Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

francis picabia fpicabia at gmail.com
Thu Sep 20 17:22:40 CEST 2012


On Thu, Aug 30, 2012 at 12:25 PM, Mark Martinec
<Mark.Martinec+amavis at ijs.si> wrote:
> Francis,
>
>> Googling some more this morning and I suspect I have the same issue as bug
>> 48824 at Zimbra, mentioned in this forum item:
>>
>> http://www.zimbra.com/forums/administrators/41605-phishing-scam-not-detected-amavisd-until-forwarded-spam-account.html
>>
>> I've found my amavisd.conf had this line commented out as per the example:
>>
>> # qr'^MAIL$', # retain full original message for virus checking
>>
>> I notice it is no longer commented out in the amavisd.conf-sample provided
>> with 2.6.6, so I've uncommented my config as well.  I'll see how this works
>> out.
>
> The qr'^MAIL$' in @keep_decoded_original_maps can be useful to aid
> a virus scanner detect some patterns which it would otherwise miss.
>
> However, this does not explain the different behaviour between
> an inbound and an outbound message, that you describe.
>
>> Here is a traced example of this problem.  The problem: a phishing block
>> is working only on outbound.  The inbound of the same email is not
>> being detected.

{ bad trace deleted }

> It is not the same message in these two cases,
> they have a different MIME structure. The second one
> is missing the multipart/related with a image/jpeg image.

Sorry about that.  I think I've done a better trace this time.
New message comes in on the MX with low spam score.
When user attempts to report it to anti-spam and anti-fraud
addresses, it is blocked successfully.  Both systems have
Sanesecurity additions and I can see the MX is blocking many
emails (122 Blocked INFECTED on Sanesecurity.Scam4.1615.UNOFFICIAL
in recent days).

Here is the log trace:


Inbound:

Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) LMTP::10024
/var/amavis/tmp/amavis-20120920T054800-01501:
<webooffice_reg0003 at att.net> -> <jdoe at exchange.example.com> SIZE=7484
Received: from mx20.example.com ([127.0.0.1]) by localhost
(mx20.example.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for
<jdoe at exchange.example.com>; Thu, 20 Sep 2012 05:52:40 -0300 (ADT)
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) dkim: VALID
Author+Sender+MailFrom signature by i=@att.net, From:
<webooffice_reg0003 at att.net>, a=rsa-sha256, c=relaxed/relaxed,
s=s1024, d=att.net
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) dkim: VALID
Author+Sender+MailFrom signature by i=webooffice_reg0003 at att.net,
From: <webooffice_reg0003 at att.net>, a=rsa-sha1, c=nofws, s=s1024,
d=att.net
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) Checking: 4fC2TL9pQ0w8
[98.139.213.38] <webooffice_reg0003 at att.net> ->
<jdoe at exchange.example.com>
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p004 1 Content-Type:
multipart/mixed
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p005 1/1 Content-Type:
multipart/alternative
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p001 1/1/1 Content-Type:
text/plain, size: 50 B, name:
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p002 1/1/2 Content-Type:
text/html, size: 166 B, name:
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p003 1/2 Content-Type:
application/rtf, size: 2831 B, name: Please Read The Attachment For
Your Assistance Is Needed..rtf
Sep 20 05:52:42 mx20 amavis[1501]: (01501-02) SPAM-TAG,
<webooffice_reg0003 at att.net> -> <jdoe at exchange.example.com>, No,
score=5.413 tagged_above=0 required=6.2 tests=[DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25,
FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1,
FREEMAIL_REPLYTO_END_DIGIT=0.25, FSL_FREEMAIL_1=0.001,
HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=4,
RCVD_IN_DNSWL_NONE=-0.0001, T_FREEMAIL_DOC_PDF=0.01]
autolearn=disabled
Sep 20 05:52:42 mx20 amavis[1501]: (01501-02) FWD via SMTP:
<webooffice_reg0003 at att.net> -> <jdoe at exchange.example.com>,BODY=7BIT
250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
8DE6619CC8A
Sep 20 05:52:42 mx20 amavis[1501]: (01501-02) Passed CLEAN,
[98.139.213.38] [65.111.164.53] <webooffice_reg0003 at att.net> ->
<jdoe at exchange.example.com>, Message-ID:
<1348131158.32322.YahooMailClassic at web182206.mail.bf1.yahoo.com>,
mail_id: 4fC2TL9pQ0w8, Hits: 5.413, size: 7482, queued_as:
8DE6619CC8A, dkim_id=@att.net,webooffice_reg0003 at att.net, 2420 ms
Sep 20 05:52:42 mx20 amavis[1501]: (01501-02) TIMING-SA total 2093 ms
- parse: 3 (0.2%), extract_message_metadata: 11 (0.5%),
get_uri_detail_list: 0.67 (0.0%), tests_pri_-1000: 70 (3.4%),
tests_pri_-950: 2 (0.1%), tests_pri_-900: 2 (0.1%), tests_pri_-400:
1.86 (0.1%), tests_pri_0: 336 (16.1%), check_spf: 172 (8.2%),
poll_dns_idle: 1745 (83.4%), check_razor2: 95 (4.5%), tests_pri_500:
1623 (77.5%), get_report: 2 (0.1%)
Sep 20 05:52:42 mx20 amavis[1501]: (01501-02) TIMING [total 2427 ms] -
SMTP greeting: 2 (0%)0, SMTP LHLO: 1 (0%)0, SMTP pre-MAIL: 1 (0%)0,
SMTP pre-DATA-flush: 3 (0%)0, SMTP DATA: 38 (2%)2, check_init: 1
(0%)2, digest_hdr: 7 (0%)2, digest_body_dkim: 57 (2%)5, gen_mail_id: 4
(0%)5, mime_decode: 24 (1%)6, get-file-type3: 19 (1%)6,
decompose_part: 1 (0%)6, decompose_part: 0 (0%)7, parts_decode: 0
(0%)7, check_header: 1 (0%)7, AV-scan-1: 89 (4%)10, spam-wb-list: 2
(0%)10, SA parse: 4 (0%)10, SA check: 2084 (86%)96, update_cache: 10
(0%)97, decide_mail_destiny: 1 (0%)97, fwd-connect: 9 (0%)97,
fwd-mail-pip: 3 (0%)97, fwd-rcpt-pip: 0 (0%)97, fwd-data-chkpnt: 0
(0%)97, write-header: 2 (0%)97, fwd-data-contents: 0 (0%)97,
fwd-end-chkpnt: 47 (2%)99, prepare-dsn: 1 (0%)99, main_log_entry: 10
(0%)100, update_snmp: 3 (0%)100, SMTP pre-response: 0 (0%)100, SMTP
response: 0 (0%)100, unlink-4-files: 0 (0%)100, rundown: 1 (0%)100


Outbound:

Sep 20 10:10:19 smtp amavis[18853]: (18853-17) loaded policy bank
"MYNETS" over "ORIGINATING"
Sep 20 10:10:19 smtp amavis[18853]: (18853-17) LMTP::10026
/var/lib/amavis/tmp/amavis-20120920T100459-18853:
<john.doe at example.com> ->
<info at antifraudcentre.ca>,<spam at uce.gov>,<abuse at yahoo.com> Received:
from ankaa.example.com ([XXX.YYY.201.5]) by localhost
(smtp.example.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP;
Thu, 20 Sep 2012 10:10:19 -0300 (ADT)
Sep 20 10:10:19 smtp amavis[18853]: (18853-17) Checking: q+-C53-nraxi
ORIGINATING/MYNETS [XXX.YYY.200.97] <john.doe at example.com> ->
<info at antifraudcentre.ca>,<spam at uce.gov>,<abuse at yahoo.com>
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p004 1 Content-Type:
multipart/mixed
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p005 1/1 Content-Type:
multipart/alternative
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p001 1/1/1
Content-Type: text/plain, size: 6930 B, name:
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p002 1/1/2
Content-Type: text/html, size: 17524 B, name:
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p003 1/2 Content-Type:
application/rtf, size: 2831 B, name: Please Read The Attachment For
Your Assistance Is Needed..rtf
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) run_av (ClamAV-clamd):
/var/lib/amavis/tmp/amavis-20120920T100459-18853/parts INFECTED:
Sanesecurity.Scam4.1615.UNOFFICIAL
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) virus_scan:
(Sanesecurity.Scam4.1615.UNOFFICIAL), detected by 1 scanners:
ClamAV-clamd
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) Virus
Sanesecurity.Scam4.1615.UNOFFICIAL matches (?-xism:.*), sender addr
ignored
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) local delivery: <> ->
virus-quarantine, mbx=/var/virusmails/q/virus-q+-C53-nraxi
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) dkim: candidate
originators: 2822.From:<virusalert at example.com>,
2821.mail_from:<virusalert at example.com>
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) dkim: signing (author),
From: <virusalert at example.com>, KEY.key_ind=>0, a=>rsa-sha256,
c=>relaxed/simple, d=>example.com, s=>ankaa, ttl=>1814400,
x=>1349961019.93888
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) SEND via SMTP:
<virusalert at example.com> ->
<virusalert at example.com>,ENVID=AM..20120920T131020Z at smtp.example.com
250 2.0.0 Ok, id=18853-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 460831F4505
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) Blocked INFECTED
(Sanesecurity.Scam4.1615.UNOFFICIAL), ORIGINATING/MYNETS LOCAL
[XXX.YYY.200.97] [XXX.YYY.200.97] <john.doe at example.com> ->
<info at antifraudcentre.ca>,<spam at uce.gov>,<abuse at yahoo.com>,
quarantine: q/virus-q+-C53-nraxi, Message-ID:
<F9123CB5B2AE9343BCCC27F22E2285C608D28D3B at exchange2.ad.example.com>,
mail_id: q+-C53-nraxi, Hits: -, size: 32110, 375 ms
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) TIMING [total 381 ms] -
SMTP greeting: 3 (1%)1, SMTP LHLO: 1 (0%)1, SMTP pre-MAIL: 1 (0%)1,
SMTP pre-DATA-flush: 3 (1%)2, SMTP DATA: 45 (12%)14, check_init: 1
(0%)14, digest_hdr: 4 (1%)15, digest_body_dkim: 1 (0%)15, gen_mail_id:
3 (1%)16, mime_decode: 30 (8%)24, get-file-type3: 26 (7%)31,
decompose_part: 2 (0%)31, parts_decode: 0 (0%)31, check_header: 2
(0%)32, AV-scan-1: 128 (34%)65, read_snmp_variables: 1 (0%)65,
best_try_originator: 2 (1%)66, update_cache: 1 (0%)66,
decide_mail_destiny: 3 (1%)67, notif-quar: 2 (0%)67, stat-mbx: 3
(1%)68, open-mbx: 0 (0%)68, write-header: 1 (0%)69,
save-to-local-mailbox: 1 (0%)69, write-header: 38 (10%)79,
fwd-data-dkim: 17 (5%)83, fwd-connect: 19 (5%)88, fwd-mail-pip: 17
(4%)93, fwd-rcpt-pip: 0 (0%)93, fwd-data-chkpnt: 0 (0%)93,
write-header: 1 (0%)93, fwd-data-contents: 4 (1%)94, fwd-end-chkpnt: 8
(2%)96, prepare-dsn: 2 (0%)96, main_log_entry: 8 (2%)99, update_snmp:
4 (1%)99, SMTP pre-response: 0 (0%)100, SMTP res...
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) ...ponse: 0 (0%)100,
unlink-4-files: 0 (0%)100, rundown: 1 (0%)100
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) smtp session rundown,
cache off, idle 29.4 s, smtp:[127.0.0.1]:10027, state ehlo
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) smtp session rundown,
sending QUIT
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) smtp session rundown,
closing session smtp:[127.0.0.1]:10027
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) extra modules loaded:
unicore/lib/gc_sc/Digit.pl, unicore/lib/gc_sc/SpacePer.pl
Sep 20 10:10:43 smtp amavis[18853]: (18853-17) loaded policy bank "ORIGINATING"


Is there more I can supply to aid in finding the difference(s)?

I have the quarantined message on outbound.  The MX server is Red Hat 5 with
amavisd-new 2.6.6 from the DAG repository.  The SMTP server is Debian 6
with amavisd-new 2.6.4-3 from the regular squeeze repository.  Both
systems can detect Sanesecurity.Scam4.1615.UNOFFICIAL in a copy of the
quarantined file by a manual run of clamscan.
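Comparing the two traces above by eye is error-prone, so here is an added helper (not from this thread or from the amavisd-new project) that parses the per-part `Content-Type` lines and the final verdict out of amavis log text, keyed by task id, and diffs the two MIME trees; on the traces in this message it isolates exactly what differs (the text/plain and text/html part sizes). The sample lines are constructed from the traces quoted in this message, with the lines the mail client wrapped rejoined as they appear in the real log.

```python
import re

# Constructed sample trace modelled on the two amavisd-new logs quoted above (wrapped lines rejoined).
SAMPLE_LOG = """\
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p004 1 Content-Type: multipart/mixed
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p001 1/1/1 Content-Type: text/plain, size: 50 B, name:
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p002 1/1/2 Content-Type: text/html, size: 166 B, name:
Sep 20 05:52:40 mx20 amavis[1501]: (01501-02) p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please Read The Attachment For Your Assistance Is Needed..rtf
Sep 20 05:52:42 mx20 amavis[1501]: (01501-02) Passed CLEAN, [98.139.213.38] <sender@example.net> -> <jdoe@example.com>, Hits: 5.413, size: 7482
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p004 1 Content-Type: multipart/mixed
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p001 1/1/1 Content-Type: text/plain, size: 6930 B, name:
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p002 1/1/2 Content-Type: text/html, size: 17524 B, name:
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please Read The Attachment For Your Assistance Is Needed..rtf
Sep 20 10:10:20 smtp amavis[18853]: (18853-17) Blocked INFECTED (Sanesecurity.Scam4.1615.UNOFFICIAL), ORIGINATING/MYNETS LOCAL <john.doe@example.com> -> <spam@example.gov>, Hits: -, size: 32110
"""
PART_RE = re.compile(r"\((?P<task>[\w-]+)\) p\d+ (?P<path>[\d/]+) Content-Type: (?P<ctype>[^,\s]+)(?:, size: (?P<size>\d+) B)?")
VERDICT_RE = re.compile(r"\((?P<task>[\w-]+)\) (?P<verdict>(?:Passed|Blocked) [A-Z]+(?: \([^)]*\))?)")


def parse_tasks(log_text):
    """Group each task's MIME parts ({path: (content-type, size)}) and its final verdict by task id."""
    tasks = {}
    for line in log_text.splitlines():
        m = PART_RE.search(line)
        if m:  # multipart containers are logged without a size, so size is None for them
            size = int(m["size"]) if m["size"] else None
            tasks.setdefault(m["task"], {"parts": {}, "verdict": None})["parts"][m["path"]] = (m["ctype"], size)
            continue
        m = VERDICT_RE.search(line)
        if m:
            tasks.setdefault(m["task"], {"parts": {}, "verdict": None})["verdict"] = m["verdict"]
    return tasks

def diff_parts(a, b):
    """Return (path, field, a_value, b_value) for every part that differs between two MIME trees."""
    diffs = []
    for path in sorted(set(a) | set(b), key=lambda p: [int(x) for x in p.split("/")]):
        if path not in a or path not in b:  # a part present on one side only (e.g. a dropped multipart/related)
            diffs.append((path, "present", path in a, path in b))
            continue
        for field, va, vb in zip(("ctype", "size"), a[path], b[path]):
            if va != vb:
                diffs.append((path, field, va, vb))
    return diffs

if __name__ == "__main__":
    t = parse_tasks(SAMPLE_LOG)
    for d in diff_parts(t["01501-02"]["parts"], t["18853-17"]["parts"]):
        print("part %s: %s differs, inbound %r vs outbound %r" % d)
```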

