Thomas,
I noticed it was missing from X-Assp-Detected-URI. I just pulled the log
entries, which match. Not detected in log either.
I can send you the raw email as a zip file.
X-Assp-Detected-URI: emailonline.chase.com(1), chase.com(2),
emerytelcom.net(1)
Here are the log entries for mine:
Find all "71345-07122", Subfolders, Find Results 1, "F:\LogNo\mx03", "*.*"
F:\LogNo\mx03\13-07-19.maillog.txt(687902):13-Jul-19 18:02:25
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> IP
67.22.175.244 matches noPBwhite - with 0.0.0.0/1
F:\LogNo\mx03\13-07-19.maillog.txt(687905):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> [SMTP
Reply] 250 OK
F:\LogNo\mx03\13-07-19.maillog.txt(687908):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]>
[email protected] validated by ldapcache
F:\LogNo\mx03\13-07-19.maillog.txt(687909):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] recipient accepted: [email protected]
F:\LogNo\mx03\13-07-19.maillog.txt(687910):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [SMTP Reply] 250 OK
F:\LogNo\mx03\13-07-19.maillog.txt(687911):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [SMTP Reply] 354 OK, send.
F:\LogNo\mx03\13-07-19.maillog.txt(687913):13-Jul-19 18:02:26
71345-07122 [Worker_1] [MsgID] 67.22.175.244
<[email protected]> to: [email protected] [scoring] (Message-ID
missing)
F:\LogNo\mx03\13-07-19.maillog.txt(687914):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] Message-Score: added 10 (midmValencePB) for Message-ID
missing, total score for this message is now 10
F:\LogNo\mx03\13-07-19.maillog.txt(687915):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] PB-IP-Score for '67.22.175.244' is 10, added 10 for
Msg-IDmissing
F:\LogNo\mx03\13-07-19.maillog.txt(687916):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] DKIM domain-check skipped -
emailonline.chase.com does not support DKIM
F:\LogNo\mx03\13-07-19.maillog.txt(687925):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: domain emailonline.chase.com has published a
DMARC record
F:\LogNo\mx03\13-07-19.maillog.txt(687926):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] SPF: fail ip=67.22.175.244
[email protected] helo=magicmail.etv.net
F:\LogNo\mx03\13-07-19.maillog.txt(687927):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] Message-Score: added 10 (spfValencePB) for SPF fail,
total score for this message is now 20
F:\LogNo\mx03\13-07-19.maillog.txt(687928):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] PB-IP-Score for '67.22.175.244' is 20, added 10 for SPFfail
F:\LogNo\mx03\13-07-19.maillog.txt(687929):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] DMARC: this mail breakes the DKIM policies defined in
the DMARC record for domain emailonline.chase.com - there is no
DKIM-signature found in this mail for domain emailonline.chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687930):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] SenderBase -- country:US orgname:EMERY TELCOM
domain:etv.net
F:\LogNo\mx03\13-07-19.maillog.txt(687932):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] no Bomb found in header
F:\LogNo\mx03\13-07-19.maillog.txt(687934):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] MX found: emailonline.chase.com ->
cluster14.us.messagelabs.com
F:\LogNo\mx03\13-07-19.maillog.txt(687935):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] A record found: emailonline.chase.com -> 216.82.254.196
F:\LogNo\mx03\13-07-19.maillog.txt(687936):13-Jul-19 18:02:28
71345-07122 [Worker_1] [PTRinvalid] 67.22.175.244
<[email protected]> to: [email protected] found valid PTR
mail.etv.net
F:\LogNo\mx03\13-07-19.maillog.txt(687937):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: attachment Chase Online Profile Verification
Form.htm found for Level-1
F:\LogNo\mx03\13-07-19.maillog.txt(687938):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: 1 attachment found for Level-1
F:\LogNo\mx03\13-07-19.maillog.txt(687939):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] no Bomb found for 'bombSuspiciousRe'
F:\LogNo\mx03\13-07-19.maillog.txt(687940):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] no Bomb found for 'bombDataRe'
F:\LogNo\mx03\13-07-19.maillog.txt(687941):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] no Bomb found for 'bombRe'
F:\LogNo\mx03\13-07-19.maillog.txt(687942):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [scoring] no Bomb found for 'bombCharSets'
F:\LogNo\mx03\13-07-19.maillog.txt(687943):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] no Bomb found for 'bombBlack'
F:\LogNo\mx03\13-07-19.maillog.txt(687944):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] ClamAV: scanned 29512 bytes in message - OK
F:\LogNo\mx03\13-07-19.maillog.txt(687946):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: found URI chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687948):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: found URI emailonline.chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687949):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: registered URI chase.com for check
F:\LogNo\mx03\13-07-19.maillog.txt(687950):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: registered URI emailonline.chase.com for check
F:\LogNo\mx03\13-07-19.maillog.txt(687951):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: found raw URI/URL @emailonline.chase.com>
F:\LogNo\mx03\13-07-19.maillog.txt(687954):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: found URI emailonline.chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687955):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: registered TLD URI chase.com for check
F:\LogNo\mx03\13-07-19.maillog.txt(687956):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: found raw URI/URL @emerytelcom.net
F:\LogNo\mx03\13-07-19.maillog.txt(687959):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: found URI emerytelcom.net
F:\LogNo\mx03\13-07-19.maillog.txt(687960):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: registered TLD URI emerytelcom.net for check
F:\LogNo\mx03\13-07-19.maillog.txt(687971):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] URIBL: lookup returned <1> for chase.com - res: ''
F:\LogNo\mx03\13-07-19.maillog.txt(687982):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] URIBL: lookup returned <1> for emailonline.chase.com -
res: ''
F:\LogNo\mx03\13-07-19.maillog.txt(687993):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] URIBL: lookup returned <1> for emerytelcom.net - res: ''
F:\LogNo\mx03\13-07-19.maillog.txt(687994):13-Jul-19 18:02:28
71345-07122 [Worker_1] [MessageLimit][lowlimit] 67.22.175.244
<[email protected]> to: [email protected] [spam found] and
possibly passing because messagescore(20) low [Urgent Verification of
Recent Activities Required]
F:\LogNo\mx03\13-07-19.maillog.txt(687995):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] spam found and passing () [Urgent Verification of
Recent Activities Required]
F:\LogNo\mx03\13-07-19.maillog.txt(687996):13-Jul-19 18:02:29
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] [SMTP Reply] 250 Queued (2.344 seconds)
F:\LogNo\mx03\13-07-19.maillog.txt(687997):13-Jul-19 18:02:29
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] info: no (more) data readable from 67.22.175.244
(connection closed by peer) - last command was 'QUIT'
F:\LogNo\mx03\13-07-19.maillog.txt(687998):13-Jul-19 18:02:29
71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to:
[email protected] finished message - received DATA size: 29.67 kByte -
sent DATA size: 29.67 kByte
Matching lines: 46 Matching files: 1 Total files searched: 3
Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)
On 7/20/2013 5:11 AM, Thomas Eckardt wrote:
> I can't reproduce this - the URI is detected in an HTML header. But is not
> detected by the URIBL providers.
> I've included the URI this way:
>
> <HTML><HEAD>
> <script type=3D"text/javascript" src=3D"
> http://kanaatbiber.com.tr/images/cr=
> editcard.js"></script>
> </HEAD>
>
> Jul-20-13 10:56:22 [Worker_1] Info: found raw URI/URL kanaatbiber.com.tr/
> Jul-20-13 10:56:22 [Worker_1] LDAP - @com.tr not found in LDAP-cache
> (ldaplistdb)
> Jul-20-13 10:56:22 [Worker_1] LDAP - @kanaatbiber.com.tr not found in
> LDAP-cache (ldaplistdb)
> Jul-20-13 10:56:22 [Worker_1] Info: found URI kanaatbiber.com.tr
> Jul-20-13 10:56:22 [Worker_1] Info: registered TLD(2/3) URI
> kanaatbiber.com.tr for check
> .....
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on
> multi.surbl.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53]
> on multi.surbl.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on
> black.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53]
> on black.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on
> multi.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on
> multi.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on
> uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53]
> on uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on
> sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53]
> on sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on
> uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on
> uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on
> dob.sibl.support-intelligence.net for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53]
> on dob.sibl.support-intelligence.net for URIBL checks on
> kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Commencing URIBL checks on
> 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] Got 4 answers, 4 replies and 0 hits after 0
> seconds for URIBL checks on 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] Got OK replies from (black.uribl.com
> multi.uribl.com uribl.swinog.ch) - NOTOK replies from () for URIBL on
> 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] Completed URIBL checks on
> 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] URIBL: lookup returned <1> for
> kanaatbiber.com.tr - res: ''
>
> Thomas
>
>
>
>
> From: Michael Thomas <[email protected]>
> To: ASSP development mailing list <[email protected]>,
> Date: 20.07.2013 06:03
> Subject: [Assp-test] Javascript SRC URI
>
>
>
> Thomas,
>
> ASSP version 2.3.4(13187)
>
> Failed to detect URI in head section of HTML section. This message was a
> bank scam. The only external URIs in the body of the message were image
> src URIs of actual bank images. The active scam URIs were all
> javascript invocations.
>
> <script type=3D"text/javascript" src=3D"
> http://kanaatbiber.com.tr/images/cr=
> editcard.js"></script>
>
>
>
> _______________________________________________
> Assp-test mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
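The detection gap discussed in this thread turns on two details visible in the quoted snippet: the script URL sits in the HTML head rather than the body, and the quoted-printable soft line break ("cr=" / "editcard.js") splits it across two wire lines. As an added example (not ASSP's own code, and in Python rather than ASSP's Perl), the block below decodes the transfer encoding before walking the tags and contrasts that with a naive scan of the raw text; the body <img> line and the function names are constructed for the illustration.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (added example, not from the thread): the reported <head>
# snippet as it sits in the raw message, still quoted-printable: "=3D" is an
# encoded '=' and "cr=\r\neditcard.js" is a soft break splitting the script URL.
SAMPLE_QP = (
    '<HTML><HEAD>\r\n'
    '<script type=3D"text/javascript" src=3D"\r\n'
    'http://kanaatbiber.com.tr/images/cr=\r\n'
    'editcard.js"></script>\r\n'
    '</HEAD><BODY>\r\n'
    '<img src=3D"https://emailonline.chase.com/img/logo.gif">\r\n'  # hypothetical body image
    '</BODY></HTML>\r\n'
)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

class SrcCollector(HTMLParser):
    """Collect src/href values from every tag, <head> included."""
    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ('src', 'href') and value:
                self.uris.append(value.strip())

def uris_from_raw_wire(qp_text):
    """Naive scan of the undecoded wire text: the match stops at the soft break 'cr='."""
    return URL_RE.findall(qp_text)

def uris_from_decoded_html(qp_text):
    """Decode quoted-printable first, then walk the tags so the <head> script src is seen."""
    html = quopri.decodestring(qp_text.encode('ascii')).decode('utf-8', 'replace')
    parser = SrcCollector()
    parser.feed(html)
    return [u for u in parser.uris if URL_RE.fullmatch(u)]

def detected_hosts(qp_text):
    """Hostnames in the order found, in the spirit of the X-Assp-Detected-URI header."""
    hosts = []
    for uri in uris_from_decoded_html(qp_text):
        host = urlsplit(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts
```

The raw scan yields a truncated `.../images/cr=` for the script and never sees `editcard.js`, while the decoded walk returns the full `creditcard.js` URL together with the body image link.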