Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-17 Thread Mark Martinec
Chris,

> I've still got the mystery of how his email gets in without being scored
> by Amavis. When I run spamassassin on it, it gets a very high score.
> Other spam gets filtered just fine. Somehow, this one spammer avoids it.

Perhaps it was larger than $sa_mail_body_size_limit, or the recipient
was declared a spam lover. Check the log, increase the log level if necessary.

  Mark

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-17 Thread Christopher J Shaker
Clifton:

>>  I am pretty sure amavisd-new does *not* work this way.  It has an
>> implicit list of checks to run on each incoming mail, starting with
>> virus scanning, and works its way through them.  If it's working this
>> way for you, it may be the result of something funky in your Postfix
>> configuration which is bypassing the routing through amavisd if it sees
>> that header.
>>
>>   How are you selecting the Postfix routing to content filtering?  In
>> main.cf, in master.cf, or otherwise?
>>

In /etc/postfix/master.cf:
smtp   inet  n   -   y   -   2   smtpd -o content_filter=smtp:[127.0.0.1]:10024
smtps  inet  n   -   y   -   2   smtpd -o content_filter=smtp:[127.0.0.1]:10024


>>  
>>> I've temporarily added a filter to my postfix header_checks file to reject
>>> messages coming into my server that already have the X-Virus-Scanned
>>> header added to them. This is not a good solution, because it also blocks
>>> my outgoing email.
>>> 
>>
>>   A much better interim measure would be to strip the incoming headers,
>> by simply replacing that REJECT with IGNORE in the same header_checks
>> line.  It's not a bad idea anyway to strip spam scan headers which
>> could be mistaken for your own.
>>
>>   -- Clifton
>>


I've checked, and there are no FILTER directives in my header_checks
file. I'm still looking for anything I might have screwed up.

The emails that leak through are forged to look as though they came from me.
Normally, email that I send out *is* filtered by Amavis. I've had
several emails get mistakenly spam filtered when I tried to send them.

Thank you also to Gary for:

  $remove_existing_x_scanned_headers = 1; # default is to leave these alone.

Chris Shaker


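Clifton's IGNORE line in header_checks and Gary's $remove_existing_x_scanned_headers = 1 both do the same thing: drop any scanner headers a message already carries before the local filter adds its own, so a forged X-Virus-Scanned header cannot be mistaken for one this server produced. The following is an added example, not code from amavisd-new, Postfix or anyone in this thread; it performs that stripping in Python over a constructed message and separately counts headers that impersonate the local scanner's tag, which is the case worth logging. The header names, the scanner tag and the addresses are assumptions made for the example.

```python
"""Strip pre-existing virus/spam scanner headers from inbound mail.

Added example (not amavisd-new or Postfix code): models what a header_checks
IGNORE rule or $remove_existing_x_scanned_headers = 1 does, and additionally
reports how many of the removed headers claimed to come from our own scanner.
"""
import re
from email import message_from_bytes, policy

# Header names that a downstream MUA or rule might trust as "already scanned".
# Assumed set for this example; extend it to match the headers your own setup adds.
SCANNER_HEADER_RE = re.compile(
    r"^(X-Virus-Scanned|X-Virus-Status|X-Spam-(Status|Score|Level|Flag|Checker-Version))$",
    re.IGNORECASE,
)

# Value our own amavisd-new instance writes into X-Virus-Scanned (constructed).
OUR_SCANNER_TAG = "amavisd-new at mail.example.com"

# Constructed inbound message: forged to look as if it came from the local user,
# and carrying a copy of the local scanner's own header plus a benign spam status.
SAMPLE_FORGED = b"""\
Received: from unknown (HELO mx.example.net) (203.0.113.7)
From: chris@example.com
To: chris@example.com
Subject: invoice
X-Virus-Scanned: amavisd-new at mail.example.com
X-Spam-Status: No, score=-2.0
Content-Type: text/plain

hello
"""


def strip_scanner_headers(raw: bytes):
    """Return (cleaned message bytes, removed (name, value) pairs, forged count).

    forged count is the number of removed headers whose value carries our own
    scanner tag. A legitimate upstream scanner identifies itself differently,
    so a non-zero count on inbound mail deserves its own log line.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    seen = set()
    for name in msg.keys():
        key = name.lower()
        if key in seen or not SCANNER_HEADER_RE.match(name):
            continue
        seen.add(key)
        for value in msg.get_all(name, []):
            removed.append((name, str(value)))
        del msg[name]  # removes every occurrence of the header, case-insensitively
    forged = sum(1 for _, value in removed if OUR_SCANNER_TAG in value)
    return msg.as_bytes(), removed, forged


if __name__ == "__main__":
    cleaned, removed, forged = strip_scanner_headers(SAMPLE_FORGED)
    for name, value in removed:
        print(f"stripped {name}: {value}")
    print(f"{forged} header(s) impersonated {OUR_SCANNER_TAG!r}")
    print(cleaned.decode())
```

The cleaned message is what should be handed to the content filter; the forged count is the signal to log, since stripping alone hides the fact that someone is imitating the local scanner.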


Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning

2008-02-17 Thread Christopher J Shaker
You're correct. I did not test my 'discovery' properly before jumping to
this conclusion.

I appreciate the pointer to the IGNORE behavior. I'll endeavor to ignore
any virus or spam filtering headers from incoming email.

I've still got the mystery of how his email gets in without being scored
by Amavis. When I run spamassassin on it, it gets a very high score.

Other spam gets filtered just fine. Somehow, this one spammer avoids it.

Thank you again,
Chris Shaker
[EMAIL PROTECTED]


Clifton Royston wrote:
> On Sat, Feb 16, 2008 at 11:31:05AM -0800, Christopher J Shaker wrote:
>   
>> You may all know about this, but it was new to me.
>>
>> Found a persistent spammer was sending email to my domain without
>> any score information from amavis-new.
>>
>> After trying several possibilities, I finally realized that he was sending
>> the email with a hand crafted 'X-Virus-Scanned' header that was identical
>> to what my Amavis-new would have added.
>>
>> That seems to bypass scanning with Amavis-new!
>> 
>
>   I am pretty sure amavisd-new does *not* work this way.  It has an
> implicit list of checks to run on each incoming mail, starting with
> virus scanning, and works its way through them.  If it's working this
> way for you, it may be the result of something funky in your Postfix
> configuration which is bypassing the routing through amavisd if it sees
> that header.
>
>   How are you selecting the Postfix routing to content filtering?  In
> main.cf, in master.cf, or otherwise?
>
>   
>> I've temporarily added a filter to my postfix header_checks file to reject
>> messages coming into my server that already have the X-Virus-Scanned
>> header added to them. This is not a good solution, because it also blocks
>> my outgoing email.
>> 
>
>   A much better interim measure would be to strip the incoming headers,
> by simply replacing that REJECT with IGNORE in the same header_checks
> line.  It's not a bad idea anyway to strip spam scan headers which
> could be mistaken for your own.
>
>   -- Clifton
>
>   

