Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'

Fri, 18 Mar 2016 22:41:08 -0700 

Monday i'll try to reproduce it.
it should be quite easy, since it happened a couple of times during my
attachment blocking tests..

On Fri, Mar 18, 2016 at 3:29 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> Even the [MessageOK] detection before the plugin is called is missing! I
> can't reproduce this and I've no clue, how this can be happen - I'm sorry.
>
> If you can reproduce this - set SessionLog to diagnostic and AttachmentLog
> to verbose. Or debug such a mail.
>
> Thomas
>
>
>
>
> Von:    aquilinux <aquili...@gmail.com>
> An:     For Users of ASSP <assp-user@lists.sourceforge.net>
> Datum:  17.03.2016 13:41
> Betreff:        Re: [Assp-user] bad attachment [...] possibly a virus
> infected file (can't extract archive)'
>
>
>
> and in this case the message is blocked, but it is not stored anywhere:
>
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> info: found message size announcement:
> 23.25 kByte
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> [SMTP Reply] 250 2.1.0 Ok
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 250 2.1.5 Ok
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 354 End data
> with <CR><LF>.<CR><LF>
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld DKIM-Signature found
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld info: found known good
> HELO 'smtp.tiscali.it' - weight is -2
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld Message-Score: added -40
> for KnownGoodHelo, total score for this message is now -40
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld info: domain tiscali.it
> has published a DMARC record
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld strictspf Regex:
> strictSPFRe 'tiscali.it'
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld Message-Score: added -15
> (pbwValencePB) for In Penalty White Box, total score for this message is
> now -55
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld removed
> Disposition-Notification headers from mail
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld HMM Check [scoring] -
> Prob: 0.00000 => ham - answer/query relation: 22% of 50
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld Bayesian Check [scoring]
> -
> Prob: 0.00000 => ham - answer/query relation: 71% of 52
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld [Plugin] calling plugin
> ASSP_AFC
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld info: using user based
> compressed attachment check
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld SPAM FOUND
> bad attachment 'N 19 convitto barcellona 20 23 marzo.xlsx' is a ' - the
> file extension: '.xlsx' does not match the content based detected file
> type
> '''
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld mail blocked
> by Plugin ASSP_AFC - reason BadAttachment
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [spam found]
> (BadAttachment) [societa sardinia new tavel polizza 33489q 19 2016];
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 250 OK
> Mar-17-16 13:20:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
> 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 221
> <myassphost> closing transmission
>
> this message is actually marked as spam but it is LOST....
>
> On Thu, Mar 17, 2016 at 12:41 PM, aquilinux <aquili...@gmail.com> wrote:
>
> > here's a different case of uncorrect detection:
> >
> > Mar-17-16 12:33:38 m1-14417-13392 [Worker_3] [TLS-in] [TLS-out]
> > [Attachment] 92.246.34.74 <o...@remote.tld> to: i...@local.tld SPAM FOUND
> > bad attachment 'Copia di Lista mezzi Truckcenter.xlsx' is a ' - the file
> > extension: '.xlsx' does not match the content based detected file type
> '''
> >
> >
> > On Thu, Mar 17, 2016 at 10:40 AM, aquilinux <aquili...@gmail.com> wrote:
> >
> >> Upgraded, thanks.
> >> I have now an issue with another legitimate attachment:
> >>
> >> Mar-17-16 09:37:24 m1-03839-03606 [Worker_4] [TLS-in] [TLS-out]
