spam quarantined and relayed

btb listsb-amavis at bitrate.net
Wed Jul 23 16:52:08 CEST 2014 

certain [but not all] messages detected to be spam are being both 
quarantined and relayed, and generating a notification message.  i'm 
having trouble understanding/figuring out what particular 
characteristics result in this outcome, and what setting[s] relate to 
it.  details:

== notification message ==
Return-Path: amavis at example.com
Received: from msa.example.com (LHLO msa.example.com) (10.3.70.10) by
  mda.example.com with LMTP; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Received: from localhost (mfa.example.com [10.3.70.9])
	by msa.example.com (Postfix) with ESMTP id 3hJJb84pQBzJnJR
	for <postmaster at example.com>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Content-Type: multipart/mixed; boundary="----------=_1406124884-4231-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
From: "Content-filter at mfa.example.com" <amavis at example.com>
Date: Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Subject: Spam FROM [173.227.222.9]:14538
  <magnapubs++148+857779 at p.magnapubs.com>
To: <postmaster at example.com>
Message-ID: <SASeHI_Po1JO9s at mfa.example.com>

This is a multi-part message in MIME format...

------------=_1406124884-4231-0
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Content type: Spam
Internal reference code for the message is 04231-08-2/SeHI_Po1JO9s

First upstream SMTP client IP address: [173.227.222.9] mx9.mailzeen.net
According to a 'Received:' trace, the message apparently originated at:
   [173.227.222.9], mx9.maileen.net mx9.mailzeen.net [173.227.222.9]

Return-Path: <magnapubs++148+857779 at p.magnapubs.com>
From: "Magna Publications" <magnapubs at p.magnapubs.com>
Subject: Six reasons to attend The Teaching Professor Technology Conference
The message has been quarantined as: S/spam-SeHI_Po1JO9s.gz

The message WILL BE relayed to:
<user at example.com>

Spam scanner report:

------------=_1406124884-4231-0
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section

Return-Path: <magnapubs++148+857779 at p.magnapubs.com>
Received: from mx9.maileen.net (mx9.mailzeen.net [173.227.222.9])
	by mta1.example.com (Postfix) with ESMTP id 3hJJb83WGszJmxp
	for <user at example.com>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; d=p.magnapubs.com;s=magnapubs;
	c=relaxed/relaxed; q=dns/txt; t=1406124885;
	h=date:to:from:subject:content-transfer-encoding:list-unsubscribe:mime-version:content-type:content-length;
	bh=s+XgjWNhjyLTXD/LSSDtpYypBYk=;
	b=qzg0jsWumlBXUoSEYZMfHnVGGIUlDWjl6pNQRWWyKQudbFXgQhczg4HWthw+R+PoRgRnGJXgNwCbK9g2uvVnE30sLk58RViciN7CVzgRBohN/Vb8FgS+jvUygCm9AJkOQv+f2H4mIBdHGAzNQsTB3W/peNrRfJMt2NC159S2usI=
X-MailzeenID: magnapubs,148
X-IPRO:BLK, magnapubs, 857779, 119, 148
Date: Wed, 23 Jul 2014 07:02:02 -0500 (CDT)
To: user at example.com
From: "Magna Publications" <magnapubs at p.magnapubs.com>
Subject: Six reasons to attend The Teaching Professor Technology Conference
Importance: Normal
Content-Transfer-Encoding: 8bit
List-Unsubscribe: <http://ww1.magnapubs.com/unsub/119/857779X>
MIME-version: 1.0
Content-type: multipart/alternative;
     boundary="BoUnDaRyCmagnapubsM148D072314T"

------------=_1406124884-4231-0--

== amavis logs ==
Jul 23 10:14:44 mfa amavis[4231]: (04231-08-2) Passed SPAM 
{RelayedTaggedInbound,Quarantined}, external [173.227.222.9]:14538 
[173.227.222.9] <magnapubs++148+857779 at p.magnapubs.com> -> 
<user at example.com>, quarantine: S/spam-SeHI_Po1JO9s.gz, Queue-ID: 
3hJJb83WGszJmxp, mail_id: SeHI_Po1JO9s, Hits: -, size: 9196, queued_as: 
250 2.1.5 Delivery OK, 187 ms

