From: Thomas E. <Tho...@th...> - 2014-05-30 17:19:30
Peter,

any news about this?

Thomas

From: Peter Hinman <Peter.Hinman@MyIB.com>
To: ASSP development mailing list <ass...@li...>
Date: 23.05.2014 18:31
Subject: Re: [Assp-test] Attachments getting through

Thanks Thomas! I'll update both servers and watch it through the weekend.

Peter Hinman
International Bridge / ParcelPool.com

On 5/23/2014 3:08 AM, Thomas Eckardt wrote:
> Peter,
>
> I've released ASSP_AFC.pm 3.07 on SF and SF-CVS.
> It should deal with those files and detect them as bad attachment.
>
> Thomas
>
> From: Peter Hinman <Peter.Hinman@MyIB.com>
> To: ASSP development mailing list <ass...@li...>
> Date: 22.05.2014 17:16
> Subject: Re: [Assp-test] Attachments getting through
>
> Hi Thomas -
>
> I've sent the attachment to your personal email. It seems like ClamAV
> catches up after a day or two and starts identifying them (correctly) as
> a virus. If that's the case, please let me know and I can send you a
> fresh one.
>
> Peter Hinman
> International Bridge / ParcelPool.com
>
> On 5/21/2014 11:45 PM, Thomas Eckardt wrote:
>> Peter - please send me such a delivered bad attachment (zip it !!!!).
>>
>> Thomas
>>
>> From: Peter Hinman <Peter.Hinman@MyIB.com>
>> To: "<ass...@li...>" <ass...@li...>
>> Date: 22.05.2014 04:23
>> Subject: [Assp-test] Attachments getting through
>>
>> Hi Thomas -
>>
>> I've noticed recently that ASSP_AFC seems to be letting some attachments
>> through, but only some of the time.
>>
>> Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
>> servers) with MySQL database and ClamAV.
>>
>> Below are logs from two instances of an email with the same attachment.
>> The first time, AFC lets the email and the attachment through. When I
>> try to reproduce it, AFC correctly stops it the 2nd time.
>>
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... [scoring] spf_result:none
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... identity:www...@ro...
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... scope:mfrom
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... spf_record:
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... local_exp:rocksolidinternet.com: No applicable sender policy available
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... received_spf:Received-SPF: none (rocksolidinternet.com: No applicable sender policy available) receiver=ASSP2.myib.com; identity=mailfrom; envelope-from="www...@ro..."; helo=rems.rocksolidinternet.com.rocksolidinternet.com; client-ip=209.90.66.162
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... [scoring] SPF: none ip=209.90.66.162 mailfrom=www...@ro... helo=rems.rocksolidinternet.com.rocksolidinternet.com
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... info: SenderBase - query using SenderBase
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... MX englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP - this MX has failed
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... MX englandlogistics.com.inbound10.mxlogic.net has no or a private IP - this MX has failed
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... HMM Check [scoring] - Prob: 0.00000 => ham
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... Bayesian Check [scoring] - Prob: 0.95349 => spam
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... Message-Score: added 50 for Bayesian Probability: 0.95349, total score for this message is now 50
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... PB-IP-Score for '209.90.66.162' is 50, added 50 for Bayesian
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] [MessageLimit][lowlimit] 209.90.66.162 <www...@ro...> to: us...@pa... [spam found] and possibly passing because messagescore(50) low [England Logistics electronic invoice for 2014-05-20] -> discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... spam found and passing () [England Logistics electronic invoice for 2014-05-20]
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... [Plugin] calling plugin ASSP_AFC
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... ClamAV: scanned 626 bytes in message - OK
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... info: using user based compressed attachment check
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... ClamAV: scanned 34147 bytes in message - OK
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www...@ro...> to: us...@pa... info: 1 attachment found for Level-1
>>
>> 2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> Message-Score: added -0 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now 0
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... DKIM-Signature found
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... Message-Score: added -25 for 98.139.213 in griplist (0.11), total score for this message is now -25
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... [scoring] DKIM signature verified-OK - header-passed - sender policy is: neutral - author policy is: neutral
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now -30
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... info: domain yahoo.com has published a DMARC record
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... [scoring] spf_result:pass
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... identity:tes...@ya...
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... scope:mfrom
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... spf_record:v=spf1 redirect=_spf.mail.yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is authorized to use 'tes...@ya...' in 'mfrom' identity (mechanism 'ptr:yahoo.com' matched)
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is authorized to use 'tes...@ya...' in 'mfrom' identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com; identity=mailfrom; envelope-from="tes...@ya..."; helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... Message-Score: added -2 (spfpValencePB) for SPF pass, total score for this message is now -32
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... HMM-Check has given less than 6 results - using monitoring mode only
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... HMM Check [monitoring] - Prob: 0.00000 => ham
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... Bayesian Check [scoring] - Prob: 0.00000 => ham
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... [Plugin] calling plugin ASSP_AFC
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... ClamAV: scanned 6 bytes in message - OK
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... info: using user based compressed attachment check
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] [Attachment] 98.139.213.147 <tes...@ya...> to: us...@pa... SPAM FOUND bad attachment 'W5281021.zip' is a 'compressed file 'W5281021.zip' - contains forbidden executable file W21052014.exe - type: Win32 EXE'
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] [Attachment] 98.139.213.147 <tes...@ya...> to: us...@pa... mail blocked by Plugin ASSP_AFC - reason BadAttachment
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] [Attachment] 98.139.213.147 <tes...@ya...> to: us...@pa... [spam found] (BadAttachment) [test];
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <tes...@ya...> to: us...@pa... [SMTP Error] 550 5.7.1 These attachments are not allowed.
>>
>> My UserAttach setting is:
>>
>> zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>>
>> If you can see what I'm missing, or if you need me to enable additional
>> logging, please let me know. I'd like to stop this from coming
>> through. There are several users that have a bad habit of opening
>> things they shouldn't.
>>
>> Thanks,

_______________________________________________
Assp-test mailing list
Ass...@li...
https://lists.sourceforge.net/lists/listinfo/assp-test
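Added example (not part of the original thread and not ASSP code): a log triage script for the "only some of the time" symptom described above, listing messages where ASSP_AFC was called, an attachment was found and no block followed, with spam-scored messages ranked first. The marker strings are copied from the quoted log; the sample log is constructed with placeholder addresses, and it is assumed that the real log file holds one entry per line.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log entries quoted in the thread
# (message ids, IPs and addresses are placeholders; one entry per line).
SAMPLE_LOG = """\
2014-05-21 16:52:07 m1-00001-00001 [Worker_2] [TLS-out] 192.0.2.10 <a@example.org> to: u@example.com spam found and passing () [invoice]
2014-05-21 16:52:07 m1-00001-00001 [Worker_2] [TLS-out] 192.0.2.10 <a@example.org> to: u@example.com [Plugin] calling plugin ASSP_AFC
2014-05-21 16:52:07 m1-00001-00001 [Worker_2] [TLS-out] 192.0.2.10 <a@example.org> to: u@example.com ClamAV: scanned 34147 bytes in message - OK
2014-05-21 16:52:07 m1-00001-00001 [Worker_2] [TLS-out] 192.0.2.10 <a@example.org> to: u@example.com info: 1 attachment found for Level-1
2014-05-22 01:07:17 m1-00002-00002 [Worker_1] [TLS-in] 192.0.2.20 <b@example.net> to: u@example.com [Plugin] calling plugin ASSP_AFC
2014-05-22 01:07:17 m1-00002-00002 [Worker_1] [TLS-in] [Attachment] 192.0.2.20 <b@example.net> to: u@example.com mail blocked by Plugin ASSP_AFC - reason BadAttachment
2014-05-22 01:09:00 m1-00003-00003 [Worker_1] [TLS-in] 192.0.2.30 <c@example.net> to: u@example.com [Plugin] calling plugin ASSP_AFC
2014-05-22 01:09:00 m1-00003-00003 [Worker_1] [TLS-in] 192.0.2.30 <c@example.net> to: u@example.com info: 1 attachment found for Level-1
"""

# timestamp, message id, worker tag, rest of the entry
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) \[Worker_\d+\] (.*)$")

# Marker phrases as they appear in the quoted log entries.
MARKERS = {
    "afc": re.compile(r"calling plugin ASSP_AFC"),
    "attachment": re.compile(r"\d+ attachments? found for Level-\d+"),
    "blocked": re.compile(r"mail blocked by Plugin ASSP_AFC"),
    "spam_passing": re.compile(r"spam found\]? and (possibly )?passing"),
}

def triage(log_text):
    """Return {message id: set of marker names seen for that message}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # continuation or foreign line: ignore
        for name, rx in MARKERS.items():
            if rx.search(m.group(3)):
                seen[m.group(2)].add(name)
    return dict(seen)

def passed_with_attachment(log_text):
    """Messages AFC inspected, found an attachment in, and did not block.
    Spam-scored messages that were still passing are listed first."""
    out = []
    for msgid, flags in triage(log_text).items():
        if {"afc", "attachment"} <= flags and "blocked" not in flags:
            out.append((msgid, "high" if "spam_passing" in flags else "review"))
    return sorted(out, key=lambda item: (item[1] != "high", item[0]))

if __name__ == "__main__":
    for msgid, priority in passed_with_attachment(SAMPLE_LOG):
        print(priority, msgid)
```

The message ids it reports can be matched against the stored .eml copies to pull the attachments for inspection.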