Re: [Assp-test] Attachments getting through

Fri, 30 May 2014 10:56:15 -0700 

I think sending per mail is useless. Is it possible to provide this file 
via download (http(s) or ftp or scp) for me?

Thomas





Von:    Peter Hinman <peter.hin...@myib.com>
An:     ASSP development mailing list <assp-test@lists.sourceforge.net>
Datum:  30.05.2014 19:29
Betreff:        Re: [Assp-test] Attachments getting through



For the most part, this has stopped.  I found one that got through this 
morning, the file name header is malformed so that the ".zip" extension 
isn't picked up correctly. The Content-Type is still set for 
application/zip so it can be opened from a mail client, but it can't be 
opened once it gets saved.  Very strange.

I can forward that one to you if you'd like.

Peter Hinman
International Bridge / ParcelPool.com

On 5/30/2014 11:19 AM, Thomas Eckardt wrote:
> Peter,
>
> any news about this ?
>
> Thomas
>
>
>
>
>
> Von:    Peter Hinman <peter.hin...@myib.com>
> An:     ASSP development mailing list <assp-test@lists.sourceforge.net>
> Datum:  23.05.2014 18:31
> Betreff:        Re: [Assp-test] Attachments getting through
>
>
>
> Thanks Thomas!
>
> I'll update both servers and watch it through the weekend.
>
> Peter Hinman
> International Bridge / ParcelPool.com
>
> On 5/23/2014 3:08 AM, Thomas Eckardt wrote:
>> Peter,
>>
>> I've released ASSP_AFC.pm 3.07 on SF and SF-CVS.
>> It should deal with those files and detect them as bad attachment.
>>
>> Thomas
>>
>>
>>
>>
>>
>> Von:    Peter Hinman <peter.hin...@myib.com>
>> An:     ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Datum:  22.05.2014 17:16
>> Betreff:        Re: [Assp-test] Attachments getting through
>>
>>
>>
>> Hi Thomas -
>>
>> I've sent the attachment to your personal email.  It seems like ClamAV
>> catches up after a day or two and starts identifying them (correctly) 
as
>> a virus.  If that's the case, please let me know and I can send you a
>> fresh one.
>>
>> Peter Hinman
>> International Bridge / ParcelPool.com
>>
>> On 5/21/2014 11:45 PM, Thomas Eckardt wrote:
>>> Peter - please send me such a delivered bad attachment (zip it !!!!).
>>>
>>> Thomas
>>>
>>>
>>>
>>>
>>>
>>> Von:    Peter Hinman <peter.hin...@myib.com>
>>> An:     "<assp-test@lists.sourceforge.net>"
>>> <assp-test@lists.sourceforge.net>
>>> Datum:  22.05.2014 04:23
>>> Betreff:        [Assp-test] Attachments getting through
>>>
>>>
>>>
>>> Hi Thomas -
>>>
>>> I've noticed recently that ASSP_AFC seems to be letting some
> attachments
>>> through, but only some of the time.
>>>
>>> Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
>>> servers) with MySQL database and ClamAV.
>>>
>>> Below are logs from two instances of an email with the same 
attachment.
>>> The first time, AFC lets the email and the attachment through.  When I
>>> try to reproduce it, AFC correctly stops it the 2nd time.
>>>
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
>>> spf_result:none
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>>> identity:www-d...@rocksolidinternet.com
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com scope:mfrom
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spf_record:
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>>> local_exp:rocksolidinternet.com: No applicable sender policy available
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>>> received_spf:Received-SPF: none (rocksolidinternet.com: No applicable
>>> sender policy available) receiver=ASSP2.myib.com; identity=mailfrom;
>>> envelope-from="www-d...@rocksolidinternet.com";
>>> helo=rems.rocksolidinternet.com.rocksolidinternet.com;
>>> client-ip=209.90.66.162
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
> SPF:
>>> none ip=209.90.66.162 mailfrom=www-d...@rocksolidinternet.com
>>> helo=rems.rocksolidinternet.com.rocksolidinternet.com
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info:
>>> SenderBase - query using SenderBase
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
>>> englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP -
>>> this MX has failed
>>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
>>> englandlogistics.com.inbound10.mxlogic.net has no or a private IP -
> this
>>> MX has failed
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com HMM Check
>>> [scoring] - Prob: 0.00000 => ham
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Bayesian
> Check
>>> [scoring] - Prob: 0.95349 => spam
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> Message-Score:
>>> added 50 for Bayesian Probability: 0.95349, total score for this
> message
>>> is now 50
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com PB-IP-Score
>>> for '209.90.66.162' is 50, added 50 for Bayesian
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out]
>>> [MessageLimit][lowlimit] 209.90.66.162 
<www-d...@rocksolidinternet.com>
>>> to: us...@parcelpool.com [spam found] and possibly passing because
>>> messagescore(50) low [England Logistics electronic invoice for
>>> 2014-05-20] ->
>>>
> discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spam found
> and
>>> passing () [England Logistics electronic invoice for 2014-05-20]
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin]
>>> calling plugin ASSP_AFC
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
>>> scanned 626 bytes in message - OK
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: using
>>> user based compressed attachment check
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
>>> scanned 34147 bytes in message - OK
>>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1
