{{tag>Utilities utility amavis anti-spam email filter}}

====== Releasing messages from Amavis Quarantine ======

{{:utilities:amavis-logo.jpg?200 |}}

** What is Amavis? **

[[https://en.wikipedia.org/wiki/Amavis | Amavis]] is a free spam blocking tool that is often used with Unix/Linux mail servers. It’s supposed to “learn” what is spam (unwanted email) and what isn’t. However, sometimes a message is sent to you and you can’t find it in your spam/junk folder. This is because it never made it to your mailbox. You might be saying, “Hey, wait a minute! You just said it finds spam and I have a spam folder!” Right, each mailbox has a junk folder, but it’s the job of Amavis to keep the really bad messages from even reaching your mailbox.

==== How does Amavis work? ====

Let’s now go into how Amavis determines good and bad messages. Like most spam blocking tools, it uses an algorithm (formula) to calculate a numerical score. This score is determined by many rules, such as “no From address”. That is a violation of the email protocol, but old mail servers and programs allowed it. Each message starts with a score of 0 (zero). If the tool sees a missing From address, it adds a value of, say, +2. Then it checks the next rule. Maybe the next rule is to not allow the word “kill”, as it’s not a nice word or action. The value of that rule might be set to +5, so now the spam score of this message is 7. When all of the rules have been tested, the message has its final spam score.

Finally, the configuration within Amavis sets some thresholds. Below is an example of what the thresholds might be:

^ Threshold ^ Action ^
| 3.0 | Mark as “***SPAM***” |
| 5.0 | Quarantine |
| 8.0 | Kill/delete/reject |

So in our example from above, the score is 7: greater than 5.0, but less than 8.0. Therefore, the message is quarantined. This means that it is held in a separate place away from all mailboxes.
==== Releasing the message(s) ====

Now that we have quarantined message(s), we need a way to release them to the mailbox, assuming that you have already determined that this is the all-important missing message. Luckily, we have an easy tool to do this: amavisd-release. Now comes the hard part: how do we find the quarantine-id if we can’t find the message? It’s in the MySQL database. You must have a basic understanding of SQL and how to run database queries! Otherwise, you could lose data or, worse, stop the entire mail process from working without a recoverable backup. Which, by the way, is a good plug: ALWAYS TAKE A BACKUP BEFORE MAKING CHANGES!

OK. Let’s get into the DB and start looking for the message.

<code>
mysql> show tables;
+-------------------+
| Tables_in_amavisd |
+-------------------+
| maddr             |
| mailaddr          |
| msgrcpt           |
| msgs              |
| policy            |
| quarantine        |
| users             |
| wblist            |
+-------------------+
8 rows in set (0.00 sec)
</code>

Inside the amavisd database, I have the above tables. The quarantine table looks promising. Let's look in there. Below are some headers from the mail_text field.

<code>
X-Envelope-To: ;                                                        <==============
Wed, 12 Aug 2015 11:17:25 -0700 (PDT)
Received: from unwanted.sender.com (unknown [1.2.3.4])
        by mail.mail.yyyyyyyyy.zzz (Postfix) with ESMTP id 4AAFB145F5  <==============
        for ; Wed, 12 Aug 2015 11:17:24 -0700 (PDT)
Mime-Version: 1.0
Date: Wed, 12 Aug 2015 13:09:43 -0600
Subject: We Could Save You Thousands
Message-ID:
To:
From: "Refinancing"
Content-type: multipart/alternative; boundary="=MDIxNTcxNDMxNDc1ODUyOTY3Mzk4YmYyYjZkMjc2YjQ_"

--=MDIxNTcxNDMxNDc1ODUyOTY3Mzk4YmYyYjZkMjc2YjQ_
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
</code>

The marked lines above are of particular interest to us. You can see the spam score (score=7.219) and the Quarantine-ID. If you know the sender of the message, then you can query the database for all messages with this address in the mail_text field.
==== Query the database for the sender ====

<code>
mysql> select mail_text from quarantine where mail_text like '%spam.com%';
...
2 rows in set (0.00 sec)
</code>

Now that I have the message content, I can look for the quarantine-id (01MmWEBktepN in this case).

==== Actually releasing the message ====

Armed with the quarantine-id, we can release the message using the amavisd-release command.

<code>
$ sudo amavisd-release 01MmWEBktepN
[sudo] password for user:
250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBD26146A8
</code>

You should now be able to find the message in your inbox or junk folder.
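The scoring thresholds from the "How does Amavis work?" section and the quarantine-id lookup from the query section, combined in one added example (my own Python, not code from the original page or from Amavis): it classifies a score against the threshold table, then filters rows shaped like quarantine.mail_text the way the LIKE query does and extracts the quarantine-id to build the release command. The sample rows, addresses, scores and ids are constructed, and it is an assumption that the stored text begins with X-Quarantine-ID and X-Spam-Status headers as amavisd-new adds them.

```python
import re
from email.parser import HeaderParser

# Threshold table from the page: the highest level the score reaches wins.
THRESHOLDS = [(8.0, "kill"), (5.0, "quarantine"), (3.0, "tag")]

def classify(score):
    """Map a final spam score to the action the threshold table prescribes."""
    for limit, action in THRESHOLDS:
        if score >= limit:
            return action
    return "deliver"

# Constructed rows shaped like quarantine.mail_text (not real quarantined mail).
# Assumption: quarantined copies carry X-Quarantine-ID and X-Spam-Status
# headers; the ids, addresses and scores below are made up.
SAMPLE_ROWS = [
    "X-Quarantine-ID: <01MmWEBktepN>\n"
    "X-Spam-Status: Yes, score=7.219 tagged_above=3 required=5\n"
    "From: \"Refinancing\" <offers@spam.com>\n"
    "Subject: We Could Save You Thousands\n\nbody\n",
    "X-Quarantine-ID: <01ZzZzZzZzZz>\n"
    "X-Spam-Status: Yes, score=5.6 tagged_above=3 required=5\n"
    "From: deals@SPAM.COM\nSubject: Act now\n\nbody\n",
    "X-Quarantine-ID: <01AaAaAaAaAa>\n"
    "X-Spam-Status: Yes, score=6.1 tagged_above=3 required=5\n"
    "From: friend@example.org\nSubject: hi\n\nbody\n",
]

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")

def find_quarantine_ids(rows, sender):
    """Python equivalent of  ... WHERE mail_text LIKE '%sender%'  (case-insensitive,
    as MySQL's default collation is); returns (quarantine_id, score, action) per hit."""
    hits = []
    for text in rows:
        if sender.lower() not in text.lower():
            continue
        # Only the header block matters; parse it with the stdlib header parser.
        headers = HeaderParser().parsestr(text.split("\n\n", 1)[0])
        qid = (headers.get("X-Quarantine-ID") or "").strip("<> ")
        m = SCORE_RE.search(headers.get("X-Spam-Status", ""))
        if qid and m:
            score = float(m.group(1))
            hits.append((qid, score, classify(score)))
    return hits

def release_commands(rows, sender):
    """One amavisd-release invocation per quarantine-id found for the sender."""
    return [f"amavisd-release {qid}" for qid, _, _ in find_quarantine_ids(rows, sender)]
```

Against a live database you would feed the rows returned by the SELECT into find_quarantine_ids instead of SAMPLE_ROWS; review each hit before releasing, since a broad LIKE pattern such as '%spam.com%' also matches addresses at subdomains of that name.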