Discussion:
malware with BAD HEADER, MIME error not blocked
MI
2016-03-31 09:54:52 UTC
There seems to be a wave of malware emails for which Amavis complains about a bad
header, and then apparently skips the attachment scanning. So the mail goes through.
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse head;
error near:; Content-Transfer-Encoding: base64
Is there anything that can be done about that?

First, I don't really see what the MIME error may be. Nor does Thunderbird, which can
extract the attachment.

Is there a way to ask amavis to check a single mail from the command-line with
debugging output?

This is how one such mail looks. Maybe someone can spot what Amavis doesn't like in
the headers?
Content-Type: multipart/mixed;
boundary="Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA"
...
Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))
--Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8
Dear hostmaster,
[etc.]
--Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA
Content-Disposition: inline; filename="hostmaster_document_4876E9.rar"
Content-Type: application/octet-stream; x-unix-mode=0600;
name="hostmaster_document_4876E9.rar"
Content-Transfer-Encoding: base64
UmFyIRoHAM+QcwAADQAAAAAAAADN9nQgkCYAxwUAAE8hAAACsaEbYEZ1fkgdMwEAIgAAADMA
[etc.]
bUB+83/0xD17AEAHAA==
--Apple-Mail=_66C921A9-3A78-2C0E-11CD-CB91C8E60FBA--
I don't want to just blindly block any email with a bad header, for fear of blocking
too many normal mails sent by a stupid client program.
Mark.Martinec+ (Mark Martinec)
2016-03-31 13:09:34 UTC
Post by MI
There seems to be a wave of malware emails for which Amavis complains
about a bad header, and then apparently skips the attachment scanning.
So the mail goes through.
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse head;
error near:; Content-Transfer-Encoding: base64
Is there anything that can be done about that?
First, I don't really see what the MIME error may be. Nor does
Thunderbird, which can extract the attachment.
This is how one such mail looks. Maybe someone can spot what Amavis
doesn't like in the headers?
The error is in an incorrectly wrapped Content-Type header field,
where the continuation line does not start with a space or tab,
so the broken MIME part does not get base64-decoded.
Post by MI
Content-Type: application/octet-stream; x-unix-mode=0600;
name="hostmaster_document_4876E9.rar"
Content-Transfer-Encoding: base64
Is there a way to ask amavis to check a single mail from the
command-line with debugging output?
Not really, although you can use the amavisd-submit utility
to feed a mail directly to an amavisd socket, and you may
use a policy bank to raise the log level on a mail submitted
through such a dedicated socket.
Post by MI
I don't want to just blindly block any email with a bad header, for
fear of blocking too many normal mails sent by a stupid client
program.
You may use a SpamAssassin rule like the following to
capture such invalid wrap:

full L_INV_NAME_WRAP /^Content-Type:.*\nname="/mi
score L_INV_NAME_WRAP 20

Also, the SaneSecurity 3rd party rules to ClamAV seem to be
able to catch these.


Mark
MI
2016-03-31 15:14:19 UTC
Post by Mark.Martinec+ (Mark Martinec)
The error is in incorrectly wrapped Content-Type header field,
where the continuation line does not start with a space or tab,
so the broken MIME part does not get base64-decoded.
Thank you. Somehow, I overlooked that.

Wouldn't it be possible for Amavis to still check the attachment, despite the error?
It seems that MIME::Parser, while complaining about the bad header, is still able to
extract it:

$ perl -MMIME::Parser -e 'my $p=MIME::Parser->new(); $p->output_under("/tmp/x/"); my $m=$p->parse(\*STDIN); warn $p->last_error(), "\n";' </tmp/badmail
error: couldn't parse head; error near:
Content-Transfer-Encoding: base64

$ ls -Al /tmp/x/msg-1459435568-17408-0/
total 8
-rw-rw-r-- 1 root root 3378 Mar 31 16:46 hostmaster_document_4876E9.rar
-rw-rw-r-- 1 root root 246 Mar 31 16:46 msg-17408-1.txt


So it would be nice if Amavis could still check the attachment if it could be extracted.

In the meantime I will try your other suggestions.

Thank you,

MI
Dave Dodd
2016-03-31 23:04:58 UTC
Post by Mark.Martinec+ (Mark Martinec)
Post by MI
I don'twant to just blindly block any email with a bad header, from
fear of blocking too many normal mails sent by a stupid client
program.
You may use a SpamAssassin rule like the following to
capture such invalid wrap:
full L_INV_NAME_WRAP /^Content-Type:.*\nname="/mi
score L_INV_NAME_WRAP 20
This is going to treat anything with that sort of broken header as spam.

1. Is there any way to "fix" the header so that content scanning could proceed?

In my case this would avoid putting legitimate mail, sent by a broken client,
in quarantine.

2. Are there any known broken clients that create this sort of broken header
for legitimate email?

-- Dave
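Mark's diagnosis (a Content-Type continuation line without the leading space or tab that RFC 5322 folding requires, so the part never gets base64-decoded) and Dave's question about fixing the header before content scanning, worked through as an added example. This is not code from the thread, from amavisd-new, from SpamAssassin or from MIME::Parser; it uses the Python standard-library email parser instead. The message, boundary, file name and attachment bytes are constructed for the example, and the repair is the simple one Dave's question implies: re-fold the bare line onto the field above it on the copy that goes to the scanner. The `scan()` check is the general form of Mark's rule, flagging any header-section line that is neither a field nor a folded continuation, in the top-level header or in any MIME part.

```python
"""Detect a bare (unfolded) MIME header continuation line, repair it for
scanning, and show what a strict parser extracts before and after.

Added example; not code from amavisd-new, SpamAssassin, MIME::Parser or
the thread's posters.  Every name, boundary and byte below is constructed."""
import base64
import email
import re

# Constructed attachment: the 7-byte RAR 1.5 signature plus filler, so the
# decoded bytes are easy to tell apart from the undecoded base64 text.
SAMPLE_PAYLOAD = b"Rar!\x1a\x07\x00" + b"constructed filler, not a real archive"
BOUNDARY = b"Apple-Mail=_EXAMPLE-BOUNDARY"

# Constructed message.  The second part carries the breakage Mark describes:
# the 'name=' line is not indented, so it is not a folded continuation of
# Content-Type.  Everything else is well-formed.
BROKEN_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: hostmaster@example.invalid\r\n"
    b"Subject: hostmaster document\r\n"
    b"Mime-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed;\r\n"
    b' boundary="' + BOUNDARY + b'"\r\n'
    b"\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Dear hostmaster,\r\n"
    b"\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: inline; filename="document_example.rar"\r\n'
    b"Content-Type: application/octet-stream; x-unix-mode=0600;\r\n"
    b'name="document_example.rar"\r\n'  # bare continuation: no leading SP/HTAB
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(SAMPLE_PAYLOAD).replace(b"\n", b"\r\n")
    + b"--" + BOUNDARY + b"--\r\n"
)

# RFC 5322 field line: printable ASCII name without ':' followed by ':'.
FIELD_LINE = re.compile(rb"^[!-9;-~]+:")
BOUNDARY_PARAM = re.compile(rb'boundary="?([^"\s;]+)"?', re.I)
# Mark's SpamAssassin 'full' rule as a Python regex.  It only catches the
# exact shape from the post (a bare 'name=' line right under Content-Type).
L_INV_NAME_WRAP = re.compile(rb'^Content-Type:.*\r?\nname="', re.M | re.I)


def scan(raw):
    """Return (lines, bad): bad holds 0-based indexes of lines inside a
    header section that are neither a field nor a continuation starting
    with SP/HTAB.  A header section starts at line 0 and after every
    boundary delimiter, and ends at the first empty line."""
    lines = raw.splitlines(keepends=True)
    delimiters = {b"--" + b for b in BOUNDARY_PARAM.findall(raw)}
    in_headers, bad = True, []
    for n, line in enumerate(lines):
        text = line.rstrip(b"\r\n")
        if in_headers:
            if text == b"":
                in_headers = False
            elif not (FIELD_LINE.match(text) or text[:1] in (b" ", b"\t")):
                bad.append(n)
        elif text.rstrip() in delimiters:
            in_headers = True
    return lines, bad


def repair(raw):
    """Re-fold each bare continuation onto the preceding field by adding
    the missing leading space.  Intended for the copy handed to the
    content scanner; the message as delivered is left untouched."""
    lines, bad = scan(raw)
    for n in bad:
        lines[n] = b" " + lines[n]
    return b"".join(lines), bad


def extract(raw):
    """Parse with the stdlib parser; return one dict per non-multipart part."""
    parts = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # may add decode defects
        parts.append({
            "filename": part.get_filename(),
            "type": part.get_content_type(),
            "cte": part.get("Content-Transfer-Encoding"),
            "payload": payload,
            "defects": [type(d).__name__ for d in part.defects],
        })
    return parts


if __name__ == "__main__":
    before = extract(BROKEN_MESSAGE)[1]
    repaired, fixed = repair(BROKEN_MESSAGE)
    after = extract(repaired)[1]
    print("bare continuation at line(s):", fixed)
    print("before: cte=%r defects=%s payload=%r" % (before["cte"], before["defects"], before["payload"][:32]))
    print("after:  cte=%r defects=%s payload=%r" % (after["cte"], after["defects"], after["payload"][:32]))
```

On the broken message the stdlib parser behaves the way Mark describes for MIME::Parser: the part's header block ends at the bare `name=` line, so that line and the Content-Transfer-Encoding field below it land in the body, the part is recorded with a `MissingHeaderBodySeparatorDefect`, and `get_payload(decode=True)` returns the undecoded base64 text (the file name is still known, from Content-Disposition). After `repair()` the same part decodes to the archive bytes and Mark's rule no longer fires. The fold is a heuristic, not a fix for the sender: a bare line could also be a body that simply lacks the blank separator line, so keep the defect as a scoring signal alongside the scan of the repaired copy, and never rewrite the message that is actually delivered.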
