What does "UNCHECKED" really mean?
ea80.net
info at ea80.net
Mon Jun 16 11:51:36 CEST 2025
Hi,
It could be a password-protected zip attachment that prevents the virus scanner from opening and scanning the contents…
regards
MK
From: amavis-users <amavis-users-bounces+info=ea80.net at amavis.org> On behalf of Nick Tait
Sent: Monday, 16 June 2025 11:24
To: Amavis Users Mailing List <amavis-users at amavis.org>
Subject: What does "UNCHECKED" really mean?
Hi list.
It appears that every email one of my users receives from a particular company logs "Passed UNCHECKED {AcceptedInbound}", but for the life of me I've been unable to understand exactly what this means, or why it is doing it for just one sender. Initially I had assumed that something had prevented the email from being SPAM-checked and/or virus-scanned, but I took a closer look at one of these emails, and it contains headers to the contrary...
I'm using Postfix with Amavis invoked as a milter with SpamAssassin and ClamAV.
These are the messages I see in (Postfix) mail logs for one particular example:
2025-06-09T20:38:01.159392+12:00 mx postfix/smtpd[66941]: connect from XXX[XXX]
2025-06-09T20:38:01.982297+12:00 mx postfix/smtpd[66941]: Anonymous TLS connection established from XXX[XXX]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-06-09T20:38:04.114647+12:00 mx policyd-spf[66963]: : prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=XXX; helo=XXX; envelope-from=XXX at XXX; receiver=<UNKNOWN>
2025-06-09T20:38:04.165040+12:00 mx policyd-spf[66968]: : prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=XXX; helo=XXX; envelope-from=XXX at XXX; receiver=<UNKNOWN>
2025-06-09T20:38:04.170630+12:00 mx postfix/smtpd[66941]: 29982A0F3D: client=XXX[XXX]
2025-06-09T20:38:04.372133+12:00 mx postfix/cleanup[66969]: 29982A0F3D: message-id=<XXX>
2025-06-09T20:38:06.990525+12:00 mx opendkim[1174]: 29982A0F3D: message has signatures from XXX, XXX
2025-06-09T20:38:06.990875+12:00 mx opendkim[1174]: 29982A0F3D: DKIM verification successful
2025-06-09T20:38:06.991081+12:00 mx opendkim[1174]: 29982A0F3D: s=XXX d=XXX a=rsa-sha256 SSL
2025-06-09T20:38:06.993404+12:00 mx opendmarc[1172]: implicit authentication service: mx.tait.net.nz
2025-06-09T20:38:06.994461+12:00 mx opendmarc[1172]: 29982A0F3D: SPF(mailfrom): XXX pass
2025-06-09T20:38:07.169121+12:00 mx opendmarc[1172]: 29982A0F3D: XXX pass
2025-06-09T20:38:07.180201+12:00 mx amavis[65876]: (65876-07) Checking: DYupweuONgIb AM.PDP-SOCK [XXX] <XXX at XXX> -> <XXX at tait.net.nz>
2025-06-09T20:38:08.883015+12:00 mx amavis[65876]: (65876-07) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [XXX] [XXX] <XXX at XXX> -> <XXX at tait.net.nz>, Queue-ID: 29982A0F3D, Message-ID: <XXX>, mail_id: DYupweuONgIb, Hits: -2.403, size: 10828, 1706 ms
2025-06-09T20:38:08.890559+12:00 mx postfix/qmgr[14097]: 29982A0F3D: from=<XXX at XXX>, size=10269, nrcpt=1 (queue active)
2025-06-09T20:38:08.925566+12:00 mx postfix/smtp[66972]: Verified TLS connection established to XXX[XXX]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
2025-06-09T20:38:08.980830+12:00 mx postfix/smtp[66972]: 29982A0F3D: to=<XXX at tait.net.nz>, relay=XXX[XXX]:25, delay=6.4, delays=6.3/0.01/0.07/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EE0C7E61010)
2025-06-09T20:38:08.981461+12:00 mx postfix/qmgr[14097]: 29982A0F3D: removed
2025-06-09T20:38:09.093713+12:00 mx postfix/smtpd[66941]: disconnect from XXX[XXX] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
These headers were added to the message during the processing above:
X-Virus-Scanned: Debian amavis at tait.net.nz
X-Spam-Flag: NO
X-Spam-Score: -2.403
X-Spam-Level:
X-Spam-Status: No, score=-2.403 required=6.31 tests=[DKIMWL_WL_MED=-0.001,
    DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_PASS=-0.001,
    HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: mx.tait.net.nz; dmarc=pass (p=none dis=none) header.from=XXX
Authentication-Results: mx.tait.net.nz; spf=pass smtp.mailfrom=XXX
Authentication-Results: mx.tait.net.nz;
    dkim=pass (2048-bit key; unprotected) header.d=XXX header.i=@XXX header.a=rsa-sha256 header.s=XXX header.b=fQ/8+1td;
    dkim=pass (2048-bit key; unprotected) header.d=XXX header.i=@XXX header.a=rsa-sha256 header.s=XXX header.b=cdSF0Aeu;
    dkim-atps=neutral
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=XXX; helo=XXX; envelope-from=XXX at XXX; receiver=<UNKNOWN>
Received: from XXX (XXX [XXX])
    by mx.tait.net.nz (Postfix) with ESMTPS id 29982A0F3D
    for <XXX at tait.net.nz>; Mon, 09 Jun 2025 20:38:02 +1200 (NZST)
As you can see, the headers above show that the message was SPAM-checked and virus-scanned.
So what exactly does UNCHECKED mean then?
Thanks,
Nick.
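
Added example, not part of the original thread or of amavis: a log triage script that parses amavis result lines in the format shown above and reports which sender domains are always logged UNCHECKED, and which of those messages still carry a numeric spam score. The sample log lines, domains and queue IDs (other than the format itself) are constructed, and treating a non-numeric Hits field such as "-" as "no score logged" is an assumption.

```python
import re
from collections import Counter, defaultdict

# Result line layout as in the post:
# amavis[pid]: (task) Passed VERDICT {Dest}, ... <from> -> <to>, Queue-ID: X, ..., Hits: N, ...
RESULT = re.compile(
    r"amavis\[\d+\]: \([\d-]+\) (?P<action>Passed|Blocked) "
    r"(?P<verdict>[A-Z][A-Z-]*) \{[^}]*\},.*?"
    r"<(?P<sender>[^>]*)> -> <[^>]*>.*?"
    r"Queue-ID: (?P<qid>\w+),.*?Hits: (?P<hits>[^,\s]+)"
)

def parse_results(lines):
    """Yield one dict per amavis result line; all other log lines are skipped."""
    for line in lines:
        m = RESULT.search(line)
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["hits"] = float(rec["hits"])
        except ValueError:  # assumption: non-numeric field means no score was logged
            rec["hits"] = None
        rec["domain"] = rec["sender"].rpartition("@")[2].lower() or "<>"
        yield rec

def unchecked_report(lines):
    """Per sender domain: always-UNCHECKED domains, and UNCHECKED mail that was scored."""
    verdicts, scored = defaultdict(Counter), defaultdict(list)
    for rec in parse_results(lines):
        verdicts[rec["domain"]][rec["verdict"]] += 1
        if rec["verdict"].startswith("UNCHECKED") and rec["hits"] is not None:
            scored[rec["domain"]].append(rec["qid"])
    always = sorted(d for d, c in verdicts.items()
                    if all(v.startswith("UNCHECKED") for v in c))
    return {"always_unchecked": always, "unchecked_but_scored": dict(scored)}

# Constructed sample input modelled on the log excerpt in the post.
SAMPLE_LOG = """\
2025-06-09T20:38:07+12:00 mx amavis[65876]: (65876-07) Checking: aaaaaaaaaaaa AM.PDP-SOCK [192.0.2.10] <billing@vendor.example> -> <user@rcpt.example>
2025-06-09T20:38:08+12:00 mx amavis[65876]: (65876-07) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [192.0.2.10] [192.0.2.10] <billing@vendor.example> -> <user@rcpt.example>, Queue-ID: 29982A0F3D, Message-ID: <m1@vendor.example>, mail_id: aaaaaaaaaaaa, Hits: -2.403, size: 10828, 1706 ms
2025-06-09T21:02:11+12:00 mx amavis[65876]: (65876-08) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [192.0.2.20] [192.0.2.20] <news@other.example> -> <user@rcpt.example>, Queue-ID: 3A1B2C3D4E, Message-ID: <m2@other.example>, mail_id: bbbbbbbbbbbb, Hits: 0.1, size: 5120, 900 ms
2025-06-10T08:15:42+12:00 mx amavis[65876]: (65876-09) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [192.0.2.10] [192.0.2.10] <billing@vendor.example> -> <user@rcpt.example>, Queue-ID: 4F00AA1234, Message-ID: <m3@vendor.example>, mail_id: cccccccccccc, Hits: -2.3, size: 11002, 1650 ms
2025-06-10T09:30:05+12:00 mx amavis[65876]: (65876-10) Passed UNCHECKED {AcceptedInbound}, AM.PDP-SOCK [192.0.2.30] [192.0.2.30] <scan@zip.example> -> <user@rcpt.example>, Queue-ID: 5B11CC5678, Message-ID: <m4@zip.example>, mail_id: dddddddddddd, Hits: -, size: 20480, 300 ms
"""

if __name__ == "__main__":
    print(unchecked_report(SAMPLE_LOG.splitlines()))
```

The queue IDs in unchecked_but_scored are the ones to pull from the Postfix queue or the user's mailbox to inspect attachments and MIME structure, since for those the spam score shows the spam check did run.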