I'm missing the attachment, Michael.

Thomas

From: Michael Thomas <[email protected]>
To: ASSP development mailing list <[email protected]>,
Date: 20.07.2013 17:08
Subject: Re: [Assp-test] Reply: Re: Reply: Javascript SRC URI

Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)

On 7/20/2013 5:59 AM, Thomas Eckardt wrote:
>> I can send you the raw email as a zip file.
>
> Yes, please!
>
> Thomas
>
> From: Michael Thomas <[email protected]>
> To: ASSP development mailing list <[email protected]>,
> Date: 20.07.2013 11:54
> Subject: Re: [Assp-test] Reply: Javascript SRC URI
>
> Thomas,
>
> I noticed it was missing from X-Assp-Detected-URI. I just pulled the log
> entries, which match. Not detected in log either.
>
> I can send you the raw email as a zip file.
>
> X-Assp-Detected-URI: emailonline.chase.com(1), chase.com(2), emerytelcom.net(1)
>
> Here are the log entries for mine:
>
> Find all "71345-07122", Subfolders, Find Results 1, "F:\LogNo\mx03", "*.*"
> F:\LogNo\mx03\13-07-19.maillog.txt(687902):13-Jul-19 18:02:25 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> IP 67.22.175.244 matches noPBwhite - with 0.0.0.0/1
> F:\LogNo\mx03\13-07-19.maillog.txt(687905):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> [SMTP Reply] 250 OK
> F:\LogNo\mx03\13-07-19.maillog.txt(687908):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> [email protected] validated by ldapcache
> F:\LogNo\mx03\13-07-19.maillog.txt(687909):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] recipient accepted: [email protected]
> F:\LogNo\mx03\13-07-19.maillog.txt(687910):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [SMTP Reply] 250 OK
> F:\LogNo\mx03\13-07-19.maillog.txt(687911):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [SMTP Reply] 354 OK, send.
> F:\LogNo\mx03\13-07-19.maillog.txt(687913):13-Jul-19 18:02:26 71345-07122 [Worker_1] [MsgID] 67.22.175.244 <[email protected]> to: [email protected] [scoring] (Message-ID missing)
> F:\LogNo\mx03\13-07-19.maillog.txt(687914):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] Message-Score: added 10 (midmValencePB) for Message-ID missing, total score for this message is now 10
> F:\LogNo\mx03\13-07-19.maillog.txt(687915):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] PB-IP-Score for '67.22.175.244' is 10, added 10 for Msg-IDmissing
> F:\LogNo\mx03\13-07-19.maillog.txt(687916):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] DKIM domain-check skipped - emailonline.chase.com does not support DKIM
> F:\LogNo\mx03\13-07-19.maillog.txt(687925):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: domain emailonline.chase.com has published a DMARC record
> F:\LogNo\mx03\13-07-19.maillog.txt(687926):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] SPF: fail ip=67.22.175.244 [email protected] helo=magicmail.etv.net
> F:\LogNo\mx03\13-07-19.maillog.txt(687927):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] Message-Score: added 10 (spfValencePB) for SPF fail, total score for this message is now 20
> F:\LogNo\mx03\13-07-19.maillog.txt(687928):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] PB-IP-Score for '67.22.175.244' is 20, added 10 for SPFfail
> F:\LogNo\mx03\13-07-19.maillog.txt(687929):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] DMARC: this mail breakes the DKIM policies defined in the DMARC record for domain emailonline.chase.com - there is no DKIM-signature found in this mail for domain emailonline.chase.com
> F:\LogNo\mx03\13-07-19.maillog.txt(687930):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] SenderBase -- country:US orgname:EMERY TELCOM domain:etv.net
> F:\LogNo\mx03\13-07-19.maillog.txt(687932):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] no Bomb found in header
> F:\LogNo\mx03\13-07-19.maillog.txt(687934):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] MX found: emailonline.chase.com -> cluster14.us.messagelabs.com
> F:\LogNo\mx03\13-07-19.maillog.txt(687935):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] A record found: emailonline.chase.com -> 216.82.254.196
> F:\LogNo\mx03\13-07-19.maillog.txt(687936):13-Jul-19 18:02:28 71345-07122 [Worker_1] [PTRinvalid] 67.22.175.244 <[email protected]> to: [email protected] found valid PTR mail.etv.net
> F:\LogNo\mx03\13-07-19.maillog.txt(687937):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: attachment Chase Online Profile Verification Form.htm found for Level-1
> F:\LogNo\mx03\13-07-19.maillog.txt(687938):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: 1 attachment found for Level-1
> F:\LogNo\mx03\13-07-19.maillog.txt(687939):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] no Bomb found for 'bombSuspiciousRe'
> F:\LogNo\mx03\13-07-19.maillog.txt(687940):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] no Bomb found for 'bombDataRe'
> F:\LogNo\mx03\13-07-19.maillog.txt(687941):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] no Bomb found for 'bombRe'
> F:\LogNo\mx03\13-07-19.maillog.txt(687942):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [scoring] no Bomb found for 'bombCharSets'
> F:\LogNo\mx03\13-07-19.maillog.txt(687943):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] no Bomb found for 'bombBlack'
> F:\LogNo\mx03\13-07-19.maillog.txt(687944):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] ClamAV: scanned 29512 bytes in message - OK
> F:\LogNo\mx03\13-07-19.maillog.txt(687946):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: found URI chase.com
> F:\LogNo\mx03\13-07-19.maillog.txt(687948):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: found URI emailonline.chase.com
> F:\LogNo\mx03\13-07-19.maillog.txt(687949):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: registered URI chase.com for check
> F:\LogNo\mx03\13-07-19.maillog.txt(687950):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: registered URI emailonline.chase.com for check
> F:\LogNo\mx03\13-07-19.maillog.txt(687951):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: found raw URI/URL @emailonline.chase.com>
> F:\LogNo\mx03\13-07-19.maillog.txt(687954):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: found URI emailonline.chase.com
> F:\LogNo\mx03\13-07-19.maillog.txt(687955):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: registered TLD URI chase.com for check
> F:\LogNo\mx03\13-07-19.maillog.txt(687956):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: found raw URI/URL @emerytelcom.net
> F:\LogNo\mx03\13-07-19.maillog.txt(687959):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: found URI emerytelcom.net
> F:\LogNo\mx03\13-07-19.maillog.txt(687960):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: registered TLD URI emerytelcom.net for check
> F:\LogNo\mx03\13-07-19.maillog.txt(687971):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] URIBL: lookup returned <1> for chase.com - res: ''
> F:\LogNo\mx03\13-07-19.maillog.txt(687982):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] URIBL: lookup returned <1> for emailonline.chase.com - res: ''
> F:\LogNo\mx03\13-07-19.maillog.txt(687993):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] URIBL: lookup returned <1> for emerytelcom.net - res: ''
> F:\LogNo\mx03\13-07-19.maillog.txt(687994):13-Jul-19 18:02:28 71345-07122 [Worker_1] [MessageLimit][lowlimit] 67.22.175.244 <[email protected]> to: [email protected] [spam found] and possibly passing because messagescore(20) low [Urgent Verification of Recent Activities Required]
> F:\LogNo\mx03\13-07-19.maillog.txt(687995):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] spam found and passing () [Urgent Verification of Recent Activities Required]
> F:\LogNo\mx03\13-07-19.maillog.txt(687996):13-Jul-19 18:02:29 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] [SMTP Reply] 250 Queued (2.344 seconds)
> F:\LogNo\mx03\13-07-19.maillog.txt(687997):13-Jul-19 18:02:29 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] info: no (more) data readable from 67.22.175.244 (connection closed by peer) - last command was 'QUIT'
> F:\LogNo\mx03\13-07-19.maillog.txt(687998):13-Jul-19 18:02:29 71345-07122 [Worker_1] 67.22.175.244 <[email protected]> to: [email protected] finished message - received DATA size: 29.67 kByte - sent DATA size: 29.67 kByte
> Matching lines: 46 Matching files: 1 Total files searched: 3
>
> Michael Thomas
> Mathbox
> 978-687-3300
> Toll Free: 1-877-MATHBOX (1-877-628-4269)
>
> On 7/20/2013 5:11 AM, Thomas Eckardt wrote:
>> I can't reproduce this - the URI is detected in a HTML header. But is not
>> detected by the URIBL providers.
>> I've included the URI this way:
>>
>> <HTML><HEAD>
>> <script type=3D"text/javascript" src=3D"
>> http://kanaatbiber.com.tr/images/cr=
>> editcard.js"></script>
>> </HEAD>
>>
>> Jul-20-13 10:56:22 [Worker_1] Info: found raw URI/URL kanaatbiber.com.tr/
>> Jul-20-13 10:56:22 [Worker_1] LDAP - @com.tr not found in LDAP-cache (ldaplistdb)
>> Jul-20-13 10:56:22 [Worker_1] LDAP - @kanaatbiber.com.tr not found in LDAP-cache (ldaplistdb)
>> Jul-20-13 10:56:22 [Worker_1] Info: found URI kanaatbiber.com.tr
>> Jul-20-13 10:56:22 [Worker_1] Info: registered TLD(2/3) URI kanaatbiber.com.tr for check
>> .....
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on multi.surbl.org for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53] on multi.surbl.org for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on black.uribl.com for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53] on black.uribl.com for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on multi.uribl.com for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on multi.uribl.com for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53] on uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53] on sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on dob.sibl.support-intelligence.net for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53] on dob.sibl.support-intelligence.net for URIBL checks on kanaatbiber.com.tr
>> Jul-20-13 10:56:23 [Worker_1] Commencing URIBL checks on 'kanaatbiber.com.tr'
>> Jul-20-13 10:56:23 [Worker_1] Got 4 answers, 4 replies and 0 hits after 0 seconds for URIBL checks on 'kanaatbiber.com.tr'
>> Jul-20-13 10:56:23 [Worker_1] Got OK replies from (black.uribl.com multi.uribl.com uribl.swinog.ch) - NOTOK replies from () for URIBL on 'kanaatbiber.com.tr'
>> Jul-20-13 10:56:23 [Worker_1] Completed URIBL checks on 'kanaatbiber.com.tr'
>> Jul-20-13 10:56:23 [Worker_1] URIBL: lookup returned <1> for kanaatbiber.com.tr - res: ''
>>
>> Thomas
>>
>> From: Michael Thomas <[email protected]>
>> To: ASSP development mailing list <[email protected]>,
>> Date: 20.07.2013 06:03
>> Subject: [Assp-test] Javascript SRC URI
>>
>> Thomas,
>>
>> ASSP version 2.3.4(13187)
>>
>> Failed to detect URI in head section of HTML section. This message was a
>> bank scam. The only external URI in the body of the message were image
>> src URI of actual bank image URI. The active scam URI were all
>> javascript invocations.
>>
>> <script type=3D"text/javascript" src=3D"
>> http://kanaatbiber.com.tr/images/cr=
>> editcard.js"></script>
>>
>> _______________________________________________
>> Assp-test mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/assp-test
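The snippet quoted in the thread puts the URI in a <script src> attribute inside quoted-printable HTML, with "=3D" for "=" and a soft line break in the middle of the URL. As an added example (Python, not ASSP code and not from either participant), here is one way to pull hosts out of such a part by decoding the MIME part before parsing the HTML. It also walks HTML parts sent as attachments, since the log above lists an .htm attachment; the sample message, the example.invalid hosts and all function names are assumptions made for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the mail from the thread: a quoted-printable HTML attachment
# whose <script src> is wrapped like the reported snippet (placeholder hosts).
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="form.htm"
Content-Disposition: attachment; filename="form.htm"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<script type=3D"text/javascript" src=3D"
http://scripts.example.invalid/images/cr=
editcard.js"></script>
</HEAD><BODY><img src=3D"http://img.example.invalid/logo.gif"></BODY></HTML>
--b1--
"""

class UriCollector(HTMLParser):
    """Records (tag, host, url) for src/href/action on any tag, <head> included."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                # Browsers ignore tabs and newlines inside a URL attribute.
                url = re.sub(r"[\t\r\n]", "", value).strip()
                try:
                    self.found.append((tag, urlsplit(url).hostname, url))
                except ValueError:  # malformed authority part
                    pass

def extract_html_uris(raw_message):
    """Return (tag, host, url) for every absolute URL in every text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # only non-HTML parts are skipped, attachments are not
        collector = UriCollector()
        collector.feed(part.get_content())  # get_content() undoes quoted-printable
        collector.close()
        results += [hit for hit in collector.found if hit[1]]
    return results

def naive_src_urls(raw_message):  # contrast: pattern match on undecoded text
    return re.findall(r'src="(https?://[^"]+)"', raw_message)
```

On the constructed sample, extract_html_uris(SAMPLE) reports the script host and the image host, while naive_src_urls(SAMPLE) finds nothing because the raw text still reads src=3D".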
