Thank you. I've disabled the testmode but he just got another one. Here are the details:
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] [BombCharSets] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com [scoring] (BombCharSets 'charset=cp1251')
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com Message-Score: added 42 for BombCharSets 'charset=cp1251', total score for this message is now 188
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] [BombCharSets] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com [scoring] (BombCharSets 'charset=cp1251')
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com Message-Score: added 25 for Regex:BombCharSets 'PB 25: for charset=cp1251' BombCharSets: 'charset=cp1251', total score for this message is now 213
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com FileScan: scanned 2147 bytes in message
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com Bayesian Check [scoring] - Prob: 0.00000 => ham
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] [PenaltyBox] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com [monitoring] totalscore for 119.254.105.202 is 72, last bad penalty was 'BombCharSets'
Sep-12-14 10:04:31 m-30667-01599 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com spam found and passing () [URGENT] -> discarded/URGENT--1497048.eml
Sep-12-14 10:04:31 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com FileScan: scanned 5373 bytes in message
Sep-12-14 10:04:31 [Worker_1] 119.254.105.202 <dhl.internatio...@pisem.net> to: u...@domain.com info: message forwarded to monitors...@domain.com

From Mail analyzer:

• SPF-check returned OK for 119.254.105.202 -> dhl.internatio...@pisem.net, mail.t3.com.cn
• SPF: neutral (cache) ip=119.254.105.202 mailfrom=dhl.internatio...@pisem.net helo=mail.t3.com.cn
• BombSubject RE: 'highest match: "URGENT" with valence: 17 - PB value = 17'
• matching bombSubjectRe(file:files/bombsubjectre.txt[line 1]): '(?-i)^[A-Zs!:.,/ ]+$'
• BombCharsets RE: 'highest match: "charset=cp1251" with valence: 25 - PB value = 25'
• matching bombCharSets(file:files/charsets.txt[line 8]): 'charset=.?CP1251'
• URIBL check: 'OK'
• Valid Format of HELO: 'mail.t3.com.cn'
• IP in Helo check: 'OK'
• 92.79.164.51 is in PB Black: score:141, last event - DNSBLfailed
• 119.254.105.202 is in PB Black: score:72, last event - BombCharSets
• RBLCacheCheck returned OK for 92.79.164.51: inserted as not ok at 2014-09-12 10:04:31 , listed by bb.barracudacentral.org{127.0.0.2} bl.spamcop.net{127.0.0.2} - message score: 141
• RBLScore: bl.spamcop.net -> 127.0.0.2 -> 91
• RBLScore: bb.barracudacentral.org -> 127.0.0.2 -> 50
• RBLCheck returned OK for 119.254.105.202: DNSBL: failed, 119.254.105.202 listed in bb.barracudacentral.org dnsbl-1.uceprotect.net - message score: 117
• RBLScore: bb.barracudacentral.org -> 127.0.0.2 -> 50
• RBLScore: dnsbl-1.uceprotect.net -> 127.0.0.2 -> 67

On 9/12/2014 9:55 AM, Thomas Eckardt wrote:
> - switch off all testmodes - looks like the penaltybox is running in
> testmode - if you want, you could have read it in the maillog (while copy
> and paste - for example)
>
>> Sep-12-14 07:35:28 m-21721-03024 [Worker_2]
>> [MessageLimit][tagging][testmode] 100.43.187.172 <nore...@esurgas.us>
>> to: u...@domain.com [spam found] and possibly passing because testmode,
>> otherwise blocked (MessageScore 79, limit 50) [Pure Garcinia Cambogia
>> Extract] -> spam/Pure_Garcinia_Cambogia_Extract--1496652.eml
>
>> 100.43.187.172 <nore...@esurgas.us> to: u...@domain.com [scoring]
>> (BombHeaderRe '2 Sep 2014 04:03:20 -0700')
> remove the related regular expression from BombHeaderRe - or replace it
> with
>
> \d\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d\d\d\d\s+\d\d:\d\d(:\d\d)?\s+[+\-]\d\d[6-9]\d
>
> in normal cases this entry is not required, because it catches MIME
> timestamps with wrong GMT offset like:
> 2 Sep 2014 04:03:20 -0760
> ...
> 2 Sep 2014 04:03:20 -0790
>
>
> Thomas
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
>
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
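
An added example, not part of the original thread and not ASSP code: a stand-alone Python check of the replacement pattern quoted in the reply above, run over unfolded mail headers. The header block, the header names in it and the function names are constructed for illustration; how ASSP itself applies BombHeaderRe is not shown here.

```python
import re

# Replacement pattern quoted in the reply above: it only hits when the
# minutes part of the GMT offset starts with 6-9 (e.g. -0760 ... -0790).
BAD_OFFSET_RE = re.compile(
    r"\d\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d\d\d\d"
    r"\s+\d\d:\d\d(:\d\d)?\s+[+\-]\d\d[6-9]\d"
)

# Constructed sample header block (not taken from the messages in the thread).
SAMPLE_HEADERS = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org; Tue, 2 Sep 2014 04:03:25 -0700\r\n"
    "Date: Tue, 2 Sep 2014 04:03:20 -0700\r\n"
    "X-Forged-Date: Tue,\r\n"
    " 2 Sep 2014 04:03:20 -0760\r\n"
    "Resent-Date: 2 Sep 2014 04:03 +0590\r\n"
    "Subject: URGENT\r\n"
)


def unfold(raw):
    """Join folded header lines (continuations start with space or tab)."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers


def bad_offset_headers(raw):
    """Return (header name, matched timestamp) for each header the pattern hits."""
    hits = []
    for header in unfold(raw):
        name, _, value = header.partition(":")
        match = BAD_OFFSET_RE.search(value)
        if match:
            hits.append((name, match.group(0)))
    return hits


if __name__ == "__main__":
    for name, stamp in bad_offset_headers(SAMPLE_HEADERS):
        print(f"{name}: invalid GMT offset in '{stamp}'")
```

The logged value '2 Sep 2014 04:03:20 -0700' from the quoted maillog line does not match this pattern, so a legitimate -0700 offset no longer adds a BombHeaderRe score.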