$final_bad_header_destiny = D_BOUNCE and Return-Path: <>, mail gets delivered unscanned

Leonard den Ottolander milter-greylist at ottolander.nl
Tue Jul 16 22:53:58 CEST 2013


Hello Hans,

On Sun, 2013-07-14 at 22:33 +0200, Hans Spaans wrote:
> Invalid and undesired are two different things.

In that case I'm of the opinion that amavis should not hand this mail
back to postfix without scanning it with spamassassin and/or for viruses
first like it does other mails that are accepted onto the system. Seems
like a bug in amavis to me. Which is why I reported this behaviour in
the first place.

> Only in this case your system can't bounce it back as the return path is
> already empty. Like said, it isn't invalid, but undesired and that is why
> amavis has a default configuration set to either DISCARD or PASS messages.
> With BOUNCE amavis will send the DSN (Delivery Status Notification) and
> with REJECT the MTA will generate the DSN.
> 
> So setting it to PASS will solve your problem

It does, but it does not fix the situation where someone uses D_BOUNCE
and has the mail enter the system unscanned as it could not be bounced.

> > > Source routing, haven't seen that one for years. You're willing to
> > > publish the IP?
> > 
> > Well, actually all the messages that managed to get through by using
> > this "no return path" trick do this. Could be a dozen or more.
> 
> It isn't a trick but a special purpose address as you shouldn't block
> e-mail from that address. That was also why it was/is a popular address
> for Sender Address Verification.

I didn't mean the source routing to be the trick. The trick is the
crafting of the email message:

No date header so it gets put into quarantine assuming
$final_bad_header_destiny = D_BOUNCE. And adding an empty return path so
it drops from the quarantine, resulting in an email message that is
clearly spam handed back to postfix without it being scanned. I'm
assuming the missing date header is left out to trigger this behaviour
as there are probably quite a few Red Hat/CentOS and possibly Fedora
systems out there that are configured with this default.

> > This particular address has a name that suggests a dynamic IP network
> > under the domain vologda.ru (shpd-2-2-2-2.vologda.ru).
> 
> It appears to be gone :(

I should have put quotes around that hostname. The 2s of course still
are a substitution. I didn't feel like sharing any IPs on a public
mailing list. And since this seems to be a dynamic IP range the current
holder of this particular IP might not be the one sending me the spam.

> If memory serves me right the following config modification should be
> enough to DKIM sign your e-mail for authenticated users.

I'll look into this another time but thanks for the pointers. For now I
disabled signing. I was sloppy to leave it on as I didn't intend any
signing to happen.

Thanks,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
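Added example (not amavis code, not from either poster): a small header check that models the pattern discussed above. It parses a raw message, reports whether the Date header is missing and whether the envelope sender is null, and maps that onto the administrator's $final_bad_header_destiny so the D_BOUNCE + "<>" case gets an explicit discard instead of falling through. The destiny string values and the sample message are constructed for this example.

```python
"""Header check for the bad-header / null-return-path pattern.

Models the policy described in the thread; it is not amavis's own logic.
"""
from email import message_from_string
from email.message import Message

# Destiny names follow amavisd.conf; the string values are this example's own.
D_PASS, D_BOUNCE, D_REJECT, D_DISCARD = "D_PASS", "D_BOUNCE", "D_REJECT", "D_DISCARD"


def missing_date(msg: Message) -> bool:
    """The one bad-header condition named in the thread: no Date header."""
    return msg.get("Date") is None


def null_return_path(msg: Message) -> bool:
    """A Return-Path of '<>' means no DSN can be sent back to the sender."""
    rp = msg.get("Return-Path")
    return rp is not None and rp.strip() in ("", "<>")


def bad_header_action(raw: str, destiny: str) -> str:
    """Decide what should happen to a message under the given destiny.

    Returns 'deliver' when there is no bad header, one of 'pass', 'bounce',
    'reject', 'discard' otherwise, and 'discard-unbounceable' for the
    D_BOUNCE + '<>' combination, which this check refuses to pass through.
    """
    msg = message_from_string(raw)
    if not missing_date(msg):
        return "deliver"
    if destiny == D_BOUNCE and null_return_path(msg):
        return "discard-unbounceable"
    return {D_PASS: "pass", D_BOUNCE: "bounce",
            D_REJECT: "reject", D_DISCARD: "discard"}[destiny]


# Constructed sample: no Date header, null envelope sender.
SAMPLE = (
    "Return-Path: <>\r\n"
    "From: someone@example.invalid\r\n"
    "To: me@example.invalid\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for d in (D_BOUNCE, D_PASS, D_DISCARD):
        print(d, "->", bad_header_action(SAMPLE, d))
```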
