$final_bad_header_destiny = D_BOUNCE and Return-Path: <>, mail gets delivered unscanned
Leonard den Ottolander
milter-greylist at ottolander.nl
Sat Jul 13 15:34:07 CEST 2013
Hello,
Lately I see a lot of mails like these come in unfiltered by
spamassassin.
System is CentOS 6.4, using amavisd-new-2.8.0-4.el6.noarch from EPEL.
Amavis configuration is mostly as shipped by Fedora, I can provide
details if needed, but I think the relevant part here is:
$final_bad_header_destiny = D_BOUNCE;
Full mail header (edited names and IPs but not the X-Quarantine-ID):
Return-Path: <>
X-Original-To: email at domain.nl
Delivered-To: user at domain.nl
Received: from localhost (localhost [127.0.0.1]) by mail.domain.nl
(Postfix) with ESMTP id D642542 for <email at domain.nl>; Fri, 14
Jun 2013 12:51:54 +0200 (CEST)
X-Quarantine-ID: <Tw0-mNHoul_7>
X-Virus-Scanned: amavisd-new at domain.nl
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field:
"Date"
Received: from mail.domain.nl ([127.0.0.1]) by localhost
(mail.domain.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id
Tw0-mNHoul_7 for <email at domain.nl>; Fri, 14 Jun 2013 12:51:54
+0200 (CEST)
X-Greylist: delayed 503 seconds by postgrey-1.34 at host.domain.nl;
Fri, 14 Jun 2013 12:51:54 CEST
Received: from remote.host.by (unknown
[1.1.1.1]) by mail.domain.nl (Postfix) with SMTP id 17C3440 for
<email at domain.nl>; Fri, 14 Jun 2013 12:51:53 +0200 (CEST)
Received: from unknown (HELO localhost)
(from at domain.ru@2.2.2.2) by 1.1.1.1 with ESMTPA;
Fri, 14 Jun 2013 13:47:38 +0200
X-Originating-IP: 2.2.2.2
From: from at domain.ru
To: email at domain.nl
Subject: It has the Potential to be a Major
Message-Id: <20130614105154.D642542 at mail.domain.nl>
Date: Fri, 14 Jun 2013 12:51:54 +0200 (CEST)
X-Evolution-Source: pop://user%40domain.nl@pop.domain.nl/
Mime-Version: 1.0
If the subject hadn't given it away yet
$ spamassassin -t mail.txt | tail -21
identifies the mail as spam:
Content analysis details: (14.1 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
1.1 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?1.1.1.1>]
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[1.1.1.1 listed in zen.spamhaus.org]
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[1.1.1.1 listed in bl.score.senderscore.com]
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[1.1.1.1 listed in bb.barracudacentral.org]
0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
[1.1.1.1 listed in dnsbl.sorbs.net]
1.3 RDNS_NONE Delivered to internal network by a host with
no rDNS
3.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP
addr
1)
The missing date header puts the mail in quarantine and the missing
Return-Path breaks the bouncing so the mail gets sent without having
been scanned by spamassassin:
Jun 14 12:51:52 host postfix/smtpd[2212]: warning: 1.1.1.1: hostname
remote.host.by verification failed: Name or service not known
Jun 14 12:51:52 host postfix/smtpd[2212]: connect from unknown[1.1.1.1]
Jun 14 12:51:54 host postgrey[2124]: action=pass, reason=triplet found,
delay=503, client_name=unknown, client_address=1.1.1.1,
recipient=email at domain.nl
Jun 14 12:51:54 host postfix/smtpd[2212]: 17C3440:
client=unknown[1.1.1.1]
Jun 14 12:51:54 host postfix/cleanup[2216]: 17C3440: message-id=<>
Jun 14 12:51:54 host postfix/qmgr[16541]: 17C3440: from=<>, size=1911,
nrcpt=1 (queue active)
Jun 14 12:51:54 host amavis[22277]: (22277-16) loaded policy bank
"MYNETS"
Jun 14 12:51:54 host amavis[22277]: (22277-16)
LMTP::10024 /var/spool/amavisd/tmp/amavis-20130614T045914-22277-5EuQaI7P: <> -> <email at domain.nl> SIZE=1911 Received: from mail.domain.nl ([127.0.0.1]) by localhost (mail.domain.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <email at domain.nl>; Fri, 14 Jun 2013 12:51:54 +0200 (CEST)
