malware with BAD HEADER, MIME error not blocked
MI
mi.lists at alma.ch
Thu Mar 31 11:54:52 CEST 2016
There seems to be a wave of malware emails for which Amavis complains about a bad
header, and then apparently skips the attachment scanning. So the mail goes through.
This is the header which Amavis adds to the email:
> X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse head;
> error near:; Content-Transfer-Encoding: base64
Is there anything that can be done about that?
First, I don't really see what the MIME error may be. Nor does Thunderbird, which can
extract the attachment.
Is there a way to ask amavis to check a single mail from the command-line with
debugging output?
This is how one such mail looks. Maybe someone can spot what Amavis doesn't like in
the headers?
> Content-Type: multipart/mixed;
> boundary="Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA"
> ...
> Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))
>
>
> --Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/plain; charset=utf-8
>
> Dear hostmaster,
>
> [etc.]
>
> --Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA
> Content-Disposition: inline; filename="hostmaster_document_4876E9.rar"
> Content-Type: application/octet-stream; x-unix-mode=0600;
> name="hostmaster_document_4876E9.rar"
> Content-Transfer-Encoding: base64
>
> UmFyIRoHAM+QcwAADQAAAAAAAADN9nQgkCYAxwUAAE8hAAACsaEbYEZ1fkgdMwEAIgAAADMA
> [etc.]
> bUB+83/0xD17AEAHAA==
> --Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA--
I don't want to just blindly block any email with a bad header, for fear of blocking
too many normal mails sent by a stupid client program.
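
An added example, not part of the original post or of Amavis: a standalone check using Python's standard `email` parser (a different parser from the one inside Amavis, so its findings can differ) that lists parse defects per MIME part and flags parts carrying both a filename and a defect. The sample message and the names `mime_defect_report` and `risky_parts` are constructed for illustration; the sample's defect is not claimed to be the one in the mail above.

```python
import email
import sys
from email import policy

# Constructed sample (not the mail from the post): the attachment part has a
# stray non-header line inside its header block, before the blank separator.
SAMPLE = b"""\
From: sender@example.com
To: hostmaster@example.com
Subject: constructed sample
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=utf-8

Dear hostmaster,

--BOUNDARY
Content-Disposition: inline; filename="sample.rar"
Content-Type: application/octet-stream; name="sample.rar"
this line is not a header
Content-Transfer-Encoding: base64

UmFyIRoHAA==
--BOUNDARY--
"""


def mime_defect_report(raw: bytes):
    """Return one dict per MIME part: index, content type, filename, defect names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for index, part in enumerate(msg.walk()):
        names = [type(d).__name__ for d in part.defects]  # structural defects
        for _, value in part.items():                      # per-header defects
            names += [type(d).__name__ for d in getattr(value, "defects", [])]
        report.append({"part": index, "type": part.get_content_type(),
                       "filename": part.get_filename(), "defects": names})
    return report


def risky_parts(raw: bytes):
    """Parts with a filename AND a parse defect: narrower than 'any bad header'."""
    return [p for p in mime_defect_report(raw) if p["filename"] and p["defects"]]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(*mime_defect_report(data), sep="\n")
```

Run with the path of a saved raw message as the only argument to see which part the parser objects to; without an argument it reports on the constructed sample.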