
List:       amavis-user
Subject:    Re: (SCANNED)Re: defang_spam not working
From:       "Steve Scotter" <amavis-users () spectrumcs ! net>
Date:       2012-02-19 14:41:48
Message-ID: DIIE.00000204000035A0 () rainbow ! spectrumcs ! net

Hi Mark,

Thanks for your reply.

I replied about an hour later to my own post basically saying that setting
$altermime = undef 'fixed' my issue, and abandoned trying to use altermime.

------------------------------------------------

Sorry for the school boy error of not providing version information...

# altermime --version
alterMIME v0.3.11 (November-2008) by Paul L Daniels - http://www.pldaniels.com/altermime

# amavisd -V
amavisd-new-2.7.0 (20110701)

# perl -v
This is perl 5, version 14, subversion 2 (v5.14.2) built for amd64-freebsd

# uname -a
FreeBSD untrustedhost.example.com 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

------------------------------------------------

To try and help resolve this issue I've applied your attached patch, re-enabled
altermime and sent a couple of test messages through but unfortunately the problem
persists. The email arrives but is not defanged when altermime is enabled.

Please find attached sanitized amavisd logs of two "/usr/local/sbin/amavisd debug"
sessions (one with altermime enabled, one with altermime disabled) and the emails
that arrived.

If you need any more information or someone to test any further patches I'm happy to
help.

Regards

Stephen Scotter
Systems Consultant
T. +44 (0) 7970 463925

-------- Original Message --------
Subject: (SCANNED)Re: defang_spam not working (16-Feb-2012 23:56)
From:    Mark Martinec <Mark.Martinec+amavis@ijs.si>
To:      amavis-users@spectrumcs.net

> Steve,
> 
> > I'm having problems with my amavis not defang'ing spam. Messages are having
> > their subject rewritten and X-SPAM-Headers but are not defang'd.
> > 
> > Could anyone shed any light on which settings I need to be paying attention
> > to? I've gone over my amavisd.conf with a fine-tooth comb to no avail.
> 
> Sorry for delay. While investigating what could potentially be the reason,
> I found two problems regarding defanging in 2.7.0, and I'm attaching
> a patch to fix these. The bug can only manifest itself under certain
> conditions, and you are saying neither which version of amavisd and
> perl you are using, nor the defanging method of choice (like whether
> altermime is installed and enabled, or whether Anomy::Sanitizer is
> to be used for defanging).
> 
> Here is the description of the two problems addressed by the patch:
> 
> - fixed defanging by mimedefang, it was failing with perl 5.10 or later
> due to an unhandled "Insecure dependency in sprintf" while logging the
> result if the $log_level was 2 or higher, or when debugging was enabled;
> 
> - fixed defanging by Anomy::Sanitizer, it was failing with an error message:
> 
> "mangling by anomy failed: replacement size 0, mail will pass unmodified"
> 
> 
> > I'm using SQL backup with default policies. Recipients access is associated
> > with the "Default Policy" (ie *_lover's all N, bypass_*_checks all N,
> > spam_modifies_subj = Y, all other fields NULL).
> > 
> > $defang_virus  = 1;
> > $defang_banned = 1;
> > $defang_spam = 1;
> > $defang_bad_header = 1;
> > $defang_undecipherable = 1;
> > $defang_all = 1; # for testing purposes only
> > 
> > $sa_tag_level_deflt  = -9999; # add spam headers to all messages
> > $sa_tag2_level_deflt = 5.0; # anything >= 5 considered
> > $sa_kill_level_deflt = 10.0; # anything >= 10 is quarantined
> > $sa_quarantine_cutoff_level = 25; # anything >= 25 is discarded completely.
> > 
> > $final_virus_destiny = D_DISCARD;
> > $final_banned_destiny = D_BOUNCE;
> > $final_spam_destiny = D_DISCARD;
> > ##$final_bad_header_destiny = D_REJECT;
> > $final_bad_header_destiny = D_PASS;
> > 
> > While testing I checked to see if messages marked with a bad header are
> > being defang'd by sending a malformed email with two Subject: headers.
> > They also aren't being defang'd.
> > Is there any chance I'm missing a perl module required to defang or is it
> > definitely a configuration issue?
> 
> Mail to local recipients with a bad header, or spam with score between
> tag2 and kill levels, should have been defanged, unless you are meeting the
> bug conditions above (perl >= 5.10, altermime installed, log level >= 2).
> 
> If you have altermime installed, try disabling it ($altermime = undef),
> or apply the patch. If the problem persists, I'd like to see the full
> log of the event (at $log_level=5).
> 
> Mark
> 
> 
> 
> To: amavis-users@amavis.org
> Cc: amavis-users@spectrumcs.net


To: Mark.Martinec+amavis@ijs.si
    amavis-users@amavis.org





["0.patch" (application/octet-stream)]

--- amavisd.orig	2011-07-01 17:21:07.000000000 +0100
+++ amavisd	2012-02-16 23:09:23.027107717 +0100
@@ -14092,9 +14092,11 @@
           or die "Can't rewind mail file: $!";
         $out_fh = IO::File->new;
-        $out_fh->open($repl_fn, O_CREAT|O_EXCL|O_RDWR, 0640)
+        $out_fh->open($repl_fn, O_CREAT|O_EXCL|O_WRONLY, 0640)
           or die "Can't create file $repl_fn: $!";
         binmode($out_fh,':bytes') or die "Can't cancel :utf8 mode: $!";
-        if ($enable_anomy_sanitizer &&
-            $mail_mangle !~ /^(?:altermime|disclaimer)\z/) {
+        if (lc $mail_mangle eq 'anomy' && !$enable_anomy_sanitizer) {
+          die 'Anomy requested, but $enable_anomy_sanitizer is false';
+        } elsif ($enable_anomy_sanitizer &&
+                 $mail_mangle !~ /^(?:altermime|disclaimer)\z/) {
           $actual_mail_mangle = 'anomy';
           $enable_anomy_sanitizer  or die "Anomy not available: $mail_mangle";
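Review bot: the new first branch tests `lc $mail_mangle eq 'anomy'` case-insensitively, while the `elsif` still matches `/^(?:altermime|disclaimer)\z/` case-sensitively, so a value such as 'Altermime' fails the regex and lands in the anomy branch whenever $enable_anomy_sanitizer is true. Normalize $mail_mangle once before the if/elsif chain, or add /i to the regex, so both tests agree on case. The context line `$enable_anomy_sanitizer or die "Anomy not available: $mail_mangle";` sits inside a branch that already requires $enable_anomy_sanitizer to be true, so it can never fire and could be dropped.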
@@ -14105,4 +14107,10 @@
           my($ret) = $engine->sanitize($msginfo->mail_text, $out_fh);
           if ($e = $engine->error) { die $e }
+          # close flushes buffers, makes it possible to check file size below
+          $out_fh->close or die "Can't close file $repl_fn: $!";
+          # re-open as read-only
+          $out_fh = IO::File->new;
+          $out_fh->open($repl_fn,'<') or die "Can't open file $repl_fn: $!";
+          binmode($out_fh,':bytes') or die "Can't cancel :utf8 mode: $!";
         } else {  # use altermime for adding disclaimers or defanging
           $actual_mail_mangle = 'altermime';
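Review bot: the added re-open, `$out_fh->open($repl_fn,'<')`, goes back to the file by path after the close, so the handle is no longer tied to the file that the earlier O_CREAT|O_EXCL open created. That is fine only if the directory holding $repl_fn is writable by amavisd alone; please state that assumption in the comment next to "re-open as read-only". The comment about checking the file size "below" points at code outside this hunk, so it would help to name the check it refers to.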
@@ -14177,5 +14185,6 @@
           my($r,$status) = collect_results($proc_fh,$pid,$altermime,16384,[0]);
           undef $proc_fh; undef $pid;
-          do_log(2,"program $altermime said: %s",$$r)  if ref $r && $$r ne '';
+          do_log(2,"program %s said: %s",
+                   $altermime, $$r)  if ref $r && $$r ne '';
           $status == 0 or die "Program $altermime failed: $status, $$r";
           $out_fh = IO::File->new;
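Review bot: the reworked do_log call carries no comment saying why $altermime moved out of the format string and into the argument list. A one-line comment that variables must not be interpolated into the format (the taint check on sprintf rejects it, and a '%' in the value would be read as a directive) would keep a later cleanup from reverting it. Other do_log calls that interpolate variables into their first argument deserve the same change.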

["amavisd-altermime-disabled.log" (application/octet-stream)]
["amavisd-altermime-enabled.log" (application/octet-stream)]
["(SPAM - Scored 6.892, Required 5)Test Spam Score 6 19022012
 140309.62.eml" (message/rfc822)]

From: blat@spectrumcs.net
Subject: (SPAM - Scored 6.892, Required 5)Test Spam Score 6 19/02/2012
 14:03:09.62
To: test@spectrumcs.net
Date: Sun, 19 Feb 2012 14:03:09 +0000
Priority: normal
X-Priority: 3 (Normal)
Importance: normal
X-Mailer: David by Tobit Software, Germany, Mime Converter 101.20
X-David-Sym: 0
X-David-Flags: 0
Message-ID: <01ccef0f$Blat.v2.6.2$376d309f$16830a182ffa8@spectrumcs.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----_=_NextPart_000_0059C2F1.4F410198"

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_0059C2F1.4F410198
Content-Type: text/plain;
 charset="utf-8"
Content-Transfer-Encoding: base64
------_=_NextPart_000_0059C2F1.4F410198
Content-Type: message/rfc822;
 name="message.eml"
Content-Transfer-Encoding: 7Bit
Content-Disposition: attachment;
 filename="message.eml";
 modification-date="Sun, 19 Feb 2012 14:05:12 +0000"

Return-Path: <blat@spectrumcs.net>
Received: from SCOTTERW7201006 (host-78-144-213-180.as13285.net [78.144.213.180])
	by crimson.spectrumcs.net (Postfix) with ESMTP id 26BD01ABD4B
	for <test@spectrumcs.net>; Sun, 19 Feb 2012 14:04:45 +0000 (GMT)
Date: Sun, 19 Feb 2012 14:03:09 +0000
From: blat@spectrumcs.net
To: test@spectrumcs.net
X-Mailer: Blat v2.6.2 w/GSS encryption, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01ccef0f$Blat.v2.6.2$376d309f$16830a182ffa8@spectrumcs.net>
Subject: Test Spam Score 6 19/02/2012 14:03:09.62
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=ISO-8859-1

SpectrumTestSpamPattern1234
------_=_NextPart_000_0059C2F1.4F410198--


["(SPAM - Scored 5.582, Required 5)Test Spam Score 6 19022012
 140459.72.eml" (message/rfc822)]

From: blat@spectrumcs.net
Subject: (SPAM - Scored 5.582, Required 5)Test Spam Score 6 19/02/2012
 14:04:59.72
To: test@spectrumcs.net
Date: Sun, 19 Feb 2012 14:04:59 +0000
Priority: normal
X-Priority: 3 (Normal)
Importance: normal
X-Mailer: David by Tobit Software, Germany, Mime Converter 101.20
X-David-Sym: 0
X-David-Flags: 0
Message-ID: <01ccef0f$Blat.v2.6.2$790eb023$169e8f2a56dda@spectrumcs.net>
MIME-Version: 1.0
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7Bit

SpectrumTestSpamPattern1234

To: test@spectrumcs.net
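
The two attached mails differ in structure: the first arrives as multipart/mixed with the original wrapped as a message/rfc822 part, the second is tagged in the Subject but left as plain text. The following check tells those two outcomes apart when re-testing a defang configuration; it is an added example, not part of the original post or of amavisd, and the function name, sample messages and the assumption that "defanged" means the wrapped layout seen above are this example's own.

```python
import re
from email import message_from_string

# Constructed samples modelled on the two attached test mails (addresses,
# boundary and report text are made up for this example).
DEFANGED = """\
From: sender@example.net
Subject: (SPAM - Scored 6.892, Required 5)Test Spam Score 6
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Constructed defang report.
--b1
Content-Type: message/rfc822; name="message.eml"
Content-Disposition: attachment; filename="message.eml"

From: sender@example.net
Subject: Test Spam Score 6
Content-Type: text/plain; charset=ISO-8859-1

SpectrumTestSpamPattern1234
--b1--
"""
TAGGED_ONLY = """\
From: sender@example.net
Subject: (SPAM - Scored 5.582, Required 5)Test Spam Score 6
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

SpectrumTestSpamPattern1234
"""
# Subject tag format as it appears in the attached mails (site-specific).
TAG_RE = re.compile(r"^\(SPAM - Scored ([\d.]+), Required ([\d.]+)\)")

def defang_status(raw):
    """Report whether a delivered mail is spam-tagged and whether it is defanged."""
    msg = message_from_string(raw)
    tag = TAG_RE.match(msg.get("Subject", ""))
    inner = None
    if msg.get_content_type() == "multipart/mixed" and msg.is_multipart():
        for part in msg.get_payload():
            # Assumption: a defanged mail carries the original as message/rfc822.
            if part.get_content_type() == "message/rfc822" and part.is_multipart():
                inner = part.get_payload(0)
                break
    return {"score": float(tag.group(1)) if tag else None,
            "defanged": inner is not None,
            "inner_subject": inner["Subject"] if inner is not None else None}
```

A result with a score at or above the tag2 level and `defanged` false is the symptom reported in this thread.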


