malware with BAD HEADER, MIME error not blocked

MI mi.lists at
Thu Mar 31 11:54:52 CEST 2016

There seems to be a wave of malware emails for which Amavis complains about a bad 
header, and then apparently skips the attachment scanning. So the mail goes through.

This is the header which Amavis adds to the email:

> X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse head;
>     error near:; Content-Transfer-Encoding: base64

Is there anything that can be done about that?

First, I don't really see what the MIME error may be. Nor does Thunderbird, which can 
extract the attachment.

Is there a way to ask amavis to check a single mail from the command-line with 
debugging output?

This is how one such mail looks. Maybe someone can spot what Amavis doesn't like in 
the headers?

> Content-Type: multipart/mixed; 
> boundary="Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA"
> ...
> Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))

> --Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/plain; charset=utf-8
> Dear hostmaster,
> [etc.]
> --Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA
> Content-Disposition: inline; filename="hostmaster_document_4876E9.rar"
> Content-Type: application/octet-stream; x-unix-mode=0600;
> name="hostmaster_document_4876E9.rar"
> Content-Transfer-Encoding: base64
> [etc.]
> bUB+83/0xD17AEAHAA==
> --Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA--

I don't want to just blindly block any email with a bad header, for fear of blocking 
too many normal mails sent by a stupid client program.
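
A strict check of each MIME part's head, as an added example that is not part of the original post or of Amavis: it flags lines that are neither a header field nor a folded continuation under RFC 5322, a class of defect that lenient mail clients tolerate. The function names, the boundary `b1` and the sample message are constructed for illustration.

```python
import re

# RFC 5322 field name: printable ASCII except space and ':', then a colon.
FIELD = re.compile(r"^[!-9;-~]+[ \t]*:")

def check_head(lines):
    """Return (line_no, text, reason) for each line that breaks head syntax.
    Scanning stops at the first empty line, which ends the head."""
    problems, seen_field = [], False
    for no, line in enumerate(lines, 1):
        if line == "":
            break
        if line[0] in " \t":          # folded continuation of the previous field
            if not seen_field:
                problems.append((no, line, "continuation before any field"))
        elif FIELD.match(line):
            seen_field = True
        else:                         # unindented continuation or body without blank line
            problems.append((no, line, "neither a field nor a folded continuation"))
    return problems

def check_parts(raw, boundary):
    """Run check_head on every body part delimited by --boundary."""
    findings, part, head = {}, 0, None
    for line in raw.splitlines():
        if line.startswith("--" + boundary):
            if head is not None:
                findings[part] = check_head(head)
            if line.rstrip() == "--" + boundary + "--":
                break                 # close delimiter: no further parts
            part, head = part + 1, []
        elif head is not None:
            head.append(line)
    return findings

# Constructed sample: part 2 has a parameter line that is not indented.
SAMPLE = "\n".join([
    "--b1", "Content-Type: text/plain; charset=utf-8",
    "Content-Transfer-Encoding: quoted-printable", "", "Hello",
    "--b1", "Content-Type: application/octet-stream;",
    'name="sample.bin"', "Content-Transfer-Encoding: base64", "", "AAAA",
    "--b1--",
])

if __name__ == "__main__":
    for part, problems in check_parts(SAMPLE, "b1").items():
        for no, text, reason in problems:
            print(f"part {part}, head line {no}: {reason}: {text!r}")
```

Run it against the raw message as stored on the mail server, since archives and mail clients may rewrap or strip leading whitespace.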
