Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
Mark Martinec wrote:
> Chris,
>
> > Also, your hints about debugging info from amavisd-new got me reading about the auto whitelist. Used the following config commands:
> >
> > /etc/mail/spamassassin/local.cf:
> >   use_auto_whitelist 0
> >
> > /usr/local/sbin/amavisd.conf:
> >   $sa_auto_whitelist = 0;
>
> $sa_auto_whitelist has no effect since version 3.0.0 of SpamAssassin, the use_auto_whitelist (in local.cf) is the only control.

Mark: My /usr/local/sbin/amavisd does not contain 'use_auto_whitelist'. Appears that I am running amavisd-new-2.5.3, which explains that. Which version do you recommend we use?

> > Seems to have disabled the auto whitelist for me, so that I can run spamassassin on every email. I prefer that behavior.
>
> SpamAssassin AWL just adds score points. It does not control whether a message is to be checked or not. See Mail::SpamAssassin::Plugin::AWL man page.
>
> Mark

Yeah, but it adds so many points that some spam forged to appear as if I sent it ended up with huge negative scores...

Thank you,
Chris Shaker

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
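An added example for this thread (not code from the list, from amavisd-new or from SpamAssassin): a small Python check over amavisd-new summary log lines that flags mail from an untrusted relay which was passed CLEAN with a score far below zero, the pattern the forged messages in this thread produced ("Passed CLEAN ... Hits: -222.952") once the auto-whitelist credited the spoofed From: address. The sample log lines, the trusted network and the score floor are constructed assumptions.

```python
"""Flag amavisd-new summary log lines where a message from an untrusted
relay was passed with an implausibly negative SpamAssassin score.
Added example for the thread above; not amavisd-new or SpamAssassin code."""
import ipaddress
import re

# Matches the per-message summary line amavisd-new writes to syslog, in the
# form quoted in the thread. Sender/recipient text between the relay IP and
# 'mail_id:' is skipped, since the archive redacted the addresses anyway.
SUMMARY_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<verdict>Passed|Blocked) "
    r"(?P<ccat>[A-Z-]+), \[(?P<relay>[\d.]+)\].*?"
    r"mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-?\d+(?:\.\d+)?)"
)

# Constructed sample log: lines 1 and 3 reuse the scores seen in the thread,
# line 2 is an ordinary clean message, line 4 a blocked spam, line 5 local mail.
SAMPLE_LOG = """\
Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, [121.27.33.247] spoof@example.com -> user@example.com, Message-ID: <a@x>, mail_id: If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms
Feb 18 16:00:01 linux amavis[17984]: (17984-10) Passed CLEAN, [198.51.100.7] friend@example.org -> user@example.com, Message-ID: <b@y>, mail_id: aaaaaaaaaaaa, Hits: -1.2, size: 900, queued_as: 1111111111, 500 ms
Feb 19 01:37:34 linux amavis[32325]: (32325-09) Passed CLEAN, [194.242.60.75] spoof@example.com -> user@example.com, Message-ID: <c@z>, mail_id: nHrkh2qSatmQ, Hits: -109.401, size: 6709, queued_as: 6E8F1404B6, 28328 ms
Feb 19 02:00:00 linux amavis[32325]: (32325-10) Blocked SPAM, [203.0.113.9] junk@example.net -> user@example.com, Message-ID: <d@w>, mail_id: bbbbbbbbbbbb, Hits: 25.3, size: 4000, 700 ms
Feb 19 02:05:00 linux amavis[32325]: (32325-11) Passed CLEAN, [127.0.0.1] me@example.com -> user@example.com, Message-ID: <e@v>, mail_id: cccccccccccc, Hits: -60.0, size: 1200, queued_as: 2222222222, 300 ms
"""

TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]  # assumption: only localhost is trusted
SCORE_FLOOR = -20.0  # assumption: no sane rule set drives external mail this far below zero


def parse_summary(line):
    """Return a dict for an amavisd-new summary line, or None for any other line."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = float(rec["hits"])
    return rec


def is_trusted(relay):
    addr = ipaddress.ip_address(relay)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(log_text, floor=SCORE_FLOOR):
    """Messages passed from an untrusted relay with a score below `floor`.
    A large negative score on external mail means a whitelist entry (here
    the AWL, fed by a forged From:) outweighed every positive spam rule."""
    found = []
    for line in log_text.splitlines():
        rec = parse_summary(line)
        if rec and rec["verdict"] == "Passed" and rec["hits"] < floor and not is_trusted(rec["relay"]):
            found.append(rec)
    return found


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['mail_id']}: relay {rec['relay']} passed with Hits {rec['hits']}")
```

Run it against /var/log/mail (or the mail.log equivalent) in place of SAMPLE_LOG; entries it reports are the ones whose X-Spam-Report or $log_level 3 output is worth reading for an AWL or whitelist_from contribution.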
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
Amavis Users:

Thank you very much for the help in getting this sorted. One of your questions got me thinking, so I reconfigured postfix for global filtering in main.cf, instead of in master.cf. I had not remembered that I was not filtering email sent to the submission port.

Also, your hints about debugging info from amavisd-new got me reading about the auto whitelist. Used the following config commands:

/etc/mail/spamassassin/local.cf:
  use_auto_whitelist 0

/usr/local/sbin/amavisd.conf:
  $sa_auto_whitelist = 0;

Seems to have disabled the auto whitelist for me, so that I can run spamassassin on every email. I prefer that behavior.

Thank you again,
Chris Shaker

Christopher J Shaker wrote:
> I tried to disable the auto whitelist, using /etc/mail/spamassassin/local.cf:
>
> ...
> use_auto_whitelist 0
> ^
> bayes_auto_learn 1
> dns_available yes
> ok_locales en
> report_safe 1
> rewrite_header Subject *SPAM*
> skip_rbl_checks 0
> use_bayes 1
> use_pyzor 1
> ...
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
with CRLF.CRLF
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd QUIT
Feb 19 01:37:34 linux postfix/cleanup[667]: 6E8F1404B6: message-id=[EMAIL PROTECTED]
Feb 19 01:37:34 linux postfix/smtpd[672]: disconnect from localhost.shaker-net.com[127.0.0.1]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to data-dot ([EMAIL PROTECTED]): 250 Ok: queued as 6E8F1404B6
Feb 19 01:37:34 linux postfix/qmgr[32311]: 6E8F1404B6: from=[EMAIL PROTECTED], size=7176, nrcpt=1 (queue active)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to QUIT: 221 Bye
Feb 19 01:37:34 linux postfix/local[673]: 6E8F1404B6: to=[EMAIL PROTECTED], relay=local, delay=0, status=sent (delivered to maildir)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) FWD via SMTP: [EMAIL PROTECTED] - [EMAIL PROTECTED], 250 2.6.0 Ok, id=32325-09, from MTA([127.0.0.1]:10025): 250 Ok: queued as 6E8F1404B6
Feb 19 01:37:34 linux postfix/qmgr[32311]: 6E8F1404B6: removed
Feb 19 01:37:34 linux amavis[32325]: (32325-09) Passed CLEAN, [194.242.60.75] [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: nHrkh2qSatmQ, Hits: -109.401, size: 6709, queued_as: 6E8F1404B6, 28328 ms
Feb 19 01:37:34 linux amavis[32325]: (32325-09) TIMING [total 28367 ms] - SMTP greeting: 2 (0%)0, SMTP EHLO: 1 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP DATA: 78 (0%)0, check_init: 1 (0%)0, digest_hdr: 0 (0%)0, digest_body: 0 (0%)0, gen_mail_id: 1 (0%)0, mime_decode: 7 (0%)0, get-file-type1: 18 (0%)0, parts_decode: 0 (0%)0, check_header: 1 (0%)0, AV-scan-1: 53 (0%)1, AV-scan-2: 326 (1%)2, spam-wb-list: 2 (0%)2, SA parse: 3 (0%)2, SA check: 27464 (97%)99, update_cache: 7 (0%)99, decide_mail_destiny: 1 (0%)99, fwd-connect: 26 (0%)99, fwd-mail-pip: 3 (0%)99, fwd-rcpt-pip: 0 (0%)99, fwd-data-chkpnt: 0 (0%)99, write-header: 1 (0%)99, fwd-data-contents: 0 (0%)99, fwd-end-chkpnt: 324 (1%)100, prepare-dsn: 1 (0%)100, main_log_entry: 43 (0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-1-files: 0 (0%)100, rundown: 0 (0%)100
Feb 19 01:37:34 linux postfix/smtp[668]: 516D1404B4: to=[EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=29, status=sent (250 Ok: queued as 6E8F1404B6)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) load: 8 %, total idle 1605.757 s, busy 139.642 s
Feb 19 01:37:34 linux postfix/qmgr[32311]: 516D1404B4: removed

Thank you,
Chris Shaker

MrC wrote:
> Christopher J Shaker wrote:
> > Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, [121.27.33.247] [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms
> >
> > Looks to me like it is getting a '-300' score from some rule that I can't find. The email comes in forged to look as if I had sent it, from '[EMAIL PROTECTED]'. That email address is *not* in the whitelist in /etc/mail/spamassassin/local.cf
>
> When you run the messages through spamassassin only, amavis-specific score adjustments will not occur, so the scores will differ.
>
> Increase amavis' $log_level to 3, and look for the tests and scores in the log lines:
>
>   ... tests=
>
> See which tests and scores are present.
>
> MrC
>
> > When I run the leaking email message through spamassassin manually, it comes up with a score of 58.4, quite different from what amavis-new reported above!
> >
> > Subject: *SPAM* February 73% OFF
> > Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
> > Message-Id: [EMAIL PROTECTED]
> > X-Spam-Flag: YES
> > X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on linux.shaker-net.com
> > X-Spam-Level: **
> > X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
> >         HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
> >         RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
> >         URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
> >         URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
Here is the /var/log/mail entry from the email that leaked past Amavis-new:

Feb 18 15:07:11 linux postfix/smtpd[19386]: connect from unknown[121.27.33.247]
Feb 18 15:07:12 linux postfix/smtpd[19386]: 3BFD9404B1: client=unknown[121.27.33.247]
Feb 18 15:07:13 linux postfix/cleanup[19387]: 3BFD9404B1: message-id=[EMAIL PROTECTED]
Feb 18 15:07:13 linux postfix/qmgr[31362]: 3BFD9404B1: from=[EMAIL PROTECTED], size=3514, nrcpt=1 (queue active)
Feb 18 15:07:14 linux postfix/smtpd[19386]: disconnect from unknown[121.27.33.247]
Feb 18 15:07:33 linux postfix/smtpd[19392]: connect from localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/smtpd[19392]: 7C4FA404B4: client=localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/cleanup[19387]: 7C4FA404B4: message-id=[EMAIL PROTECTED]
Feb 18 15:07:33 linux postfix/qmgr[31362]: 7C4FA404B4: from=[EMAIL PROTECTED], size=3966, nrcpt=1 (queue active)
Feb 18 15:07:33 linux postfix/smtpd[19392]: disconnect from localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, [121.27.33.247] [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms

Looks to me like it is getting a '-300' score from some rule that I can't find. The email comes in forged to look as if I had sent it, from '[EMAIL PROTECTED]'. That email address is *not* in the whitelist in /etc/mail/spamassassin/local.cf

When I run the leaking email message through spamassassin manually, it comes up with a score of 58.4, quite different from what amavis-new reported above!

I've attached the output of spamassassin on running the leaking email as a gzip file. Hopefully, that will pass through the email.

Thank you,
Chris Shaker

> I've still got the mystery of how his email gets in without being scored by Amavis. When I run spamassassin on it, it gets a very high score. Other spam gets filtered just fine. Somehow, this one spammer avoids it.
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
[Sending again as ASCII]

Here is the /var/log/mail entry from the email that leaked past Amavis-new:

Feb 18 15:07:11 linux postfix/smtpd[19386]: connect from unknown[121.27.33.247]
Feb 18 15:07:12 linux postfix/smtpd[19386]: 3BFD9404B1: client=unknown[121.27.33.247]
Feb 18 15:07:13 linux postfix/cleanup[19387]: 3BFD9404B1: message-id=[EMAIL PROTECTED]
Feb 18 15:07:13 linux postfix/qmgr[31362]: 3BFD9404B1: from=[EMAIL PROTECTED], size=3514, nrcpt=1 (queue active)
Feb 18 15:07:14 linux postfix/smtpd[19386]: disconnect from unknown[121.27.33.247]
Feb 18 15:07:33 linux postfix/smtpd[19392]: connect from localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/smtpd[19392]: 7C4FA404B4: client=localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/cleanup[19387]: 7C4FA404B4: message-id=[EMAIL PROTECTED]
Feb 18 15:07:33 linux postfix/qmgr[31362]: 7C4FA404B4: from=[EMAIL PROTECTED], size=3966, nrcpt=1 (queue active)
Feb 18 15:07:33 linux postfix/smtpd[19392]: disconnect from localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, [121.27.33.247] [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms

Looks to me like it is getting a '-300' score from some rule that I can't find. The email comes in forged to look as if I had sent it, from '[EMAIL PROTECTED]'. That email address is *not* in the whitelist in /etc/mail/spamassassin/local.cf

When I run the leaking email message through spamassassin manually, it comes up with a score of 58.4, quite different from what amavis-new reported above!

Received: from localhost by linux.shaker-net.com
        with SpamAssassin (version 3.2.4);
        Mon, 18 Feb 2008 20:31:17 -0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* February 73% OFF
Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on linux.shaker-net.com
X-Spam-Level: **
X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
        HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
        RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
        URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
        URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
X-Spam-Report:
        *  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: roundpast.com]
        *  0.3 VIRUS_CLEAN Prolific and stubborn spammer
        *  3.9 FAKE_MSN Fake mailer signature used by Spammers
        *  2.9 UNKNOWN Probable Spammer
        *  2.9 OFF Often used in Spam
        *  1.9 PERCENT Often used in Spam
        *  1.8 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
        *  0.2 HTML_MESSAGE BODY: HTML included in message
        *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
        *      [score: 0.9900]
        *  0.9 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        *  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
        *      [URIs: roundpast.com]
        *  2.9 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *      [URIs: roundpast.com]
        *  1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
        *      [URIs: roundpast.com]
        *  1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
        *      [URIs: roundpast.com]
        *  0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
        *      [URIs: roundpast.com]
        *  2.9 GIF RAW: Hiding Spam in a GIF image
        *  2.9 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
        *      [Blocked - see http://www.spamcop.net/bl.shtml?121.27.33.247]
        *  5.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
        *      [121.27.33.247 listed in zen.spamhaus.org]
        *  1.9 URIBL_SBL Contains an URL listed in the SBL blocklist
        *      [URIs: roundpast.com]
        *  2.9 RDNS_NONE Delivered to trusted network by a host with no rDNS
        *   14 AWL AWL: From: address is in the auto white-list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_47BA5B95.FC4A69D0

This is a multi-part message in MIME format.
...
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
You're correct. I did not test my 'discovery' properly before jumping to this conclusion. I appreciate the pointer to the IGNORE behavior. I'll endeavor to ignore any virus or spam filtering headers from incoming email.

I've still got the mystery of how his email gets in without being scored by Amavis. When I run spamassassin on it, it gets a very high score. Other spam gets filtered just fine. Somehow, this one spammer avoids it.

Thank you again,
Chris Shaker
[EMAIL PROTECTED]

Clifton Royston wrote:
> On Sat, Feb 16, 2008 at 11:31:05AM -0800, Christopher J Shaker wrote:
> > You may all know about this, but it was new to me. Found a persistent spammer was sending email to my domain without any score information from amavis-new. After trying several possibilities, I finally realized that he was sending the email with a hand crafted 'X-Virus-Scanned' header that was identical to what my Amavis-new would have added. That seems to bypass scanning with Amavis-new!
>
> I am pretty sure amavisd-new does *not* work this way. It has an implicit list of checks to run on each incoming mail, starting with virus scanning, and works its way through them. If it's working this way for you, it may be the result of something funky in your Postfix configuration which is bypassing the routing through amavisd if it sees that header. How are you selecting the Postfix routing to content filtering? In main.cf, in master.cf, or otherwise?
>
> > I've temporarily added a filter to my postfix header_checks file to reject messages coming into my server that already have the X-Virus-Scanned header added to them. This is not a good solution, because it also blocks my outgoing email.
>
> A much better interim measure would be to strip the incoming headers, by simply replacing that REJECT with IGNORE in the same header_checks line. It's not a bad idea anyway to strip spam scan headers which could be mistaken for your own.
>
> -- Clifton
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
Clifton:

> I am pretty sure amavisd-new does *not* work this way. It has an implicit list of checks to run on each incoming mail, starting with virus scanning, and works its way through them. If it's working this way for you, it may be the result of something funky in your Postfix configuration which is bypassing the routing through amavisd if it sees that header. How are you selecting the Postfix routing to content filtering? In main.cf, in master.cf, or otherwise?

In /etc/postfix/master.cf:

smtp      inet  n       -       y       -       2       smtpd
    -o content_filter=smtp:[127.0.0.1]:10024
smtps     inet  n       -       y       -       2       smtpd
    -o content_filter=smtp:[127.0.0.1]:10024

> > I've temporarily added a filter to my postfix header_checks file to reject messages coming into my server that already have the X-Virus-Scanned header added to them. This is not a good solution, because it also blocks my outgoing email.
>
> A much better interim measure would be to strip the incoming headers, by simply replacing that REJECT with IGNORE in the same header_checks line. It's not a bad idea anyway to strip spam scan headers which could be mistaken for your own.
>
> -- Clifton

I've checked, and there are no FILTER directives in my header_checks file. I'm still looking for anything I might have screwed up. The emails that leak through are forged to look as though they came from me. Normally, email that I send out *is* filtered by Amavis. I've had several emails get mistakenly spam filtered when I tried to send them.

Thank you also to Gary for:

$remove_existing_x_scanned_headers = 1;   # default is to leave these alone.

Chris Shaker
[AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
You may all know about this, but it was new to me.

Found a persistent spammer was sending email to my domain without any score information from amavis-new. After trying several possibilities, I finally realized that he was sending the email with a hand crafted 'X-Virus-Scanned' header that was identical to what my Amavis-new would have added. That seems to bypass scanning with Amavis-new!

I've temporarily added a filter to my postfix header_checks file to reject messages coming into my server that already have the X-Virus-Scanned header added to them. This is not a good solution, because it also blocks my outgoing email.

Has anyone else run into this?

Thank you,
Chris Shaker