Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does
Mark Martinec
Mark.Martinec+amavis at ijs.si
Thu Aug 30 17:25:05 CEST 2012
Francis,
> Googling some more this morning and I suspect I have the same issue as bug
> 48824 at Zimbra, mentioned in this forum item:
>
> http://www.zimbra.com/forums/administrators/41605-phishing-scam-not-detected-amavisd-until-forwarded-spam-account.html
>
> I've found my amavisd.conf had this line commented out as per the example:
>
> # qr'^MAIL$', # retain full original message for virus checking
>
> I notice it is no longer commented out in the amavisd.conf-sample provided
> with 2.6.6, so I've uncommented my config as well. I'll see how this works
> out.
The qr'^MAIL$' in @keep_decoded_original_maps can be useful to help
a virus scanner detect some patterns which it would otherwise miss.
However, this does not explain the different behaviour between
an inbound and an outbound message that you describe.
> Here is a traced example of this problem. The problem: a phishing block
> is working only on outbound. The inbound of the same email is not
> being detected.
>
> This log trace shows it is getting blocked on the outbound (good):
>
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p004 1 Content-Type: multipart/related
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p005 1/1 Content-Type: multipart/alternative
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p001 1/1/1 Content-Type: text/plain, size: 7547 B, name:
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p002 1/1/2 Content-Type: text/html, size: 21561 B, name:
> Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p003 1/2 Content-Type: image/jpeg, size: 1107 B, name: image001.jpg
>
> I looked at the quarantined file to find the prior queue id and trace
> it during the inbound.
>
> On inbound, this same content showed as clean as shown in the
> amavis log file:
>
> Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p003 1 Content-Type: multipart/alternative
> Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p001 1/1 Content-Type: text/plain, size: 1679 B, name:
> Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p002 1/2 Content-Type: text/html, size: 4459 B, name:
It is not the same message in these two cases,
they have a different MIME structure. The second one
is missing the multipart/related with an image/jpeg image.
Mark
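The comparison Mark makes by eye above (reading the part paths and Content-Types out of the two log traces and noticing that one tree is missing a multipart/related wrapper and an image/jpeg part) is the kind of check worth automating before concluding that a scanner missed a phish on one path but caught it on another. The following is an added example, not code from the thread or from amavisd itself: it parses amavis part-listing log lines of the shape quoted above into a per-task MIME tree and reports which parts exist in one delivery but not the other. The sample lines are constructed from the quoted traces (each log entry restored to a single line), and the function names (`parse_parts`, `signature`, `structural_diff`, `render_tree`) are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the amavis log lines quoted in the thread.
# Task 24986-04 is the outbound copy, 13305-08 the inbound copy of what was
# assumed to be the same message.
LOG = """\
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p004 1 Content-Type: multipart/related
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p005 1/1 Content-Type: multipart/alternative
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p001 1/1/1 Content-Type: text/plain, size: 7547 B, name:
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p002 1/1/2 Content-Type: text/html, size: 21561 B, name:
Aug 24 02:32:53 smtp1 amavis[24986]: (24986-04) p003 1/2 Content-Type: image/jpeg, size: 1107 B, name: image001.jpg
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p003 1 Content-Type: multipart/alternative
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p001 1/1 Content-Type: text/plain, size: 1679 B, name:
Aug 24 00:15:03 mailmx1 amavis[13305]: (13305-08) p002 1/2 Content-Type: text/html, size: 4459 B, name:
"""

# One amavis part line: "(task-id) pNNN path Content-Type: type[, size: N B][, name: file]"
PART_RE = re.compile(
    r"\((?P<task>\d+-\d+)\)\s+p\d+\s+(?P<path>[\d/]+)\s+"
    r"Content-Type:\s+(?P<ctype>[\w.+-]+/[\w.+-]+)"
    r"(?:,\s+size:\s+(?P<size>\d+)\s+B)?"
    r"(?:,\s+name:\s*(?P<name>\S*))?"
)


def _path_key(path):
    """Sort key turning '1/1/2' into (1, 1, 2) so parts come out in tree order."""
    return tuple(int(x) for x in path.split("/"))


def parse_parts(log_text):
    """Return {task_id: {part_path: (content_type, size_or_None, name_or_None)}}."""
    parts = defaultdict(dict)
    for line in log_text.splitlines():
        m = PART_RE.search(line)
        if not m:
            continue  # not a part-listing line; other amavis log lines are ignored
        size = int(m.group("size")) if m.group("size") else None
        name = m.group("name") or None
        parts[m.group("task")][m.group("path")] = (m.group("ctype"), size, name)
    return dict(parts)


def signature(part_map):
    """The MIME skeleton: (path, content_type) pairs in tree order, with sizes and
    file names dropped, so two deliveries can be compared structurally."""
    return tuple((p, part_map[p][0]) for p in sorted(part_map, key=_path_key))


def structural_diff(a, b):
    """Parts (path, content_type) present only in a, and those present only in b."""
    sa, sb = set(signature(a)), set(signature(b))
    return sorted(sa - sb), sorted(sb - sa)


def render_tree(part_map):
    """Indented text rendering of the part tree for a human reader."""
    lines = []
    for path in sorted(part_map, key=_path_key):
        ctype, size, name = part_map[path]
        extra = f" ({size} B)" if size is not None else ""
        extra += f" {name}" if name else ""
        lines.append("  " * path.count("/") + f"{path}: {ctype}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    parts = parse_parts(LOG)
    outbound, inbound = parts["24986-04"], parts["13305-08"]
    print("outbound:\n" + render_tree(outbound))
    print("inbound:\n" + render_tree(inbound))
    only_out, only_in = structural_diff(outbound, inbound)
    print("only in outbound:", only_out)
    print("only in inbound:", only_in)
```

Run against the constructed traces, the outbound tree carries a multipart/related root with an image/jpeg at 1/2, while the inbound tree is a bare multipart/alternative; the diff makes that mismatch explicit, which is the first thing to establish before looking for a scanner or configuration difference between the two hosts.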