any of your settings or a bug prevents ASSP_AFC from scanning the mail

>ClamAV: scanned 2805 bytes in file 
messages/okmail/Spam_Subject--3092281.txt 

This is a security (post)scan forced by 'ClamAVLogScan'. Stored files are 
scanned, if not already done while processing the mail.

Notice: a security BUG was fixed in ASSP_AFC 4.88 and 4.89 - some MIME 
types were not correctly detected while processing the mail, but if files 
were scanned - it seems you use an outdated ASSP_AFC

Thomas





From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    09.01.2019 16:45
Subject: [Assp-test] ClamAV catching spam, but still delivered



Hi Thomas,
Back in July 2018, I started a thread where ClamAV was catching spam, but 
only AFTER delivery.  You suggested that the ASSP_AFC plugin wasn't 
scanning the MIME headers and then fixed that in AFC 4.83.

I just received a report of spam that still came through, despite ClamAV 
catching it.  In reviewing the log, I see a low scoring message being 
delivered and then 1 second later ClamAV via AFC showing a hit.

It's a normal-sounding email, so I understand why Bayesian / HMM wouldn't 
catch it.  I'm glad that ClamAV did, but it's pointless if the scan is 
after the delivery, right?

The last time I brought this up, you initially said that I have a setting 
that prevents ClamAV from running until after delivery.  Can you tell me 
what that setting is?
Thanks

log:

Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [scoring] DKIM domain-check skipped - spam.xx does 
not support DKIM
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [scoring] SPF: softfail ip=37.xx.xx.xx.xx 
mailfrom=thespam...@spam.xx helo=randomhost.com
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Message-Score: added 5 (spfsValencePB) for SPF 
softfail, total score for this message is now 5
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org checking MX/A for spam.xx , otherspam.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org spam.xx - MX 'mx1.compromised.net' - got IP 
(18.xx.xx.xx)
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org otherspam.xx - MX 'mx2.mail.otherspam.xx' - got IP 
(14.xx.xx.xx)
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org MX found: spam.xx (Mail From: , From) -> 
mx1.compromised.net
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org A record found for MX: spam.xx (Mail From: , From) 
-> 18.xx.xx.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org MX found: otherspam.xx (Reply-To) -> 
mx2.mail.otherspam.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org A record found for MX: otherspam.xx (Reply-To) -> 
14.xx.xx.xx
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [scoring] found valid PTR hosted-by-xx.com
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org HMM-Check has given less than 6 results - using 
monitoring mode only
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org HMM Check [monitoring] - Prob: 1.00000 - 
Confidence: 0.00028 => doubtful.spam - answer/query relation: 0% of 137
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 - 
Confidence: 0.00000 => doubtful.spam - answer/query relation: 100% of 138
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Message-Score: added 25 for Bayesian Probability: 
1.00000, total score for this message is now 30   WE'RE AT 30
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [Plugin] calling plugin ASSP_AFC   AFC CALLED
Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.xx.xx.xx.xx 
<thespam...@spam.xx> to: our.u...@ourcharity.org message ok [ Subject] -> 
messages/okmail/Spam_Subject--3092281.txt
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org info: PB-IP-Score for '37.xx.xx.xx.xx' is 5, added 
5 in this session
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org finished message - received DATA size: 1.87 kByte 
- sent DATA size: 2.97 kByte
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org disconnected: session:11EAAF22 37.xx.xx.xx.xx - 
processing time 5 seconds DELIVERED
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org ClamAV: scanned 2805 bytes in file 
messages/okmail/Spam_Subject--3092281.txt - FOUND 
winnow.spam.ts.xmailer.2.UNOFFICIAL   Spam (Virus) found 1 second after 
AFC called
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org deleting spamming safelisted tuplet: 
(37.48.120.0,spam.xx) age: 3s
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus 
detected: 'winnow.spam.ts.xmailer.2.UNOFFICIAL', total score for this 
message is now 80  ADDED 50, but only after delivery

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************
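
Added example, not part of the original thread and not ASSP's own code: a log check that flags ClamAV hits reported on a stored file after the same session already logged `[MessageOK]` for it, which is the post-delivery pattern discussed above. It assumes the line layout shown in the quoted log (timestamp, session ID, then the event text); the sample lines, addresses and second session are constructed.

```python
import re
from datetime import datetime

# Constructed sample modeled on the log in the message above, wrapped the way
# the list archive wraps it. Addresses are placeholders; session 20001-30002
# and its signature name are invented for contrast (hit without MessageOK).
SAMPLE_LOG = """\
Jan-08-19 03:02:55 17771-28711 [MessageOK] 192.0.2.10
<sender@spam.example> to: user@example.org message ok [ Subject] ->
messages/okmail/Spam_Subject--3092281.txt
Jan-08-19 03:02:56 17771-28711 192.0.2.10 <sender@spam.example> to:
user@example.org ClamAV: scanned 2805 bytes in file
messages/okmail/Spam_Subject--3092281.txt - FOUND
winnow.spam.ts.xmailer.2.UNOFFICIAL
Jan-08-19 03:04:10 20001-30002 192.0.2.20 <other@spam.example> to:
user@example.org ClamAV: scanned 900 bytes in file
attachment.bin - FOUND Constructed.Example.Signature
"""

STAMP = re.compile(r"^(\w{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
OKMAIL = re.compile(r"\[MessageOK\].*-> (\S+)")
FOUND = re.compile(r"ClamAV: scanned \d+ bytes in file (\S+) - FOUND (\S+)")

def unwrap(text):
    """Rejoin wrapped lines: a new event starts only at a timestamp."""
    events = []
    for line in text.splitlines():
        if STAMP.match(line):
            events.append(line.strip())
        elif line.strip() and events:
            events[-1] += " " + line.strip()
    return events

def late_hits(text):
    """Return (session, signature, file, seconds after MessageOK) per late hit."""
    accepted, hits = {}, []
    for event in unwrap(text):
        stamp, session, rest = STAMP.match(event).groups()
        when = datetime.strptime(stamp, "%b-%d-%y %H:%M:%S")
        ok, hit = OKMAIL.search(rest), FOUND.search(rest)
        if ok:  # message was accepted and stored under this path
            accepted[(session, ok.group(1))] = when
        elif hit and (session, hit.group(1)) in accepted:
            delay = (when - accepted[(session, hit.group(1))]).total_seconds()
            hits.append((session, hit.group(2), hit.group(1), delay))
    return hits

if __name__ == "__main__":
    print(late_hits(SAMPLE_LOG))
```
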
