Peter - please send me one of those delivered bad attachments (zip it!!!!).
Thomas
From: Peter Hinman <peter.hin...@myib.com>
To: "<assp-test@lists.sourceforge.net>"
<assp-test@lists.sourceforge.net>
Date: 22.05.2014 04:23
Subject: [Assp-test] Attachments getting through
Hi Thomas -
I've noticed recently that ASSP_AFC seems to be letting some attachments
through, but only some of the time.
Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
servers) with MySQL database and ClamAV.
Below are logs from two instances of an email with the same attachment.
The first time, AFC lets the email and the attachment through. When I
try to reproduce it, AFC correctly stops it the second time.
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
spf_result:none
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com
identity:www-d...@rocksolidinternet.com
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com scope:mfrom
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com spf_record:
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com
local_exp:rocksolidinternet.com: No applicable sender policy available
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com
received_spf:Received-SPF: none (rocksolidinternet.com: No applicable
sender policy available) receiver=ASSP2.myib.com; identity=mailfrom;
envelope-from="www-d...@rocksolidinternet.com";
helo=rems.rocksolidinternet.com.rocksolidinternet.com;
client-ip=209.90.66.162
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring] SPF:
none ip=209.90.66.162 mailfrom=www-d...@rocksolidinternet.com
helo=rems.rocksolidinternet.com.rocksolidinternet.com
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com info:
SenderBase - query using SenderBase
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP -
this MX has failed
2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
englandlogistics.com.inbound10.mxlogic.net has no or a private IP - this
MX has failed
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com HMM Check
[scoring] - Prob: 0.00000 => ham
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com Bayesian Check
[scoring] - Prob: 0.95349 => spam
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com Message-Score:
added 50 for Bayesian Probability: 0.95349, total score for this message
is now 50
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com PB-IP-Score
for '209.90.66.162' is 50, added 50 for Bayesian
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out]
[MessageLimit][lowlimit] 209.90.66.162 <www-d...@rocksolidinternet.com>
to: us...@parcelpool.com [spam found] and possibly passing because
messagescore(50) low [England Logistics electronic invoice for
2014-05-20] ->
discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com spam found and
passing () [England Logistics electronic invoice for 2014-05-20]
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin]
calling plugin ASSP_AFC
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
scanned 626 bytes in message - OK
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: using
user based compressed attachment check
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
scanned 34147 bytes in message - OK
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
<www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1
attachment found for Level-1
2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> Message-Score: added -0
(tlsValencePB) for SSL-TLS-connection-OK, total score for this message
is now 0
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
DKIM-Signature found
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
Message-Score: added -25 for 98.139.213 in griplist (0.11), total score
for this message is now -25
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
[scoring] DKIM signature verified-OK - header-passed - sender policy is:
neutral - author policy is: neutral
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for
this message is now -30
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
domain yahoo.com has published a DMARC record
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
[scoring] spf_result:pass
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
identity:testacco...@yahoo.com
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
scope:mfrom
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
spf_record:v=spf1 redirect=_spf.mail.yahoo.com
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is
authorized to use 'testacco...@yahoo.com' in 'mfrom' identity (mechanism
'ptr:yahoo.com' matched)
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com:
98.139.213.147 is authorized to use 'testacco...@yahoo.com' in 'mfrom'
identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com;
identity=mailfrom; envelope-from="testacco...@yahoo.com";
helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
Message-Score: added -2 (spfpValencePB) for SPF pass, total score for
this message is now -32
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
HMM-Check has given less than 6 results - using monitoring mode only
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com HMM
Check [monitoring] - Prob: 0.00000 => ham
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com Bayesian
Check [scoring] - Prob: 0.00000 => ham
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [Plugin]
calling plugin ASSP_AFC
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com ClamAV:
scanned 6 bytes in message - OK
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
using user based compressed attachment check
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
us...@parcelpool.com SPAM FOUND bad attachment 'W5281021.zip' is a
'compressed file 'W5281021.zip' - contains forbidden executable file
W21052014.exe - type: Win32 EXE'
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason
BadAttachment
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
us...@parcelpool.com [spam found] (BadAttachment) [test];
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [SMTP
Error] 550 5.7.1 These attachments are not allowed.
My UserAttach setting is:
zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
If you can see what I'm missing, or if you need me to enable additional
logging, please let me know. I'd like to stop this from coming
through. There are several users that have a bad habit of opening
things they shouldn't.
Thanks,
--
Peter Hinman
International Bridge / ParcelPool.com
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform
available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was scanned multiple times for viruses. There should be no
known virus in this email!
*******************************************************
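Added example (not ASSP or ASSP_AFC code, and not from either poster): a small Python check that applies the extension alternation from the UserAttach setting quoted above to the members of a zip attachment extracted from an .eml, the way the second log ("compressed file ... contains forbidden executable file W21052014.exe") describes the outcome. It also flags two cases an extension-only rule cannot see: an encrypted member (taken here to be what `crypt-zip` in the setting refers to; that reading is an assumption) and a member whose name is harmless but whose content starts with the `MZ` header of a Windows executable, and it recurses into nested zips. The sample message, the zip and its member names are constructed for the example; the "executable" is a two-byte `MZ` stub, not real code.

```python
"""Check zip attachments in an .eml against a forbidden-extension rule.

Added example, not part of ASSP/ASSP_AFC. Sample data is constructed inline.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extension alternation copied from the UserAttach setting on the page,
# anchored so it matches only at the end of a member name. 'crypt-zip'
# is treated separately below as "encrypted zip member" (assumption).
FORBIDDEN_EXT = re.compile(
    r"\.(?:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]"
    r"|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg"
    r"|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh])$",
    re.IGNORECASE,
)

MZ_MAGIC = b"MZ"  # first two bytes of a DOS/Windows PE executable


def check_zip(data: bytes) -> list[str]:
    """Return the reasons this zip should be blocked; empty list means clean."""
    reasons: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip container"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:
                # bit 0 of the general-purpose flags: member is encrypted,
                # so its content cannot be inspected at all
                reasons.append(f"encrypted member {name!r} (crypt-zip)")
                continue
            by_name = bool(FORBIDDEN_EXT.search(name))
            if by_name:
                reasons.append(f"forbidden extension: {name!r}")
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ_MAGIC and not by_name:
                # renamed executable: an extension-only rule would pass it
                reasons.append(f"executable content in {name!r} (MZ header)")
            if name.lower().endswith(".zip"):
                # nested archive: apply the same rule one level down
                reasons += [f"{name}: {r}" for r in check_zip(zf.read(info))]
    return reasons


def check_message(raw: bytes) -> dict[str, list[str]]:
    """Map each zip attachment filename in the message to its block reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # trust the content, not only the declared name: zips start with "PK"
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            results[fname] = check_zip(payload)
    return results


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample: build an in-memory zip from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_message(zip_name: str, zip_bytes: bytes) -> bytes:
    """Constructed sample .eml carrying a single zip attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"    # hypothetical addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return bytes(msg)


if __name__ == "__main__":
    # member content is an "MZ" stub, not a real executable
    sample = build_zip({"W21052014.exe": b"MZ" + b"\0" * 64,
                        "invoice.pdf": b"%PDF-1.4 ..."})
    raw = build_message("W5281021.zip", sample)
    for name, reasons in check_message(raw).items():
        print(name, "->", reasons or "clean")
```

The name-based rule reproduces the block decision from the second log; the `MZ` and encryption checks are what you would add on top if you want the outcome not to depend on the sender's choice of member name. Note that `check_message` does not decompress anything beyond the first two bytes per member, so a very large archive costs little, but nested zips are recursed without a depth limit; add one before running this on untrusted mail at scale.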