>ASSP headers:

these are the assp headers from the copied mail - the headers in the .eml 
file are right

because

X-Assp-Spam:
and
X-Assp-Spam-Level:

are never shown in the .eml file.

The reason is simple, but hard to find. The 'forward spam' decision is 
made here:

16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com spam found and passing [çatı 2] -> 
c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: read and processed 8244 byte 
of DATA
16.04.2017 21:18:37 [Worker_1] to: u...@domain.com info: wrote 30 byte to 
server  <---- the first action of the forward spam task

at this point in time the actual assp headers are copied to the forward 
store - but they are changed by the Plugin check at a later stage - here:

16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [Plugin] calling plugin ASSP_AFC
.....
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [spam found] (BadAttachment) [çatı 
2] -> c:/assp/discarded/3431--1219548.eml;

The forward store doesn't know anything about the update and uses the old 
assp headers in the forwarded mail.

I'll fix this in the next release.


Thomas




From:    katip <ka...@katip.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    16.04.2017 21:07
Subject: Re: [Assp-test] AFC plugin again



Thomas,

i sent from my webmail (external, non-white, non-red) a pdf with same 
(supposed) filename (çatı t-1.pdf). below full diagnostic sessionLog + 
verbose attachment logging. it looks fine with filename with extended 
chars, that's ok.

but now i'm confused. according to my setup (and what i used to see 
without AFC since years) it should be
1. blocked with BadAttachment tag,
2. moved to discarded folder and
3. sent to ccSpam.

however it arrives with lowlimit tag (because of Bayes) to ccSpam only. 
Not to the user (although lowlimit!!). but on the other hand, it was 
copied to discarded folder too as i see it in file system. no trace about 
an attachment in headers despite "SPAM FOUND bad attachment 'çatı 
t-1.pdf'" log entry!!


ASSP headers:
X-Assp-Version: 2.5.6(17104) on blah...
X-Assp-ID: blah... id-66712-03431
X-Assp-Session: 5B1E9278 (mail 1)
X-Assp-Envelope-From: ka...@fastmail.ca
X-Assp-Original-Subject: çatı 2
X-Original-Authentication-Results: blah...; dkim=pass spf=pass
X-Assp-Detected-URI: fastmail.ca(3), messagingengine.com(2)
X-Assp-Message-Score: 45 (Bayesian Probability: 0.99994)
X-Assp-IP-Score: 45 (Bayesian Probability: 0.99994)
X-Assp-Spam-Prob: 0.99994
X-Assp-HMM-Spam-Prob: 0.99870
X-Assp-Tag: MessageLimit
X-Assp-Spam: YES (Probably)
X-Spam-Status: YES
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 45
X-Assp-Spam-Level: **********
X-Assp-Intended-For: u...@domain.com
X-Assp-Copy-Spam: Yes


loglines:
16.04.2017 21:18:31 [Worker_1] 66.111.4.25 [SMTP Reply] 220 
mail.domain.com
16.04.2017 21:18:32 [Worker_1] info: wrote 36 byte to server
16.04.2017 21:18:32 [Worker_1] 66.111.4.25 [SMTP Reply] 250 HELP
16.04.2017 21:18:32 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> info: found message size announcement: 423.02 kByte
16.04.2017 21:18:32 [Worker_1] info: wrote 43 byte to server
16.04.2017 21:18:32 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> [SMTP Reply] 250 OK
16.04.2017 21:18:32 [Worker_1] u...@domain.com matches u...@domain.com in 
LocalAddresses_Flat
16.04.2017 21:18:33 [Worker_1] info: wrote 31 byte to server
16.04.2017 21:18:33 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 250 OK
16.04.2017 21:18:33 [Worker_1] Info: incoming mail detected
16.04.2017 21:18:33 [Worker_1] info: wrote 6 byte to server
16.04.2017 21:18:33 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 354 OK, send.
16.04.2017 21:18:34 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com DKIM-Signature found
16.04.2017 21:18:34 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [scoring] DKIM signature 
verified-OK - header-passed - sender policy is: neutral - author policy 
is: neutral
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com HMM-Check has given less than 6 
results - using monitoring mode only
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com HMM Check [monitoring] - Prob: 
0.99870 => spam - answer/query relation: 9% of 11
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com Bayesian Check [scoring] - Prob: 
0.99994 => spam - answer/query relation: 50% of 14
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com Message-Score: added 45 for 
Bayesian Probability: 0.99994, total score for this message is now 45
16.04.2017 21:18:37 id-66712-03431 [Worker_1] [MessageLimit][lowlimit] 
66.111.4.25 <ka...@fastmail.ca> to: u...@domain.com info: Maillog - 
created file c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] [MessageLimit][lowlimit] 
66.111.4.25 <ka...@fastmail.ca> to: u...@domain.com [spam found] and 
possibly passing because messagescore(45) low [çatı 2] -> 
c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com spam found and passing [çatı 2] -> 
c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: read and processed 8244 byte 
of DATA
16.04.2017 21:18:37 [Worker_1] to: u...@domain.com info: wrote 30 byte to 
server
16.04.2017 21:18:37 [Worker_1] to: u...@domain.com info: wrote 30 byte to 
server
(etc...)

16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: received the end of the DATA
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [Plugin] calling plugin ASSP_AFC
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: block set to BlockExes (3) - 
attachlog set to extAttachLog (7) - default
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: attachment çatı t-1.pdf 
found for Level-3
16.04.2017 21:18:39 [Worker_1] Info: notification message queued to sent 
to ad...@domain.com
16.04.2017 21:18:39 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com SPAM FOUND bad attachment 'çatı 
t-1.pdf'
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com Message-Score: added 35 
(baValencePB) for bad attachment 'çatı t-1.pdf', total score for this 
message is now 80
16.04.2017 21:18:39 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: Plugin ASSP_AFC has set the 
collection parameter to '7' = discard folder & sendAllSpam
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com mail blocked by Plugin ASSP_AFC - 
reason BadAttachment - log is set to '7'
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: logfile 
c:/assp/discarded/3431--1219548.eml removed
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: Maillog - created file 
c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [spam found] (BadAttachment) [çatı 
2] -> c:/assp/discarded/3431--1219548.eml;
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 250 OK
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: received and processed all 
DATA
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 6 byte to 
server
16.04.2017 21:18:40 [Worker_1] 66.111.4.25 <ka...@fastmail.ca> to: 
u...@domain.com info: message forwarded to c...@domain.com
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 221 
<HilalTrans.KillingFloor> closing transmission
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com finished message - received DATA 
size: 423.17 kByte - sent DATA size: 0 Byte
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com disconnected: session:5B1E9278 
66.111.4.25 - processing time 9 seconds
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
(etc...)

thanks for any clarification.

Katip


-------- Original Message --------
Subject: Re: [Assp-test] AFC plugin again
From: Thomas Eckardt <thomas.ecka...@thockar.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: Sun, 16 Apr 2017 08:58:00 +0200

Set 'SessionLog' to diagnostic and show the complete loglines for such a 
mail. 

15.04.2017 19:28:35 id-73707-03273 [Worker_1] [Attachment] 40.92.70.55 
<qwe...@hotmail.com> to: ke...@domain.com [spam found] (BadAttachment) 
[çatı t-1];

this shows that there is no logging level set for this mail -> result is 
no collection 

Thomas





From:    katip <ka...@katip.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    16.04.2017 04:15
Subject: [Assp-test] AFC plugin again




another AFC issue..

detection is ok. sender was external (not whitelisted) and pdf is set to 
block. however message is totally lost after receipt, despite all 
blocked attachment levels set to "discard folder & sendAllSpam"

15.04.2017 19:28:35 id-73707-03273 [Worker_1] [Attachment] 40.92.70.55 
<qwe...@hotmail.com> to: ke...@domain.com mail blocked by Plugin 
ASSP_AFC - reason BadAttachment
15.04.2017 19:28:35 id-73707-03273 [Worker_1] [Attachment] 40.92.70.55 
<qwe...@hotmail.com> to: ke...@domain.com [spam found] (BadAttachment) 
[çatı t-1];
15.04.2017 19:28:35 id-73707-03273 [Worker_1] 40.92.70.55 
<qwe...@hotmail.com> to: ke...@domain.com [SMTP Reply] 250 OK
15.04.2017 19:28:35 id-73707-03273 [Worker_1] 40.92.70.55 
<qwe...@hotmail.com> to: ke...@domain.com finished message - received 
DATA size: 289.58 kByte - sent DATA size: 0 Byte

without AFC, collections to discard folder and CCspam are fine. fyi..

Katip





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************
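
The ordering problem described in the top reply (forward-spam copy started before the plugin changes the verdict) can be searched for in an ASSP maillog. This is an added example, not part of the thread and not ASSP code. It assumes, as the reply states, that the `spam found and passing` line marks the forward-spam decision; the sample lines are constructed from the session in the thread with placeholder addresses, and the second message id is invented as a control.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the session in the thread (unwrapped lines,
# placeholder addresses). The second session is an invented control case.
SAMPLE_LOG = """\
16.04.2017 21:18:37 id-66712-03431 [Worker_1] [MessageLimit][lowlimit] 66.111.4.25 <sender@example.org> to: user@example.com [spam found] and possibly passing because messagescore(45) low [subject] -> c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 <sender@example.org> to: user@example.com spam found and passing [subject] -> c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 [Worker_1] to: user@example.com info: wrote 30 byte to server
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 <sender@example.org> to: user@example.com [Plugin] calling plugin ASSP_AFC
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 <sender@example.org> to: user@example.com mail blocked by Plugin ASSP_AFC - reason BadAttachment - log is set to '7'
16.04.2017 21:20:01 id-66800-03432 [Worker_1] 198.51.100.7 <other@example.org> to: user@example.com [Plugin] calling plugin ASSP_AFC
16.04.2017 21:20:02 id-66800-03432 [Worker_1] [Attachment] 198.51.100.7 <other@example.org> to: user@example.com mail blocked by Plugin ASSP_AFC - reason BadAttachment - log is set to '7'
"""

LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (id-\d+-\d+) (.*)$")
FORWARD_DECISION = "spam found and passing"  # assumed marker, per the reply
BLOCKED = re.compile(r"mail blocked by Plugin (\S+) - reason (\S+)")


def find_stale_forwards(log_text):
    """Return {message id: details} for mails whose verdict was changed by a
    plugin after the forward-spam decision had already been logged."""
    decided = {}  # message id -> time of the forward-spam decision
    stale = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # lines without a message id (e.g. "wrote N byte to server")
            continue
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        msg_id, rest = m.group(2), m.group(3)
        if FORWARD_DECISION in rest:
            decided.setdefault(msg_id, ts)
            continue
        blocked = BLOCKED.search(rest)
        if blocked and msg_id in decided:
            stale[msg_id] = {
                "plugin": blocked.group(1),
                "reason": blocked.group(2),
                "lag_seconds": int((ts - decided[msg_id]).total_seconds()),
            }
    return stale


if __name__ == "__main__":
    for msg_id, info in find_stale_forwards(SAMPLE_LOG).items():
        print(msg_id, info)
```

Messages it reports are the ones whose forwarded copy may carry the pre-plugin `X-Assp-*` headers and are worth comparing against the stored .eml file.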


