Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does
Mark Martinec
Mark.Martinec+amavis at ijs.si
Mon Sep 24 10:08:42 CEST 2012
Francis,
> >> Here is a traced example of this problem. The problem: a phishing block
> >> is working only on outbound. The inbound of the same email is not
> >> being detected.
>
> > It is not the same message in these two cases,
> > they have a different MIME structure. The second one
> > is missing the multipart/related with an image/jpeg image.
>
> Sorry about that. I think I've done a better trace this time.
> New message comes in on the MX with low spam score.
> When user attempts to report it to anti-spam and anti-fraud
> addresses, it is blocked successfully. Both systems have
> Sanesecurity additions and I can see the MX is blocking many
> emails (122 Blocked INFECTED on Sanesecurity.Scam4.1615.UNOFFICIAL
> in recent days). Here is the log trace
Again, it is not the same message:

Inbound:
p004 1 Content-Type: multipart/mixed
p005 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 50 B, name:
p002 1/1/2 Content-Type: text/html, size: 166 B, name:
p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...

Outbound:
p004 1 Content-Type: multipart/mixed
p005 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 6930 B, name:
p002 1/1/2 Content-Type: text/html, size: 17524 B, name:
p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...

See sizes of text/plain and text/html MIME parts,
they are quite different, although the application/rtf part
seems to be the same.
Mark
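
The comparison made in the message above can be scripted before comparing scanner verdicts. The following is an added example, not part of the original post and not amavisd-new code: it uses Python's standard email package, the function names are hypothetical, and the two sample messages are constructed with filler content to match the part types and sizes quoted in the log lines.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def mime_outline(raw: bytes):
    """Return [(path, content_type, decoded_size)] for every MIME part.
    Containers get size None; leaf sizes are after base64/QP decoding."""
    rows = []
    def walk(part, path):
        if part.is_multipart():
            rows.append((path, part.get_content_type(), None))
            for i, child in enumerate(part.get_payload(), 1):
                walk(child, f"{path}/{i}")
        else:
            body = part.get_payload(decode=True) or b""
            rows.append((path, part.get_content_type(), len(body)))
    walk(message_from_bytes(raw), "1")
    return rows

def outline_diff(a: bytes, b: bytes):
    """Return (path, a_entry, b_entry) for parts whose type or size differ."""
    oa = {p: (t, s) for p, t, s in mime_outline(a)}
    ob = {p: (t, s) for p, t, s in mime_outline(b)}
    return [(p, oa.get(p), ob.get(p))
            for p in sorted(oa.keys() | ob.keys()) if oa.get(p) != ob.get(p)]

def build_sample(plain_len, html_len, rtf_len) -> bytes:
    """Constructed stand-in for a captured message (filler content only)."""
    fill = lambda n: (("A" * 63 + "\n") * (n // 64 + 1))[:n]
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText(fill(plain_len), "plain"))
    alt.attach(MIMEText(fill(html_len), "html"))
    top = MIMEMultipart("mixed")
    top.attach(alt)
    top.attach(MIMEApplication(b"\x00" * rtf_len, "rtf"))
    return top.as_bytes()

# Constructed samples using the part sizes quoted in the message above.
INBOUND = build_sample(50, 166, 2831)
OUTBOUND = build_sample(6930, 17524, 2831)

if __name__ == "__main__":
    for path, inbound, outbound in outline_diff(INBOUND, OUTBOUND):
        print(f"{path}: inbound={inbound} outbound={outbound}")
```

An empty diff is only a first check that both scanners were handed the same message; matching outlines do not prove the part contents are identical.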