Hi There!

What would possibly disable/bypass BombRe and BombDataRe (and sometimes RBL)
in ASSP when processing a "normal" mail that is not whitelisted in any way
(at least not that I know of)?

Is there any cache that ASSP uses that makes BombRe and BombDataRe obsolete?

The mail becomes "discarded", and if I run analyze on it I get:

Feature Matching:

. DKIM-check returned OK body altered - header passed - suspicious-OK
. SPF-check returned OK for 78.46.206.67 -> i...@puppytreasure.com,
mail.puppytreasure.com
 . SPF: pass (cache) ip=78.46.206.67 mailfrom=i...@puppytreasure.com
helo=mail.puppytreasure.com
. DMARC-check returned OK
. URIBL check: 'OK'
. Valid Format of HELO: 'mail.puppytreasure.com'
. IP in Helo check: 'OK'
. AUTH would be disabled
. RBLCacheCheck returned OK for 78.46.206.67: inserted as not ok at
2017-03-07 13:08:01 , listed by zen.spamhaus.org{127.0.0.3} - message score:
35
 . RBLScore: zen.spamhaus.org -> 127.0.0.3 -> 35
. domain puppytreasure.com (in Mail From: , From , Reply-To) has a valid MX
record: mail.puppytreasure.com
. domainMX mail.puppytreasure.com has a valid A record: 78.46.206.67
. 78.46.206.67 is in PTRCache: status=PTR OK - mail.puppytreasure.com
. 78.46.206.67 is in RWLCache: status=not listed
. 78.46.206.67 SenderBase: status=not classified, data=[CN=DE, ORG=HETZNER
ONLINE GMBH, DOM=your-server.de, BLS=, HNM=Y, CIDR=28,
HN=mail.puppytreasure.com]

This is a well-made spam mail, and if BombRe and BombDataRe had been
processed on the mail it would be in the dump.

RBLScore is 35 and Bayesian is set to spam so there should be added some more
points, but if I check the headers of the passed mail it only reports
Bayesian and not, like above, RBL. That also should have put a nail in the
coffin for this mail.

Here is the ASSP log:
Mar-07-17 13:04:34 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er diagnostic: FileScan will
run command - /usr/local/assp/virusscan/avg.sh /run/avg/a.3.74087.eml 2>&1
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er diagnostic: FileScan
returned OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er FileScan: scanned 10754
bytes in message - OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er Bayesian Check [scoring] -
Prob: 1.00000 => spam - answer/query relation: 100% of 112
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er Message-Score: added 41 for
Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit]
78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er info: Maillog -
created file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit]
78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er [spam found]
and possibly passing because messagescore(41) low [F mer luft i konomien med
44 762 kroner p kontoen] -> discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er info: Maillog - removed old
file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er info: Maillog - created file
discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er spam found and passing [F
mer luft i konomien med 44 762 kroner p kontoen] ->
discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<bou...@puppytreasure.com> to: spi...@spamst.er info: received and processed
all DATA


I'm confused about when tests are made and when they are not.
Analyze utilizes some and the real scan some others?

What am I missing? Why is ASSP not doing some checks on this mail and adding
them together?
Especially when it's passing the real scan.

Regards,
Pontus
ASSP version 2.5.6(17060) on Ubuntu.
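
An added example (not part of the original post and not ASSP code): a small Python script that lists which checks added score in the live scan and flags analyze hits that come from a cache entry inserted after the message was processed, as the RBL entry here was (13:08:01 versus 13:04:37). The regular expressions are written against the line formats shown in this post and assume both timestamps use the same clock and time zone.

```python
import re
from datetime import datetime

# Lines copied from the post above, with the e-mail line wrapping removed.
LOG = """\
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er Message-Score: added 41 for Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er info: received and processed all DATA
"""
ANALYZE = """\
. RBLCacheCheck returned OK for 78.46.206.67: inserted as not ok at 2017-03-07 13:08:01 , listed by zen.spamhaus.org{127.0.0.3} - message score: 35
"""

# Assumption: these patterns cover only the line formats visible in this post.
LOG_RE = re.compile(r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) \[Worker_\d+\] (.*)$")
SCORE_RE = re.compile(r"Message-Score: added (-?\d+) for (.+?), total score for this message is now (-?\d+)")
CACHE_RE = re.compile(r"(\w+)CacheCheck returned OK for (\S+): inserted as not ok at "
                      r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*message score: (\d+)")


def scored_checks(log_text):
    """Per message id: checks that added score in the live scan, and last log time."""
    msgs = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        entry = msgs.setdefault(m.group(2), {"checks": {}, "total": 0, "last": when})
        entry["last"] = max(entry["last"], when)
        s = SCORE_RE.search(m.group(3))
        if s:
            entry["checks"][s.group(2)] = int(s.group(1))
            entry["total"] = int(s.group(3))
    return msgs


def cache_hits_after(analyze_text, processed_at):
    """Cache-backed analyze hits whose cache entry is newer than the live scan."""
    late = []
    for m in CACHE_RE.finditer(analyze_text):
        inserted = datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S")
        if inserted > processed_at:
            late.append((m.group(1), m.group(2), int(m.group(4)), inserted - processed_at))
    return late


if __name__ == "__main__":
    for msgid, e in scored_checks(LOG).items():
        print(msgid, e["checks"], cache_hits_after(ANALYZE, e["last"]))
```

Run against the full maillog and a saved analyze output, it shows at a glance which analyze results could not have contributed to the score logged at delivery time.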



