Amavis scoring on externally added headers?

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Aug 17 21:16:57 CEST 2012


Tom,

> Lately I've received a few messages that ended up in my quarantine
> without reason. Upon inspection, it seems that amavis uses CRM114
> headers that were added by the sender, and scores on them.
> 
> My setup is amavisd-new 2.7.1, with only dspam as spamfilter, fed by
> postfix (via content_filter). I don't have CRM114 installed or enabled
> in amavis. OS is gentoo linux.
> 
> Attached mailheaders suggest that the sender uses an outgoing spamfilter
> that adds dspam and crm114 headers. When the message arrives at my
> mailserver, amavis feeds the message to dspam and adds headers as
> requested. Somehow amavis *also* copies and re-adds the crm114 headers
> from the remote system, and decides, based on that score, that the
> message should be quarantined/tagged.

I see. This happens when an external scanner is involved, and
when parsing its result all recognized header fields are picked up.
It should only pick its own kind.

> It seems to me that this is unwanted behaviour: AFAIK this could also be
> used to convince amavis into adding a negative score based on external
> headers, thereby compensating for positive scoring on spammy content,
> making spammy messages pass the filter unblocked.
> 
> My current workaround is to remove/rename headers on incoming messages
> that might interfere with amavis in postfix (before feeding the message
> to amavis),

Good idea.

> but I'd still like to see that amavis can't be tricked into
> this. Especially since I don't know which headers actually could be
> 'risky', since crm114 headers are being processed, but crm114 isn't
> mentioned anywhere in amavis config.

Agreed. Back to the drawing board...

  Mark


More information about the amavis-users mailing list