Bad header quarantine question

Stephen Davies via amavis-users amavis-users at amavis.org
Fri Nov 22 00:51:51 CET 2013


The log certainly implies that milter did a discard but the following log 
extract also has that milter discard but the quarantine has worked.

Therefore, my original question stands.

Cheers,
Stephen

Nov 20 08:31:49 server sendmail[22466]: rAJM1iLw022466: from=<fraud at aexp.com>, 
size=12719, class=0, nrcpts=1, 
msgid=<WMA97K0UERUF8DGU66ZTE2SK84JHXZLV9S1YIU at benparts.com.au>, bodytype=7BIT, 
proto=ESMTP, daemon=MTA, relay=[217.207.146.52]
Nov 20 08:31:49 server amavis[7647]: (07647) Request: AM.PDP  
/var/amavis/tmp/afrAJM1iLw022466: <fraud at aexp.com> -> <john at benparts.com.au>
Nov 20 08:31:49 server amavis[7647]: (07647) Checking: yB-v0PDIQaNu AM.PDP-
SOCK [217.207.146.52] <fraud at aexp.com> -> <john at benparts.com.au>
Nov 20 08:31:49 server amavis[7647]: (07647) WARN: MIME::Parser error: 
unexpected end of header
Nov 20 08:31:49 server amavis[7647]: (07647) p.path BANNED:1 
john at benparts.com.au: "P=p004,L=1,M=multipart/mixed | 
P=p002,L=1/2,M=application/zip,T=zip,N=SCAN_001_11192013_002.zip | 
P=p005,L=1/2/1,T=exe,T=exe-ms,N=SCAN_001_11192013_002.exe", matching_key="(?-
xism:^\\.(exe-ms|dll)$)"
Nov 20 08:31:50 server amavis[7647]: (07647) local delivery: <> -> banned-
quarantine, mbx=/var/virusmails/banned-yB-v0PDIQaNu
Nov 20 08:31:50 server amavis[7647]: (07647) SEND from 
<virusalert at benparts.com.au> -> 
<virusalert at benparts.com.au>,ENVID=AM.07647.20131119T220150Z at server.benparts.com.au 
250 2.0.0 from MTA(smtp:[127.0.0.1]:25): 250 2.0.0 rAJM1oQS022734 Message 
accepted for delivery
Nov 20 08:31:50 server amavis[7647]: (07647) Blocked BANNED (.exe,.exe-
ms,SCAN_001_11192013_002.exe) {DiscardedInbound,Quarantined}, AM.PDP-SOCK 
[217.207.146.52] [217.207.146.52] <fraud at aexp.com> -> <john at benparts.com.au>, 
quarantine: banned-yB-v0PDIQaNu, Queue-ID: rAJM1iLw022466, Message-ID: 
<WMA97K0UERUF8DGU66ZTE2SK84JHXZLV9S1YIU at benparts.com.au>, mail_id: yB-
v0PDIQaNu, Hits: -, size: 13110, 1113 ms
Nov 20 08:31:50 server sendmail[22466]: rAJM1iLw022466: Milter: data, discard
Nov 20 08:31:50 server sendmail[22466]: rAJM1iLw022466: discarded

On Thursday, November 21, 2013 09:14:21 PM tejas sarade wrote:
> From the logs I can see that milter is discarding the mail.
> 
> I don't have much knowledge about sendmail and milter configuration.
> In this case amavis is trying to quarantine the mail but milter is telling
> sendmail to discard it.
> 
> 
> On Wed, Nov 20, 2013 at 3:43 AM, Stephen Davies via amavis-users <
> 
> amavis-users at amavis.org> wrote:
> > I thought that I had configured amavis to quarantine bad header mails but
> > the
> > quarantine is not happening.
> > 
> > The following mail log entries show that the bad header is detected and
> > apparently quarantined but there are no badh??? files in /var/virusmails.
> > 
> > What configuration glitch could lead to this behaviour?
> > 
> > Cheers and thanks,
> > Stephen
> > 
> > PS. Comparable banned quarantine is working as expected.
> > 
> > Nov 20 05:39:30 server sendmail[4148]: rAJJ9Q6x004148: from=<>, size=328,
> > class=0, nrcpts=1, msgid=<
> > 201311191909.rAJJ9Q6x004148 at server.benparts.com.au>,
> > proto=SMTP, daemon=MTA, relay=mm-168-146-121-178.dynamic.pppoe.mgts.by
> > [178.121.146.168] (may be forged)
> > Nov 20 05:39:30 server amavis[12111]: (12111) Request: AM.PDP
> > /var/amavis/tmp/afrAJJ9Q6x004148: <> -> <john at benparts.com.au>
> > Nov 20 05:39:30 server amavis[12111]: (12111) Checking: Pgs1-MflCzLG
> > AM.PDP-
> > SOCK [178.121.146.168] <> -> <john at benparts.com.au>
> > Nov 20 05:39:31 server amavis[12111]: (12111) local delivery: <> -> bad-
> > header-quarantine, mbx=/var/virusmails/badh-Pgs1-MflCzLG
> > Nov 20 05:39:31 server amavis[12111]: (12111) Blocked BAD-HEADER-0
> > {DiscardedInbound,Quarantined}, AM.PDP-SOCK [178.121.146.168]
> > [46.60.149.217]
> > <> -> <john at benparts.com.au>, quarantine: badh-Pgs1-MflCzLG, Queue-ID:
> > rAJJ9Q6x004148, mail_id: Pgs1-MflCzLG, Hits: -, size: 532, 25 ms
> > Nov 20 05:39:31 server sendmail[4148]: rAJJ9Q6x004148: Milter: data,
> > discard
> > Nov 20 05:39:31 server sendmail[4148]: rAJJ9Q6x004148: discarded
> > 
> > --
> > 
> > =============================================================================
> > Stephen Davies Consulting P/L                           Phone: 08-8177 1595
> > Adelaide, South Australia.                                Mobile:040 304 0583
> > Records & Collections Management.

-- 
=============================================================================
Stephen Davies Consulting P/L                           Phone: 08-8177 1595
Adelaide, South Australia.                                Mobile:040 304 0583
Records & Collections Management.
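
The comparison made in this message (the milter discard appears in both extracts, but the quarantine file exists in only one) can be checked mechanically against a mail log. The following is an added example, not part of the original thread or of amavis; the sample lines are the thread's own log entries unwrapped onto single lines, and the function name `audit_quarantine` and its `exists` hook are assumptions of this example.

```python
import os
import re

# Log entries taken from the two extracts in this thread, unwrapped to one line each.
SAMPLE_LOG = """\
Nov 20 05:39:31 server amavis[12111]: (12111) local delivery: <> -> bad-header-quarantine, mbx=/var/virusmails/badh-Pgs1-MflCzLG
Nov 20 05:39:31 server amavis[12111]: (12111) Blocked BAD-HEADER-0 {DiscardedInbound,Quarantined}, AM.PDP-SOCK [178.121.146.168] [46.60.149.217] <> -> <john at benparts.com.au>, quarantine: badh-Pgs1-MflCzLG, Queue-ID: rAJJ9Q6x004148, mail_id: Pgs1-MflCzLG, Hits: -, size: 532, 25 ms
Nov 20 05:39:31 server sendmail[4148]: rAJJ9Q6x004148: Milter: data, discard
Nov 20 08:31:50 server amavis[7647]: (07647) local delivery: <> -> banned-quarantine, mbx=/var/virusmails/banned-yB-v0PDIQaNu
Nov 20 08:31:50 server amavis[7647]: (07647) Blocked BANNED (.exe,.exe-ms,SCAN_001_11192013_002.exe) {DiscardedInbound,Quarantined}, AM.PDP-SOCK [217.207.146.52] [217.207.146.52] <fraud at aexp.com> -> <john at benparts.com.au>, quarantine: banned-yB-v0PDIQaNu, Queue-ID: rAJM1iLw022466, mail_id: yB-v0PDIQaNu, Hits: -, size: 13110, 1113 ms
Nov 20 08:31:50 server sendmail[22466]: rAJM1iLw022466: Milter: data, discard
"""

MBX_RE = re.compile(r"amavis\[\d+\]: \(\S+\) local delivery: .*?mbx=(\S+)")
BLOCKED_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Blocked (\S+) .*?quarantine: ([^,\s]+), Queue-ID: (\w+)")
DISCARD_RE = re.compile(r"sendmail\[\d+\]: (\w+): Milter: data, discard")


def audit_quarantine(log_text, exists=os.path.exists):
    """Pair each amavis 'Blocked' entry with its logged mbx path, the sendmail
    milter verdict for the same Queue-ID, and whether the file is on disk."""
    mbx_by_name = {}   # quarantine file name -> full path amavis logged
    discarded = set()  # queue IDs for which sendmail logged a milter discard
    blocked = []       # (category, quarantine name, queue ID)
    for line in log_text.splitlines():
        if m := MBX_RE.search(line):
            mbx_by_name[os.path.basename(m.group(1))] = m.group(1)
        elif m := BLOCKED_RE.search(line):
            blocked.append(m.groups())
        elif m := DISCARD_RE.search(line):
            discarded.add(m.group(1))
    report = []
    for category, name, queue_id in blocked:
        path = mbx_by_name.get(name)
        report.append({
            "category": category,
            "queue_id": queue_id,
            "mbx": path,
            "milter_discard": queue_id in discarded,
            "on_disk": bool(path) and exists(path),
        })
    return report


if __name__ == "__main__":
    for row in audit_quarantine(SAMPLE_LOG):
        print(row)
```

Run against the real log with the default `exists`, an entry with `milter_discard` true and `on_disk` false is the case the original question describes.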

