Peter,
possibly I've found the reason. Notice that the attachment and executable
detection is done before ClamAV and FileScan.
If
- FileScan is not used, or a scanner other than the OS-implemented one is
used, and
- the executable attachment detection is configured, and
- a zipped virus file is attached, and
- a local filesystem online scanner is used and detects and removes the
virus from the filesystem,
then the executable attachment detection will be unable to open the
temporary uncompressed attachment and currently returns OK.
If FileScan were used, the scanner would detect the virus now. If ClamAV
knows the virus, it would be removed. If both are not used or currently
don't detect the virus, the mail will be delivered.
Now the question: what should assp do if the uncompressed attachment could
not be read? The reason could be an included virus, an invalid filename, an
OS mistake, a hardware timeout ..... !
ASSP/Perl is only able to detect 'I CAN NOT READ THE FILE' - no reason will
be returned except 'file does not exist' or 'bad file handle'.
I am considering blocking the mail (removing the attachment) in this case
for security reasons.
Thomas
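A fail-closed version of the check discussed above, as an added Perl example that is not ASSP's or Thomas's code: an extracted member that cannot be opened is blocked rather than passed, and the errno is reported as far as Perl exposes it. The function name check_member, the $forbidden pattern (built from the UserAttach extension list quoted later in this thread) and the sample files are assumptions.

```perl
#!/usr/bin/perl
# Added example, not ASSP's own code: a fail-closed check for one member of an
# unpacked attachment. The names check_member and $forbidden are hypothetical.
use strict;
use warnings;
use Errno;                 # makes %! available for errno inspection
use File::Temp qw(tempdir);

# Extension alternation taken from the UserAttach setting quoted in this thread.
my $forbidden = qr/\.(?:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh])$/i;

# Returns ($verdict, $reason); $verdict is 'ok' or 'block'.
# Any failure to read the extracted file yields 'block' (fail closed): Perl
# only reports that open failed plus an errno, not why the file is gone.
sub check_member {
    my ($path, $name) = @_;
    return ('block', "forbidden executable file '$name'") if $name =~ $forbidden;

    open(my $fh, '<:raw', $path) or return ('block',
        "cannot read extracted attachment '$name': "
        . ($!{ENOENT} ? "file is missing (possibly removed by an on-access scanner)"
        :  $!{EBADF}  ? "bad file handle"
        :  "$!"));
    my $magic = '';
    my $n = read($fh, $magic, 2);
    close $fh;
    return ('block', "cannot read extracted attachment '$name': $!") unless defined $n;
    # 'MZ' is the DOS/PE header, so a renamed executable is still caught.
    return ('block', "'$name' is a Win32 EXE by content") if $magic eq 'MZ';
    return ('ok', '');
}

# Constructed demonstration files (not real malware): a text file, a renamed
# executable stub, a forbidden name, and a member already gone from disk.
my $dir = tempdir(CLEANUP => 1);
my %sample = ("invoice.txt" => "just text", "invoice.pdf" => "MZ\x90\x00");
for my $name (keys %sample) {
    open(my $out, '>:raw', "$dir/$name") or die "cannot write $name: $!";
    print $out $sample{$name};
    close $out;
}
for my $name ("invoice.txt", "invoice.pdf", "W21052014.exe", "removed.doc") {
    my ($verdict, $reason) = check_member("$dir/$name", $name);
    printf "%-14s => %-5s %s\n", $name, $verdict, $reason;
}
```

Only invoice.txt comes back 'ok'; the missing removed.doc is blocked with the ENOENT explanation instead of being passed, which is the behaviour change proposed above.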
From: Peter Hinman <peter.hin...@myib.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 22.05.2014 17:16
Subject: Re: [Assp-test] Attachments getting through
Hi Thomas -
I've sent the attachment to your personal email. It seems like ClamAV
catches up after a day or two and starts identifying them (correctly) as
a virus. If that's the case, please let me know and I can send you a
fresh one.
Peter Hinman
International Bridge / ParcelPool.com
On 5/21/2014 11:45 PM, Thomas Eckardt wrote:
> Peter - please send me such a delivered bad attachment (zip it !!!!).
>
> Thomas
>
> From: Peter Hinman <peter.hin...@myib.com>
> To: "<assp-test@lists.sourceforge.net>"
> <assp-test@lists.sourceforge.net>
> Date: 22.05.2014 04:23
> Subject: [Assp-test] Attachments getting through
>
> Hi Thomas -
>
> I've noticed recently that ASSP_AFC seems to be letting some attachments
> through, but only some of the time.
>
> Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
> servers) with MySQL database and ClamAV.
>
> Below are logs from two instances of an email with the same attachment.
> The first time, AFC lets the email and the attachment through. When I
> try to reproduce it, AFC correctly stops it the 2nd time.
>
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
> spf_result:none
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> identity:www-d...@rocksolidinternet.com
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com scope:mfrom
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spf_record:
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> local_exp:rocksolidinternet.com: No applicable sender policy available
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> received_spf:Received-SPF: none (rocksolidinternet.com: No applicable
> sender policy available) receiver=ASSP2.myib.com; identity=mailfrom;
> envelope-from="www-d...@rocksolidinternet.com";
> helo=rems.rocksolidinternet.com.rocksolidinternet.com;
> client-ip=209.90.66.162
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring] SPF:
> none ip=209.90.66.162 mailfrom=www-d...@rocksolidinternet.com
> helo=rems.rocksolidinternet.com.rocksolidinternet.com
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info:
> SenderBase - query using SenderBase
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
> englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP -
> this MX has failed
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
> englandlogistics.com.inbound10.mxlogic.net has no or a private IP - this
> MX has failed
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com HMM Check
> [scoring] - Prob: 0.00000 => ham
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Bayesian Check
> [scoring] - Prob: 0.95349 => spam
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Message-Score:
> added 50 for Bayesian Probability: 0.95349, total score for this message
> is now 50
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com PB-IP-Score
> for '209.90.66.162' is 50, added 50 for Bayesian
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out]
> [MessageLimit][lowlimit] 209.90.66.162 <www-d...@rocksolidinternet.com>
> to: us...@parcelpool.com [spam found] and possibly passing because
> messagescore(50) low [England Logistics electronic invoice for
> 2014-05-20] ->
> discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spam found and
> passing () [England Logistics electronic invoice for 2014-05-20]
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin]
> calling plugin ASSP_AFC
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
> scanned 626 bytes in message - OK
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: using
> user based compressed attachment check
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
> scanned 34147 bytes in message - OK
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1
> attachment found for Level-1
>
> 2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> Message-Score: added -0
> (tlsValencePB) for SSL-TLS-connection-OK, total score for this message
> is now 0
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> DKIM-Signature found
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Message-Score: added -25 for 98.139.213 in griplist (0.11), total score
> for this message is now -25
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> [scoring] DKIM signature verified-OK - header-passed - sender policy is:
> neutral - author policy is: neutral
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for
> this message is now -30
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
> domain yahoo.com has published a DMARC record
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> [scoring] spf_result:pass
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> identity:testacco...@yahoo.com
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> scope:mfrom
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> spf_record:v=spf1 redirect=_spf.mail.yahoo.com
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is
> authorized to use 'testacco...@yahoo.com' in 'mfrom' identity (mechanism
> 'ptr:yahoo.com' matched)
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com:
> 98.139.213.147 is authorized to use 'testacco...@yahoo.com' in 'mfrom'
> identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com;
> identity=mailfrom; envelope-from="testacco...@yahoo.com";
> helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Message-Score: added -2 (spfpValencePB) for SPF pass, total score for
> this message is now -32
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> HMM-Check has given less than 6 results - using monitoring mode only
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com HMM
> Check [monitoring] - Prob: 0.00000 => ham
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com Bayesian
> Check [scoring] - Prob: 0.00000 => ham
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [Plugin]
> calling plugin ASSP_AFC
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com ClamAV:
> scanned 6 bytes in message - OK
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
> using user based compressed attachment check
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
> us...@parcelpool.com SPAM FOUND bad attachment 'W5281021.zip' is a
> 'compressed file 'W5281021.zip' - contains forbidden executable file
> W21052014.exe - type: Win32 EXE'
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
> us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason
> BadAttachment
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
> us...@parcelpool.com [spam found] (BadAttachment) [test];
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [SMTP
> Error] 550 5.7.1 These attachments are not allowed.
>
> My UserAttach setting is:
>
> zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>
> If you can see what I'm missing, or if you need me to enable additional
> logging, please let me know. I'd like to stop this from coming
> through. There are several users that have a bad habit of opening
> things they shouldn't.
>
> Thanks,
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test