I'll keep looking for one. Since removing the securiteinfo marketing list, which was constantly causing false positives, I haven't seen any.
On Fri, Jan 11, 2019 at 1:07 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> This is not what I'm looking for.
>
> I need a log from a mail that is processed by ASSP_AFC with no hit - but a virus is detected by the postcheck.
>
> This example is one for which the postprocessing is made. The mail was blocked by any feature (except/before attachment + virus check). The stored file is post scanned and a virus is detected. The file is moved to quarantine to prevent blockreport resends. The related internal flags are set to tell this to the post plugins like ASSP_ARC and ASSP_RSS.
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 11.01.2019 05:32
> Subject: Re: [Assp-test] ClamAV catching spam, but still delivered
> ------------------------------
>
> I found one, sort of.
> The message was still blocked because they spoofed our domain and was otherwise pretty bad, but ClamAV didn't scan until after. Does this log help figure out why? In this case, I don't even see AFC launching (vs the previous example where it did).
>
> Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> Message-Score: added 15 (fiphValencePB) for Suspicious HELO - contains IP: '[92.1xx.xx.xx]', total score for this message is now 15
> Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> [scoring] (Suspicious HELO - contains IP: '[92.1xx.xx.xx]')
> Jan-10-19 12:14:17 98437-10602 [SpoofedSender] 92.1xx.xx.xx <ouru...@ourcharityh.org> [scoring] (No Spoofing Allowed 'ouru...@ourcharityh.org' in 'mailfrom')
> Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> Message-Score: added 5 (slValencePB) for No Spoofing Allowed 'ouru...@ourcharityh.org' in 'mailfrom', total score for this message is now 20
> Jan-10-19 12:14:21 98437-10602 [SpoofedSender] 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] (No Spoofing Allowed 'ouru...@ourcharityh.org' in 'from')
> Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] DKIM domain-check skipped - OurCharityh.org does not support DKIM
> Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] SPF: softfail ip=92.1xx.xx.xx mailfrom=ouru...@ourcharityh.org helo=[92.1xx.xx.xx]
> Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org Message-Score: added 5 (spfsValencePB) for SPF softfail, total score for this message is now 25
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org Message-Score: added 110 for DNSBL: failed, 92.1xx.xx.xx listed in bb.barracudacentral.org bl.spamcop.net cbl.abuseat.org, total score for this message is now 135
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] DNSBL: failed, 92.1xx.xx.xx listed in (bb.barracudacentral.org<-127.0.0.2; bl.spamcop.net<-127.0.0.2; cbl.abuseat.org<-127.0.0.2)
> Jan-10-19 12:14:22 98437-10602 [ValidHELO] 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] (not valid HELO: '[92.1xx.xx.xx]')
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org Message-Score: added 10 (ihValencePB) for not valid HELO: '[92.1xx.xx.xx]', total score for this message is now 145
> Jan-10-19 12:14:22 98437-10602 [PTRmissing] 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] (PTR missing)
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 155
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org HMM Check [scoring] - Prob: 1.00000 - Confidence: 1.00000 => confident.spam - answer/query relation: 100% of 201
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org Message-Score: added 50 for HMM Probability: 1.00000, total score for this message is now 205
> Jan-10-19 12:14:22 98437-10602 [PenaltyBox] 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [monitoring] totalscore for 92.1xx.xx.xx is 265, last bad penalty was 'HMM'
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org deleting spamming safelisted tuplet: (92.181.45.0,OurCharityh.org) age: 4s
> Jan-10-19 12:14:22 98437-10602 [MessageLimit] 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org MaxAllowedDups (3) reached for this subject - moved oldest file messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3093512.txt to c:/assp/messages/discarded/The_decision_to_suspend_your_account_Waiting_for_payment--3093512.txt
> Jan-10-19 12:14:22 98437-10602 [MessageLimit] 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [spam found] (MessageScore 205, limit 50) [The decision to suspend your account Waiting for payment] -> messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3096260.txt;
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [SMTP Error] 554 5.7.1 Not Delivered [98437-10602 AAD59CE8]
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org info: PB-IP-Score for '92.1xx.xx.xx' is 265, added 205 in this session
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org finished message - received DATA size: 2.43 kByte - sent DATA size: 0 Byte
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org disconnected: session:AAD59CE8 92.1xx.xx.xx - processing time 7 seconds
> Jan-10-19 12:14:22 Info: connected to ClamAV daemon at 127.0.0.1:3310
> Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org ClamAV: scanned 4586 bytes in file messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3096260.txt - FOUND Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL
> Jan-10-19 12:14:23 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: ouru...@ourcharityh.org Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL', total score for this message is now 255
>
> On Thu, Jan 10, 2019 at 10:24 AM K Post <nntp.p...@gmail.com> wrote:
> I made the change. Will report back as soon as I can catch something.
> FYI, I removed securiteinfo's marketing list from ClamAV.
> The majority of the post detections were hitting those signatures, and they were usually false positives.
>
> On Wed, Jan 9, 2019 at 12:39 PM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> set AttachmentLog and ScanLog to the highest level
>
> post the complete log for a passed mail (post detected)
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 09.01.2019 18:33
> Subject: Re: [Assp-test] ClamAV catching spam, but still delivered
> ------------------------------
>
> I've been running AFC 4.88 for a while now. I will update to 4.89, but it doesn't sound like that's it.
>
> I just did a search on "ClamAV: scanned" and see a ton of these lines in today's log appearing after delivery. I believe I'm only seeing the logs when clamav actually catches something after the fact. Could it NEVER be scanning the stream itself? Is there a setting that I have wrong? What should I check?
>
> Any other ideas as to why the clam scan seems to fairly regularly be either skipped or fails during the delivery process? Could ASSP somehow detect this problem *before* delivery, scan the file instead of the stream, and then decide to deliver or not?
>
> Spam's annoying, but if some slips through because of this, I don't really care. It's the fear of a detectable true virus being sent through because ClamAV sometimes isn't working on the stream that's scaring me.
>
> thanks
> Ken
>
> On Wed, Jan 9, 2019 at 11:06 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> any of your settings or a bug prevents ASSP_AFC from scanning the mail
>
> >ClamAV: scanned 2805 bytes in file messages/okmail/Spam_Subject--3092281.txt
>
> This is a security (post)scan forced by 'ClamAVLogScan'.
> Stored files are scanned, if not already done while processing the mail.
>
> notice: a security BUG was fixed in ASSP_AFC 4.88 and 4.89 ---- some MIME types were not correctly detected while processing the mail, but if files were scanned - seems you use an outdated ASSP_AFC
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 09.01.2019 16:45
> Subject: [Assp-test] ClamAV catching spam, but still delivered
> ------------------------------
>
> Hi Thomas,
> Back in July 2018, I started a thread where ClamAV was catching spam, but only AFTER delivery. You suggested that the ASSP_AFC plugin wasn't scanning the MIME headers and then fixed that in AFC 4.83.
>
> I just received a report of spam that still came through, despite ClamAV catching it. In reviewing the log, I see a low scoring message being delivered and then 1 second later ClamAV via AFC showing a hit.
>
> It's a normal sounding email, so I understand why Bayesian / HMM wouldn't catch it. I'm glad that clamav did, but it's pointless if the scan is after the delivery, right?
>
> The last time I brought this up, you initially said that I have a setting that prevents ClamAV from running until after delivery. Can you tell me what that setting is?
> Thanks
>
> log:
>
> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org [scoring] DKIM domain-check skipped - spam.xx does not support DKIM
> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org [scoring] SPF: softfail ip=37.xx.xx.xx.xx mailfrom=thespam...@spam.xx helo=randomhost.com
> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org Message-Score: added 5 (spfsValencePB) for SPF softfail, total score for this message is now 5
> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org checking MX/A for spam.xx , otherspam.xx
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org spam.xx - MX 'mx1.compromised.net' - got IP (18.xx.xx.xx)
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org otherspam.xx - MX 'mx2.mail.otherspam.xx' - got IP (14.xx.xx.xx)
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org MX found: spam.xx (Mail From: , From) -> mx1.compromised.net
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org A record found for MX: spam.xx (Mail From: , From) -> 18.xx.xx.xx
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org MX found: otherspam.xx (Reply-To) -> mx2.mail.otherspam.xx
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org A record found for MX: otherspam.xx (Reply-To) -> 14.xx.xx.xx
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org [scoring] found valid PTR hosted-by-xx.com
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org HMM-Check has given less than 6 results - using monitoring mode only
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org HMM Check [monitoring] - Prob: 1.00000 - Confidence: 0.00028 => doubtful.spam - answer/query relation: 0% of 137
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 - Confidence: 0.00000 => doubtful.spam - answer/query relation: 100% of 138
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 30 *WE'RE AT 30*
> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org [Plugin] calling plugin ASSP_AFC *AFC CALLED*
> Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org message ok [ Subject] -> messages/okmail/Spam_Subject--3092281.txt
> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org info: PB-IP-Score for '37.xx.xx.xx.xx' is 5, added 5 in this session
> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org finished message - received DATA size: 1.87 kByte - sent DATA size: 2.97 kByte
> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org disconnected: session:11EAAF22 37.xx.xx.xx.xx - processing time 5 seconds *DELIVERED*
> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org ClamAV: scanned 2805 bytes in file messages/okmail/Spam_Subject--3092281.txt - FOUND winnow.spam.ts.xmailer.2.UNOFFICIAL *Spam (Virus) found 1 second after AFC called*
> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org deleting spamming safelisted tuplet: (37.48.120.0,spam.xx) age: 3s
> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: our.u...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus detected: 'winnow.spam.ts.xmailer.2.UNOFFICIAL', total score for this message is now 80 *ADDED 50, but only after delivery*
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no known virus in this email!
> *******************************************************
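As an added example, not code from the thread or from ASSP itself: a small Python checker that groups ASSP maillog lines by session id and separates the case Thomas describes (mail already blocked, stored file post-scanned by ClamAVLogScan, nothing sent on) from the one Ken is chasing (a ClamAV hit logged only after 'finished message' reported bytes sent). The sample log lines are constructed in the shape of those quoted above, with made-up addresses, and the category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the ASSP maillog lines in the thread (made-up addresses/IPs; the 'Info:' line has no session id on purpose).
SAMPLE_LOG = """\
Jan-08-19 03:02:55 17771-28711 37.0.0.1 <s@spam.example> to: u@charity.example [Plugin] calling plugin ASSP_AFC
Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.0.0.1 <s@spam.example> to: u@charity.example message ok [ Subject] -> messages/okmail/Spam_Subject--3092281.txt
Jan-08-19 03:02:56 17771-28711 37.0.0.1 <s@spam.example> to: u@charity.example finished message - received DATA size: 1.87 kByte - sent DATA size: 2.97 kByte
Jan-08-19 03:02:56 Info: connected to ClamAV daemon at 127.0.0.1:3310
Jan-08-19 03:02:56 17771-28711 37.0.0.1 <s@spam.example> to: u@charity.example ClamAV: scanned 2805 bytes in file messages/okmail/Spam_Subject--3092281.txt - FOUND winnow.spam.ts.xmailer.2.UNOFFICIAL
Jan-10-19 12:14:22 98437-10602 92.0.0.1 <u@charity.example> to: u@charity.example [spam found] (MessageScore 205, limit 50) [Subj] -> messages/spam/Subj--3096260.txt;
Jan-10-19 12:14:22 98437-10602 92.0.0.1 <u@charity.example> to: u@charity.example finished message - received DATA size: 2.43 kByte - sent DATA size: 0 Byte
Jan-10-19 12:14:22 98437-10602 92.0.0.1 <u@charity.example> to: u@charity.example ClamAV: scanned 4586 bytes in file messages/spam/Subj--3096260.txt - FOUND Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL
Jan-10-19 12:30:00 55555-66666 10.0.0.9 <ok@partner.example> to: u@charity.example finished message - received DATA size: 1.10 kByte - sent DATA size: 1.20 kByte
"""

LINE_RE = re.compile(r"^\S+ \S+ (\d+-\d+) (.*)$")  # date time session-id rest
SENT_RE = re.compile(r"sent DATA size: ([\d.]+) (k?Byte)")
FOUND_RE = re.compile(r"ClamAV: scanned \d+ bytes in file \S+ - FOUND (\S+)")

def sent_bytes(text):
    """Bytes ASSP handed to the next hop, taken from the 'finished message' line."""
    m = SENT_RE.search(text)
    if not m:
        return None
    value, unit = float(m.group(1)), m.group(2)
    return value * 1024 if unit == "kByte" else value

def classify_sessions(log_text):
    """Map session id -> (category, signature). Category names are my own: 'inline hit'
    (hit before the session finished), 'post-scan hit' (hit after 'finished message' but
    nothing sent: a blocked mail re-scanned on disk), 'DELIVERED then hit' (bytes already sent)."""
    sessions = defaultdict(dict)
    for lineno, line in enumerate(log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue  # no session id, e.g. 'Info: connected to ClamAV daemon'
        sid, rest = m.groups()
        if "finished message" in rest:
            sessions[sid]["finished_at"], sessions[sid]["sent"] = lineno, sent_bytes(rest)
        f = FOUND_RE.search(rest)
        if f:
            sessions[sid]["found_at"], sessions[sid]["signature"] = lineno, f.group(1)
    result = {}
    for sid, s in sessions.items():
        sig = s.get("signature")
        if sig is None:
            result[sid] = ("no hit", None)
        elif "finished_at" not in s or s["found_at"] < s["finished_at"]:
            result[sid] = ("inline hit", sig)
        elif (s.get("sent") or 0) > 0:
            result[sid] = ("DELIVERED then hit", sig)
        else:
            result[sid] = ("post-scan hit", sig)
    return result
```

Run `classify_sessions` over a real maillog with AttachmentLog and ScanLog raised as Thomas suggests; every session in 'DELIVERED then hit' is a message that left the server before ClamAV looked at it, which is the condition to count rather than the raw number of "ClamAV: scanned" lines.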