What is Amavis?
Amavis is a free spam blocking tool that is often used with Unix/Linux mail servers. It is supposed to “learn” what is spam (unwanted email) and what isn’t. However, sometimes a message is sent to you and you can’t find it in your spam/junk folder. This is because it never made it to your mailbox. You might be saying, “Hey, wait a minute! You just said it finds spam, and I have a spam folder!” Right: each mailbox has a junk folder, but it is the job of Amavis to keep the really bad messages from ever reaching your mailbox.
Let’s now go into how Amavis determines good and bad messages. Like most spam blocking tools, it uses an algorithm (a formula) to calculate a numerical score. This score is determined by many rules. One example rule is a message with no From address; this violates the email protocol, but old mail servers and programs allowed it. Each message starts with a score of 0 (zero). If the tool sees a missing From address, it adds a value of, say, +2. Then it checks the next rule. Maybe the next rule disallows the word “kill”, as it’s not a nice word or action, and that rule is worth +5. So now the spam score of this message is 7. When all of the rules have been tested, the message has its final spam score. Finally, the configuration within Amavis sets some thresholds that decide what happens at each score.
Below is an example of what the thresholds might be:
| Threshold | Action |
|---|---|
| 3.0 | Mark as “*SPAM*” |
| 5.0 | Quarantine |
| 8.0 | Kill/delete/reject |
So in our example from above, the score is 7, greater than 5.0, but less than 8.0. Therefore, the message is Quarantined. This means that it is held in a separate place away from all mailboxes.
Now that we have quarantined message(s), we need a way to release them to the mailbox, assuming that you have already determined that this is the all-important missing message. Luckily, we have an easy tool to do this: `amavisd-release <id>`.
Now comes the hard part. How do we find the `<id>` if we can’t find the message? It’s in the MySQL database.
OK. Let’s get into the DB and start looking for the message.
```
mysql> show tables;
+-------------------+
| Tables_in_amavisd |
+-------------------+
| maddr             |
| mailaddr          |
| msgrcpt           |
| msgs              |
| policy            |
| quarantine        |
| users             |
| wblist            |
+-------------------+
8 rows in set (0.00 sec)
```
Inside the amavisd database, I have the above tables. The quarantine table looks promising. Let's look in there. Below are some headers from the mail_text field of one quarantined message.
```
X-Envelope-To: <xxxxxx@yyyyyyyyyy.zzz>
X-Envelope-To-Blocked: <xxxxxx@yyyyyyyyyy.zzz>
X-Quarantine-ID: <01MmWEBktepN>
X-Amavis-Alert: BAD HEADER SECTION MIME error: error: part did not end with expected boundary
X-Spam-Flag: YES
X-Spam-Score: 7.219
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.219 tag=0 tag2=5 kill=6.31          <===================
        tests=[DNS_FROM_AHBL_RHSBL=2.438, HTML_MESSAGE=0.001,
        RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274, SPF_PASS=-0.001,
        T_REMOTE_IMAGE=0.01, URIBL_DBL_SPAM=1.7, URIBL_WS_SURBL=0.1533]
        autolearn=no
Received: from mail.yyyyyyyyy.zzz ([127.0.0.1])
        by localhost (mail.mail.yyyyyyyyy.zzz [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 01MmWEBktepN for <xxxxxx@mail.yyyyyyyyy.zzz>;      <==============
        Wed, 12 Aug 2015 11:17:25 -0700 (PDT)
Received: from unwanted.sender.com (unknown [1.2.3.4])
        by mail.mail.yyyyyyyyy.zzz (Postfix) with ESMTP id 4AAFB145F5        <==============
        for <xxxxx@mail.yyyyyyyyy.zzz>; Wed, 12 Aug 2015 11:17:24 -0700 (PDT)
Mime-Version: 1.0
Date: Wed, 12 Aug 2015 13:09:43 -0600
Subject: We Could Save You Thousands
Message-ID: <MDIxNTcxNDMxNDc1ODUyOTY3Mzk4YmYyYjZkMjc2YjQ_@mx8.mibswain.com>
To: <xxxxx@mail.yyyyyyyyy.zzz>
From: "Refinancing" <unwanted@spam.com>
Content-type: multipart/alternative; boundary="=MDIxNTcxNDMxNDc1ODUyOTY3Mzk4YmYyYjZkMjc2YjQ_"

--=MDIxNTcxNDMxNDc1ODUyOTY3Mzk4YmYyYjZkMjc2YjQ_
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
```
The lines marked with `<====` above are of particular interest to us. You can see the spam score (score=7.219), the thresholds in force for this message (tag, tag2 and kill), and the Quarantine-ID, which also appears as the ESMTP id in the amavisd-new Received header. If you know the sender of the message, you can query the database for all messages with that address in the mail_text field:
```
mysql> select mail_text from quarantine where mail_text like '%spam.com%';
...
2 rows in set (0.00 sec)
```
Now that I have the message content, I can look for the quarantine-id (01MmWEBktepN in this case).
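As an added example, not code from the original article, the Python script below carries the scoring and threshold walkthrough above and the database lookup procedure through in working code. It builds an in-memory SQLite stand-in for the amavisd `quarantine` table (the real one is the MySQL table shown above; only the `mail_id` and `mail_text` columns are modelled), searches `mail_text` for a sender using a bound query parameter, unfolds the stored headers, pulls out the `X-Quarantine-ID` and `X-Spam-Status`, checks that the listed rule points add up to the reported score, and maps the score onto the example threshold table. The two sample rows are constructed for the example; the first mirrors the headers quoted above, the second is a made-up lower-scoring message from another domain.

```python
import re
import sqlite3

# Thresholds from the article's example table, highest first. A score at or
# above a threshold gets that action; anything below 3.0 is simply delivered.
THRESHOLDS = [(8.0, "Kill/delete/reject"), (5.0, "Quarantine"), (3.0, "Mark as *SPAM*")]

# Constructed rows standing in for the amavisd MySQL "quarantine" table.
# Headers are folded with leading tabs, as they are in stored mail.
SAMPLE_ROWS = [
    ("01MmWEBktepN",
     "X-Quarantine-ID: <01MmWEBktepN>\n"
     "X-Spam-Flag: YES\n"
     "X-Spam-Score: 7.219\n"
     "X-Spam-Status: Yes, score=7.219 tag=0 tag2=5 kill=6.31\n"
     "\ttests=[DNS_FROM_AHBL_RHSBL=2.438, HTML_MESSAGE=0.001,\n"
     "\tRCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274, SPF_PASS=-0.001,\n"
     "\tT_REMOTE_IMAGE=0.01, URIBL_DBL_SPAM=1.7, URIBL_WS_SURBL=0.1533]\n"
     "\tautolearn=no\n"
     "From: \"Refinancing\" <unwanted@spam.com>\n"
     "Subject: We Could Save You Thousands\n"
     "\nbody text\n"),
    ("02abcDEFghij",  # constructed second message, different sender domain
     "X-Quarantine-ID: <02abcDEFghij>\n"
     "X-Spam-Status: Yes, score=5.4 tag=0 tag2=5 kill=6.31\n"
     "\ttests=[RDNS_NONE=1.274, URIBL_DBL_SPAM=1.7, HTML_MESSAGE=0.001,\n"
     "\tRCVD_IN_BRBL_LASTEXT=1.644, T_REMOTE_IMAGE=0.01, CONSTRUCTED_RULE=0.771]\n"
     "\tautolearn=no\n"
     "From: newsletter@other.example\n"
     "\nbody text\n"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the amavisd database (real deployments use MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quarantine (mail_id TEXT, mail_text TEXT)")
    conn.executemany("INSERT INTO quarantine VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unfold_headers(mail_text: str) -> str:
    """Return the header block with RFC 5322 folded lines joined into one logical line."""
    head = mail_text.split("\n\n", 1)[0]
    return re.sub(r"\r?\n[ \t]+", " ", head)


def parse_spam_status(mail_text: str) -> dict:
    """Extract the score, the tag/tag2/kill thresholds and per-rule points from X-Spam-Status."""
    head = unfold_headers(mail_text)
    m = re.search(r"^X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)(.*?)tests=\[(.*?)\]",
                  head, re.M)
    if not m:
        raise ValueError("no X-Spam-Status header")
    flag, score, between, tests = m.groups()
    rules = {}
    for item in tests.split(","):
        name, _, points = item.strip().partition("=")
        if name:
            rules[name] = float(points)
    thresholds = {k: float(v) for k, v in re.findall(r"\b(tag2?|kill)=(-?[\d.]+)", between)}
    return {"flagged": flag == "Yes", "score": float(score),
            "thresholds": thresholds, "rules": rules}


def parse_quarantine_id(mail_text: str) -> str:
    """Return the X-Quarantine-ID value, with or without angle brackets around it."""
    m = re.search(r"^X-Quarantine-ID:\s*<?([^>\s]+)", unfold_headers(mail_text), re.M)
    if not m:
        raise ValueError("no X-Quarantine-ID header")
    return m.group(1)


def classify(score: float) -> str:
    """Map a final score onto the article's example threshold table."""
    for threshold, action in THRESHOLDS:
        if score >= threshold:
            return action
    return "Deliver"


def find_quarantined(conn: sqlite3.Connection, needle: str) -> list:
    """Search mail_text for a sender (or any substring) and summarise each hit.

    The needle is passed as a bound parameter, so a value copied out of a mail
    header cannot change the SQL the way it could if pasted into the query text.
    """
    hits = []
    cur = conn.execute("SELECT mail_id, mail_text FROM quarantine WHERE mail_text LIKE ?",
                       ("%" + needle + "%",))
    for mail_id, mail_text in cur:
        status = parse_spam_status(mail_text)
        qid = parse_quarantine_id(mail_text)
        hits.append({
            "mail_id": mail_id,
            "quarantine_id": qid,
            "score": status["score"],
            # The per-rule points should add up to the reported score (3 decimals).
            "rules_sum": round(sum(status["rules"].values()), 3),
            "thresholds": status["thresholds"],
            "action": classify(status["score"]),
            "release_cmd": "amavisd-release " + qid,
        })
    return hits


if __name__ == "__main__":
    for hit in find_quarantined(build_db(), "spam.com"):
        print(hit)
```

Running it prints one hit for `spam.com` with quarantine id `01MmWEBktepN`, a rule sum of 7.219 matching the header's score, and the action `Quarantine` from the example table. Note that the header's own `kill=6.31` is lower than the table's 8.0; the table is the article's illustration, while the values in `X-Spam-Status` are what the server actually applied to that message.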
Armed with the quarantine-id, we can release the message using the `amavisd-release` command.
```
$ sudo amavisd-release 01MmWEBktepN
[sudo] password for user:
250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBD26146A8
```
You should now be able to find the message in your inbox or junk folder.