$final_bad_header_destiny = D_BOUNCE and Return-Path: <>, mail gets delivered unscanned

Hans Spaans hans at dailystuff.nl
Sat Jul 13 18:00:36 CEST 2013


Hello,

Leonard den Ottolander wrote on Sat 13-07-2013 at 15:34 [+0200]:
> Hello,
> 
> Lately I see a lot of mails like these come in unfiltered by
> spamassassin.
> 
> System is CentOS 6.4, using amavisd-new-2.8.0-4.el6.noarch from EPEL.
> Amavis configuration is mostly as shipped by Fedora, I can provide
> details if needed, but I think the relevant part here is:
> 
> $final_bad_header_destiny = D_BOUNCE;

The default is D_PASS, so did you change it or does Fedora supply amavis
with this setting? If the latter is the case, then a bug report may be
wise. Bouncing after an OK on the SMTP DATA phase will get you
blacklisted sooner or later. I prefer sooner btw ;-)

> Full mail header (edited names and IPs but not the X-Quarantine-ID):
> 
> Return-Path: <>
> X-Original-To: email at domain.nl
> Delivered-To: user at domain.nl
> Received: from localhost (localhost [127.0.0.1]) by mail.domain.nl
>  (Postfix) with ESMTP id D642542 for <email at domain.nl>; Fri, 14
>  Jun 2013 12:51:54 +0200 (CEST)
> X-Quarantine-ID: <Tw0-mNHoul_7>
> X-Virus-Scanned: amavisd-new at domain.nl
> X-Amavis-Alert: BAD HEADER SECTION, Missing required header field:
> "Date"

Nice notification, but a lot of mail generators forget these headers. You
may want to check your quarantine/logs to see if you don't lose any
e-mail from, say, your cable or energy company. This is also the reason
some checks in Postfix are not turned on, as they do not solve a spam
issue but may make some mails "disappear".

> Received: from mail.domain.nl ([127.0.0.1]) by localhost
>  (mail.domain.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id
>  Tw0-mNHoul_7 for <email at domain.nl>; Fri, 14 Jun 2013 12:51:54
>  +0200 (CEST)
> X-Greylist: delayed 503 seconds by postgrey-1.34 at host.domain.nl;
>  Fri, 14 Jun 2013 12:51:54 CEST
> Received: from remote.host.by (unknown
>  [1.1.1.1]) by mail.domain.nl (Postfix) with SMTP id 17C3440 for
>  <email at domain.nl>; Fri, 14 Jun 2013 12:51:53 +0200 (CEST)
> Received: from unknown (HELO localhost)
>  (from at domain.ru@2.2.2.2) by 1.1.1.1 with ESMTPA;

Source routing, haven't seen that one for years. You're willing to
publish the IP?

>  Fri, 14 Jun 2013 13:47:38 +0200
> X-Originating-IP: 2.2.2.2
> From: from at domain.ru
> To: email at domain.nl
> Subject: It has the Potential to be a Major
> Message-Id: <20130614105154.D642542 at mail.domain.nl>
> Date: Fri, 14 Jun 2013 12:51:54 +0200 (CEST)
> X-Evolution-Source: pop://user%40domain.nl@pop.domain.nl/
> Mime-Version: 1.0
> 
> 
> If the subject hadn't given it away yet
> $ spamassassin -t mail.txt | tail -21
> identifies the mail as spam:
> 
> Content analysis details:   (14.1 points, 5.0 required)
> 
>  pts rule name              description
> ---- ----------------------
> --------------------------------------------------
>  1.1 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
>  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>              [Blocked - see <http://www.spamcop.net/bl.shtml?1.1.1.1>]
>  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>                             [1.1.1.1 listed in zen.spamhaus.org]
>  0.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
>                             https://senderscore.org/blacklistlookup/
>                           [1.1.1.1 listed in bl.score.senderscore.com]
>  1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
>                            [1.1.1.1 listed in bb.barracudacentral.org]
>  0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
> address
>                             [1.1.1.1 listed in dnsbl.sorbs.net]
>  1.3 RDNS_NONE              Delivered to internal network by a host with
> no rDNS
>  3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
> addr
>                             1)
> 
> 
> The missing date header puts the mail in quarantine and the missing
> Return-Path breaks the bouncing so the mail gets sent without having
> been scanned by spamassassin:

Yes and no: the missing return-path is there to break the mail loop that
could otherwise emerge. It is a special case; you may want to read RFC
2822 if I'm not mistaken.

> 
<cut>
> 
> And the mail gets delivered to my mailbox.

You have set up amavis to use your address as an administrator address or
something like it?

> How can I assure that mail that fails to bounce at least gets scanned by
> spamassassin?

Reading your logs, your DKIM setup appears to be broken as it tries to
sign a non-local domain, but luckily doesn't have the right keys. You may
want to follow the submission-port style of signing if you mix a receiving
MTA with a sending MTA on the same box.

Hans
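The point about the null reverse-path can be made concrete. What follows is an added example, not code from this thread or from amavisd: it parses the quoted spam (rebuilt here as a constructed sample from the anonymised headers, without the Date and Message-Id that Postfix later added), reports the missing mandatory header, recognises `Return-Path: <>` as a message that must never be bounced (RFC 5321 section 4.5.5), and shows why a D_BOUNCE destiny needs an explicit quarantine fallback so that such mail is not released without content scanning. The decision table is an illustration of that rule, not amavisd's internal logic; the function names `parse_message`, `missing_required_headers`, `is_null_reverse_path` and `decide` are hypothetical.

```python
"""Model of bad-header handling for a message with a null reverse-path.

Added example for this thread; not amavisd's own code.  The sample message
is constructed from the anonymised headers quoted above, and the decision
table illustrates the RFC 5321 rule rather than amavisd internals.
"""
from email import message_from_string
from email.message import Message

# RFC 5322 section 3.6: header fields that must appear exactly once
REQUIRED_HEADERS = ("Date", "From")

# Constructed sample: the quoted spam as it would reach the bad-header check,
# i.e. before Postfix's cleanup added Date and Message-Id on local resubmission.
SAMPLE_MESSAGE = """\
Return-Path: <>
X-Original-To: email@domain.nl
Delivered-To: user@domain.nl
Received: from unknown (HELO localhost) (from@domain.ru@2.2.2.2)
 by 1.1.1.1 with ESMTPA; Fri, 14 Jun 2013 13:47:38 +0200
X-Originating-IP: 2.2.2.2
From: from@domain.ru
To: email@domain.nl
Subject: It has the Potential to be a Major
Mime-Version: 1.0

(body)
"""


def parse_message(raw: str) -> Message:
    """Parse an RFC 5322 message; the default policy returns plain string headers."""
    return message_from_string(raw)


def missing_required_headers(msg: Message) -> list:
    """Names of mandatory header fields absent from the header section."""
    return [name for name in REQUIRED_HEADERS if msg.get(name) is None]


def is_null_reverse_path(msg: Message) -> bool:
    """True when the envelope sender is the null address: the message is itself
    a notification and must never trigger another DSN (RFC 5321 section 4.5.5).
    A missing Return-Path is treated the same way, since there is then no
    address that could safely receive a bounce."""
    value = msg.get("Return-Path")
    return value is None or value.strip() == "<>"


def decide(msg: Message, destiny: str = "D_BOUNCE") -> str:
    """Action for a message under the configured $final_bad_header_destiny.

    Illustrative model only: the lesson is that D_BOUNCE needs a fallback
    for unbounceable mail, otherwise that mail escapes the content checks.
    """
    if not missing_required_headers(msg):
        return "deliver"            # header section is fine; nothing to do here
    if destiny == "D_PASS":
        return "deliver"            # amavisd default: only tag/alert, mail still flows
    if destiny == "D_DISCARD":
        return "discard"
    if destiny == "D_BOUNCE":
        if is_null_reverse_path(msg):
            return "quarantine"     # cannot bounce: keep it, never release unscanned
        return "bounce"             # post-DATA bounce; backscatter risk noted in thread
    raise ValueError(f"unknown destiny {destiny!r}")


if __name__ == "__main__":
    m = parse_message(SAMPLE_MESSAGE)
    print("missing headers:", missing_required_headers(m))
    print("null reverse-path:", is_null_reverse_path(m))
    for d in ("D_PASS", "D_BOUNCE", "D_DISCARD"):
        print(d, "->", decide(m, d))
```

Run stand-alone it prints the decision for each destiny; the interesting row is D_BOUNCE, where the null reverse-path turns the configured bounce into a quarantine instead of a silent unscanned delivery.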