Mails misclassified from vBulletin Forum Software
Noel Jones
njones at megan.vbhcs.org
Wed Sep 10 20:17:42 CEST 2014
On 9/10/2014 12:54 PM, Joerg Rohrer wrote:
> On 10-09-2014 19:03, Noel Jones wrote:
>> On 9/10/2014 11:47 AM, Joerg Rohrer wrote:
>>> Hi
>>>
>>> On 10-09-2014 15:59, Ralf Hildebrandt wrote:
>>>> * Joerg Rohrer <joerg at joergi.ch>:
>>>>
>>>> "file" is to blame:
>>>>
>>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) result line from
>>>>> file(1): p001: Python script, UTF-8 Unicode text executable\n
>>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) lookup_re("Python
>>>>> script, UTF-8 Unicode text executable") matches key
>>>>> "(?^i:\bexecutable\b)", result="exe"
>>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) lookup
>>>>> [map_full_type_to_short_type] => true, "Python script, UTF-8
>>>>> Unicode text executable" matches, result="exe",
>>>>> matching_key="(?^i:\134bexecutable\134b)"
>>>
>>> Thanks for all of your answers. It makes absolute sense that file is
>>> the culprit.
>>> But why this happen all of a sudden? There were no obvious changes
>>> one the system (file, amavis, postfix).
>>
>> Perhaps the email contents changed. Do you have one in quarantine
>> you can examine? Maybe run file on it by hand?
>>
>> Regardless, check to see if an update for file(1) is available.
>>
>>
>> -- Noel Jones
>
> Thanks Noel for the hint. Indeed there were a change in the header.
> see below. don't know if that could be the reason.
> --------
> bad mail:
>
> Content-Type: text/plain; charset="ISO-8859-1"
> Date: Fri, 05 Sep 2014 00:10:24 +0200
>
> good mail:
>
> Content-Type: text/plain; charset="UTF-8"
> Date: Mon, 08 Sep 2014 00:10:22 +020
> --------
>
> Am i right sending side has change this?
>
> Thanks
> Jörg
Yes, those headers are defined by the sender. I don't know if this
is what is causing the misclassification. I suppose if you were
curious enough, you could look in your file "magic" database to see
what your version of file uses to determines a Python script. "man
file" or "man magic" might help.
It's also possible that the new content has some UTF-8 non-ascii
characters that are tripping up file(1). That's my wild guess.
Does the new Date: header really have "+020" for the offset, or is
that a copy/paste failure? Not sure a 3 digit offset is allowed...
but I didn't bother to actually check. I suppose that's covered in
RFC5322.
-- Noel Jones
More information about the amavis-users
mailing list