Jun 14 12:51:54 host amavis[22277]: (22277-16) Checking: Tw0-mNHoul_7
MYNETS <> -> <email at domain.nl>
Jun 14 12:51:54 host amavis[22277]: (22277-16) p001 1 Content-Type:
text/plain, size: 1280 B, name:
Jun 14 12:51:54 host amavis[22277]: (22277-16) check_header: 7, Missing
required header field: "Date"
Jun 14 12:51:54 host amavis[22277]: (22277-16) bounce unverifiable,
originating, <> -> <email at domain.nl>
Jun 14 12:51:54 host amavis[22277]: (22277-16) allow bad header section
from (sender=<>) <> -> <email at domain.nl>: Missing required header field:
"Date"
Jun 14 12:51:54 host amavis[22277]: (22277-16) header_edits_for_quar: <>
-> <email at domain.nl>, No, score=x tag=x tag2=x kill=x tests=[]
autolearn=unavailable
Jun 14 12:51:54 host amavis[22277]: (22277-16) local delivery: <> ->
bad-header-quarantine,
mbx=/var/spool/amavisd/quarantine/badh-Tw0-mNHoul_7
Jun 14 12:51:54 host amavis[22277]: (22277-16) dkim: candidate
originators: From:<from at domain.ru>
Jun 14 12:51:54 host amavis[22277]: (22277-16) dkim: not signing, empty
signing domain, From: <from at domain.ru>
Jun 14 12:51:54 host postfix/smtpd[2041]: connect from
localhost[127.0.0.1]
Jun 14 12:51:54 host postfix/smtpd[2041]: D642542:
client=localhost[127.0.0.1]
Jun 14 12:51:54 host postfix/cleanup[2216]: D642542:
message-id=<20130614105154.D642542 at mail.domain.nl>
Jun 14 12:51:54 host postfix/smtpd[2041]: disconnect from
localhost[127.0.0.1]
Jun 14 12:51:54 host postfix/qmgr[16541]: D642542: from=<>, size=2574,
nrcpt=1 (queue active)
Jun 14 12:51:54 host amavis[22277]: (22277-16) FWD from <> ->
<email at domain.nl>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025):
250 2.0.0 Ok: queued as D642542
Jun 14 12:51:54 host amavis[22277]: (22277-16) Passed BAD-HEADER-7
{RelayedInternal,Quarantined}, MYNETS [2.2.2.2] <> -> <email at domain.nl>,
quarantine: badh-Tw0-mNHoul_7, mail_id: Tw0-mNHoul_7, Hits: -, size:
1911, queued_as: D642542, 131 ms
Jun 14 12:51:54 host postfix/lmtp[2217]: 17C3440: to=<email at domain.nl>,
relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=1.2/0.01/0/0.13,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as D642542)
Jun 14 12:51:54 host amavis[22277]: (22277-16) size: 1911, TIMING [total
133 ms] - SMTP greeting: 1 (1%)1, SMTP LHLO: 0 (0%)1, SMTP pre-MAIL: 0
(0%)1, SMTP pre-DATA-flush: 1 (1%)2, SMTP DATA: 39 (30%)31, check_init:
0 (0%)31, digest_hdr: 0 (0%)32, digest_body_dkim: 0 (0%)32, mime_decode:
3 (2%)34, get-file-type1: 8 (6%)39, decompose_part: 1 (1%)40,
parts_decode: 0 (0%)40, check_header: 1 (0%)40, AV-scan-1: 4 (3%)43,
decide_mail_destiny: 0 (0%)43, notif-quar: 0 (0%)43, quar-hdrs: 0
(0%)44, stat-mbx: 1 (1%)44, open-mbx: 0 (0%)44, write-header: 0 (0%)45,
save-to-local-mailbox: 0 (0%)45, fwd-connect: 2 (2%)46, fwd-mail-pip: 1
(1%)47, fwd-rcpt-pip: 0 (0%)47, fwd-data-chkpnt: 0 (0%)47, write-header:
0 (0%)47, fwd-data-contents: 0 (0%)47, fwd-end-chkpnt: 65 (49%)96,
prepare-dsn: 0 (0%)96, main_log_entry: 3 (2%)98, update_snmp: 1 (1%)99,
SMTP pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-2-files:
0 (0%)100, rundown: 0 (0%)100
Jun 14 12:51:54 host postfix/qmgr[16541]: 17C3440: removed
Jun 14 12:51:54 host postfix/virtual[2220]: D642542:
to=<user at domain.nl>, orig_to=<email at domain.nl>, relay=virtual,
delay=0.11, delays=0.07/0.01/0/0.04, dsn=2.0.0, status=sent (delivered
to maildir)
Jun 14 12:51:54 host postfix/qmgr[16541]: D642542: removed
Jun 14 12:51:55 host postfix/smtpd[2212]: disconnect from
unknown[1.1.1.1]
And the mail gets delivered to my mailbox.
How can I assure that mail that fails to bounce at least gets scanned by
spamassassin?
Regards,
Leonard.
More information about the amavis-users
mailing list