Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

francis picabia fpicabia at
Fri Aug 24 20:41:26 CEST 2012

I have a user who likes to report his phishing and spam to banks,
or spam/fraud reporting email addresses.  It has revealed
amavis + clam are capable of stopping these.  That is good.
However I'd rather it had been blocked on the inbound and this
is what I'm having trouble with.  I don't understand how it is
getting in but being found only when outbound.

I know that clam + amavis is stopping some types of
malware and phishing on the inbound MX, as I can see these
in the logs (these are just sample matches, not a trace
for a particular email in and out):

/var/log/amavisd.9.gz:Aug 15 18:40:56 mailmx1 amavis[17355]: (17355-08) Blocked INFECTED (Email.FBI.Scam), [] [] <fbi.gov1 at> -> <user at>, quarantine: virus-B6GPM2MSO72A, Message-ID: < at>, mail_id: B6GPM2MSO72A, Hits: -, size: 10114, 121 ms

On the outbound SMTP, it can block outbound which had passed via the
server above:

/var/log/amavisd.6.gz:Aug 18 09:51:45 smtp1 amavis[2808]: (02808-19) Blocked INFECTED (Heuristics.Phishing.Email.SSL-Spoof), <ibanking at>, quarantine: j/virus-jtffHFHT7zp1, Message-ID: <b54ad7a4-9a15-49c8-8d8b-a09ffeb84101 at>, mail_id: jtffHFHT7zp1, Hits: -, size: 15455, 280 ms

My focus has been looking at the configuration which is specific to
amavis/conf.d/50-user (SMTP where outbound catches it is debian). Whatever it
has going on is the winning formula, I'd think.

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 0,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  bypass_spam_checks_maps => ( [ "!.$mydomain", "." ] ),
  # clients allowed to submit on this port (addresses masked in the post)
  inet_acl => [ "", "XXX.YYY.201.36", "XXX.YYY.201.37",
    "XXX.YYY.201.19", "XXX.YYY.200.21", "XXX.YYY.200.5",  "XXX.YYY.201.5" ],
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

I can't see anything special making it work there.

I do notice some tagging on the MX server's logs, but it doesn't block:

/var/log/amavisd.9.gz:Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120815T063030-07654/parts INFECTED:
/var/log/amavisd.9.gz:Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) Turning AV infection into a spam report: score=0.1,
/var/log/amavisd.9.gz:Aug 15 06:39:31 mailmx1 amavis[7654]: (07654-08) SPAM-TAG, <www-data at> -> <sdogra at>, No, score=5.694 tagged_above=0 required=6.2 tests=[AV:HTML.Phishing.Bank-1127=0.1, HTML_IMAGE_ONLY_16=1.048,

Maybe these are the successes to build on.  What does it take to make
those into "Blocked INFECTED" cases?

I have a feeling there is a configuration problem I'm not seeing.
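The three kinds of log entry quoted above (a hard "Blocked INFECTED", an AV hit "turned into a spam report", and the resulting SPAM-TAG below the required score) can be correlated per amavis task id to see, message by message, why a ClamAV hit did or did not end in a block. This is an added Python example, not code from the post or from amavisd; the sample lines are constructed by re-joining the wrapped fragments quoted in the post, and the regexes assume the log format shown there.

```python
import re

# Constructed sample lines, re-joined from the wrapped log fragments quoted in the
# post above (the list archive elides addresses, and the tests=[...] list is cut off).
SAMPLE_LOG = [
    "Aug 15 18:40:56 mailmx1 amavis[17355]: (17355-08) Blocked INFECTED (Email.FBI.Scam), "
    "[] [] <fbi.gov1 at> -> <user at>, quarantine: virus-B6GPM2MSO72A, Hits: -, size: 10114, 121 ms",
    "Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) Turning AV infection into a spam report: score=0.1,",
    "Aug 15 06:39:31 mailmx1 amavis[7654]: (07654-08) SPAM-TAG, <www-data at> -> <sdogra at>, No, "
    "score=5.694 tagged_above=0 required=6.2 tests=[AV:HTML.Phishing.Bank-1127=0.1, HTML_IMAGE_ONLY_16=1.048]",
]

TASK_RE = re.compile(r"amavis\[\d+\]: \((\d+-\d+)\) (.*)$")           # (pid-seq) task id
BLOCKED_RE = re.compile(r"^Blocked INFECTED \(([^)]+)\)")              # hard AV block
DOWNGRADE_RE = re.compile(r"^Turning AV infection into a spam report: score=(-?[\d.]+)")
TAG_RE = re.compile(r"^SPAM-TAG,.*?score=(-?[\d.]+) tagged_above=(-?[\d.]+) required=(-?[\d.]+)")
AVTEST_RE = re.compile(r"AV:([^=,\]]+)=(-?[\d.]+)")                    # AV:<sig>=<points> in tests=[]


def correlate(lines):
    """Group log lines by amavis task id and record what became of each AV hit."""
    tasks = {}
    for line in lines:
        m = TASK_RE.search(line)
        if not m:
            continue
        task_id, rest = m.groups()
        t = tasks.setdefault(task_id, {"blocked": None, "av_score": None,
                                       "score": None, "required": None, "av_tests": {}})
        if b := BLOCKED_RE.match(rest):
            t["blocked"] = b.group(1)
        elif d := DOWNGRADE_RE.match(rest):
            t["av_score"] = float(d.group(1))          # AV verdict demoted to spam points
        elif g := TAG_RE.match(rest):
            t["score"], t["required"] = float(g.group(1)), float(g.group(3))
            t["av_tests"] = {sig: float(pts) for sig, pts in AVTEST_RE.findall(rest)}
    return tasks


def explain(t):
    """One-line diagnosis of why an AV-flagged message was or was not blocked."""
    if t["blocked"]:
        return f"blocked outright by signature {t['blocked']}"
    if t["av_score"] is not None and t["score"] is not None:
        sigs = ", ".join(t["av_tests"]) or "unknown signature"
        shortfall = t["required"] - t["score"]
        return (f"AV hit ({sigs}) was demoted to {t['av_score']} spam points; "
                f"total {t['score']} is {shortfall:.3f} below required {t['required']}, so only tagged")
    return "no AV verdict recorded for this task"
```

Run it over a real amavisd log (one entry per line) and any task whose diagnosis reads "demoted ... so only tagged" is a phishing hit the MX treated as spam points rather than as an infection.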
