Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

francis picabia fpicabia at gmail.com
Fri Aug 24 20:41:26 CEST 2012


I have a user who likes to report his phishing and spam to banks,
or spam/fraud reporting email addresses.  It has revealed
amavis + clam are capable of stopping these.  That is good.
However I'd rather it had been blocked on the inbound and this
is what I'm having trouble with.  I don't understand how it is
getting in but being found only when outbound.

I know that clam + amavis is stopping some types of
malware and phishing on the inbound MX, as I can see these
in the logs (these are just sample matches, not a trace
for a particular email in and out):

/var/log/amavisd.9.gz:Aug 15 18:40:56 mailmx1 amavis[17355]: (17355-08) Blocked INFECTED (Email.FBI.Scam), [217.146.176.150] [76.97.214.250] <fbi.gov1 at aol.com> -> <user at myserver.example.com>, quarantine: virus-B6GPM2MSO72A, Message-ID: <53768.14962.bm at smtp129.mail.ukl.yahoo.com>, mail_id: B6GPM2MSO72A, Hits: -, size: 10114, 121 ms

On the outbound SMTP, it can block outbound which had passed via the
server above:

/var/log/amavisd.6.gz:Aug 18 09:51:45 smtp1 amavis[2808]: (02808-19) Blocked INFECTED (Heuristics.Phishing.Email.SSL-Spoof), ORIGINATING/MYNETS LOCAL [XXX.YYY.200.97] [XXX.YYY.200.97] <> -> <ibanking at ib.rbc.com>, quarantine: j/virus-jtffHFHT7zp1, Message-ID: <b54ad7a4-9a15-49c8-8d8b-a09ffeb84101 at example.com>, mail_id: jtffHFHT7zp1, Hits: -, size: 15455, 280 ms

My focus has been looking at the configuration which is specific to
ORIGINATING/MYNETS in amavis/conf.d/50-user (the SMTP server where
outbound catches it is Debian).  Whatever it has going on is the winning
formula, I'd think.


$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 0,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  bypass_spam_checks_maps => ( [ "!.$mydomain", "." ] ),
  inet_acl => [ "127.0.0.0/8", "XXX.YYY.201.36", "XXX.YYY.201.37",
                "XXX.YYY.201.19", "XXX.YYY.200.21", "XXX.YYY.200.5",
                "XXX.YYY.201.5" ],
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

I can't see anything special making it work there.

I do notice some tagging on the MX server's logs, but it doesn't block:

/var/log/amavisd.9.gz:Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120815T063030-07654/parts INFECTED: HTML.Phishing.Bank-1127
/var/log/amavisd.9.gz:Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) Turning AV infection into a spam report: score=0.1, AV:HTML.Phishing.Bank-1127=0.1
/var/log/amavisd.9.gz:Aug 15 06:39:31 mailmx1 amavis[7654]: (07654-08) SPAM-TAG, <www-data at sycoweb.com> -> <sdogra at exchange.example.com>, No, score=5.694 tagged_above=0 required=6.2 tests=[AV:HTML.Phishing.Bank-1127=0.1, HTML_IMAGE_ONLY_16=1.048, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, URIBL_PH_SURBL=3.44] autolearn=disabled

Maybe these are the successes to build on.  What does it take to make
those into "Blocked INFECTED" cases?

I have a feeling there is a configuration problem I'm not seeing.
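An added illustration, not part of this post or of amavisd-new's shipped files: the amavisd-new lookup that produces the MX log's "Turning AV infection into a spam report" line is @virus_name_to_spam_score_maps, and the fragment below contrasts a map that downgrades phishing signatures to a spam score with one that leaves them as virus hits. It assumes amavisd-new 2.6 or later; the regexps and the 0.1 score are illustrative, so compare them with the amavisd.conf your version ships.

```perl
# Illustrative amavisd.conf fragment (constructed; compare with the
# @virus_name_to_spam_score_maps block in your own amavisd.conf).
# Each entry pairs a regexp on the AV signature name with a spam score.
# A signature that matches is no longer treated as a virus; it only adds
# that score to the SpamAssassin total, which is what the MX log shows
# ("Turning AV infection into a spam report: score=0.1").

# Weak for this site: phishing signatures are downgraded to a 0.1 score,
# so the message is merely SPAM-TAGged unless other tests push it past
# the required=6.2 seen in the log.
@virus_name_to_spam_score_maps =
  (new_RE(
    [ qr'^Heuristics\.Phishing\.'   => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\b' => 0.1 ],
  ));

# Corrected: an empty map leaves every ClamAV hit as a virus detection,
# so HTML.Phishing.Bank-1127 is handled like Email.FBI.Scam
# ("Blocked INFECTED") on the MX as well.
@virus_name_to_spam_score_maps = ();
```

Only the last assignment to @virus_name_to_spam_score_maps takes effect, so keep whichever of the two forms the site wants and drop the other.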
