amavis / tag subject / virus
Today we got a suspiciously good-looking e-mail in the inbox: someone who had supposedly received a reminder about an unpaid invoice from us.
The mail contained a zip file with two "scans". The first was a PDF, the second an executable (obviously a virus).
So, where was the Amavis virus/spam scanner in all this?
Showing the headers revealed that something had been detected:
X-Amavis-Alert: BANNED, message contains .exe,scan2/HP scan scan
=?iso-8859-1?Q?HYJKIOPH5600002.=E2=80=AEfdp.exe?=
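The banned file name in that header is an RFC 2047 encoded word, and the =E2=80=AE inside it is the UTF-8 encoding of U+202E (right-to-left override), so "fdp.exe" is displayed as "exe.pdf" even though the header is labelled iso-8859-1. The following Python is an added example, not part of the original post or of Amavis: it decodes the name from the quoted header (the sample is constructed from the lines above, joined to one line), falls back to UTF-8 when the declared charset yields C1 control characters, and flags bidi controls together with the mismatch between the displayed and the real extension.

```python
import re
import email.header

# Constructed from the X-Amavis-Alert header quoted in the post (joined to one line).
SAMPLE_HEADER = ("BANNED, message contains .exe,scan2/HP scan scan "
                 "=?iso-8859-1?Q?HYJKIOPH5600002.=E2=80=AEfdp.exe?=")

# Unicode bidirectional embedding/override/isolate controls.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
ENCODED_WORD = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")

def decode_encoded_words(header):
    """Decode every RFC 2047 encoded-word found in an amavis alert header.
    The quoted header labels the name iso-8859-1, yet the bytes are UTF-8;
    decoding with the declared charset turns them into C1 controls
    (mojibake), so in that case re-decode as UTF-8 when the bytes allow it."""
    names = []
    for word in ENCODED_WORD.findall(header):
        text = ""
        for raw, charset in email.header.decode_header(word):
            if isinstance(raw, str):          # plain, already-decoded part
                text += raw
                continue
            part = raw.decode(charset or "ascii", errors="replace")
            if any("\x80" <= c <= "\x9f" for c in part):
                try:
                    part = raw.decode("utf-8")
                except UnicodeDecodeError:
                    pass
            text += part
        names.append(text)
    return names

def analyse_name(name):
    """Flag bidi controls and compare the extension a user would see with
    the real one. Rendering model: text after U+202E is shown reversed."""
    flags = ["bidi-control:U+%04X" % ord(c) for c in name if c in BIDI_CONTROLS]
    displayed = name
    if "\u202e" in name:
        head, _, tail = name.partition("\u202e")
        displayed = head + tail[::-1]
    actual_ext = name.rsplit(".", 1)[-1].lower()
    shown_ext = displayed.rsplit(".", 1)[-1].lower()
    if actual_ext != shown_ext:
        flags.append("extension-mismatch:shown=.%s,actual=.%s" % (shown_ext, actual_ext))
    return {"actual": name, "displayed": displayed, "flags": flags}

if __name__ == "__main__":
    for n in decode_encoded_words(SAMPLE_HEADER):
        print(analyse_name(n))
```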
Then why weren’t we informed?
It turns out that Amavis has a $sa_spam_subject_tag configuration option to flag spam, but there was no such option for BANNED messages.
Here's a quick fix:
--- /usr/sbin/amavisd-new.orig 2013-09-26 08:57:24.961937001 +0200
+++ /usr/sbin/amavisd-new 2013-09-26 09:01:32.193936979 +0200
@@ -1540,7 +1540,7 @@ BEGIN {
);
%subject_tag_maps_by_ccat = (
CC_VIRUS, [ '***INFECTED*** ' ],
- CC_BANNED, undef,
+ CC_BANNED, [ '***VIRUS?*** ' ],
CC_UNCHECKED, sub { [ c('undecipherable_subject_tag') ] }, # not by-recip
CC_SPAM, undef,
CC_SPAMMY.',1', sub { ca('spam_subject_tag3_maps') },
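Review bot: the tag chosen for CC_BANNED ('***VIRUS?*** ') reads like a suspected infection, while the adjacent CC_VIRUS entry already uses '***INFECTED*** '; a banned part was blocked because of its file type (here .exe), not because a scanner detected malware, so a distinct string such as [ '***BANNED*** ' ] tells the recipient what actually happened. Also, the patch rewrites the installed /usr/sbin/amavisd-new in place, inside the BEGIN block that fills the default %subject_tag_maps_by_ccat table, so the next package upgrade silently drops it; if this version exposes that hash as a configuration variable (check the amavisd.conf-sample shipped with it), setting the CC_BANNED entry from amavisd.conf keeps the change across upgrades.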
Now these infected messages stand out a little better.