Mails misclassified from vBulletin Forum Software

Noel Jones njones at megan.vbhcs.org
Wed Sep 10 20:17:42 CEST 2014 

On 9/10/2014 12:54 PM, Joerg Rohrer wrote:
> On 10-09-2014 19:03, Noel Jones wrote:
>> On 9/10/2014 11:47 AM, Joerg Rohrer wrote:
>>> Hi
>>>
>>> On 10-09-2014 15:59, Ralf Hildebrandt wrote:
>>>> * Joerg Rohrer <joerg at joergi.ch>:
>>>>
>>>> "file" is to blame:
>>>>
>>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) result line from
>>>>> file(1): p001: Python script, UTF-8 Unicode text executable\n
>>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) lookup_re("Python
>>>>> script, UTF-8 Unicode text executable") matches key
>>>>> "(?^i:\bexecutable\b)", result="exe"
>>>>> Sep 10 15:21:00 alpha amavis[8825]: (08825-01) lookup
>>>>> [map_full_type_to_short_type] => true,  "Python script, UTF-8
>>>>> Unicode text executable" matches, result="exe",
>>>>> matching_key="(?^i:\134bexecutable\134b)"
>>>
>>> Thanks for all of your answers. It makes absolute sense that file is
>>> the culprit.
>>> But why this happen all of a sudden? There were no obvious changes
>>> one the system (file, amavis, postfix).
>>
>> Perhaps the email contents changed.  Do you have one in quarantine
>> you can examine?  Maybe run file on it by hand?
>>
>> Regardless, check to see if an update for file(1) is available.
>>
>>
>>   -- Noel Jones
> 
> Thanks Noel for the hint. Indeed there were a change in the header.
> see below. don't know if that could be the reason.
> --------
> bad mail:
> 
> Content-Type: text/plain; charset="ISO-8859-1"
> Date: Fri, 05 Sep 2014 00:10:24 +0200
> 
> good mail:
> 
> Content-Type: text/plain; charset="UTF-8"
> Date: Mon, 08 Sep 2014 00:10:22 +020
> --------
> 
> Am i right sending side has change this?
> 
> Thanks
> Jörg


Yes, those headers are defined by the sender.  I don't know if this
is what is causing the misclassification.  I suppose if you were
curious enough, you could look in your file "magic" database to see
what your version of file uses to determines a Python script. "man
file" or "man magic" might help.

It's also possible that the new content has some UTF-8 non-ascii
characters that are tripping up file(1).  That's my wild guess.

Does the new Date: header really have "+020" for the offset, or is
that a copy/paste failure?  Not sure a 3 digit offset is allowed...
 but I didn't bother to actually check.  I suppose that's covered in
RFC5322.


  -- Noel Jones

More information about the amavis-users mailing list