Re: [AMaViS-user] white-listed spam

mouss Wed, 08 Feb 2006 13:49:46 -0800

Les Ault a écrit :
> One of my users just received some spam that made it past 
> amavisd/SpamAssassin; The 
> message was your average text formatted "mortgage" spam.
> 
> This message has been blocked by amavisd/SpamAssassin in the past so I did 
> some 
> checking and found the envelope sender on this message was different. The 
> envelope 
> sender's address contains a space; the original message has an envelope 
> sender of:
> 
>    MAIL FROM: <"[EMAIL PROTECTED] ">
> 
> When this message passes through my setup, the amavisd log shows that the 
> sender is 
> white-listed. I have checked my white-list file and also deleted the 
> /var/amavisd/.spamassassin/auto-whitelist.db file and the message is always 
> passed with 
> the same result. If I remove the space from the envelope sender making it:
> 
>    MAIL FROM: <"[EMAIL PROTECTED]">
> 
> then amavisd/SpamAssassin correctly identifies and quarantines the message; I 
> would 
> appreciate any ideas on how to fix this. I am running the following software 
> versions:
> 
> OpenBSD 3.6
> Postfix 2.10
> amavisd-new-2.2.0 (20041102) 
> Spamassassin 3.0.1
> 
> Here are the relevant log entries:
> 
> ---------------- Begin Original Message --------------------
> Feb  7 16:13:00 mta1 postfix/smtpd[3729]: connect from localhost[127.0.0.1]
> Feb  7 16:13:00 mta1 postfix/smtpd[3729]: NOQUEUE: client=localhost[127.0.0.1]
> Feb  7 16:13:00 mta1 amavis[32152]: (32152-02) ESMTP::10024 
> /var/amavisd/tmp/amavis-20060207T160942-32152: <[EMAIL PROTECTED] > -> 
> <[EMAIL PROTECTED]> Received: BODY=8BITMIME from mta1.markmansdiamonds.com 
> ([127.0.0.1]) by localhost (mta1.markmansdiamonds.com [127.0.0.1]) 
> (amavisd-new, port 10024) with ESMTP id 32152-02 for <[EMAIL PROTECTED]>; 
> Tue,  7 Feb 2006 16:13:00 -0500 (EST)
> Feb  7 16:13:00 mta1 amavis[32152]: (32152-02) Checking: [127.0.0.1] <"[EMAIL 
> PROTECTED] "> -> <[EMAIL PROTECTED]>
> Feb  7 16:13:00 mta1 amavis[32152]: (32152-02) p001 1 Content-Type: 
> text/html, size: 622 B, name:
> Feb  7 16:13:01 mta1 amavis[32152]: (32152-02) wbl: whitelisted sender 
> <[EMAIL PROTECTED] >
> Feb  7 16:13:01 mta1 amavis[32152]: (32152-02) SPAM-TAG, <"[EMAIL PROTECTED] 
> "> -> <[EMAIL PROTECTED]>, No, hits=x tagged_above=-50 required=3.75 
> WHITELISTED
> Feb  7 16:13:01 mta1 amavis[32152]: (32152-02) FWD via SMTP: 
> [127.0.0.1]:10025 <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>
> Feb  7 16:13:01 mta1 postfix/smtpd[19530]: connect from localhost[127.0.0.1]
> Feb  7 16:13:01 mta1 postfix/smtpd[19530]: 1E0EE91EF1: 
> client=localhost[127.0.0.1]
> Feb  7 16:13:01 mta1 postfix/cleanup[30349]: 1E0EE91EF1: message-id=<[EMAIL 
> PROTECTED]>
> Feb  7 16:13:01 mta1 postfix/qmgr[3198]: 1E0EE91EF1: from=<[EMAIL 
> PROTECTED]>, size=2460, nrcpt=1 (queue active)
> Feb  7 16:13:01 mta1 postfix/smtpd[19530]: disconnect from 
> localhost[127.0.0.1]
> Feb  7 16:13:01 mta1 amavis[32152]: (32152-02) Passed, <[EMAIL PROTECTED] > 
> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -
> Feb  7 16:13:01 mta1 amavis[32152]: (32152-02) Passed CLEAN, <[EMAIL 
> PROTECTED] > -> <[EMAIL PROTECTED]>, Hits: -, tag=-50, tag2=3.75, kill=3.75, 
> L/Y/0/0
> Feb  7 16:13:01 mta1 amavis[32152]: (32152-02) TIMING [total 471 ms] - SMTP 
> EHLO: 6 (1%), SMTP pre-MAIL: 2 (0%), SMTP pre-DATA-flush: 10 (2%), SMTP DATA: 
> 1 (0%), body_hash: 1 (0%), mime_decode: 41 (9%), get-file-type1: 31 (7%), 
> decompose_part: 3 (1%), parts_decode: 0 (0%), AV-scan-1: 18 (4%), 
> spam-wb-list: 5 (1%), update_cache: 1 (0%), fwd-connect: 50 (11%), 
> fwd-xforward: 1 (0%), fwd-mail-from: 4 (1%), fwd-rcpt-to: 46 (10%), 
> write-header: 9 (2%), fwd-data: 1 (0%), fwd-data-end: 195 (41%), fwd-rundown: 
> 5 (1%), main_log_entry: 30 (6%), update_snmp: 0 (0%), unlink-1-files: 7 (1%), 
> rundown: 1 (0%)Feb  7 16:13:01 mta1 postfix/cleanup[30349]: 61B4B91EF2: 
> message-id=<[EMAIL PROTECTED]>
> ----------------  End  Original Message --------------------


Seems like a bug somewhere.
- what/who/when/... added the space? the postfix line shows the right
sender (no space and no quotes). do you have any canonical maps in
postfix that contain such bogus conversion? if not, sounds like a
net::smtp or amavisd bug

- even then, you should check your whitelists.
PS. "[EMAIL PROTECTED] " is an address with no domain part (so it's local).


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid3432&bid#0486&dat1642
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] white-listed spam

Reply via email to