Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

francis picabia fpicabia at gmail.com
Fri Aug 24 21:54:40 CEST 2012


Here is a traced example of this problem.  The problem: a phishing block
is working only on outbound.  The inbound of the same email is not
being detected.

This log trace shows it is getting blocked on the outbound (good):

Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) loaded policy bank
"MYNETS" over "ORIGINATING"
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) LMTP::10026
/var/lib/amavis/tmp/amavis-20120824T012800-24986: <user1 at example.com>
-> <info at antifraudcentre.ca>,<abuse at bankofamerica.com>,<spam at uce.gov>
Received: from smtp1.example.com ([XXX.YYY.201.5]) by localhost
(smtp1.example.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP;
Fri, 24 Aug 2012 02:32:53 -0300 (ADT)
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) Checking: p1hXq8s9Q7ZQ
ORIGINATING/MYNETS [XXX.YYY.200.97] <user1 at example.com> ->
<info at antifraudcentre.ca>,<abuse at bankofamerica.com>,<spam at uce.gov>
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p004 1 Content-Type:
multipart/related
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p005 1/1 Content-Type:
multipart/alternative
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p001 1/1/1
Content-Type: text/plain, size: 7547 B, name:
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p002 1/1/2
Content-Type: text/html, size: 21561 B, name:
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p003 1/2 Content-Type:
image/jpeg, size: 1107 B, name: image001.jpg
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) run_av (ClamAV-clamd):
/var/lib/amavis/tmp/amavis-20120824T012800-24986/parts INFECTED:
Heuristics.Phishing.Email.SpoofedDomain
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) virus_scan:
(Heuristics.Phishing.Email.SpoofedDomain), detected by 1 scanners:
ClamAV-clamd
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) Virus
Heuristics.Phishing.Email.SpoofedDomain matches (?-xism:.*), sender
addr ignored
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) local delivery: <> ->
virus-quarantine, mbx=/var/virusmails/p/virus-p1hXq8s9Q7ZQ
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) dkim: candidate
originators: 2822.From:<virusalert at example.com>,
2821.mail_from:<virusalert at example.com>
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) dkim: signing
(author), From: <virusalert at example.com>, KEY.key_ind=>0,
a=>rsa-sha256, c=>relaxed/simple, d=>example.com, s=>smtp1,
ttl=>1814400, x=>1347600773.12368
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) SEND via SMTP:
<virusalert at example.com> ->
<virusalert at example.com>,ENVID=AM..20120824T053253Z at smtp1.example.com
250 2.0.0 Ok, id=24986-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 5666F1F4488
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) Blocked INFECTED
(Heuristics.Phishing.Email.SpoofedDomain), ORIGINATING/MYNETS LOCAL
[XXX.YYY.200.97] [131.162.200.97] <user1 at example.com> ->
<info at antifraudcentre.ca>,<abuse at bankofamerica.com>,<spam at uce.gov>,
quarantine: p/virus-p1hXq8s9Q7ZQ, Message-ID:
<F9123CB5B2AE9343BCCC27F22E2285C608D13201 at exchange2.ad.example.com>,
mail_id: p1hXq8s9Q7ZQ, Hits: -, size: 34471, 259 ms
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) TIMING [total 264 ms]
- SMTP greeting: 3 (1%)1, SMTP LHLO: 1 (0%)2, SMTP pre-MAIL: 1 (0%)2,
SMTP pre-DATA-flush: 4 (2%)4, SMTP DATA: 38 (14%)18, check_init: 1
(0%)18, digest_hdr: 2 (1%)19, digest_body_dkim: 1 (0%)19, gen_mail_id:
1 (1%)20, mime_decode: 31 (12%)31, get-file-type3: 21 (8%)39,
parts_decode: 0 (0%)39, check_header: 2 (1%)40, AV-scan-1: 53 (20%)60,
read_snmp_variables: 1 (1%)61, best_try_originator: 2 (1%)61,
update_cache: 1 (0%)62, decide_mail_destiny: 3 (1%)63, notif-quar: 2
(1%)64, stat-mbx: 4 (2%)65, open-mbx: 0 (0%)65, write-header: 1
(0%)66, save-to-local-mailbox: 0 (0%)66, write-header: 40 (15%)81,
fwd-data-dkim: 17 (7%)88, fwd-connect: 3 (1%)89, fwd-mail-pip: 1
(1%)89, fwd-rcpt-pip: 0 (0%)89, fwd-data-chkpnt: 0 (0%)89,
write-header: 0 (0%)90, fwd-data-contents: 4 (1%)91, fwd-end-chkpnt: 9
(3%)94, prepare-dsn: 2 (1%)95, main_log_entry: 8 (3%)98, update_snmp:
4 (1%)99, SMTP pre-response: 0 (0%)99, SMTP response: 0 (0%)100,
unlink-3-fi...
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) ...les: 0 (0%)100,
rundown: 1 (0%)100
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) extra modules loaded:
unicore/lib/gc_sc/Digit.pl, unicore/lib/gc_sc/SpacePer.pl
Aug 24 02:48:56 smtp1 amavis[24986]: (24986-04) loaded policy bank "ORIGINATING"


I looked at the quarantined file to find the prior queue id and trace
it during the inbound.

On inbound, this same content showed as clean as shown in the amavis log file:


Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) FWD via SMTP:
<notification at security.com> -> <user1 at exchange.example.com>,BODY=7BIT
250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
4605F19CC82
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) Passed CLEAN,
[216.136.82.71] [66.162.247.82] <notification at security.com> ->
<user1 at exchange.example.com>, Message-ID:
<20120824031451.D9C2C102E4 at relay-5.dlfw.twtelecom.net>, mail_id:
e9O2HVhjmcX6, Hits: 1.598, size: 8270, queued_as: 4605F19CC82, 1218 ms
[root at mailmx1 etc]# zgrep 13305-08 /var/log/amavisd.1.gz
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) LMTP::10024
/var/amavis/tmp/amavis-20120824T000543-13305:
<notification at security.com> -> <user1 at exchange.example.com> SIZE=8270
BODY=7BIT Received: from mailmx1.example.com ([127.0.0.1]) by
localhost (mailmx1.example.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP for <user1 at exchange.example.com>; Fri, 24 Aug 2012 00:15:03
-0300 (ADT)
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) Checking:
e9O2HVhjmcX6 [216.136.82.71] <notification at security.com> ->
<user1 at exchange.example.com>
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p003 1 Content-Type:
multipart/alternative
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p001 1/1
Content-Type: text/plain, size: 1679 B, name:
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p002 1/2
Content-Type: text/html, size: 4459 B, name:
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) SPAM-TAG,
<notification at security.com> -> <user1 at exchange.example.com>, No,
score=1.598 tagged_above=0 required=6.2
tests=[FORGED_MUA_MOZILLA=1.596, HTML_MESSAGE=0.001,
NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_NONE=-0.0001]
autolearn=disabled
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) FWD via SMTP:
<notification at security.com> -> <user1 at exchange.example.com>,BODY=7BIT
250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
4605F19CC82
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) Passed CLEAN,
[216.136.82.71] [66.162.247.82] <notification at security.com> ->
<user1 at exchange.example.com>, Message-ID:
<20120824031451.D9C2C102E4 at relay-5.dlfw.twtelecom.net>, mail_id:
e9O2HVhjmcX6, Hits: 1.598, size: 8270, queued_as: 4605F19CC82, 1218 ms
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) TIMING-SA total 1038
ms - parse: 4 (0.4%), extract_message_metadata: 35 (3.3%),
get_uri_detail_list: 4 (0.4%), tests_pri_-1000: 18 (1.7%),
tests_pri_-950: 2 (0.2%), tests_pri_-900: 3 (0.2%), tests_pri_-400: 2
(0.2%), tests_pri_0: 927 (89.2%), check_dkim_adsp: 49 (4.7%),
check_spf: 412 (39.7%), poll_dns_idle: 344 (33.1%), check_razor2: 234
(22.5%), tests_pri_500: 6 (0.6%), get_report: 4 (0.4%)
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) TIMING [total 1225
ms] - SMTP greeting: 3 (0%)0, SMTP LHLO: 1 (0%)0, SMTP pre-MAIL: 1
(0%)0, SMTP pre-DATA-flush: 3 (0%)1, SMTP DATA: 39 (3%)4, check_init:
1 (0%)4, digest_hdr: 2 (0%)4, digest_body_dkim: 0 (0%)4, gen_mail_id:
1 (0%)4, mime_decode: 19 (2%)6, get-file-type2: 20 (2%)7,
decompose_part: 1 (0%)7, parts_decode: 0 (0%)7, check_header: 1 (0%)7,
AV-scan-1: 10 (1%)8, spam-wb-list: 2 (0%)8, SA parse: 5 (0%)9, SA
check: 1027 (84%)93, update_cache: 11 (1%)94, decide_mail_destiny: 1
(0%)94, fwd-connect: 7 (1%)94, fwd-mail-pip: 3 (0%)94, fwd-rcpt-pip: 0
(0%)95, fwd-data-chkpnt: 0 (0%)95, write-header: 2 (0%)95,
fwd-data-contents: 1 (0%)95, fwd-end-chkpnt: 48 (4%)99, prepare-dsn: 1
(0%)99, main_log_entry: 11 (1%)100, update_snmp: 3 (0%)100, SMTP
pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-2-files: 0
(0%)100, rundown: 1 (0%)100


What configuration is missing on my inbound so this can be detected and blocked as it is for outbound?
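The comparison the post does by hand, as an added example that is not part of the original message: a small Python parser for amavis log lines in the format shown above that reduces each task trace to the fields deciding its verdict (host, LMTP port, policy banks, run_av results, final verdict, AV-scan timing) and lists where the two traces differ. The sample lines are abbreviated from the post's two traces with the archive's " at " restored to "@"; the field names and helper functions are this example's own.

```python
import re
# Constructed sample: one line per interesting event, abbreviated from the two traces in the post.
# (The list archive rewrites "@" as " at "; addresses here are restored to plain form.)
OUTBOUND_LOG = """\
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) loaded policy bank "MYNETS" over "ORIGINATING"
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) LMTP::10026 /var/lib/amavis/tmp/amavis-20120824T012800-24986: <user1@example.com> -> <info@antifraudcentre.ca>
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) run_av (ClamAV-clamd): /var/lib/amavis/tmp/amavis-20120824T012800-24986/parts INFECTED: Heuristics.Phishing.Email.SpoofedDomain
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) Blocked INFECTED (Heuristics.Phishing.Email.SpoofedDomain), ORIGINATING/MYNETS LOCAL [XXX.YYY.200.97] <user1@example.com> -> <info@antifraudcentre.ca>, quarantine: p/virus-p1hXq8s9Q7ZQ, mail_id: p1hXq8s9Q7ZQ, Hits: -, size: 34471, 259 ms
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) TIMING [total 264 ms] - SMTP greeting: 3 (1%)1, AV-scan-1: 53 (20%)60, rundown: 1 (0%)100
"""
INBOUND_LOG = """\
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) LMTP::10024 /var/amavis/tmp/amavis-20120824T000543-13305: <notification@security.com> -> <user1@exchange.example.com> SIZE=8270
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) Passed CLEAN, [216.136.82.71] [66.162.247.82] <notification@security.com> -> <user1@exchange.example.com>, mail_id: e9O2HVhjmcX6, Hits: 1.598, size: 8270, queued_as: 4605F19CC82, 1218 ms
Aug 24 00:15:04 mailmx1 amavis[13305]: (13305-08) TIMING [total 1225 ms] - SMTP greeting: 3 (0%)0, AV-scan-1: 10 (1%)8, SA check: 1027 (84%)93, rundown: 1 (0%)100
"""

# syslog prefix: "Mon DD HH:MM:SS host amavis[pid]: (task-id) message"
LINE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ (?P<host>\S+) amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<msg>.*)$')

def summarize(log_text):
    """Reduce one amavis task trace to the fields that decide its verdict."""
    s = {"host": None, "task": None, "port": None, "policy_banks": [],
         "av_results": [], "verdict": None, "av_scan_ms": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not an amavis line (e.g. a shell prompt)
        s["host"], s["task"], msg = m["host"], m["task"], m["msg"]
        if msg.startswith("loaded policy bank"):
            s["policy_banks"] += re.findall(r'"([^"]+)"', msg)   # e.g. MYNETS, ORIGINATING
        elif msg.startswith("LMTP::"):
            s["port"] = int(msg[6:msg.index(" ")])               # 10024 inbound, 10026 outbound
        elif (am := re.match(r'run_av \(([^)]+)\): \S+ (\w+)(?:: (\S+))?', msg)):
            s["av_results"].append((am[1], am[2], am[3]))         # (scanner, status, signature)
        elif (vm := re.match(r'(Passed|Blocked) (\S+?)(?: \((.*?)\))?,', msg)):
            s["verdict"] = (vm[1], vm[2], vm[3])                  # (action, class, detail)
        elif msg.startswith("TIMING ["):
            tm = re.search(r'AV-scan-1: (\d+) \(', msg)
            s["av_scan_ms"] = int(tm[1]) if tm else None
    return s

def diff_traces(a, b):
    """Name every field where two summaries disagree: the host, policy-bank and scanner checks to start with."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    out, inn = summarize(OUTBOUND_LOG), summarize(INBOUND_LOG)
    for field, (o, i) in diff_traces(out, inn).items():
        print(f"{field:13} outbound={o!r}  inbound={i!r}")
```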