> >> [Attachment] 212.82.97.124 <sen...@yahoo.it> to: m...@my.tld SPAM FOUND
> >> bad attachment 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' is a
> 'compressed
> >> file 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' - contains forbidden
> >> executable file CITYLIFE - type: possibly a virus infected file (can't
> >> read)'
> >>
> >> the zip file contains a folder (with spaces), containing 6 PDF files
> >> (with spaces), all clean.
> >> So, i removed the spaces from the zip (in folder and file names) and
> now
> >> the mail gets through as expected.
> >> I think there is an issue with zip attachment with spaces that prevets
> >> AFC from detecting correct file extensions.
> >>
> >> Regards,
> >>
> >> On Thu, Mar 17, 2016 at 7:36 AM, Thomas Eckardt <
> >> thomas.ecka...@thockar.com> wrote:
> >>
> >>> To detect .emz files you need to upgrade MIME::Types at least to
> version
> >>> 2.13 (CPAN has it).
> >>>
> >>> Thomas
> >>>
> >>>
> >>>
> >>>
> >>> Von:    aquilinux <aquili...@gmail.com>
> >>> An:     For Users of ASSP <assp-user@lists.sourceforge.net>
> >>> Datum:  16.03.2016 10:08
> >>> Betreff:        Re: [Assp-user] bad attachment [...] possibly a virus
> >>> infected file (can't extract archive)'
> >>>
> >>>
> >>>
> >>> thanks Thomas, i upgraded both assp.pl and plugin.
> >>> now i'm facing this:
> >>>
> >>> Mar-16-16 09:56:08 m1-18566-15642 [Worker_5] [TLS-in] [TLS-out]
> >>> [Attachment] 92.246.34.74 <x...@xyz.tld> to: a...@abc.tld SPAM FOUND bad
> >>> attachment 'image001.emz' is a ' - the file extension: '.emz' does not
> >>> match the content based detected file type '''
> >>>
> >>> Mar-16-16 09:56:08 [Worker_5] Warning: possibly a virus infected file
> >>> (can't read) '/opt/assp/tmp/zip_5_1458118567/.10/.10' - Not a
> directory
> >>>
> >>>
> >>> regards,
> >>> aqx
> >>>
> >>> On Wed, Mar 16, 2016 at 8:13 AM, Thomas Eckardt
> >>> <thomas.ecka...@thockar.com>
> >>> wrote:
> >>>
> >>> > ASSP version 2.4.8(16074) + ASSP_AFC 3.26
> >>> >
> >>> > both available at SF-CVS
> >>> >
> >>> > will fix this.
> >>> >
> >>> > Thomas
> >>> > ps: please use the "ASSP List" assp-t...@lists.sourceforge.net if
> you
> >>> use
> >>> > a dev version 2.4.8
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > Von:    aquilinux <aquili...@gmail.com>
> >>> > An:     For Users of ASSP <assp-user@lists.sourceforge.net>
> >>> > Datum:  15.03.2016 15:00
> >>> > Betreff:        [Assp-user] bad attachment [...] possibly a virus
> >>> infected
> >>> > file    (can't extract archive)'
> >>> >
> >>> >
> >>> >
> >>> > Hi all,
> >>> > I recently enforced attachment blocking with zip inspection but
> >>> legitimate
> >>> > attachements are blocked because of this:
> >>> >
> >>> > Mar-15-16 14:09:55 [Worker_5] Warning: possibly a virus infected
> file
> >>> > (can't extract archive)
> >>> >
> >>> >
> >>>
> >>>
>
> '/opt/assp/tmp/zip_5_1458047395/MSC_Implementation_Activities_15.03.2016.xlsx'
> >>> >
> >>> > Mar-15-16 14:39:15 [Worker_10] Warning: possibly a virus infected
> file
> >>> > (can't extract archive)
> >>> >
> >>> >
> >>>
> >>>
>
> '/opt/assp/tmp/zip_10_1458049154/20150922_GAA_Global_Corporate_Commercial_ok.docx'
> >>> > -  - Could not chdir back to start dir '': '
> >>> >
> >>> > Mar-15-16 14:04:22 [Worker_1] Warning: possibly a virus infected
> file
> >>> > (can't extract archive)
> >>> > '/opt/assp/tmp/zip_1_1458047062/Figures_wo_VolvoTrucks.xlsm' -  -
> Could
> >>> > not
> >>> > chdir back to start dir '': '
> >>> >
> >>> > Mar-15-16 14:08:09 [Worker_1] Warning: possibly a virus infected
> file
> >>> > (can't extract archive) '/opt/assp/tmp/zip_1_1458047289/errori.zip'
> -
> >>> -
> >>> > Could not chdir back to start dir '': '
> >>> >
> >>> > what's happening?
> >>> > ASSP version 2.4.8(16060) + ASSP_AFC 3.19
> >>> >
> >>> > thanks!
> >>> >
> >>> > --
> >>> > "Madness, like small fish, runs in hosts, in vast numbers of
> >>> instances."
> >>> >
> >>> > Nessuno mi pettina bene come il vento.
> >>> >
