Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'

Fri, 18 Mar 2016 20:26:04 -0700 

Even the [MessageOK] detection before the plugin is called is missing! I 
can't reproduce this and I've no clue, how this can be happen - I'm sorry.

If you can reproduce this - set SessionLog to diagnostic and AttachmentLog 
to verbose. Or debug such a mail.

Thomas




Von:    aquilinux <aquili...@gmail.com>
An:     For Users of ASSP <assp-user@lists.sourceforge.net>
Datum:  17.03.2016 13:41
Betreff:        Re: [Assp-user] bad attachment [...] possibly a virus 
infected file (can't extract archive)'



and in this case the message is blocked, but it is not stored anywhere:

Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> info: found message size announcement:
23.25 kByte
Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> [SMTP Reply] 250 2.1.0 Ok
Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 250 2.1.5 Ok
Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 354 End data
with <CR><LF>.<CR><LF>
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld DKIM-Signature found
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld info: found known good
HELO 'smtp.tiscali.it' - weight is -2
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld Message-Score: added -40
for KnownGoodHelo, total score for this message is now -40
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld info: domain tiscali.it
has published a DMARC record
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld strictspf Regex:
strictSPFRe 'tiscali.it'
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld Message-Score: added -15
(pbwValencePB) for In Penalty White Box, total score for this message is
now -55
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld removed
Disposition-Notification headers from mail
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld HMM Check [scoring] -
Prob: 0.00000 => ham - answer/query relation: 22% of 50
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld Bayesian Check [scoring] 
-
Prob: 0.00000 => ham - answer/query relation: 71% of 52
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld [Plugin] calling plugin
ASSP_AFC
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld info: using user based
compressed attachment check
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld SPAM FOUND
bad attachment 'N 19 convitto barcellona 20 23 marzo.xlsx' is a ' - the
file extension: '.xlsx' does not match the content based detected file 
type
'''
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld mail blocked
by Plugin ASSP_AFC - reason BadAttachment
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [spam found]
(BadAttachment) [societa sardinia new tavel polizza 33489q 19 2016];
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 250 OK
Mar-17-16 13:20:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 221
<myassphost> closing transmission

this message is actually marked as spam but it is LOST....

On Thu, Mar 17, 2016 at 12:41 PM, aquilinux <aquili...@gmail.com> wrote:

