This *AXB_XRCVD_8B8* rule seems excessively broad to me.  It seems it
could wrongly catch e-mail that was legitimately Amavis-scanned on its
way out by a server whose name just happened to be eight characters long.

I think a better rule would take advantage of other anomalies with these
fake header lines, such as the following:

  * There is an *extraneous semicolon* before the "for" clause.  There
    should be only one semicolon in a "Received:" line -- namely, the
    one just before the date/time stamp.

  * There is *no "from" clause*.  A valid "Received:" line from an
    amavisd-new scan will always have a "from" clause -- and further, I
    believe a valid "from" clause from amavisd-new will always reference
    "localhost".

  * The "Received:" line from a real amavisd-new scan *shouldn't be the
    chronologically first* (physically last) "Received:" line.  The
    first "Received:" line (time-wise) happens when a message is
    initially delivered to the local mail software; a genuine outbound
    amavisd-new scan will generate the chronologically *second*
    (physically second-to-last) "Received:" line.

  * The *port number is strange*.  While it is not absolutely mandatory
    for an amavisd-new installation to use port 10024, I believe it is
    pretty much unheard of for amavisd-new to be set up to listen on
    ports like 7693, 7686, 7684, or 17196.

Here is a sample rule which will detect the extraneous semicolon.

# Fires when an amavisd-new stamp is followed by a stray ';' directly before the "for" clause
header BOGUS_RCVD_AMAVIS  Received =~ /\(amavisd-new,\s+port\s+\d+\).+;\s*for\b/
-- 
*Rich Wales*
Palo Alto, CA
ri...@richw.org

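The four anomaly checks listed in the post (stray semicolon, missing "from" clause, chronological position, odd port), as an added Python example that is not part of the original post. The Received: lines are constructed samples, and the "localhost or 127.0.0.1" test is an assumption based on the claim that a genuine amavisd-new "from" clause references localhost.

```python
import re

# Constructed sample Received: lines, in physical header order (newest first),
# so the LAST entry is the chronologically first hop.
GENUINE = [
    "Received: from mx.example.net ([10.0.0.5]) by relay.example.net with ESMTP id A1; Mon, 1 Jan 2024 10:00:02 +0000",
    "Received: from mx.example.net ([127.0.0.1]) by localhost (mx.example.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2 for <bob@example.org>; Mon, 1 Jan 2024 10:00:01 +0000",
    "Received: from [192.0.2.10] by mx.example.net with ESMTP id C3; Mon, 1 Jan 2024 10:00:00 +0000",
]
BOGUS = [
    "Received: from relay.example.net ([10.0.0.5]) by mx.example.org with ESMTP id D4; Mon, 1 Jan 2024 10:00:03 +0000",
    "Received: by abcdefgh (amavisd-new, port 7693) with ESMTP id E5; for <bob@example.org>; Mon, 1 Jan 2024 10:00:00 +0000",
]

AMAVIS_STAMP = re.compile(r"\(amavisd-new,\s+port\s+(\d+)\)")
# Same pattern as the BOGUS_RCVD_AMAVIS rule in the post: a ';' right before "for".
EXTRA_SEMICOLON = re.compile(r"\(amavisd-new,\s+port\s+\d+\).+;\s*for\b")
FROM_CLAUSE = re.compile(r"^Received:\s+from\b")
USUAL_AMAVIS_PORT = "10024"  # heuristic only; the post notes other ports are possible


def amavis_anomalies(received_lines):
    """Map index of each Received: line claiming an amavisd-new scan to its anomalies.

    An empty list means the line passed every check.
    """
    findings = {}
    last = len(received_lines) - 1
    for i, line in enumerate(received_lines):
        m = AMAVIS_STAMP.search(line)
        if not m:
            continue
        reasons = []
        if EXTRA_SEMICOLON.search(line):
            reasons.append("extra_semicolon_before_for")
        if not FROM_CLAUSE.match(line):
            reasons.append("no_from_clause")
        elif "localhost" not in line and "127.0.0.1" not in line:
            reasons.append("from_not_localhost")  # assumption: genuine scans reference localhost
        if i == last:
            reasons.append("chronologically_first")  # a real outbound scan is never the first hop
        if m.group(1) != USUAL_AMAVIS_PORT:
            reasons.append("unusual_port_" + m.group(1))
        findings[i] = reasons
    return findings


def looks_forged(received_lines):
    """True if any amavisd-new stamp in the message trips at least one check."""
    return any(amavis_anomalies(received_lines).values())
```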