malware with BAD HEADER, MIME error not blocked

Mark Martinec Mark.Martinec+amavis at
Thu Mar 31 15:09:34 CEST 2016

On 2016-03-31 11:54, MI wrote:
> There seems to be a wave of malware emails for which Amavis complains
> about a bad header, and then apparently skips the attachment scanning.
> So the mail goes through.
> This is the header which Amavis adds to the email:
>> X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse 
>> head;
>>     error near:; Content-Transfer-Encoding: base64
> Is there anything that can be done about that?
> First, I don't really see what the MIME error may be. Nor does
> Thunderbird, which can extract the attachment.

> This is how one such mail looks. Maybe someone can spot what Amavis
> doesn't like in the headers?

The error is in incorrectly wrapped Content-Type header field,
where the continuation line does not start with a space or tab,
so the broken MIME part does not get base64-decoded.

>> Content-Type: application/octet-stream; x-unix-mode=0600;
>> name="hostmaster_document_4876E9.rar"
>> Content-Transfer-Encoding: base64

> Is there a way to ask amavis to check a single mail from the
> command-line with debugging output?

Not really, although you can use the amavisd-submit utility
to feed a mail directly to an amavisd socket, and you may
use a policy bank to rise a log level on a mail submitted
through such dedicated socket.

> I don'twant to just blindly block any email with a bad header, from
> fear of blocking too many normal mails sent by a stupid client
> program.

You may use a SpamAssassin rule like the following to
capture such invalid wrap:

full   L_INV_NAME_WRAP /^Content-Type:.*\nname="/mi
score  L_INV_NAME_WRAP 20

Also, the SaneSecurity 3rd party rules to ClamAV seem to be
able to catch these.


More information about the amavis-users mailing list