Hi There!

What would possibly disable/bypass BombRe and BombDataRe (and sometimes RBL) in ASSP when processing a "normal" mail that is not whitelisted in any way (at least not that I know of)?

Is there any cache that ASSP uses that makes BombRe and BombDataRe obsolete? The mails become "discarded" and if I run analyze on it I get:

Feature Matching:
. DKIM-check returned OK body altered - header passed - suspicious-OK
. SPF-check returned OK for 78.46.206.67 -> i...@puppytreasure.com, mail.puppytreasure.com
. SPF: pass (cache) ip=78.46.206.67 mailfrom=i...@puppytreasure.com helo=mail.puppytreasure.com
. DMARC-check returned OK
. URIBL check: 'OK'
. Valid Format of HELO: 'mail.puppytreasure.com'
. IP in Helo check: 'OK'
. AUTH would be disabled
. RBLCacheCheck returned OK for 78.46.206.67: inserted as not ok at 2017-03-07 13:08:01 , listed by zen.spamhaus.org{127.0.0.3} - message score: 35
. RBLScore: zen.spamhaus.org -> 127.0.0.3 -> 35
. domain puppytreasure.com (in Mail From: , From , Reply-To) has a valid MX record: mail.puppytreasure.com
. domainMX mail.puppytreasure.com has a valid A record: 78.46.206.67
. 78.46.206.67 is in PTRCache: status=PTR OK - mail.puppytreasure.com
. 78.46.206.67 is in RWLCache: status=not listed
. 78.46.206.67 SenderBase: status=not classified, data=[CN=DE, ORG=HETZNER ONLINE GMBH, DOM=your-server.de, BLS=, HNM=Y, CIDR=28, HN=mail.puppytreasure.com]

This is a well made spam mail and if BombRe and BombDataRe would have been processed on the mail it would be in the dump. RBLScore is 35 and Bayesian is set to spam so there should be added some more points, but if I check the headers of the passed mail it only reports Bayesian and not like above RBL. That also should have put a nail in the coffin for this mail.

Here is the ASSP log:

Mar-07-17 13:04:34 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er diagnostic: FileScan will run command - /usr/local/assp/virusscan/avg.sh /run/avg/a.3.74087.eml 2>&1
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er diagnostic: FileScan returned OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er FileScan: scanned 10754 bytes in message - OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er Bayesian Check [scoring] - Prob: 1.00000 => spam - answer/query relation: 100% of 112
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er Message-Score: added 41 for Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er info: Maillog - created file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er [spam found] and possibly passing because messagescore(41) low [F mer luft i konomien med 44 762 kroner p kontoen] -> discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er info: Maillog - removed old file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er info: Maillog - created file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er spam found and passing [F mer luft i konomien med 44 762 kroner p kontoen] -> discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <bou...@puppytreasure.com> to: spi...@spamst.er info: received and processed all DATA

I'm confused when or when not tests are made? Analyze utilizes some and real scan some others? What am I missing, why is ASSP not doing some checks of this mail and adding it together? Especially when it's passing the real scan.

Regards,
Pontus

ASSP version 2.5.6(17060) on Ubuntu.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test