From: Thomas E. <Tho...@th...> - 2012-05-20 07:36:34
>Shouldn't ASSP do the virus check before the spam check

May-18-12 07:52:28
May-18-12 07:52:38

It has taken 10 seconds to do the virus check. It is not possible to do this check (before spam checks) on every mail on high load systems.

May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] SPF: fail ip=37.45.95.183 mai...@bm... helo=[37.45.95.183]
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 10 (spfValencePB) for SPF fail, total score for this message is now 15

There is no good reason to do any further check if SPF fails! Increase the score or set SPF to block.

>I found one message which is stored in ./spam.

ASSP was unable to remove the file in ./spam for any reason. Normally ASSP will remove the stored file and will recreate a new one - in your case the new one would be NULL.

Thomas

From: Marcus Bergmann <ber...@te...>
To: "ass...@li..." <ass...@li...>,
Date: 19.05.2012 18:07
Subject: [Assp-user] Spam lover mail is stored even it contains virus

Hi All,

I'm using ASSP 2.1.1(12090). I have configured SpamVirusLog:=0. Inside the maillog.txt I found one message which is stored in ./spam. Here is the log:

May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: '[37.45.95.183]', total score for this message is now 5
May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> [scoring] (Suspicious HELO - contains IP: '[37.45.95.183]')
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] SPF: fail ip=37.45.95.183 mai...@bm... helo=[37.45.95.183]
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 10 (spfValencePB) for SPF fail, total score for this message is now 15
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [DNSBL] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 25 for DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org, total score for this message is now 40
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [PTRmissing] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] (PTR missing)
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 50
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [MessageLimit][sl] 37.45.95.183 <fli...@bm...> to: us...@do... [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... ClamAV: scanned 60690 bytes in message - FOUND Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 50 (vdValencePB) for virus detected: 'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)', total score for this message is now 100
May-18-12 07:52:38 m1-20347-11296 [Worker_2] [VIRUS] 37.45.95.183 <fli...@bm...> to: us...@do... [spam found] (virus detected: 'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)') [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml;
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [SMTP Error] 554 5.7.1 Mail appears infected with \[Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)\].
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [SMTP Status] 451 4.7.1 Greylisted - Please try again later

After the message gets some penalty points because of HELO, SPF, DNSBL and PTR the MessageScore limit of 50 is reached and the message is stored in ./spam folder. Then ASSP detects via ClamAV that the message contains a virus and rejects it.

Shouldn't ASSP do the virus check before the spam check, reject and don't store the message?

We want to use the following policy:
faked local sender or unknown local receiver or message contains virus -> reject them all, don't store;
all other spam -> reject (e.g. DNSBL) or tag (e.g. Bayesian), store in ./spam for resend via reports.

Thank you,
Marcus
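
Added example, not part of the original thread and not ASSP code: a Python check that correlates maillog.txt lines by message ID to list files written to ./spam for messages that ClamAV later flagged, together with the delay between the store and the detection. The sample lines are constructed in the layout quoted above, and the regular expressions are assumptions inferred from those lines rather than a documented ASSP log format.

```python
import re
from datetime import datetime

# Constructed sample lines in the maillog.txt layout quoted in this thread
# (addresses, IPs, paths and signature names are made up).
SAMPLE_LOG = """\
May-18-12 07:52:28 m1-00001-00001 [Worker_2] [MessageLimit][sl] 192.0.2.10 <a@example.org> to: u@example.net [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [Subject one] -> /opt/assp/spam/Subject_one--1.eml
May-18-12 07:52:38 m1-00001-00001 [Worker_2] 192.0.2.10 <a@example.org> to: u@example.net ClamAV: scanned 60690 bytes in message - FOUND Example.Test-1(constructed)
May-18-12 07:52:38 m1-00001-00001 [Worker_2] [VIRUS] 192.0.2.10 <a@example.org> to: u@example.net [spam found] (virus detected: 'Example.Test-1(constructed)') [Subject one] -> /opt/assp/spam/Subject_one--1.eml;
May-18-12 08:00:01 m1-00002-00002 [Worker_1] [DNSBL] 198.51.100.7 <b@example.org> to: u@example.net [spam found] (DNSBL) [Subject two] -> /opt/assp/spam/Subject_two--2.eml
"""

# Assumed layout: "<date> <time> <message id> [Worker_N] <rest>"
LINE = re.compile(r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) \[Worker_\d+\] (.*)$")
STORED = re.compile(r"-> (\S+?\.eml)\b")   # file the message was written to
FOUND = re.compile(r"ClamAV: scanned \d+ bytes in message - FOUND (\S+)")

def infected_stored_files(log_text):
    """Return {msg_id: record} for messages that were both written to disk
    and flagged by ClamAV; record has 'paths', 'virus' and 'delay' (seconds
    from the first store to the ClamAV hit, None if the hit came first)."""
    msgs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a per-message log line
        ts = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        rec = msgs.setdefault(m.group(2), {"paths": set(), "virus": None,
                                           "first_store": None, "delay": None})
        stored = STORED.search(m.group(3))
        if stored:
            rec["paths"].add(stored.group(1))
            rec["first_store"] = rec["first_store"] or ts
        found = FOUND.search(m.group(3))
        if found:
            rec["virus"] = found.group(1)
            if rec["first_store"]:
                rec["delay"] = (ts - rec["first_store"]).total_seconds()
    return {k: v for k, v in msgs.items() if v["virus"] and v["paths"]}

if __name__ == "__main__":
    for msg_id, rec in infected_stored_files(SAMPLE_LOG).items():
        print(msg_id, rec["virus"], sorted(rec["paths"]), rec["delay"])
```

Each path reported still has to be checked on disk, since the log alone does not show whether the file was removed afterwards.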