> BadAttachL1:=\.(ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zip)
Reading the GUI for BadAttachRe I can see:

This regular expression is used to identify Level 1 attachments that should be blocked. Separate entries with a pipe |. The dot . is assumed to precede these, so don't include it. For example:
ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]

Now tell me, why do you use:

\.(.....)

assp will now search for example: file..zip - which will never match

Thomas

From: Nigel Kukard <nkukard+as...@lbsd.net>
To: assp-user@lists.sourceforge.net
Date: 20.01.2015 15:21
Subject: [Assp-user] Tagging messages & blocking attachments

Hi guys,

I have a system running ASSP version 2.4.3(14349).

Everything works 100% except I have configured content blocking and it seems attachment matches are getting through.

DoBlockExes:=1
BlockExes:=1
BlockWLExes:=2
BlockNPExes:=2
BadAttachL1:=\.(ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zip)

Mail is set to tagging with message score on end.

DoPenaltyMessage:=4
MsgScoreOnEnd:=1

Here are the logs...

Jan 20 12:00:18 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] Message-Score: added -10 (spfpValencePB) for SPF pass, total score for this message is now -10
Jan 20 12:00:19 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] Message-Score: added 150 for DNSBL: failed, 79.182.x.y listed in bl.spameatingmonkey.net dnsbl.sorbs.net zen.spamhaus.org, total score for this message is now 140
Jan 20 12:00:19 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] [scoring] (DNSBL: failed, 79.182.x.y listed in (bl.spameatingmonkey.net<-127.0.0.3; dnsbl.sorbs.net<-127.0.0.14; zen.spamhaus.org<-127.0.0.10; ))
Jan 20 12:00:19 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] Regex:BombHeaderRe 'PB 40: for 0 Jan 2015 14:00:13 +'
Jan 20 12:00:19 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] [BombHeaderRe] 79.182.x.y <[redacted]> to: [redacted]@[redacted] [scoring] (BombHeaderRe '0 Jan 2015 14:00:13 +0200')
Jan 20 12:00:19 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] Message-Score: added 40 for BombHeaderRe '0 Jan 2015 14:00:13 +0200', total score for this message is now 180
Jan 20 12:00:19 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] info: 1 attachment found for Level-1

This is what is odd. Even though it's detected, the message is set to tagging and the attachment level 1 is set to block, it's passing below.

Jan 20 12:00:20 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] HMM-Check has given less than 6 results - using monitoring mode only
Jan 20 12:00:20 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] HMM Check [monitoring] - Prob: 1.00000 => spam
Jan 20 12:00:20 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] Bayesian Check [scoring] - Prob: 1.00000 => spam
Jan 20 12:00:20 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] Message-Score: added 30 for Bayesian Probability: 1.00000, total score for this message is now 210
Jan 20 12:00:20 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] [MessageLimit][lowlimit] 79.182.x.y <[redacted]> to: [redacted]@[redacted] [spam found] and possibly passing because messagescore(210) low [] -> /opt/assp/discarded/5067--632373.eml
Jan 20 12:00:20 [redacted]-inboundmx assp[22740]: id-55214-05067 [Worker_3] 79.182.x.y <[redacted]> to: [redacted]@[redacted] spam found and passing () []

Have I possibly missed something? I am delaying the scoring until the entire mail is received.

-N

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
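
An added example, not part of the original thread and not ASSP's own code: a small check that models the behaviour the GUI help text describes (the dot is supplied for you) and shows why the posted BadAttachL1 value only matches a doubled dot such as file..zip. How the final pattern is assembled in `effective_pattern` (prepended `\.`, anchored at the end of the name, case-insensitive) is an assumption for illustration, and the probe filenames are constructed.

```python
import re

# BadAttachL1 exactly as posted in the thread, leading "\." included.
POSTED = (r"\.(ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]"
          r"|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg"
          r"|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zip)")
# Same extension list in the form the GUI text asks for: no dot, no wrapper.
CORRECTED = POSTED[len(r"\.("):-1]

def effective_pattern(value):
    # Assumption: the filter supplies the dot itself and matches at the end
    # of the attachment name, case-insensitively.
    return re.compile(r"\.(?:" + value + r")$", re.IGNORECASE)

def is_blocked(filename, value):
    return effective_pattern(value).search(filename) is not None

def lint(value):
    """Static check: does the configured value carry its own leading dot?"""
    core = re.sub(r"^\^?(?:\((?:\?:)?)*", "", value)  # skip ^ and opening groups
    if core.startswith(r"\."):
        return ["leading '\\.' duplicates the dot the filter already assumes"]
    if core.startswith("."):
        return ["leading unescaped '.' matches any character before the extension"]
    return []

def missed(value, names):
    """Behavioural check: which probe names would pass the filter?"""
    return [n for n in names if not is_blocked(n, value)]

# Constructed probe names; each ends in an extension from the list above.
PROBES = ["invoice.zip", "Setup.EXE", "run.js", "macro.vbs", "doc.pdf.scr"]

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, "lint:", lint(value), "missed:", missed(value, PROBES))
    print("posted value blocks 'file..zip':", is_blocked("file..zip", POSTED))
```

Running `missed()` over a handful of benign probe names after every change to a BadAttach setting catches this class of mistake before mail depends on it.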