Amavis scoring on externally added headers?

Tom Hendrikx tom at
Wed Aug 15 23:17:39 CEST 2012


Lately I've received a few messages that ended up in my quarantine
without reason. Upon inspection, it seems that amavis uses CRM114
headers that were added by the sender, and scores on them.

My setup is amavisd-new 2.7.1, with only dspam as spamfilter, fed by
postfix (via content_filter). I don't have CRM114 installed or enabled
in amavis. OS is gentoo linux.

Attached mailheaders suggest that the sender uses an outgoing spamfilter
that adds dspam and crm114 headers. When the message arrives at my
mailserver, amavis feeds the message to dspam and adds headers as
requested. Somehow amavis *also* copies and re-adds the crm114 headers
from the remote system, and decides, based on that score, that the
message should be quarantined/tagged.

It seems to me that this is unwanted behaviour: AFAIK this could also be
used to convince amavis into adding a negative score based on external
headers, thereby compensating for positive scoring on spammy content,
making spammy messages pass the filter unblocked.

My current workaround is to remove/rename headers on incoming messages
that might interfere with amavis in postfix (before feeding the message
to amavis), but I'd still like to see that amavis can't be tricked into
this. Especially since I don't know which headers actually could be
'risky', since crm114 headers are being processed, but crm114 isn't
mentioned anywhere in amavis config.

-------------- next part --------------
Return-Path: <dovecot-bounces at redacted>
Delivered-To: tom at redacted
Received: from localhost (localhost [])
	by (Postfix) with ESMTP id 96CC5D003
	for <tom at redacted>; Mon, 13 Aug 2012 17:40:43 +0200 (CEST)
X-Amavis-GeoIP: France Gallardon
X-DSPAM-Processed: Mon Aug 13 17:40:43 2012
X-DSPAM-Confidence: 0.9899
X-DSPAM-Probability: 0.0000
X-Quarantine-ID: <IB9M-EbZeuyi>
X-Spam-Flag: YES
X-Spam-Score: 9.97
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.97 tagged_above=2 required=6.2
	tests=[DSPAM.UNSURE(9.97)=9.970] autolearn=unavailable
X-DSPAM-Result: Whitelisted
X-DSPAM-Signature: 10,50291ffb12801454163463
X-CRM114-Status: UNSURE ( 9.97 )
X-CRM114-CacheID: sfid-20120813_174013_388252_821DA2D0
Authentication-Results: (amavisd-new);
	dkim=pass (1024-bit key)
Received: from ([])
	by localhost ( []) (amavisd-new, port 10024)
	with ESMTP id IB9M-EbZeuyi for <tom at redacted>;
	Mon, 13 Aug 2012 17:40:42 +0200 (CEST)
Received: from ( [])
	by (Postfix) with ESMTP id 88373D002
	for <tom at redacted>; Mon, 13 Aug 2012 17:40:42 +0200 (CEST)
Received: from localhost.localdomain (kesa [])
	by (Postfix) with ESMTP id C39D71AE880F;
	Mon, 13 Aug 2012 18:40:16 +0300 (EEST)
X-Original-To: dovecot at redacted
Delivered-To: dovecot at redacted
Received: by (Postfix, from userid 502)
	id 65CA31AE881B; Mon, 13 Aug 2012 18:40:15 +0300 (EEST)
Received: from ( [])
	by (Postfix) with ESMTP id 279A01AE87EE
	for <dovecot at redacted>; Mon, 13 Aug 2012 18:40:15 +0300 (EEST)
Received: from (
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by (Postfix) with ESMTPS id 3Wwh323smLzXxdH;
	Mon, 13 Aug 2012 17:40:14 +0200 (CEST)
Authentication-Results: (amavisd-new);
	dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
	:from:from:date:date:message-id:received:received; s=starbridge;
	t=1344872410; bh=7o/q4uedwkkwJtgWTYQfpMRtojpggv18ejryUQXlJWA=; b=
X-DSPAM-Processed: Mon Aug 13 17:40:13 2012
X-DSPAM-Confidence: 0.5375
X-DSPAM-Probability: 0.2397
X-Quarantine-ID: <M_-V15Uxxolr>
X-Virus-Scanned: Mailstorm at
X-DSPAM-Result: Innocent
X-DSPAM-Signature: 50291fdd89902137112073
X-CRM114-Status: UNSURE ( 9.97 )
X-CRM114-CacheID: sfid-20120813_174013_388252_821DA2D0 
Received: from ([]) (using TLS with cipher
	by ( [])
	(amavisd-new, port 10017)
	with ESMTPS id M_-V15Uxxolr; Mon, 13 Aug 2012 17:40:10 +0200 (CEST)
Received: from [] ( [])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "tonio at redacted",
	Issuer "StartCom Class 1 Primary Intermediate Client CA" (verified OK))
	(Authenticated sender: tonio at redacted)
	by (Postfix) with ESMTPSA id 3Wwh2x45vPzLd8V;
	Mon, 13 Aug 2012 17:40:09 +0200 (CEST)
Message-ID: <50291FD3.30908 at>
Date: Mon, 13 Aug 2012 17:40:03 +0200
From: "tonio at redacted" <tonio at redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: Dovecot Mailing List <dovecot at redacted>
References: <50210066.8040205 at> <50210FED.5020508 at>
	<4099152F-5AAB-4D45-9E69-3B220F47B222 at>
	<5021316A.4020105 at>
	<FC659EDB-12D8-42F2-87E0-6C38F6D52FC6 at>
	<50220A3E.407 at>
	<8A788394-7439-42AB-800F-3F5748B31806 at>
	<50236380.1070703 at>
	<3FD66FB3-39E1-44AC-8F87-5BDEDEDFEBC1 at>
	<F35CE1D7-1F0F-4EFB-A82D-1F6FD7BFCE7F at>
In-Reply-To: <F35CE1D7-1F0F-4EFB-A82D-1F6FD7BFCE7F at>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Timo Sirainen <tss at redacted>
Subject: Re: [Dovecot] pop3 proxying error
X-BeenThere: dovecot at redacted
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Dovecot Mailing List <>
List-Unsubscribe: <>,
	<mailto:dovecot-request at redacted?subject=unsubscribe>
List-Archive: <>
List-Post: <mailto:dovecot at redacted>
List-Help: <mailto:dovecot-request at redacted?subject=help>
List-Subscribe: <>,
	<mailto:dovecot-request at redacted?subject=subscribe>
Errors-To: dovecot-bounces at redacted
Sender: dovecot-bounces at redacted
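
The workaround described in the post (renaming scanner-result headers on incoming mail before it reaches amavis), written in Python as an added example that is not part of the original post or of amavisd-new. The prefix list, the X-Untrusted- rename prefix, the function name and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Assumption: name prefixes of scanner-result headers that only a local
# filter should set. Extend the tuple for the filters you actually run.
SCANNER_PREFIXES = ("x-crm114-", "x-dspam-", "x-spam-")
RENAME_PREFIX = "X-Untrusted-"  # hypothetical prefix, not an amavis convention

# Constructed sample: a message as it arrives at the border MTA, already
# carrying results from the sender's outgoing filter.
SAMPLE = (
    "Received: from mail.sender.example (mail.sender.example [192.0.2.10])\n"
    "\tby mx.example.org (Postfix) with ESMTP id PLACEHOLDER\n"
    "X-DSPAM-Result: Innocent\n"
    "X-CRM114-Status: UNSURE ( 9.97 )\n"
    "x-crm114-cacheid: sfid-constructed\n"
    "Subject: Re: pop3 proxying error\n"
    "From: sender@sender.example\n"
    "\n"
    "body\n"
)


def neutralize_scanner_headers(raw: str) -> tuple[Message, list[str]]:
    """Rename sender-supplied scanner headers before local filtering.

    Meant to run before any local scanner has touched the message, so
    every matching header is externally supplied. Returns the rewritten
    message and the original names of the headers that were renamed.
    """
    msg = message_from_string(raw)
    headers = msg.items()          # ordered (name, value) pairs, duplicates kept
    for name in set(msg.keys()):
        del msg[name]              # drops every occurrence, case-insensitively
    renamed = []
    for name, value in headers:
        if name.lower().startswith(SCANNER_PREFIXES):
            renamed.append(name)
            name = RENAME_PREFIX + name   # keep the value for later inspection
        msg[name] = value          # re-append in the original order
    return msg, renamed


if __name__ == "__main__":
    cleaned, hits = neutralize_scanner_headers(SAMPLE)
    print("renamed:", hits)
    print(cleaned.as_string())
```

Renaming rather than deleting keeps the sender's values available for troubleshooting while taking them out of the names a local filter would look for.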
