[AMaViS-user] Message-ID:

Chris Lee

Oct 26, 2004, 2:57:11 AM
Hi All,

I have now written an amavisd-new log analysis program in PHP and found the
following log entries:

1. Duplicate Message-ID (Message-ID: Message-ID:)

Oct 24 07:45:13 mta amavis[1766]: (01766-03) Passed SPAM, [69.191.176.163]
<ixnqn...@naturesfurnace.com> -> <hidden destination email>, quarantine:
spam-44a7831b6ce6ca9c009ac4589c1fea5f-20041024-074506-01766-03, Message-ID:
Message-ID: <KTYOMMO$oxjW$O4S6@>, Hits: 23.884, 6314 ms

2. Space after Message-ID and before comma (com> , Hits:)

Oct 25 10:44:10 mta amavis[9821]: (09821-06) Passed SPAM, [68.72.174.219]
<KLQGAUE...@miho-nakayama.com> -> <hidden destination email>,
quarantine: spam-45f2552b0c3593eff4364b2103a1849b-20041025-104401-09821-06,
Message-ID: <6.5.6.3.5.577938...@xwvysic.tamil.com> , Hits:
14.647, 9624 ms

3. No ">" for Message-ID (Message-ID: <K[20,)
Oct 25 13:40:33 mta amavis[13975]: (13975-09) Passed SPAM, [76.72.52.200]
<dvwvb...@obsidiana.com.ar> -> <hidden destination email>, quarantine:
spam-d41d8cd98f00b204e9800998ecf8427e-20041025-134031-13975-09, Message-ID:
<K[20, Hits: 24.301, 2862 ms

Is it normal?

I am using amavisd-new-2.2.0-rc1, Postfix 2.0.18 (rpm)

Regards,
Chris Lee


_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Clifton Royston

Oct 26, 2004, 12:34:00 PM
On Tue, Oct 26, 2004 at 02:58:35PM +0800, Chris Lee wrote:
> I have now written an amavisd-new log analysis program in PHP and found the
> following log entries:
>
> 1. Duplicate Message-ID (Message-ID: Message-ID:)
>
> Oct 24 07:45:13 mta amavis[1766]: (01766-03) Passed SPAM, [69.191.176.163]
> <ixnqn...@naturesfurnace.com> -> <hidden destination email>, quarantine:
> spam-44a7831b6ce6ca9c009ac4589c1fea5f-20041024-074506-01766-03, Message-ID:
> Message-ID: <KTYOMMO$oxjW$O4S6@>, Hits: 23.884, 6314 ms

I would not be surprised if this were actually in the original spam.

> 2. Space after Message-ID and before comma (com> , Hits:)
>
> Oct 25 10:44:10 mta amavis[9821]: (09821-06) Passed SPAM, [68.72.174.219]
> <KLQGAUE...@miho-nakayama.com> -> <hidden destination email>,
> quarantine: spam-45f2552b0c3593eff4364b2103a1849b-20041025-104401-09821-06,
> Message-ID: <6.5.6.3.5.577938...@xwvysic.tamil.com> , Hits:
> 14.647, 9624 ms

Not sure on this; it might be an amavisd parsing error. Generally
there shouldn't be whitespace after the Message-ID but I don't know
that it's illegal per se.

> 3. No ">" for Message-ID (Message-ID: <K[20,)
> Oct 25 13:40:33 mta amavis[13975]: (13975-09) Passed SPAM, [76.72.52.200]
> <dvwvb...@obsidiana.com.ar> -> <hidden destination email>, quarantine:
> spam-d41d8cd98f00b204e9800998ecf8427e-20041025-134031-13975-09, Message-ID:
> <K[20, Hits: 24.301, 2862 ms

This is very common in certain kinds of malformed spam. Almost
always the body and remainder of headers are truncated, following that
[20 somewhere in the headers. My best theory is that it's some kind of
broken spamware which aborts on some input string sequence triggered by
the [ + digits.

-- Clifton

--
Clifton Royston -- clif...@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss

Mark Martinec

Oct 27, 2004, 9:59:44 AM
Chris,

> I have now written an amavisd-new log analysis program in PHP

Good.

> and found the following log entries:
>
> 1. Duplicate Message-ID (Message-ID: Message-ID:)
>
> Oct 24 07:45:13 mta amavis[1766]: (01766-03) Passed SPAM, [69.191.176.163]
> <ixnqn...@naturesfurnace.com> -> <hidden destination email>, quarantine:
> spam-44a7831b6ce6ca9c009ac4589c1fea5f-20041024-074506-01766-03, Message-ID:
> Message-ID: <KTYOMMO$oxjW$O4S6@>, Hits: 23.884, 6314 ms

As Clifton wrote, it is most likely this was in the actual mail.
It is an illegal Message-ID alright. I'll think of some solution
for the 2.2.0 release to get whitespace and newlines in such illegal
Message-ID protected in the log (e.g. space turned into \040 or
something), to facilitate log parsing.

> 2. Space after Message-ID and before comma (com> , Hits:)

This must have come from the original mail as well.
The whitespace quoting will help here too.

> 3. No ">" for Message-ID (Message-ID: <K[20,)
> Oct 25 13:40:33 mta amavis[13975]: (13975-09) Passed SPAM, [76.72.52.200]
> <dvwvb...@obsidiana.com.ar> -> <hidden destination email>, quarantine:
> spam-d41d8cd98f00b204e9800998ecf8427e-20041025-134031-13975-09, Message-ID:
> <K[20, Hits: 24.301, 2862 ms
>
> Is it normal?

If such junk was actually in the mail, this is normal.
When parsing, look for the /, / to terminate the Message-ID:,
and I'll see that no blank is present within the string.

Mark
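
Added example, not part of the thread and not code from amavisd-new or from Chris's PHP program: a Python sketch of parsing these log lines so that a junk Message-ID cannot shift the fields that follow it. It assumes one line per message, a single recipient, and a numeric Hits value; the sample lines are constructed, with placeholder addresses, IPs and quarantine names.

```python
import re

# Every field before "Message-ID:" is matched strictly; the Message-ID itself
# is a greedy (.*) closed by the Hits/ms tail anchored at end of line, so the
# field ends at the LAST ", Hits:" and header text cannot pose as later fields.
LINE_RE = re.compile(
    r"\((?P<am_id>[\d-]+)\) (?P<action>\w+ [\w-]+), \[(?P<ip>[^\]]*)\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, "
    r"(?:quarantine: (?P<quarantine>\S+), )?"
    r"Message-ID: (?P<msgid>.*), Hits: (?P<hits>-?\d+(?:\.\d+)?), (?P<ms>\d+) ms$"
)
WELL_FORMED = re.compile(r"<[^\s<>@]+@[^\s<>@]+>")  # <left@right>, no blanks

def msgid_anomalies(msgid):
    """Label the ways a logged Message-ID departs from <left@right>."""
    found = []
    if re.search(r"\s", msgid):
        found.append("whitespace")
    if re.match(r"message-id:", msgid, re.I):
        found.append("repeated-header-name")
    if not msgid.rstrip().endswith(">"):
        found.append("unterminated")
    if not found and not WELL_FORMED.fullmatch(msgid):
        found.append("malformed")
    return found

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["hits"], rec["ms"] = float(rec["hits"]), int(rec["ms"])
    rec["anomalies"] = msgid_anomalies(rec["msgid"])
    return rec

# Constructed sample lines: addresses, IPs and quarantine names are placeholders.
PREFIX = ("Oct 24 07:45:13 mta amavis[1766]: (01766-03) Passed SPAM, "
          "[192.0.2.10] <sender@example.com> -> <rcpt@example.net>, "
          "quarantine: spam-placeholder-01766-03, Message-ID: ")
SAMPLES = [
    PREFIX + "Message-ID: <KTYOMMO$oxjW$O4S6@>, Hits: 23.884, 6314 ms",
    PREFIX + "<1.2.3@mail.example.com> , Hits: 14.647, 9624 ms",
    PREFIX + "<K[20, Hits: 24.301, 2862 ms",
    PREFIX + "<a@b>, Hits: -5.0, 1 ms, Hits: 23.884, 6314 ms",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_line(s)
        print(repr(r["msgid"]), r["hits"], r["anomalies"])
```

The first three samples mirror the three cases in the thread; the fourth shows why the score is read from the end of the line rather than from the first ", Hits:" seen.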

