Hi All,

I'm using ASSP 2.1.1(12090). I have configured SpamVirusLog:=0. Inside the maillog.txt I found one message which is stored in ./spam. Here is the log:

May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: '[37.45.95.183]', total score for this message is now 5
May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> [scoring] (Suspicious HELO - contains IP: '[37.45.95.183]')
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] [scoring] SPF: fail ip=37.45.95.183 [email protected] helo=[37.45.95.183]
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] Message-Score: added 10 (spfValencePB) for SPF fail, total score for this message is now 15
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [DNSBL] 37.45.95.183 <[email protected]> to: [email protected] [scoring] DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] Message-Score: added 25 for DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org, total score for this message is now 40
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [PTRmissing] 37.45.95.183 <[email protected]> to: [email protected] [scoring] (PTR missing)
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 50
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [MessageLimit][sl] 37.45.95.183 <[email protected]> to: [email protected] [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] ClamAV: scanned 60690 bytes in message - FOUND Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)', total score for this message is now 100
May-18-12 07:52:38 m1-20347-11296 [Worker_2] [VIRUS] 37.45.95.183 <[email protected]> to: [email protected] [spam found] (virus detected: 'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)') [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml;
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] [SMTP Error] 554 5.7.1 Mail appears infected with \[Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)\].
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <[email protected]> to: [email protected] [SMTP Status] 451 4.7.1 Greylisted - Please try again later

After the message gets some penalty points because of HELO, SPF, DNSBL and PTR, the MessageScore limit of 50 is reached and the message is stored in the ./spam folder. Then ASSP detects via ClamAV that the message contains a virus and rejects it.

Shouldn't ASSP do the virus check before the spam check, then reject and not store the message?

We want to use the following policy:
- faked local sender or unknown local receiver or message contains virus -> reject them all, don't store;
- all other spam -> reject (e.g. DNSBL) or tag (e.g. Bayesian), store in ./spam for resend via reports.

Thank you,
Marcus
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
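
An added example, not part of the original post and not ASSP code: a Python check that groups maillog.txt lines by session ID and reports sessions where a copy was written to the spam folder before ClamAV reported a virus, which is the ordering the message above describes. The regular expressions are assumptions derived from the log lines shown in the post; the sample lines, addresses and file names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the maillog.txt excerpt above
# (IP addresses, mail addresses, signature names and paths are placeholders).
SAMPLE_LOG = """\
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 192.0.2.10 <sender@example.com> to: user@example.org Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 50
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [MessageLimit][sl] 192.0.2.10 <sender@example.com> to: user@example.org [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [FW test] -> /opt/assp/spam/FW_test--1.eml
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 192.0.2.10 <sender@example.com> to: user@example.org ClamAV: scanned 60690 bytes in message - FOUND Example.Test-1
May-18-12 07:52:39 m1-20347-11300 [Worker_1] 192.0.2.11 <other@example.com> to: user@example.org ClamAV: scanned 512 bytes in message - FOUND Example.Test-2
"""

# Assumed line layout: "<date> <time> <session id> [Worker_N] <rest>"
LINE = re.compile(r"^(\S+ \S+) (\S+) \[Worker_\d+\] (.*)$")
SCORE = re.compile(r"total score for this message is now (\d+)")
STORED = re.compile(r"\[spam found\].*-> (\S+\.eml)")
VIRUS = re.compile(r"ClamAV: scanned \d+ bytes in message - FOUND (\S+)")

def sessions(log_text):
    """Collect the last score and the store/virus events per session, in log order."""
    out = defaultdict(lambda: {"score": 0, "events": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a worker line in the assumed layout
        ts, sid, rest = m.groups()
        entry = out[sid]
        if (sc := SCORE.search(rest)):
            entry["score"] = int(sc.group(1))
        if (st := STORED.search(rest)):
            entry["events"].append(("stored", ts, st.group(1)))
        if (v := VIRUS.search(rest)):
            entry["events"].append(("virus", ts, v.group(1)))
    return dict(out)

def stored_before_virus(log_text):
    """Map session id -> stored path for sessions where the spam-folder
    copy was logged before the ClamAV verdict."""
    hits = {}
    for sid, entry in sessions(log_text).items():
        kinds = [kind for kind, _, _ in entry["events"]]
        if "stored" in kinds and "virus" in kinds \
                and kinds.index("stored") < kinds.index("virus"):
            hits[sid] = next(p for k, _, p in entry["events"] if k == "stored")
    return hits

if __name__ == "__main__":
    for sid, path in stored_before_virus(SAMPLE_LOG).items():
        print(f"{sid}: infected message already stored at {path}")
```

The paths it returns are the files to review or purge from the spam folder if infected mail should not be kept for resend reports.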
