Hi Thomas,
Back in July 2018, I started a thread where ClamAV was catching spam, but
only AFTER delivery.  You suggested that the ASSP_AFC plugin wasn't
scanning the MIME headers and then fixed that in AFC 4.83.

I just received a report of spam that still came through, despite ClamAV
catching it.  In reviewing the log, I see a low scoring message being
delivered and then 1 second later ClamAV via AFC showing a hit.

It's a normal-sounding email, so I understand why Bayesian / HMM wouldn't
catch it.  I'm glad that ClamAV did, but it's pointless if the scan is
after the delivery, right?

The last time I brought this up, you initially said that I have a setting
that prevents ClamAV from running until after delivery.  Can you tell me
what that setting is?
Thanks

log:

Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org [scoring] DKIM domain-check skipped - spam.xx does
not support DKIM
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org [scoring] SPF: softfail ip=37.xx.xx.xx.xx
mailfrom=thespam...@spam.xx helo=randomhost.com
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org Message-Score: added 5 (spfsValencePB) for SPF
softfail, total score for this message is now 5
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org checking MX/A for spam.xx , otherspam.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org spam.xx - MX 'mx1.compromised.net' - got IP
(18.xx.xx.xx)
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org otherspam.xx - MX 'mx2.mail.otherspam.xx' - got IP
(14.xx.xx.xx)
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org MX found: spam.xx (Mail From: , From) ->
mx1.compromised.net
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org A record found for MX: spam.xx (Mail From: , From)
-> 18.xx.xx.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org MX found: otherspam.xx (Reply-To) ->
mx2.mail.otherspam.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org A record found for MX: otherspam.xx (Reply-To) ->
14.xx.xx.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org [scoring] found valid PTR hosted-by-xx.com
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org HMM-Check has given less than 6 results - using
monitoring mode only
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org HMM Check [monitoring] - Prob: 1.00000 -
Confidence: 0.00028 => doubtful.spam - answer/query relation: 0% of 137
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 -
Confidence: 0.00000 => doubtful.spam - answer/query relation: 100% of 138
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org Message-Score: added 25 for Bayesian Probability:
1.00000, total score for this message is now 30   *WE'RE AT 30*
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org [Plugin] calling plugin ASSP_AFC   *AFC CALLED*
Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.xx.xx.xx.xx
<thespam...@spam.xx> to: our.u...@ourcharity.org message ok [ Subject] ->
messages/okmail/Spam_Subject--3092281.txt
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org info: PB-IP-Score for '37.xx.xx.xx.xx' is 5, added
5 in this session
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org finished message - received DATA size: 1.87 kByte -
sent DATA size: 2.97 kByte
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org disconnected: session:11EAAF22 37.xx.xx.xx.xx -
processing time 5 seconds *DELIVERED*
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org ClamAV: scanned 2805 bytes in file
messages/okmail/Spam_Subject--3092281.txt - FOUND
winnow.spam.ts.xmailer.2.UNOFFICIAL   *Spam (Virus) found 1 second after
AFC called*
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org deleting spamming safelisted tuplet:
(37.48.120.0,spam.xx) age: 3s
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to:
our.u...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus
detected: 'winnow.spam.ts.xmailer.2.UNOFFICIAL', total score for this
message is now 80  *ADDED 50, but only after delivery*
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
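
A log check for the ordering described in the message above, where a ClamAV hit is logged only after the same message was already marked `[MessageOK]`. This is an added example, not part of the original post or of ASSP; it assumes one log entry per line and that the third field identifies the message, and the sample lines are constructed from the format shown above with placeholder addresses.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted above (addresses are placeholders).
SAMPLE_LOG = """\
Jan-08-19 03:02:55 17771-28711 192.0.2.10 <a@spam.example> to: u@example.org [Plugin] calling plugin ASSP_AFC
Jan-08-19 03:02:55 17771-28711 [MessageOK] 192.0.2.10 <a@spam.example> to: u@example.org message ok [ Subject] -> messages/okmail/Spam_Subject--3092281.txt
Jan-08-19 03:02:56 17771-28711 192.0.2.10 <a@spam.example> to: u@example.org ClamAV: scanned 2805 bytes in file messages/okmail/Spam_Subject--3092281.txt - FOUND winnow.spam.ts.xmailer.2.UNOFFICIAL
Jan-08-19 03:05:10 17772-11111 192.0.2.20 <b@other.example> to: u@example.org ClamAV: scanned 900 bytes in file messages/x.txt - FOUND Constructed.Test.Sig
Jan-08-19 03:06:00 17773-22222 [MessageOK] 192.0.2.30 <c@ok.example> to: u@example.org message ok [ Hello] -> messages/okmail/Hello--1.txt
"""

# timestamp, message id (assumed to be the third field), remainder of the entry
LINE_RE = re.compile(r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+-\d+) (.*)$")
FOUND_RE = re.compile(r"ClamAV: scanned \d+ bytes in file (\S+) - FOUND (\S+)")


def late_clamav_hits(log_text):
    """Return ClamAV hits logged after the same message was already accepted."""
    accepted = {}  # message id -> time of its first [MessageOK] entry
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or foreign line, ignore
        ts = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        msg_id, rest = m.group(2), m.group(3)
        if rest.startswith("[MessageOK]"):
            accepted.setdefault(msg_id, ts)
            continue
        found = FOUND_RE.search(rest)
        # File order decides "after": timestamps only have 1-second resolution.
        if found and msg_id in accepted:
            hits.append({
                "id": msg_id,
                "file": found.group(1),
                "signature": found.group(2),
                "delay_s": int((ts - accepted[msg_id]).total_seconds()),
            })
    return hits


if __name__ == "__main__":
    for hit in late_clamav_hits(SAMPLE_LOG):
        print("{id}: {signature} found {delay_s}s after MessageOK ({file})".format(**hit))
```
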