>>> attachment found for Level-1
>>>
>>>
>>> 2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> Message-Score: added -0
>>> (tlsValencePB) for SSL-TLS-connection-OK, total score for this message
>>> is now 0
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> DKIM-Signature found
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> Message-Score: added -25 for 98.139.213 in griplist (0.11), total 
score
>>> for this message is now -25
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> [scoring] DKIM signature verified-OK - header-passed - sender policy
> is:
>>> neutral - author policy is: neutral
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score
> for
>>> this message is now -30
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
>>> domain yahoo.com has published a DMARC record
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> [scoring] spf_result:pass
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> identity:testacco...@yahoo.com
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> scope:mfrom
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> spf_record:v=spf1 redirect=_spf.mail.yahoo.com
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is
>>> authorized to use 'testacco...@yahoo.com' in 'mfrom' identity
> (mechanism
>>> 'ptr:yahoo.com' matched)
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com:
>>> 98.139.213.147 is authorized to use 'testacco...@yahoo.com' in 'mfrom'
>>> identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com;
>>> identity=mailfrom; envelope-from="testacco...@yahoo.com";
>>> helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> Message-Score: added -2 (spfpValencePB) for SPF pass, total score for
>>> this message is now -32
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>>> HMM-Check has given less than 6 results - using monitoring mode only
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com HMM
>>> Check [monitoring] - Prob: 0.00000 => ham
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Bayesian
>>> Check [scoring] - Prob: 0.00000 => ham
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> [Plugin]
>>> calling plugin ASSP_AFC
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com 
ClamAV:
>>> scanned 6 bytes in message - OK
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
>>> using user based compressed attachment check
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>>> us...@parcelpool.com SPAM FOUND bad attachment 'W5281021.zip' is a
>>> 'compressed file 'W5281021.zip' - contains forbidden executable file
>>> W21052014.exe - type: Win32 EXE'
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>>> us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason
>>> BadAttachment
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>>> us...@parcelpool.com [spam found] (BadAttachment) [test];
>>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [SMTP
>>> Error] 550 5.7.1 These attachments are not allowed.
>>>
>>> My UserAttach setting is:
>>>
> 
zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>>> If you can see what I'm missing, or if you need me to enable 
additional
>>> logging, please let me know.  I'd like to stop this from coming
>>> through.  There are several users that have a bad habit of opening
>>> things they shouldn't.
>>>
>>> Thanks,
>>>
>>>
>>>
>>>
> 
------------------------------------------------------------------------------
>>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>>> Instantly run your Selenium tests across 300+ browser/OS combos.
>>> Get unparalleled scalability from the best Selenium testing platform
>> available
>>> Simple to use. Nothing to install. Get started now for free."
>>> http://p.sf.net/sfu/SauceLabs
>>>
>>>
>>> _______________________________________________
>>> Assp-test mailing list
>>> Assp-test@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-test
> 
------------------------------------------------------------------------------
>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>> Instantly run your Selenium tests across 300+ browser/OS combos.
>> Get unparalleled scalability from the best Selenium testing platform
>> available
>> Simple to use. Nothing to install. Get started now for free."
>> http://p.sf.net/sfu/SauceLabs
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential,
> legally
>> privileged and protected in law and are intended solely for the use of
> the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>>
>>
>>
>>
> 
------------------------------------------------------------------------------
>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>> Instantly run your Selenium tests across 300+ browser/OS combos.
>> Get unparalleled scalability from the best Selenium testing platform
> available
>> Simple to use. Nothing to install. Get started now for free."
>> http://p.sf.net/sfu/SauceLabs
>>
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
> 
------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform
> available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, 
legally
> privileged and protected in law and are intended solely for the use of 
the
>
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
>
> 
------------------------------------------------------------------------------
> Time is money. Stop wasting it! Get your web API in 5 minutes.
> www.restlet.com/download
> http://p.sf.net/sfu/restlet
>
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************



------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Reply via email to