/alternative
> Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p001 1/1/1 Content-Type: text/plain, size: 41 B, name:
> Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p002 1/1/2 Content-Type: text/html, size: 1961 B, name:
> Dec 21 07:35:18 sunny amavis[29093]: (29093-06) p003 1/2 Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, size: 1186624 B, name: List.xlsx
> Dec 21 07:35:20 sunny amavis[29093]: (29093-06) Decoding of p003 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: Maximum number of files (1500) exceeded at /usr/sbin/amavisd line 7957.

Most likely a problem with the "file" program's identification of
file type. Check whether you need updates to your copy of the program
or to the magic file it uses for file identification.

The .xlsx format does use Zip compression but it's not a standard zip
file, and that might be why this one appears to unpack to a
ridiculous number of files. It shouldn't be getting unzipped in the
first place.

-- Clifton

--
Clifton Royston -- clif...@iandicomputing.com / clif...@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Mark Martinec

Dec 21, 2010, 6:56:08 PM

Michael,

> %admin_maps_by_ccat = (
> CC_UNCHECKED, sub { ca('virus_admin_maps') },

> what would trigger that?
> why would it be unchecked? what would make it unchecked?
> and don't I want to know if an email is unchecked?

A content is considered unchecked when some part is either:
- encrypted/scrambled/password protected
- an archive cannot be decoded, e.g. when it is damaged
- further decoding is canceled because file or recursion
  sanity limits are exceeded
- all virus scanners failed (this one is new with 2.7.0)


Eray Aslan wrote:

> Email submission with a regular excel xlsx file attached:
>
> (29093-06) p003 1/2 Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, size: 1186624 B, name: List.xlsx
> (29093-06) Decoding of p003 (Zip archive data, at least v2.0 to extract)
> failed, leaving it unpacked: Maximum number of files (1500) exceeded
> at /usr/sbin/amavisd line 7957.
> (29093-06) NOTICE: Virus scanning skipped: Maximum number of files
> (1500) exceeded at /usr/sbin/amavisd line 7957.
> (29093-06) truncating a message passed to SA at 410405 bytes, orig 1627586
> (29093-06) Passed UNCHECKED, SUBMISSION LOCAL [a.b.c.d] [a.b.c.d] ...

Looks like the archive contained more than 1500 members.
Check the message and try unzipping it manually to make sure.


Clifton Royston wrote:
> Most likely a problem with the "file" program's identification of
> file type. [...]
>
> The .xlsx format does use Zip compression but it's not a standard zip
> file, and that might be why this one appears to unpack to a
> ridiculous number of files. It shouldn't be getting unzipped in the
> first place.

I disagree. If a content _can_ be unpacked further by any means
available, it should be. Same goes for jar archives, which often
contain hundreds of small files. One can retain the archive
to be passed to a virus scanner along with its members
(@keep_decoded_original_maps), or disable some decoders,
if you like.

Mark
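
Added example, not part of the original thread: one way to do the manual check suggested above without extracting anything, by counting the members in each zip-format attachment's central directory. The 1500 threshold is taken from the log line in this thread; the function names and the sample message are constructed for this example, and how amavisd itself counts files toward its limit is not shown on this page.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

FILE_LIMIT = 1500  # value seen in the log above; adjust to your own configuration


def zip_member_counts(raw_message, limit=FILE_LIMIT):
    """Return [(filename, member_count, over_limit)] for each zip-format
    attachment. Only the central directory is read, so nothing is
    decompressed or written to disk."""
    results = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue  # not a zip container (an .xlsx or .jar is one)
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            count = len(zf.infolist())
        results.append((part.get_filename(), count, count > limit))
    return results


def build_sample(members):
    """Constructed test message: a zip container named like an .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(members):
            zf.writestr(f"xl/part{i}.xml", "<x/>")
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "rcpt@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(
        buf.getvalue(), maintype="application",
        subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        filename="List.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(zip_member_counts(build_sample(1600)))
```

Run it against the quarantined copy of the message to see whether an attachment really holds more members than the limit named in the log.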
