malware with BAD HEADER, MIME error not blocked
Mark Martinec
Mark.Martinec+amavis at ijs.si
Thu Mar 31 15:09:34 CEST 2016
On 2016-03-31 11:54, MI wrote:
> There seems to be a wave of malware emails for which Amavis complains
> about a bad header, and then apparently skips the attachment scanning.
> So the mail goes through.
>
> This is the header which Amavis adds to the email:
>
>> X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse
>> head;
>> error near:; Content-Transfer-Encoding: base64
>
> Is there anything that can be done about that?
>
> First, I don't really see what the MIME error may be. Nor does
> Thunderbird, which can extract the attachment.
> This is how one such mail looks. Maybe someone can spot what Amavis
> doesn't like in the headers?
The error is in an incorrectly wrapped Content-Type header field,
where the continuation line does not start with a space or tab,
so the broken MIME part does not get base64-decoded.
>> Content-Type: application/octet-stream; x-unix-mode=0600;
>> name="hostmaster_document_4876E9.rar"
>> Content-Transfer-Encoding: base64
> Is there a way to ask amavis to check a single mail from the
> command-line with debugging output?
Not really, although you can use the amavisd-submit utility
to feed a mail directly to an amavisd socket, and you may
use a policy bank to raise a log level on a mail submitted
through such a dedicated socket.
> I don't want to just blindly block any email with a bad header, from
> fear of blocking too many normal mails sent by a stupid client
> program.
You may use a SpamAssassin rule like the following to
capture such an invalid wrap:
full L_INV_NAME_WRAP /^Content-Type:.*\nname="/mi
score L_INV_NAME_WRAP 20
Also, the SaneSecurity 3rd-party rules for ClamAV seem to be
able to catch these.
Mark
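As an added illustration (not part of the thread), the following Python script reproduces the defect on a constructed message: the unindented name="..." line ends the part's header section early, so the parser never sees the Content-Transfer-Encoding and hands back the undecoded body, and has_invalid_name_wrap() applies the same regex as Mark's L_INV_NAME_WRAP rule. The sample message, addresses and attachment name are all made up.

```python
import email
import re
from email import policy

# Constructed sample: a multipart message whose attachment part has its
# Content-Type header folded WITHOUT a leading space/tab on the second
# line, the defect described in the thread.  Nothing here is real mail.
BAD_FOLD = (
    b"From: sender@example.invalid\r\n"
    b"To: rcpt@example.invalid\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
    b"\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attachment\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: application/octet-stream; x-unix-mode=0600;\r\n"
    b'name="document.rar"\r\n'  # continuation line is NOT indented
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UmFyIQ==\r\n"             # base64 of the constructed bytes b"Rar!"
    b"--BOUNDARY--\r\n"
)
# The same message with the fold done correctly (leading space).
GOOD_FOLD = BAD_FOLD.replace(b'\r\nname="', b'\r\n name="')

# Same pattern as the SpamAssassin rule in the thread:
# a Content-Type line immediately followed by a line starting with name="
INV_NAME_WRAP = re.compile(rb'^Content-Type:.*\nname="', re.M | re.I)


def has_invalid_name_wrap(raw: bytes) -> bool:
    """True if the raw message contains the broken fold the rule targets."""
    return INV_NAME_WRAP.search(raw) is not None


def attachment_status(raw: bytes) -> dict:
    """Parse the message and report what a MIME parser sees for the last part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = list(msg.iter_parts())[-1]
    return {
        "defects": [type(d).__name__ for d in part.defects],
        "cte": part.get("Content-Transfer-Encoding"),  # None when fold is broken
        "payload": part.get_payload(decode=True),      # raw body when undecodable
    }
```

With the broken fold the part carries a MissingHeaderBodySeparatorDefect, has no Content-Transfer-Encoding, and its "payload" starts with the stray name=" line rather than the decoded attachment, which is why a scanner that relies on decoded MIME parts sees nothing to scan.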