Amavis scoring on externally added headers?

Tom Hendrikx tom at whyscream.net
Wed Aug 15 23:17:39 CEST 2012


Hi,

Lately I've received a few messages that ended up in my quarantine
without reason. Upon inspection, it seems that amavis uses CRM114
headers that were added by the sender, and scores on them.

My setup is amavisd-new 2.7.1, with only dspam as spamfilter, fed by
postfix (via content_filter). I don't have CRM114 installed or enabled
in amavis. OS is gentoo linux.

Attached mail headers suggest that the sender uses an outgoing spamfilter
that adds dspam and crm114 headers. When the message arrives at my
mailserver, amavis feeds the message to dspam and adds headers as
requested. Somehow amavis *also* copies and re-adds the crm114 headers
from the remote system, and decides, based on that score, that the
message should be quarantined/tagged.

It seems to me that this is unwanted behaviour: AFAIK this could also be
used to convince amavis into adding a negative score based on external
headers, thereby compensating for positive scoring on spammy content,
making spammy messages pass the filter unblocked.

My current workaround is to remove/rename headers on incoming messages
that might interfere with amavis in postfix (before feeding the message
to amavis), but I'd still like to see that amavis can't be tricked into
this. Especially since I don't know which headers actually could be
'risky', since crm114 headers are being processed, but crm114 isn't
mentioned anywhere in amavis config.

--
Regards,
	Tom
-------------- next part --------------
Return-Path: <dovecot-bounces at redacted>
Delivered-To: tom at redacted
Received: from localhost (localhost [127.0.0.1])
	by christine.whyscream.net (Postfix) with ESMTP id 96CC5D003
	for <tom at redacted>; Mon, 13 Aug 2012 17:40:43 +0200 (CEST)
X-Amavis-GeoIP: France Gallardon
X-DSPAM-Processed: Mon Aug 13 17:40:43 2012
X-DSPAM-Confidence: 0.9899
X-DSPAM-Probability: 0.0000
X-Quarantine-ID: <IB9M-EbZeuyi>
X-Spam-Flag: YES
X-Spam-Score: 9.97
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.97 tagged_above=2 required=6.2
	tests=[DSPAM.UNSURE(9.97)=9.970] autolearn=unavailable
X-DSPAM-Result: Whitelisted
X-DSPAM-Signature: 10,50291ffb12801454163463
X-CRM114-Status: UNSURE ( 9.97 )
X-CRM114-CacheID: sfid-20120813_174013_388252_821DA2D0
Authentication-Results: christine.whyscream.net (amavisd-new);
	dkim=pass (1024-bit key) header.d=starbridge.org
Received: from christine.whyscream.net ([127.0.0.1])
	by localhost (christine.whyscream.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id IB9M-EbZeuyi for <tom at redacted>;
	Mon, 13 Aug 2012 17:40:42 +0200 (CEST)
Received: from dovecot.org (dovecot.org [193.210.130.67])
	by christine.whyscream.net (Postfix) with ESMTP id 88373D002
	for <tom at redacted>; Mon, 13 Aug 2012 17:40:42 +0200 (CEST)
Received: from localhost.localdomain (kesa [127.0.0.1])
	by dovecot.org (Postfix) with ESMTP id C39D71AE880F;
	Mon, 13 Aug 2012 18:40:16 +0300 (EEST)
X-Original-To: dovecot at redacted
Delivered-To: dovecot at redacted
Received: by dovecot.org (Postfix, from userid 502)
	id 65CA31AE881B; Mon, 13 Aug 2012 18:40:15 +0300 (EEST)
Received: from smtp.spamguard.fr (smtp.spamguard.fr [188.165.159.52])
	by dovecot.org (Postfix) with ESMTP id 279A01AE87EE
	for <dovecot at redacted>; Mon, 13 Aug 2012 18:40:15 +0300 (EEST)
Received: from mailstorm3.spamguard.fr (mailstorm3.spamguard.fr
	[87.98.168.176])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by smtp.spamguard.fr (Postfix) with ESMTPS id 3Wwh323smLzXxdH;
	Mon, 13 Aug 2012 17:40:14 +0200 (CEST)
Authentication-Results: mailstorm3.spamguard.fr (amavisd-new);
	dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
	header.d=starbridge.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=starbridge.org;
	h=content-transfer-encoding:content-type:content-type
	:in-reply-to:references:subject:subject:mime-version:user-agent
	:from:from:date:date:message-id:received:received; s=starbridge;
	t=1344872410; bh=7o/q4uedwkkwJtgWTYQfpMRtojpggv18ejryUQXlJWA=; b=
	Z5o2E0RoORy/pTPhzFOnjuN/rIvc+uQ8gOhHcl9qvB076rHPmqDp08ZkW3QhHoUx
	kBcr1naU/UxbR8UlIXPCM3bIu/X3wq4nDFYJMZrLIPK9v1MhffrFeaXb+8jXRdy6
	wlbPxJllz57b6zWGNcWeZEck8rogbidfALsavAkLnPA=
X-DSPAM-Processed: Mon Aug 13 17:40:13 2012
X-DSPAM-Confidence: 0.5375
X-DSPAM-Probability: 0.2397
X-Quarantine-ID: <M_-V15Uxxolr>
X-Virus-Scanned: Mailstorm at spamguard.fr
X-DSPAM-Result: Innocent
X-DSPAM-Signature: 50291fdd89902137112073
X-CRM114-Status: UNSURE ( 9.97 )
X-CRM114-CacheID: sfid-20120813_174013_388252_821DA2D0 
Received: from smtp.spamguard.fr ([188.165.159.52]) (using TLS with cipher
	AES256-GCM-SHA384)
	by mailstorm3.spamguard.fr (mailstorm3.spamguard.fr [87.98.168.176])
	(amavisd-new, port 10017)
	with ESMTPS id M_-V15Uxxolr; Mon, 13 Aug 2012 17:40:10 +0200 (CEST)
Received: from [10.0.1.20] (spike.starbridge.org [88.178.208.34])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "tonio at redacted",
	Issuer "StartCom Class 1 Primary Intermediate Client CA" (verified OK))
	(Authenticated sender: tonio at redacted)
	by smtp.spamguard.fr (Postfix) with ESMTPSA id 3Wwh2x45vPzLd8V;
	Mon, 13 Aug 2012 17:40:09 +0200 (CEST)
Message-ID: <50291FD3.30908 at starbridge.org>
Date: Mon, 13 Aug 2012 17:40:03 +0200
From: "tonio at redacted" <tonio at redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: Dovecot Mailing List <dovecot at redacted>
References: <50210066.8040205 at starbridge.org> <50210FED.5020508 at starbridge.org>
	<4099152F-5AAB-4D45-9E69-3B220F47B222 at iki.fi>
	<5021316A.4020105 at starbridge.org>
	<FC659EDB-12D8-42F2-87E0-6C38F6D52FC6 at iki.fi>
	<50220A3E.407 at starbridge.org>
	<8A788394-7439-42AB-800F-3F5748B31806 at iki.fi>
	<50236380.1070703 at starbridge.org>
	<3FD66FB3-39E1-44AC-8F87-5BDEDEDFEBC1 at iki.fi>
	<F35CE1D7-1F0F-4EFB-A82D-1F6FD7BFCE7F at iki.fi>
In-Reply-To: <F35CE1D7-1F0F-4EFB-A82D-1F6FD7BFCE7F at iki.fi>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Timo Sirainen <tss at redacted>
Subject: Re: [Dovecot] pop3 proxying error
X-BeenThere: dovecot at redacted
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Dovecot Mailing List <dovecot.dovecot.org>
List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>,
	<mailto:dovecot-request at redacted?subject=unsubscribe>
List-Archive: <http://dovecot.org/pipermail/dovecot>
List-Post: <mailto:dovecot at redacted>
List-Help: <mailto:dovecot-request at redacted?subject=help>
List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
	<mailto:dovecot-request at redacted?subject=subscribe>
Errors-To: dovecot-bounces at redacted
Sender: dovecot-bounces at redacted

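As an added illustration (not part of Tom's post and not amavis code), the Python below does two things a defender would want at this point: it walks a header block top-down, finds the Received hop where the message entered the local mail path, and lists any X-CRM114-*, X-DSPAM-* or X-Spam-* headers that sit below that hop (so were written by a remote system before the message arrived); and it renames such headers to X-Old-* so a downstream content filter cannot mistake them for its own, which is the effect of the Postfix header_checks workaround described above. The sample header block is a shortened, constructed version of the attached headers with recipient addresses replaced by placeholders, and the set of local host names is an assumption made for the example.

```python
import re

# Hosts that belong to our own mail path (assumption: constructed for the
# example, modelled on the christine.whyscream.net / localhost hops above).
LOCAL_HOSTS = {"christine.whyscream.net", "localhost"}

# Header families a content filter might score on: the CRM114 and DSPAM
# headers from the post, plus the X-Spam-* headers amavis writes itself.
SCORING_PREFIXES = ("x-crm114-", "x-dspam-", "x-spam-")

# Constructed, shortened header block modelled on the attachment in the post;
# recipients replaced by placeholders, dates and ids kept as in the attachment.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby christine.whyscream.net (Postfix) with ESMTP id 96CC5D003
\tfor <tom@example.invalid>; Mon, 13 Aug 2012 17:40:43 +0200 (CEST)
X-DSPAM-Result: Whitelisted
X-Spam-Status: Yes, score=9.97 tagged_above=2 required=6.2
\ttests=[DSPAM.UNSURE(9.97)=9.970] autolearn=unavailable
X-CRM114-Status: UNSURE ( 9.97 )
Received: from christine.whyscream.net ([127.0.0.1])
\tby localhost (christine.whyscream.net [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id IB9M-EbZeuyi for <tom@example.invalid>;
\tMon, 13 Aug 2012 17:40:42 +0200 (CEST)
Received: from dovecot.org (dovecot.org [193.210.130.67])
\tby christine.whyscream.net (Postfix) with ESMTP id 88373D002
\tfor <tom@example.invalid>; Mon, 13 Aug 2012 17:40:42 +0200 (CEST)
Received: from smtp.spamguard.fr (smtp.spamguard.fr [188.165.159.52])
\tby dovecot.org (Postfix) with ESMTP id 279A01AE87EE
\tfor <dovecot@example.invalid>; Mon, 13 Aug 2012 18:40:15 +0300 (EEST)
X-DSPAM-Result: Innocent
X-Virus-Scanned: Mailstorm at spamguard.fr
X-CRM114-Status: UNSURE ( 9.97 )
X-CRM114-CacheID: sfid-20120813_174013_388252_821DA2D0
Subject: Re: [Dovecot] pop3 proxying error
"""


def is_scoring(name):
    """True for header names a content filter might read a verdict from."""
    return name.lower().startswith(SCORING_PREFIXES)


def unfold(raw):
    """Parse a header block into (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:      # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def by_host(received_value):
    """Host named in the 'by' clause of a Received header, lowercased."""
    m = re.search(r"\bby\s+([A-Za-z0-9.\-]+)", received_value)
    return m.group(1).lower() if m else None


def entry_index(headers):
    """Index of the Received hop where the message entered our infrastructure:
    the last Received header (oldest, since headers are prepended) whose 'by'
    host is one of ours. Everything below it was written by remote systems."""
    idx = None
    for i, (name, value) in enumerate(headers):
        if name.lower() == "received" and by_host(value) in LOCAL_HOSTS:
            idx = i
    return idx


def external_scoring_headers(headers):
    """Scoring headers that were already present when the message arrived."""
    boundary = entry_index(headers)
    start = 0 if boundary is None else boundary + 1
    return [(n, v) for n, v in headers[start:] if is_scoring(n)]


def sanitize(raw, prefix="X-Old-"):
    """Rename every pre-existing scoring header (X-Foo-Bar -> X-Old-Foo-Bar),
    keeping folded continuation lines attached. Run on inbound mail before the
    content filter, this is what a Postfix header_checks REPLACE rule does."""
    out = []
    for line in raw.splitlines():
        if line[:1] not in (" ", "\t") and is_scoring(line):
            name, _, rest = line.partition(":")
            line = prefix + name[2:] + ":" + rest
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, value in external_scoring_headers(unfold(SAMPLE)):
        print("remote-added scoring header: %s: %s" % (name, value))
    print(sanitize(SAMPLE))
```

Use external_scoring_headers on an already delivered message to see which verdict headers came in from outside (on the sample it reports the remote X-DSPAM-Result, X-CRM114-Status and X-CRM114-CacheID and ignores the copies added locally above the entry hop). Use sanitize on mail as it arrives, before it is handed to the content filter: at that point every scoring header present is by definition foreign, so renaming all of them is the right default, and the original values stay available under the X-Old-* names for later inspection.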


More information about the amavis-users mailing list