Peter,

any news about this?

Thomas





From:    Peter Hinman <peter.hin...@myib.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    23.05.2014 18:31
Subject: Re: [Assp-test] Attachments getting through



Thanks Thomas!

I'll update both servers and watch it through the weekend.

Peter Hinman
International Bridge / ParcelPool.com

On 5/23/2014 3:08 AM, Thomas Eckardt wrote:
> Peter,
>
> I've released ASSP_AFC.pm 3.07 on SF and SF-CVS.
> It should deal with those files and detect them as bad attachment.
>
> Thomas
>
>
>
>
>
> From:    Peter Hinman <peter.hin...@myib.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    22.05.2014 17:16
> Subject: Re: [Assp-test] Attachments getting through
>
>
>
> Hi Thomas -
>
> I've sent the attachment to your personal email.  It seems like ClamAV
> catches up after a day or two and starts identifying them (correctly) as
> a virus.  If that's the case, please let me know and I can send you a
> fresh one.
>
> Peter Hinman
> International Bridge / ParcelPool.com
>
> On 5/21/2014 11:45 PM, Thomas Eckardt wrote:
>> Peter - please send me such a delivered bad attachment (zip it !!!!).
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:    Peter Hinman <peter.hin...@myib.com>
>> To:      "<assp-test@lists.sourceforge.net>"
>> <assp-test@lists.sourceforge.net>
>> Date:    22.05.2014 04:23
>> Subject: [Assp-test] Attachments getting through
>>
>>
>>
>> Hi Thomas -
>>
>> I've noticed recently that ASSP_AFC seems to be letting some attachments
>> through, but only some of the time.
>>
>> Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
>> servers) with MySQL database and ClamAV.
>>
>> Below are logs from two instances of an email with the same attachment.
>> The first time, AFC lets the email and the attachment through.  When I
>> try to reproduce it, AFC correctly stops it the 2nd time.
>>
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
>> spf_result:none
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>> identity:www-d...@rocksolidinternet.com
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com scope:mfrom
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spf_record:
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>> local_exp:rocksolidinternet.com: No applicable sender policy available
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>> received_spf:Received-SPF: none (rocksolidinternet.com: No applicable
>> sender policy available) receiver=ASSP2.myib.com; identity=mailfrom;
>> envelope-from="www-d...@rocksolidinternet.com";
>> helo=rems.rocksolidinternet.com.rocksolidinternet.com;
>> client-ip=209.90.66.162
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring] SPF:
>> none ip=209.90.66.162 mailfrom=www-d...@rocksolidinternet.com
>> helo=rems.rocksolidinternet.com.rocksolidinternet.com
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info:
>> SenderBase - query using SenderBase
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
>> englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP -
>> this MX has failed
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
>> englandlogistics.com.inbound10.mxlogic.net has no or a private IP - this
>> MX has failed
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com HMM Check
>> [scoring] - Prob: 0.00000 => ham
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Bayesian Check
>> [scoring] - Prob: 0.95349 => spam
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Message-Score:
>> added 50 for Bayesian Probability: 0.95349, total score for this message
>> is now 50
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com PB-IP-Score
>> for '209.90.66.162' is 50, added 50 for Bayesian
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out]
>> [MessageLimit][lowlimit] 209.90.66.162 <www-d...@rocksolidinternet.com>
>> to: us...@parcelpool.com [spam found] and possibly passing because
>> messagescore(50) low [England Logistics electronic invoice for
>> 2014-05-20] ->
>> discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spam found and
>> passing () [England Logistics electronic invoice for 2014-05-20]
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin]
>> calling plugin ASSP_AFC
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
>> scanned 626 bytes in message - OK
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: using
>> user based compressed attachment check
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
>> scanned 34147 bytes in message - OK
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1
>> attachment found for Level-1
>>
>>
>> 2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> Message-Score: added -0
>> (tlsValencePB) for SSL-TLS-connection-OK, total score for this message
>> is now 0
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> DKIM-Signature found
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> Message-Score: added -25 for 98.139.213 in griplist (0.11), total score
>> for this message is now -25
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> [scoring] DKIM signature verified-OK - header-passed - sender policy is:
>> neutral - author policy is: neutral
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for
>> this message is now -30
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
>> domain yahoo.com has published a DMARC record
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> [scoring] spf_result:pass
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> identity:testacco...@yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> scope:mfrom
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> spf_record:v=spf1 redirect=_spf.mail.yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is
>> authorized to use 'testacco...@yahoo.com' in 'mfrom' identity (mechanism
>> 'ptr:yahoo.com' matched)
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com:
>> 98.139.213.147 is authorized to use 'testacco...@yahoo.com' in 'mfrom'
>> identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com;
>> identity=mailfrom; envelope-from="testacco...@yahoo.com";
>> helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> Message-Score: added -2 (spfpValencePB) for SPF pass, total score for
>> this message is now -32
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> HMM-Check has given less than 6 results - using monitoring mode only
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com HMM
>> Check [monitoring] - Prob: 0.00000 => ham
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com Bayesian
>> Check [scoring] - Prob: 0.00000 => ham
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [Plugin]
>> calling plugin ASSP_AFC
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com ClamAV:
>> scanned 6 bytes in message - OK
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
>> using user based compressed attachment check
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>> us...@parcelpool.com SPAM FOUND bad attachment 'W5281021.zip' is a
>> 'compressed file 'W5281021.zip' - contains forbidden executable file
>> W21052014.exe - type: Win32 EXE'
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>> us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason
>> BadAttachment
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>> us...@parcelpool.com [spam found] (BadAttachment) [test];
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [SMTP
>> Error] 550 5.7.1 These attachments are not allowed.
>>
>> My UserAttach setting is:
>>
>> zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>> If you can see what I'm missing, or if you need me to enable additional
>> logging, please let me know.  I'd like to stop this from coming
>> through.  There are several users that have a bad habit of opening
>> things they shouldn't.
>>
>> Thanks,
>>
>>
>>
>>
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
>

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
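
The compressed-attachment rule discussed in this thread (the UserAttach setting and the "contains forbidden executable file" log line) can be checked offline against a saved archive. The following is an added example, not part of the thread and not ASSP_AFC's code: it applies the extension list from the quoted setting to the members of a ZIP. Assumptions: 'crypt-zip' is treated as the ZIP encrypted flag, the MZ-header check is this example's own stand-in for content typing, and audit_zip, make_zip and MAX_MEMBER are hypothetical names.

```python
import io
import re
import zipfile

# Extension alternation copied from the UserAttach setting quoted in the thread;
# its 'crypt-zip' token is mapped here to the ZIP "encrypted" flag (assumption).
BLOCKED_EXT = re.compile(
    r"(?:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|"
    r"in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|"
    r"sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh])", re.IGNORECASE)
MAX_MEMBER = 20 * 1024 * 1024   # skip members that claim to unpack larger than this

def audit_zip(data, depth=0, max_depth=3):
    """Return [(member_name, reason), ...] for one ZIP archive given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Windows ignores trailing dots and spaces, so strip them first.
            _, dot, ext = name.rstrip(". ").rpartition(".")
            if info.flag_bits & 0x1:            # bit 0: member is encrypted
                findings.append((name, "encrypted member"))
            elif dot and BLOCKED_EXT.fullmatch(ext):
                findings.append((name, "blocked extension ." + ext.lower()))
            elif info.file_size > MAX_MEMBER:
                findings.append((name, "member too large to inspect"))
            else:
                body = zf.read(info)
                if body[:2] == b"MZ":           # DOS/PE header under a harmless name
                    findings.append((name, "executable content (MZ header)"))
                elif body[:4] == b"PK\x03\x04" and depth < max_depth:
                    findings += [(name + "/" + n, r) for n, r in
                                 audit_zip(body, depth + 1, max_depth)]
    return findings

def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: member name taken from the log line above, content is dummy.
    sample = make_zip({"W21052014.exe": b"MZ constructed", "readme.txt": b"hello"})
    print(audit_zip(sample))
```

To check a saved attachment, pass its bytes to audit_zip(); an empty list means none of these checks matched, not that the file is safe.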