> here's a different case of uncorrect detection:
>
> Mar-17-16 12:33:38 m1-14417-13392 [Worker_3] [TLS-in] [TLS-out]
> [Attachment] 92.246.34.74 <o...@remote.tld> to: i...@local.tld SPAM FOUND
> bad attachment 'Copia di Lista mezzi Truckcenter.xlsx' is a ' - the file
> extension: '.xlsx' does not match the content based detected file type 
'''
>
>
> On Thu, Mar 17, 2016 at 10:40 AM, aquilinux <aquili...@gmail.com> wrote:
>
>> Upgraded, thanks.
>> I have now an issue with another legitimate attachment:
>>
>> Mar-17-16 09:37:24 m1-03839-03606 [Worker_4] [TLS-in] [TLS-out]
>> [Attachment] 212.82.97.124 <sen...@yahoo.it> to: m...@my.tld SPAM FOUND
>> bad attachment 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' is a 
'compressed
>> file 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' - contains forbidden
>> executable file CITYLIFE - type: possibly a virus infected file (can't
>> read)'
>>
>> the zip file contains a folder (with spaces), containing 6 PDF files
>> (with spaces), all clean.
>> So, i removed the spaces from the zip (in folder and file names) and 
now
>> the mail gets through as expected.
>> I think there is an issue with zip attachment with spaces that prevets
>> AFC from detecting correct file extensions.
>>
>> Regards,
>>
>> On Thu, Mar 17, 2016 at 7:36 AM, Thomas Eckardt <
>> thomas.ecka...@thockar.com> wrote:
>>
>>> To detect .emz files you need to upgrade MIME::Types at least to 
version
>>> 2.13 (CPAN has it).
>>>
>>> Thomas
>>>
>>>
>>>
>>>
>>> Von:    aquilinux <aquili...@gmail.com>
>>> An:     For Users of ASSP <assp-user@lists.sourceforge.net>
>>> Datum:  16.03.2016 10:08
>>> Betreff:        Re: [Assp-user] bad attachment [...] possibly a virus
>>> infected file (can't extract archive)'
>>>
>>>
>>>
>>> thanks Thomas, i upgraded both assp.pl and plugin.
>>> now i'm facing this:
>>>
>>> Mar-16-16 09:56:08 m1-18566-15642 [Worker_5] [TLS-in] [TLS-out]
>>> [Attachment] 92.246.34.74 <x...@xyz.tld> to: a...@abc.tld SPAM FOUND bad
>>> attachment 'image001.emz' is a ' - the file extension: '.emz' does not
>>> match the content based detected file type '''
>>>
>>> Mar-16-16 09:56:08 [Worker_5] Warning: possibly a virus infected file
>>> (can't read) '/opt/assp/tmp/zip_5_1458118567/.10/.10' - Not a 
directory
>>>
>>>
>>> regards,
>>> aqx
>>>
>>> On Wed, Mar 16, 2016 at 8:13 AM, Thomas Eckardt
>>> <thomas.ecka...@thockar.com>
>>> wrote:
>>>
>>> > ASSP version 2.4.8(16074) + ASSP_AFC 3.26
>>> >
>>> > both available at SF-CVS
>>> >
>>> > will fix this.
>>> >
>>> > Thomas
>>> > ps: please use the "ASSP List" assp-t...@lists.sourceforge.net if 
you
>>> use
>>> > a dev version 2.4.8
>>> >
>>> >
>>> >
>>> >
>>> > Von:    aquilinux <aquili...@gmail.com>
>>> > An:     For Users of ASSP <assp-user@lists.sourceforge.net>
>>> > Datum:  15.03.2016 15:00
>>> > Betreff:        [Assp-user] bad attachment [...] possibly a virus
>>> infected
>>> > file    (can't extract archive)'
>>> >
>>> >
>>> >
>>> > Hi all,
>>> > I recently enforced attachment blocking with zip inspection but
>>> legitimate
>>> > attachements are blocked because of this:
>>> >
>>> > Mar-15-16 14:09:55 [Worker_5] Warning: possibly a virus infected 
file
>>> > (can't extract archive)
>>> >
>>> >
>>>
>>> 
'/opt/assp/tmp/zip_5_1458047395/MSC_Implementation_Activities_15.03.2016.xlsx'
>>> >
>>> > Mar-15-16 14:39:15 [Worker_10] Warning: possibly a virus infected 
file
>>> > (can't extract archive)
>>> >
>>> >
>>>
>>> 
'/opt/assp/tmp/zip_10_1458049154/20150922_GAA_Global_Corporate_Commercial_ok.docx'
>>> > -  - Could not chdir back to start dir '': '
>>> >
>>> > Mar-15-16 14:04:22 [Worker_1] Warning: possibly a virus infected 
file
>>> > (can't extract archive)
>>> > '/opt/assp/tmp/zip_1_1458047062/Figures_wo_VolvoTrucks.xlsm' -  - 
Could
>>> > not
>>> > chdir back to start dir '': '
>>> >
>>> > Mar-15-16 14:08:09 [Worker_1] Warning: possibly a virus infected 
file
>>> > (can't extract archive) '/opt/assp/tmp/zip_1_1458047289/errori.zip' 
-
>>> -
>>> > Could not chdir back to start dir '': '
>>> >
>>> > what's happening?
>>> > ASSP version 2.4.8(16060) + ASSP_AFC 3.19
>>> >
>>> > thanks!
>>> >
>>> > --
>>> > "Madness, like small fish, runs in hosts, in vast numbers of
>>> instances."
>>> >
>>> > Nessuno mi pettina bene come il vento.
>>> >
>>> >
>>>
>>> 
------------------------------------------------------------------------------
>>> > Transform Data into Opportunity.
>>> > Accelerate data analysis in your applications with
>>> > Intel Data Analytics Acceleration Library.
>>> > Click to learn more.
>>> > http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> > _______________________________________________
>>> > Assp-user mailing list
>>> > Assp-user@lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/assp-user
>>> >
>>> >
>>> >
>>> >
>>> > DISCLAIMER:
>>> > *******************************************************
>>> > This email and any files transmitted with it may be confidential,
>>> legally
>>> > privileged and protected in law and are intended solely for the use 
of
>>> the
>>> >
>>> > individual to whom it is addressed.
>>> > This email was multiple times scanned for viruses. There should be 
no
>>> > known virus in this email!
>>> > *******************************************************
>>> >
>>> >
>>> >
>>> >
>>>
>>> 
------------------------------------------------------------------------------
>>> > Transform Data into Opportunity.
>>> > Accelerate data analysis in your applications with
>>> > Intel Data Analytics Acceleration Library.
>>> > Click to learn more.
>>> > http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> > _______________________________________________
>>> > Assp-user mailing list
>>> > Assp-user@lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/assp-user
>>> >
>>> >
>>>
>>>
>>> --
>>> "Madness, like small fish, runs in hosts, in vast numbers of 
instances."
>>>
>>> Nessuno mi pettina bene come il vento.
>>>
>>> 
------------------------------------------------------------------------------
>>> Transform Data into Opportunity.
>>> Accelerate data analysis in your applications with
>>> Intel Data Analytics Acceleration Library.
>>> Click to learn more.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> _______________________________________________
>>> Assp-user mailing list
>>> Assp-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>>
>>>
>>>
>>>
>>> DISCLAIMER:
>>> *******************************************************
>>> This email and any files transmitted with it may be confidential, 
legally
>>> privileged and protected in law and are intended solely for the use of
>>> the
>>>
>>> individual to whom it is addressed.
>>> This email was multiple times scanned for viruses. There should be no
>>> known virus in this email!
>>> *******************************************************
>>>
>>>
>>>
>>> 
------------------------------------------------------------------------------
>>> Transform Data into Opportunity.
>>> Accelerate data analysis in your applications with
>>> Intel Data Analytics Acceleration Library.
>>> Click to learn more.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> _______________________________________________
>>> Assp-user mailing list
>>> Assp-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>>
>>>
>>
>>
>> --
>> "Madness, like small fish, runs in hosts, in vast numbers of 
instances."
>>
>> Nessuno mi pettina bene come il vento.
>>
>
>
>
> --
> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>
> Nessuno mi pettina bene come il vento.
>



-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

Nessuno mi pettina bene come il vento.
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user

Reply via email to