Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

Mark Martinec Mark.Martinec+amavis at ijs.si
Mon Sep 24 10:08:42 CEST 2012


Francis,

> >> Here is a traced example of this problem.  The problem: a phishing block
> >> is working only on outbound.  The inbound of the same email is not
> >> being detected.
> 
> > It is not the same message in these two cases,
> > they have a different MIME structure. The second one
> > is missing the multipart/related with a image/jpeg image.
> 
> Sorry about that.  I think I've done a better trace this time.
> New message comes in on the MX with low spam score.
> When user attempts to report it to anti-spam and anti-fraud
> addresses, it is blocked successfully.  Both systems have
> Sanesecurity additions and I can see the MX is blocking many
> emails (122 Blocked INFECTED on Sanesecurity.Scam4.1615.UNOFFICIAL
> in recent days). Here is the log trace

Again, it is not the same message:

Inbound:
p004 1 Content-Type: multipart/mixed
p005 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 50 B, name:
p002 1/1/2 Content-Type: text/html, size: 166 B, name:
p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...

Outbound:
p004 1 Content-Type: multipart/mixed
p005 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 6930 B, name:
p002 1/1/2 Content-Type: text/html, size: 17524 B, name:
p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...

See sizes of text/plain and text/html MIME parts,
they are quite different, although the application/rtf part
seems to be the same.

  Mark


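As an added example (not part of this thread and not amavis code): a small Python script that parses amavisd-new per-part log lines like the ones quoted above and reports where two copies of a message differ, so a structural mismatch of this kind is found mechanically instead of by eye. The two listings embedded below are the inbound and outbound traces from the message above; the regex and function names are assumptions of this example.

```python
"""Compare two amavisd-new MIME part listings (the 'pNNN path Content-Type: ...'
lines) and report structural differences.  Example code, not from amavis."""
import re

# Matches e.g. "p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ..."
# (size and name are optional, as on multipart container lines).  Assumed format.
PART_RE = re.compile(
    r'^(?P<id>p\d+)\s+(?P<path>[\d/]+)\s+Content-Type:\s*(?P<ctype>[^,\s]+)'
    r'(?:,\s*size:\s*(?P<size>\d+)\s*B)?(?:,\s*name:\s*(?P<name>.*))?$'
)

# Constructed sample input: the inbound and outbound traces quoted in the thread.
INBOUND = """
p004 1 Content-Type: multipart/mixed
p005 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 50 B, name:
p002 1/1/2 Content-Type: text/html, size: 166 B, name:
p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...
"""
OUTBOUND = """
p004 1 Content-Type: multipart/mixed
p005 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 6930 B, name:
p002 1/1/2 Content-Type: text/html, size: 17524 B, name:
p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...
"""

def parse_parts(listing):
    """Return {mime_path: (content_type, size_or_None, name)} for each part line."""
    parts = {}
    for line in listing.strip().splitlines():
        m = PART_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a part line
        size = int(m.group('size')) if m.group('size') else None
        parts[m.group('path')] = (m.group('ctype'), size, (m.group('name') or '').strip())
    return parts

def diff_structure(a, b):
    """List (path, what, value_a, value_b) for every part that differs between a and b.
    An empty list means the two messages have the same MIME structure and part sizes."""
    diffs = []
    for path in sorted(set(a) | set(b), key=lambda p: [int(x) for x in p.split('/')]):
        pa, pb = a.get(path), b.get(path)
        if pa is None or pb is None:
            diffs.append((path, 'missing', pa, pb))
        elif pa[0] != pb[0]:
            diffs.append((path, 'content-type', pa[0], pb[0]))
        elif pa[1] != pb[1]:
            diffs.append((path, 'size', pa[1], pb[1]))
    return diffs

if __name__ == '__main__':
    for d in diff_structure(parse_parts(INBOUND), parse_parts(OUTBOUND)):
        print(d)
```

For the traces above it reports size differences on 1/1/1 and 1/1/2 only, which is exactly the discrepancy the reply points out.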