> >>> >
> >>>
> >>>
>
> ------------------------------------------------------------------------------
> >>> > Transform Data into Opportunity.
> >>> > Accelerate data analysis in your applications with
> >>> > Intel Data Analytics Acceleration Library.
> >>> > Click to learn more.
> >>> > http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
> >>> > _______________________________________________
> >>> > Assp-user mailing list
> >>> > Assp-user@lists.sourceforge.net
> >>> > https://lists.sourceforge.net/lists/listinfo/assp-user
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > DISCLAIMER:
> >>> > *******************************************************
> >>> > This email and any files transmitted with it may be confidential,
> >>> legally
> >>> > privileged and protected in law and are intended solely for the use
> of
> >>> the
> >>> >
> >>> > individual to whom it is addressed.
> >>> > This email was multiple times scanned for viruses. There should be
> no
> >>> > known virus in this email!
> >>> > *******************************************************
> >>> >
> >>> >
> >>> >
> >>> >
> >>>
> >>>
>
> ------------------------------------------------------------------------------
> >>> > Transform Data into Opportunity.
> >>> > Accelerate data analysis in your applications with
> >>> > Intel Data Analytics Acceleration Library.
> >>> > Click to learn more.
> >>> > http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
> >>> > _______________________________________________
> >>> > Assp-user mailing list
> >>> > Assp-user@lists.sourceforge.net
> >>> > https://lists.sourceforge.net/lists/listinfo/assp-user
> >>> >
> >>> >
> >>>
> >>>
> >>> --
> >>> "Madness, like small fish, runs in hosts, in vast numbers of
> instances."
> >>>
> >>> Nessuno mi pettina bene come il vento.
> >>>
> >>>
>
> ------------------------------------------------------------------------------
> >>> Transform Data into Opportunity.
> >>> Accelerate data analysis in your applications with
> >>> Intel Data Analytics Acceleration Library.
> >>> Click to learn more.
> >>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
> >>> _______________________________________________
> >>> Assp-user mailing list
> >>> Assp-user@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/assp-user
> >>>
> >>>
> >>>
> >>>
> >>> DISCLAIMER:
> >>> *******************************************************
> >>> This email and any files transmitted with it may be confidential,
> legally
> >>> privileged and protected in law and are intended solely for the use of
> >>> the
> >>>
> >>> individual to whom it is addressed.
> >>> This email was multiple times scanned for viruses. There should be no
> >>> known virus in this email!
> >>> *******************************************************
> >>>
> >>>
> >>>
> >>>
>
> ------------------------------------------------------------------------------
> >>> Transform Data into Opportunity.
> >>> Accelerate data analysis in your applications with
> >>> Intel Data Analytics Acceleration Library.
> >>> Click to learn more.
> >>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
> >>> _______________________________________________
> >>> Assp-user mailing list
> >>> Assp-user@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/assp-user
> >>>
> >>>
> >>
> >>
> >> --
> >> "Madness, like small fish, runs in hosts, in vast numbers of
> instances."
> >>
> >> Nessuno mi pettina bene come il vento.
> >>
> >
> >
> >
> > --
> > "Madness, like small fish, runs in hosts, in vast numbers of instances."
> >
> > Nessuno mi pettina bene come il vento.
> >
>
>
>
> --
> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>
> Nessuno mi pettina bene come il vento.
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
>
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
>
>


-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

Nessuno mi pettina bene come il vento.

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user

Reply via email to