>Shouldn't ASSP do the virus check before the spam check
May-18-12 07:52:28
May-18-12 07:52:38
It has taken 10 seconds to do the virus check. It is not possible to do
this check (before spam checks) on every mail on high load systems.
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] [scoring] SPF: fail
ip=37.45.95.183 [email protected] helo=[37.45.95.183]
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] Message-Score: added 10
(spfValencePB) for SPF fail, total score for this message is now 15
There is no good reason to do any further check if SPF fails! Increase
the score or set SPF to block.
>I found one message which is stored in ./spam.
ASSP was unable to remove the file in ./spam for any reason.
Normally ASSP will remove the stored file and will recreate a new one - in
your case the new one would be NULL.
Thomas
From: Marcus Bergmann <[email protected]>
To: "[email protected]"
<[email protected]>,
Date: 19.05.2012 18:07
Subject: [Assp-user] Spam lover mail is stored even it contains
virus
Hi All,
I'm using ASSP 2.1.1(12090). I have configured SpamVirusLog:=0. Inside the
maillog.txt I found one message which is stored in ./spam. Here is the
log:
May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> Message-Score: added 5 (fiphValencePB) for
Suspicious HELO - contains IP: '[37.45.95.183]', total score for this
message is now 5
May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> [scoring] (Suspicious HELO - contains IP:
'[37.45.95.183]')
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] [scoring] SPF: fail
ip=37.45.95.183 [email protected] helo=[37.45.95.183]
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] Message-Score: added 10
(spfValencePB) for SPF fail, total score for this message is now 15
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [DNSBL] 37.45.95.183
<[email protected]> to: [email protected] [scoring] DNSBL: neutral,
37.45.95.183 listed in zen.spamhaus.org
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] Message-Score: added 25 for
DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org, total score for
this message is now 40
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [PTRmissing] 37.45.95.183
<[email protected]> to: [email protected] [scoring] (PTR missing)
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] Message-Score: added 10
(ptmValencePB) for PTR missing, total score for this message is now 50
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [MessageLimit][sl]
37.45.95.183 <[email protected]> to: [email protected] [spam found] and
possibly passing because spamlover for this check, otherwise blocked
(MessageScore 50, limit 50) [FW Check the attachment you have to react
somehow to this picture] ->
/opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] ClamAV: scanned 60690 bytes in
message - FOUND Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] Message-Score: added 50
(vdValencePB) for virus detected:
'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)', total score
for this message is now 100
May-18-12 07:52:38 m1-20347-11296 [Worker_2] [VIRUS] 37.45.95.183
<[email protected]> to: [email protected] [spam found] (virus detected:
'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)') [FW Check the
attachment you have to react somehow to this picture] ->
/opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml;
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] [SMTP Error] 554 5.7.1 Mail
appears infected with
\[Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)\].
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183
<[email protected]> to: [email protected] [SMTP Status] 451 4.7.1
Greylisted - Please try again later
After the message gets some penalty points because of HELO, SPF, DNSBL and
PTR the MessageScore limit of 50 is reached and the message is stored in
./spam folder. Then ASSP detects via ClamAV that the message contains a
virus and rejects it. Shouldn't ASSP do the virus check before the spam
check, reject and don't store the message? We want to use the following
policy: faked local sender or unknown local receiver or message contains
virus -> reject them all, don't store; all other spam -> reject (e.g.
DNSBL) or tag (e.g. Bayesian), store in ./spam for resend via reports.
Thank you,
Marcus
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
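For locating files left behind in the situation this thread describes, the following added example (not part of the original messages, and not ASSP code) scans a maillog for sessions in which a message was written to the spam folder and ClamAV reported a virus afterwards. It assumes one log entry per line in the format quoted above; the sample entries, addresses, IPs and signature names are constructed, and `find_infected_stored` is a hypothetical helper name.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample modeled on the log format quoted in the thread
# (placeholder addresses, documentation IPs, made-up signature names).
SAMPLE_LOG = """\
May-18-12 07:52:28 m1-00001-00001 [Worker_2] [MessageLimit][sl] 192.0.2.10 <sender@example.org> to: user@example.com [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [FW Check] -> /opt/assp/spam/FW_Check--140588.eml
May-18-12 07:52:38 m1-00001-00001 [Worker_2] 192.0.2.10 <sender@example.org> to: user@example.com ClamAV: scanned 60690 bytes in message - FOUND Constructed.Test-1
May-18-12 07:53:01 m1-00002-00002 [Worker_1] [MessageLimit] 192.0.2.20 <other@example.org> to: user@example.com [spam found] (MessageScore 55, limit 50) [Cheap pills] -> /opt/assp/spam/Cheap_pills--140589.eml
May-18-12 07:53:05 m1-00003-00003 [Worker_1] 192.0.2.30 <x@example.org> to: user@example.com ClamAV: scanned 1200 bytes in message - FOUND Constructed.Test-2
"""

# timestamp, session id (e.g. m1-20347-11296), remainder of the entry
ENTRY = re.compile(r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
VIRUS = re.compile(r"ClamAV: scanned \d+ bytes in message - FOUND (\S+)")
STORED = re.compile(r"\[spam found\].*->\s*(\S+?\.eml)\b")


class Hit(NamedTuple):
    session: str
    path: str
    signature: str
    delay_seconds: int  # time between storing the file and the ClamAV result


def find_infected_stored(log_text):
    """Return sessions whose message was stored before ClamAV flagged it."""
    stored = {}  # session id -> (timestamp, stored file path)
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped or foreign lines are skipped
        when = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        session, rest = m.group(2), m.group(3)
        v = VIRUS.search(rest)
        if v:
            if session in stored:  # file was already on disk when the scan finished
                t0, path = stored.pop(session)
                delay = int((when - t0).total_seconds())
                hits.append(Hit(session, path, v.group(1), delay))
            continue
        s = STORED.search(rest)
        if s:
            stored.setdefault(session, (when, s.group(1)))
    return hits


if __name__ == "__main__":
    for hit in find_infected_stored(SAMPLE_LOG):
        print(f"{hit.session}: {hit.path} flagged as {hit.signature} after {hit.delay_seconds}s")
```

Sessions that were only stored as spam, or only flagged by ClamAV without a stored file, are not reported.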