On 8/17/2012 9:32 AM, Thomas Eckardt wrote:
> So it seems there is a change in 2.008 that prevents assp from accessing
> the record - will have a look.
>
> Thomas
>
Looks like SPF is starting to process again - I'll see when the next efax.com mail hits how it processes. In the meantime...here's a log excerpt for processing a spoof:

Aug-17-12 12:46:20 [Worker_1] Connected: 207.201.200.66:2441 > 192.168.0.2:25 > 127.0.0.1:125
Aug-17-12 12:46:21 [Worker_1] 207.201.200.66 info: injected STARTTLS request to 127.0.0.1
Aug-17-12 12:46:21 32781-00851 [Worker_1] [TLS-out] 207.201.200.66 <mess...@inbound.efax.com> Regex:NoProcessingDomain 'efax.com'
Aug-17-12 12:46:22 32781-00851 [Worker_1] [TLS-out] 207.201.200.66 <mess...@inbound.efax.com> info: recipient a.mil...@amfes.com replaced with faxrecei...@amfes.com
Aug-17-12 12:46:22 32781-00851 [Worker_1] [TLS-out] 207.201.200.66 <mess...@inbound.efax.com> to: faxrecei...@amfes.com [scoring] SPF: neutral ip=207.201.200.66 mailfrom=mess...@inbound.efax.com helo=biohorizons.com
Aug-17-12 12:46:22 32781-00851 [Worker_1] [TLS-out] 207.201.200.66 <mess...@inbound.efax.com> to: faxrecei...@amfes.com Message-Score: added 5 (spfnValencePB) for SPF neutral, total score for this message is now 5
Aug-17-12 12:46:22 32781-00851 [Worker_1] [TLS-out] 207.201.200.66 <mess...@inbound.efax.com> to: faxrecei...@amfes.com ClamAV: scanned 5786 bytes in noprocessing message - FOUND Sanesecurity.Malware.20030.WebHeur.1608.UNOFFICIAL(a483219dc3155604942aa91d289f92ec:5786)
Aug-17-12 12:46:22 32781-00851 [Worker_1] [TLS-out] 207.201.200.66 <mess...@inbound.efax.com> to: faxrecei...@amfes.com Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Malware.20030.WebHeur.1608.UNOFFICIAL(a483219dc3155604942aa91d289f92ec:5786)', total score for this message is now 55
Aug-17-12 12:46:22 32781-00851 [Worker_1] [TLS-out] [VIRUS] 207.201.200.66 <mess...@inbound.efax.com> to: faxrecei...@amfes.com [spam found] (virus detected: 'Sanesecurity.Malware.20030.WebHeur.1608.UNOFFICIAL(a483219dc3155604942aa91d289f92ec:5786)') [Corporate eFax message 4 pages];
Aug-17-12 12:46:22 32781-00851 [Worker_1] [SSL-out] 207.201.200.66 <mess...@inbound.efax.com> to: faxrecei...@amfes.com finished message - received DATA size: 5.65 kByte - sent DATA size: 0 Byte
Aug-17-12 12:46:22 [Worker_1] Disconnected: 207.201.200.66 - processing time 2 seconds

Now I'm torn on how to adjust for this. I don't want to filter proper efax.com messages - but if ClamAV+SaneSecurity can filter out junk faxes...I might want to move efax.com out of noprocessing but keep it in a whitelist.

In this case, it's a junk sender - especially as it's a bogus recipient address - but the recipient re-write rule eliminates that test because it gets applied before the valid local recipient test is performed.

-- 
Daniel

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
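A triage sketch for the question raised in this message, added here as an example and not part of the original thread or of ASSP: it groups log lines by message ID and lists noprocessing matches that also carry a non-pass SPF result, a HELO outside the noprocessing domain, or a ClamAV hit. The sample lines are constructed in the layout of the excerpt above, and the regular expressions assume that layout.

```python
import re
from collections import defaultdict

# Constructed sample lines (addresses, IPs and the signature name are made up);
# only the field layout follows the log excerpt in the message.
SAMPLE_LOG = """\
Aug-17-12 12:46:20 [Worker_1] Connected: 192.0.2.10:2441 > 198.51.100.2:25
Aug-17-12 12:46:21 10001-00001 [Worker_1] [TLS-out] 192.0.2.10 <fax@inbound.fax.example> Regex:NoProcessingDomain 'fax.example'
Aug-17-12 12:46:22 10001-00001 [Worker_1] [TLS-out] 192.0.2.10 <fax@inbound.fax.example> to: faxes@corp.example [scoring] SPF: neutral ip=192.0.2.10 mailfrom=fax@inbound.fax.example helo=other.example
Aug-17-12 12:46:22 10001-00001 [Worker_1] [TLS-out] 192.0.2.10 <fax@inbound.fax.example> to: faxes@corp.example ClamAV: scanned 5786 bytes in noprocessing message - FOUND Constructed.Test.Signature
Aug-17-12 12:50:01 10002-00002 [Worker_1] [TLS-out] 192.0.2.20 <fax@inbound.fax.example> Regex:NoProcessingDomain 'fax.example'
Aug-17-12 12:50:02 10002-00002 [Worker_1] [TLS-out] 192.0.2.20 <fax@inbound.fax.example> to: faxes@corp.example [scoring] SPF: pass ip=192.0.2.20 mailfrom=fax@inbound.fax.example helo=mx1.fax.example
"""

# Lines without a message ID (Connected/Disconnected) do not match and are skipped.
LINE = re.compile(r"^\S+ \S+ (?P<msg>\d+-\d+) (?P<rest>.*)$")
PATTERNS = {
    "noprocessing": re.compile(r"Regex:NoProcessingDomain '([^']+)'"),
    "spf": re.compile(r"SPF: (\w+) ip=\S+ mailfrom=\S+ helo=(\S+)"),
    "clamav": re.compile(r"ClamAV: .* - FOUND (\S+)"),
}

def suspicious(log_text):
    """Return {message_id: [reasons]} for noprocessing messages worth a second look."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for key, rx in PATTERNS.items():
            hit = rx.search(m["rest"])
            if hit:
                msgs[m["msg"]][key] = hit.groups()
    report = {}
    for msg_id, rec in msgs.items():
        if "noprocessing" not in rec:
            continue
        domain, reasons = rec["noprocessing"][0], []
        if "spf" in rec:
            result, helo = rec["spf"]
            if result != "pass":
                reasons.append(f"SPF {result}")
            # A foreign HELO is only a hint: legitimate relays can use other names.
            if helo != domain and not helo.endswith("." + domain):
                reasons.append(f"HELO {helo} outside {domain}")
        if "clamav" in rec:
            reasons.append(f"ClamAV {rec['clamav'][0]}")
        if reasons:
            report[msg_id] = reasons
    return report

if __name__ == "__main__":
    for msg_id, reasons in suspicious(SAMPLE_LOG).items():
        print(msg_id, "; ".join(reasons))
```

Run over a longer log, the count of flagged versus unflagged noprocessing messages gives a rough idea of how many legitimate messages from the domain would be affected by taking it out of noprocessing.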