== headers from the actual message ==
Return-Path: magnapubs++148+857779 at p.magnapubs.com
Received: from mfa.example.com (LHLO localhost) (10.3.70.9) by
  mda.example.com with LMTP; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
X-Quarantine-ID: <SeHI_Po1JO9s>
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: YES
X-Spam-Score: 64
X-Spam-Level: 
****************************************************************
X-Spam-Status: Yes, score=x required=5 BLACKLISTED tests=[]
	autolearn=unavailable
Authentication-Results: mfa.example.com (amavisd-new); dkim=fail 
(1024-bit key)
	reason="fail (message has been altered)" header.d=p.magnapubs.com
Received: from mta1.example.com ([10.3.70.5])
	by localhost (mfa.example.com [10.3.70.9]) (amavisd-new, port 11024)
	with LMTP id SeHI_Po1JO9s for <user at example.com>;
	Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Received: from mx9.maileen.net (mx9.mailzeen.net [173.227.222.9])
	by mta1.example.com (Postfix) with ESMTP id 3hJJb83WGszJmxp
	for <user at example.com>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; d=p.magnapubs.com;s=magnapubs;
	c=relaxed/relaxed; q=dns/txt; t=1406124885;
	h=date:to:from:subject:content-transfer-encoding:list-unsubscribe:mime-version:content-type:content-length;
	bh=s+XgjWNhjyLTXD/LSSDtpYypBYk=;
	b=qzg0jsWumlBXUoSEYZMfHnVGGIUlDWjl6pNQRWWyKQudbFXgQhczg4HWthw+R+PoRgRnGJXgNwCbK9g2uvVnE30sLk58RViciN7CVzgRBohN/Vb8FgS+jvUygCm9AJkOQv+f2H4mIBdHGAzNQsTB3W/peNrRfJMt2NC159S2usI=
X-MailzeenID: magnapubs,148
X-IPRO:BLK, magnapubs, 857779, 119, 148
Date: Wed, 23 Jul 2014 07:02:02 -0500 (CDT)
To: user at example.com
From: "Magna Publications" <magnapubs at p.magnapubs.com>
Subject: ***SPAM*** Six reasons to attend The Teaching Professor Technology
	Conference
Importance: Normal
Content-Transfer-Encoding: 8bit
List-Unsubscribe: <http://ww1.magnapubs.com/unsub/119/857779X>
MIME-version: 1.0
Content-type: multipart/alternative;
     boundary="BoUnDaRyCmagnapubsM148D072314T"

== some hopefully relevant bits from the amavis config ==
$mydomain   = 'example.com';
$myhostname = "mfa.$mydomain";

my $mda_host = "mda.$mydomain";
my $msa_host = "msa.$mydomain";

my $external_port = '11024';
my $internal_port = '11026';
my $mda_lmtp_port = '7025';
my $internal_reinject_port = '11027';
my $p0f_analyzer_port = '10032';

my($default_recipient)  = "postmaster\@$mydomain";
my($default_sender)     = "amavis\@$mydomain";

$inet_socket_port = undef;
@listen_sockets=(":$external_port", ":$internal_port");

$forward_method     = "lmtp:[$mda_host]:$mda_lmtp_port";
$notify_method      = "smtp:[$msa_host]:$internal_reinject_port";
$requeue_method     = "lmtp:[localhost]:$external_port";

$enable_dkim_verification = 1;

$sa_tag_level_deflt     = undef;
$sa_tag2_level_deflt    = 5.0;
$sa_kill_level_deflt    = 100;
$sa_dsn_cutoff_level    = 10;

$final_virus_destiny        = D_DISCARD;
$final_banned_destiny       = D_DISCARD;
$final_spam_destiny         = D_PASS;
$final_bad_header_destiny   = D_PASS;

$virus_admin        = $default_recipient;
$spam_admin         = $default_recipient;
$warnbannedsender   = undef;
$warnbadhsender     = undef;

$mailfrom_notify_admin      = $default_sender;
$mailfrom_notify_spamadmin  = $default_sender;
$mailfrom_notify_recip      = $default_sender;
$mailfrom_to_quarantine     = $default_sender;

$interface_policy{$external_port} = 'external';
$policy_bank{'external'} = {
     os_fingerprint_method => "p0f:*:$p0f_analyzer_port",
};

$interface_policy{$internal_port} = 'internal';
$policy_bank{'internal'} = {
     inet_acl            => [ '127.0.0.0/8', '[::1]', '10.3.70.10/32', 
'10.3.70.11/32', '10.68.0.0/16' ],
     forward_method      => "smtp:[$msa_host]:$internal_reinject_port",
     requeue_method      => "lmtp:[localhost]:$internal_port",

     final_spam_destiny          => D_DISCARD,
     final_bad_header_destiny    => D_DISCARD,
};

thanks
-ben

More information about the amavis-users mailing list