Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

Mark Martinec Mark.Martinec+amavis at ijs.si
Thu Aug 30 17:25:05 CEST 2012


Francis,

> Googling some more this morning and I suspect I have the same issue as bug
> 48824 at Zimbra, mentioned in this forum item:
> 
> http://www.zimbra.com/forums/administrators/41605-phishing-scam-not-detected-amavisd-until-forwarded-spam-account.html
> 
> I've found my amavisd.conf had this line commented out as per the example:
> 
> # qr'^MAIL$', # retain full original message for virus checking
> 
> I notice it is no longer commented out in the amavisd.conf-sample provided
> with 2.6.6, so I've uncommented my config as well.  I'll see how this works
> out.

The qr'^MAIL$' in @keep_decoded_original_maps can be useful to help
a virus scanner detect some patterns which it would otherwise miss.

However, this does not explain the different behaviour between
an inbound and an outbound message that you describe.

> Here is a traced example of this problem.  The problem: a phishing block
> is working only on outbound.  The inbound of the same email is not
> being detected.
> 
> This log trace shows it is getting blocked on the outbound (good):
> 
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04)
>   p004 1 Content-Type: multipart/related
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04)
>   p005 1/1 Content-Type: multipart/alternative
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04)
>   p001 1/1/1 Content-Type: text/plain, size: 7547 B, name:
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04)
>   p002 1/1/2 Content-Type: text/html, size: 21561 B, name:
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04)
>   p003 1/2 Content-Type: image/jpeg, size: 1107 B, name: image001.jpg
> 
> I looked at the quarantined file to find the prior queue id and trace
> it during the inbound.
> 
> On inbound, this same content showed as clean as shown in the
> amavis log file:
>
> Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08)
>   p003 1 Content-Type: multipart/alternative
> Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08)
>   p001 1/1 Content-Type: text/plain, size: 1679 B, name:
> Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08)
>   p002 1/2 Content-Type: text/html, size: 4459 B, name:

It is not the same message in these two cases;
they have a different MIME structure. The second one
is missing the multipart/related with an image/jpeg image.

  Mark

