Missing header mail can't bounce, gets delivered unscanned


Leonard den Ottolander

Jun 14, 2013, 5:58:26 PM
Hello,

Lately I see a lot of mails like these come in unfiltered by
spamassassin.

System is CentOS 6.4, using amavisd-new-2.8.0-4.el6.noarch from EPEL.
Amavis configuration is mostly as shipped by Fedora, I can provide
details if needed, but I think the relevant part here is:

$final_bad_header_destiny = D_BOUNCE;

Full mail header (edited names and IPs but not the X-Quarantine-ID):

Return-Path: <>
X-Original-To: em...@domain.nl
Delivered-To: us...@domain.nl
Received: from localhost (localhost [127.0.0.1]) by mail.domain.nl
 (Postfix) with ESMTP id D642542 for <em...@domain.nl>; Fri, 14
 Jun 2013 12:51:54 +0200 (CEST)
X-Quarantine-ID: <Tw0-mNHoul_7>
X-Virus-Scanned: amavisd-new at domain.nl
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field:
 "Date"
Received: from mail.domain.nl ([127.0.0.1]) by localhost
 (mail.domain.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id
 Tw0-mNHoul_7 for <em...@domain.nl>; Fri, 14 Jun 2013 12:51:54
 +0200 (CEST)
X-Greylist: delayed 503 seconds by postgrey-1.34 at host.domain.nl;
 Fri, 14 Jun 2013 12:51:54 CEST
Received: from remote.host.by (unknown
 [1.1.1.1]) by mail.domain.nl (Postfix) with SMTP id 17C3440 for
 <em...@domain.nl>; Fri, 14 Jun 2013 12:51:53 +0200 (CEST)
Received: from unknown (HELO localhost)
 (fr...@domain.ru@2.2.2.2) by 1.1.1.1 with ESMTPA;
 Fri, 14 Jun 2013 13:47:38 +0200
X-Originating-IP: 2.2.2.2
From: fr...@domain.ru
To: em...@domain.nl
Subject: It has the Potential to be a Major
Message-Id: <20130614105...@mail.domain.nl>
Date: Fri, 14 Jun 2013 12:51:54 +0200 (CEST)
X-Evolution-Source: pop://user%40dom...@pop.domain.nl/
Mime-Version: 1.0


If the subject hadn't given it away yet
$ spamassassin -t mail.txt | tail -21
identifies the mail as spam:

Content analysis details: (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?1.1.1.1>]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [1.1.1.1 listed in zen.spamhaus.org]
 0.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
                            [1.1.1.1 listed in bl.score.senderscore.com]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [1.1.1.1 listed in bb.barracudacentral.org]
 0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [1.1.1.1 listed in dnsbl.sorbs.net]
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)


The missing date header puts the mail in quarantine and the missing
Return-Path breaks the bouncing so the mail gets sent without having
been scanned by spamassassin:

Jun 14 12:51:52 host postfix/smtpd[2212]: warning: 1.1.1.1: hostname remote.host.by verification failed: Name or service not known
Jun 14 12:51:52 host postfix/smtpd[2212]: connect from unknown[1.1.1.1]
Jun 14 12:51:54 host postgrey[2124]: action=pass, reason=triplet found, delay=503, client_name=unknown, client_address=1.1.1.1, recipient=em...@domain.nl
Jun 14 12:51:54 host postfix/smtpd[2212]: 17C3440: client=unknown[1.1.1.1]
Jun 14 12:51:54 host postfix/cleanup[2216]: 17C3440: message-id=<>
Jun 14 12:51:54 host postfix/qmgr[16541]: 17C3440: from=<>, size=1911, nrcpt=1 (queue active)
Jun 14 12:51:54 host amavis[22277]: (22277-16) loaded policy bank "MYNETS"
Jun 14 12:51:54 host amavis[22277]: (22277-16) LMTP::10024 /var/spool/amavisd/tmp/amavis-20130614T045914-22277-5EuQaI7P: <> -> <em...@domain.nl> SIZE=1911 Received: from mail.domain.nl ([127.0.0.1]) by localhost (mail.domain.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <em...@domain.nl>; Fri, 14 Jun 2013 12:51:54 +0200 (CEST)
Jun 14 12:51:54 host amavis[22277]: (22277-16) Checking: Tw0-mNHoul_7 MYNETS <> -> <em...@domain.nl>
Jun 14 12:51:54 host amavis[22277]: (22277-16) p001 1 Content-Type: text/plain, size: 1280 B, name:
Jun 14 12:51:54 host amavis[22277]: (22277-16) check_header: 7, Missing required header field: "Date"
Jun 14 12:51:54 host amavis[22277]: (22277-16) bounce unverifiable, originating, <> -> <em...@domain.nl>
Jun 14 12:51:54 host amavis[22277]: (22277-16) allow bad header section from (sender=<>) <> -> <em...@domain.nl>: Missing required header field: "Date"
Jun 14 12:51:54 host amavis[22277]: (22277-16) header_edits_for_quar: <> -> <em...@domain.nl>, No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
Jun 14 12:51:54 host amavis[22277]: (22277-16) local delivery: <> -> bad-header-quarantine, mbx=/var/spool/amavisd/quarantine/badh-Tw0-mNHoul_7
Jun 14 12:51:54 host amavis[22277]: (22277-16) dkim: candidate originators: From:<fr...@domain.ru>
Jun 14 12:51:54 host amavis[22277]: (22277-16) dkim: not signing, empty signing domain, From: <fr...@domain.ru>
Jun 14 12:51:54 host postfix/smtpd[2041]: connect from localhost[127.0.0.1]
Jun 14 12:51:54 host postfix/smtpd[2041]: D642542: client=localhost[127.0.0.1]
Jun 14 12:51:54 host postfix/cleanup[2216]: D642542: message-id=<20130614105...@mail.domain.nl>
Jun 14 12:51:54 host postfix/smtpd[2041]: disconnect from localhost[127.0.0.1]
Jun 14 12:51:54 host postfix/qmgr[16541]: D642542: from=<>, size=2574, nrcpt=1 (queue active)
Jun 14 12:51:54 host amavis[22277]: (22277-16) FWD from <> -> <em...@domain.nl>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D642542
Jun 14 12:51:54 host amavis[22277]: (22277-16) Passed BAD-HEADER-7 {RelayedInternal,Quarantined}, MYNETS [2.2.2.2] <> -> <em...@domain.nl>, quarantine: badh-Tw0-mNHoul_7, mail_id: Tw0-mNHoul_7, Hits: -, size: 1911, queued_as: D642542, 131 ms
Jun 14 12:51:54 host postfix/lmtp[2217]: 17C3440: to=<em...@domain.nl>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=1.2/0.01/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D642542)
Jun 14 12:51:54 host amavis[22277]: (22277-16) size: 1911, TIMING [total 133 ms] - SMTP greeting: 1 (1%)1, SMTP LHLO: 0 (0%)1, SMTP pre-MAIL: 0 (0%)1, SMTP pre-DATA-flush: 1 (1%)2, SMTP DATA: 39 (30%)31, check_init: 0 (0%)31, digest_hdr: 0 (0%)32, digest_body_dkim: 0 (0%)32, mime_decode: 3 (2%)34, get-file-type1: 8 (6%)39, decompose_part: 1 (1%)40, parts_decode: 0 (0%)40, check_header: 1 (0%)40, AV-scan-1: 4 (3%)43, decide_mail_destiny: 0 (0%)43, notif-quar: 0 (0%)43, quar-hdrs: 0 (0%)44, stat-mbx: 1 (1%)44, open-mbx: 0 (0%)44, write-header: 0 (0%)45, save-to-local-mailbox: 0 (0%)45, fwd-connect: 2 (2%)46, fwd-mail-pip: 1 (1%)47, fwd-rcpt-pip: 0 (0%)47, fwd-data-chkpnt: 0 (0%)47, write-header: 0 (0%)47, fwd-data-contents: 0 (0%)47, fwd-end-chkpnt: 65 (49%)96, prepare-dsn: 0 (0%)96, main_log_entry: 3 (2%)98, update_snmp: 1 (1%)99, SMTP pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-2-files: 0 (0%)100, rundown: 0 (0%)100
Jun 14 12:51:54 host postfix/qmgr[16541]: 17C3440: removed
Jun 14 12:51:54 host postfix/virtual[2220]: D642542: to=<us...@domain.nl>, orig_to=<em...@domain.nl>, relay=virtual, delay=0.11, delays=0.07/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
Jun 14 12:51:54 host postfix/qmgr[16541]: D642542: removed
Jun 14 12:51:55 host postfix/smtpd[2212]: disconnect from unknown[1.1.1.1]

And the mail gets delivered to my mailbox.

How can I assure that mail that fails to bounce at least gets scanned by
spamassassin?

Regards,
Leonard.
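One way to spot this pattern in the mail log after the fact, as an added example that is not from the thread: the script correlates amavis lines by task id and flags any message that was passed with no spam score (Hits: -) after a "bounce unverifiable" line, i.e. a bad-header verdict that could not be bounced because the sender was <>. The log lines are constructed, modelled on the ones quoted above; the addresses and the second mail_id are made up.

```python
import re

# Constructed sample log, modelled on the amavis lines quoted in the post above.
# Task 22277-16 is the problem case (null sender, missing Date, unbounceable);
# task 22277-17 is a normally scanned message with a made-up mail_id, for contrast.
SAMPLE_LOG = """\
Jun 14 12:51:54 host amavis[22277]: (22277-16) Checking: Tw0-mNHoul_7 MYNETS <> -> <user@example.invalid>
Jun 14 12:51:54 host amavis[22277]: (22277-16) check_header: 7, Missing required header field: "Date"
Jun 14 12:51:54 host amavis[22277]: (22277-16) bounce unverifiable, originating, <> -> <user@example.invalid>
Jun 14 12:51:54 host amavis[22277]: (22277-16) Passed BAD-HEADER-7 {RelayedInternal,Quarantined}, MYNETS [2.2.2.2] <> -> <user@example.invalid>, quarantine: badh-Tw0-mNHoul_7, mail_id: Tw0-mNHoul_7, Hits: -, size: 1911, queued_as: D642542, 131 ms
Jun 14 12:52:10 host amavis[22277]: (22277-17) Checking: MADEUPID0001 MYNETS <sender@example.invalid> -> <user@example.invalid>
Jun 14 12:52:10 host amavis[22277]: (22277-17) Passed CLEAN {RelayedInternal}, MYNETS [2.2.2.3] <sender@example.invalid> -> <user@example.invalid>, mail_id: MADEUPID0001, Hits: 0.5, size: 2048, queued_as: D642543, 200 ms
"""

TASK_RE = re.compile(r" amavis\[\d+\]: \((\d+-\d+)\) (.*)$")
PASSED_RE = re.compile(r"^Passed (\S+) .*mail_id: (\S+), Hits: (\S+),")


def find_unscanned_passes(log_text):
    """Return one dict per message that amavis passed without a spam score
    (Hits: -) after it could not bounce a bad-header verdict. Lines belonging
    to one message are correlated by the amavis task id, e.g. 22277-16."""
    state = {}
    findings = []
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        task, msg = m.groups()
        st = state.setdefault(task, {"null_sender": False, "unverifiable": False, "bad_header": None})
        if msg.startswith("Checking:") and " <> -> " in msg:
            st["null_sender"] = True            # envelope sender <> (empty Return-Path)
        elif msg.startswith("check_header:"):
            st["bad_header"] = msg.split(", ", 1)[1]
        elif msg.startswith("bounce unverifiable"):
            st["unverifiable"] = True           # D_BOUNCE could not be carried out
        pm = PASSED_RE.match(msg)
        if pm and pm.group(3) == "-" and st["unverifiable"]:
            findings.append({"task": task, "mail_id": pm.group(2), "verdict": pm.group(1),
                             "null_sender": st["null_sender"], "bad_header": st["bad_header"]})
    return findings


if __name__ == "__main__":
    for f in find_unscanned_passes(SAMPLE_LOG):
        print(f"{f['mail_id']}: {f['verdict']} delivered without a spam score; {f['bad_header']}")
```

Run it over a real maillog (e.g. `find_unscanned_passes(open("/var/log/maillog").read())`) to count how often the bypass happens before deciding whether D_PASS or D_DISCARD suits the site better.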

and...@adlibre.com.au

Sep 1, 2013, 11:10:59 PM
On Saturday, 15 June 2013 07:58:26 UTC+10, Leonard den Ottolander wrote:

> Lately I see a lot of mails like these come in unfiltered by spamassassin.
>
> System is CentOS 6.4, using amavisd-new-2.8.0-4.el6.noarch from EPEL.
>

> Return-Path: <>

> X-Amavis-Alert: BAD HEADER SECTION, Missing required header field:
>
> "Date"
>


Did you ever solve this?

I'm having the exact same issue. Same OS / packages. If the spam is missing Return-Path and Date header then SA does not seem to be called.

Regards,

Andrew

and...@adlibre.com.au

Sep 1, 2013, 11:44:49 PM
On Monday, 2 September 2013 13:10:59 UTC+10, and...@adlibre.com.au wrote:

> Did you ever solve this?
>

I've just found the rest of this (split) thread. I'll try $final_bad_header_destiny = D_PASS.

Did you report a bug for this?

Regards,

Andrew

cary.a...@gmail.com

Oct 3, 2013, 12:17:12 PM
Hi, did you ever solve this problem? I'm having the same issue, and it's driving me batty.

Thanks.