Hi Thomas, I'm running the latest assp.pl and the latest AFC plugin with sessionLog
diagnostic and AttachmentLog verbose. If I run into the missing mail issue
again I'll update this thread.
In the meantime, I think that the AFC plugin is still failing to detect the correct
extension for unzipped files with spaces, and I could reproduce the issue.
Let's take the following scenario: a PDF in a FOLDER in a ZIP.
assp is ALWAYS failing in AFC detection whenever the FOLDER contains spaces
in the name.
Any other combination of spaces and no-spaces leads to a correct detection
of the FILE extension.
Regards,
aqx
On Fri, Mar 18, 2016 at 4:54 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:
> Before you start the test, please upgrade assp.pl and ASSP_AFC.pm to the
> latest dev version!
>
> Thomas
>
>
>
>
> From: aquilinux <aquili...@gmail.com>
> To: For Users of ASSP <assp-user@lists.sourceforge.net>
> Date: 18.03.2016 16:45
> Subject: Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
>
>
>
> Monday I'll try to reproduce it.
> It should be quite easy, since it happened a couple of times during my
> attachment blocking tests.
>
> On Fri, Mar 18, 2016 at 3:29 PM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > Even the [MessageOK] detection before the plugin is called is missing! I
> > can't reproduce this and I've no clue how this can happen - I'm sorry.
> >
> > If you can reproduce this - set SessionLog to diagnostic and AttachmentLog
> > to verbose. Or debug such a mail.
> >
> > Thomas
> >
> >
> >
> >
> > From: aquilinux <aquili...@gmail.com>
> > To: For Users of ASSP <assp-user@lists.sourceforge.net>
> > Date: 17.03.2016 13:41
> > Subject: Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
> >
> >
> >
> > and in this case the message is blocked, but it is not stored anywhere:
> >
> > Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> info: found message size announcement: 23.25 kByte
> > Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> [SMTP Reply] 250 2.1.0 Ok
> > Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 250 2.1.5 Ok
> > Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 354 End data with <CR><LF>.<CR><LF>
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld DKIM-Signature found
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld info: found known good HELO 'smtp.tiscali.it' - weight is -2
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld Message-Score: added -40 for KnownGoodHelo, total score for this message is now -40
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld info: domain tiscali.it has published a DMARC record
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld strictspf Regex: strictSPFRe 'tiscali.it'
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld Message-Score: added -15 (pbwValencePB) for In Penalty White Box, total score for this message is now -55
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld removed Disposition-Notification headers from mail
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld HMM Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 22% of 50
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 71% of 52
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [Plugin] calling plugin ASSP_AFC
> > Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld info: using user based compressed attachment check
> > Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld SPAM FOUND bad attachment 'N 19 convitto barcellona 20 23 marzo.xlsx' is a ' - the file extension: '.xlsx' does not match the content based detected file type '''
> > Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld mail blocked by Plugin ASSP_AFC - reason BadAttachment
> > Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [spam found] (BadAttachment) [societa sardinia new tavel polizza 33489q 19 2016];
> > Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 250 OK
> > Mar-17-16 13:20:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <o...@remote.tld> to: i...@local.tld [SMTP Reply] 221 <myassphost> closing transmission
> >
> > this message is actually marked as spam but it is LOST....
> >
> > On Thu, Mar 17, 2016 at 12:41 PM, aquilinux <aquili...@gmail.com> wrote:
> >
> > > here's a different case of incorrect detection:
> > >
> > > Mar-17-16 12:33:38 m1-14417-13392 [Worker_3] [TLS-in] [TLS-out] [Attachment] 92.246.34.74 <o...@remote.tld> to: i...@local.tld SPAM FOUND bad attachment 'Copia di Lista mezzi Truckcenter.xlsx' is a ' - the file extension: '.xlsx' does not match the content based detected file type '''
> > >
> > >
> > > On Thu, Mar 17, 2016 at 10:40 AM, aquilinux <aquili...@gmail.com> wrote:
> > >
> > >> Upgraded, thanks.
> > >> I have now an issue with another legitimate attachment:
> > >>
> > >> Mar-17-16 09:37:24 m1-03839-03606 [Worker_4] [TLS-in] [TLS-out] [Attachment] 212.82.97.124 <sen...@yahoo.it> to: m...@my.tld SPAM FOUND bad attachment 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' is a 'compressed file 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' - contains forbidden executable file CITYLIFE - type: possibly a virus infected file (can't read)'
> > >>
> > >> the zip file contains a folder (with spaces), containing 6 PDF files
> > >> (with spaces), all clean.
> > >> So, I removed the spaces from the zip (in folder and file names) and now
> > >> the mail gets through as expected.
> > >> I think there is an issue with zip attachments with spaces that prevents
> > >> AFC from detecting correct file extensions.
> > >>
> > >> Regards,
> > >>
> > >> On Thu, Mar 17, 2016 at 7:36 AM, Thomas Eckardt <
> > >> thomas.ecka...@thockar.com> wrote:
> > >>
> > >>> To detect .emz files you need to upgrade MIME::Types at least to version
> > >>> 2.13 (CPAN has it).
> > >>>
> > >>> Thomas
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> From: aquilinux <aquili...@gmail.com>
> > >>> To: For Users of ASSP <assp-user@lists.sourceforge.net>
> > >>> Date: 16.03.2016 10:08
> > >>> Subject: Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
> > >>>
> > >>>
> > >>>
> > >>> thanks Thomas, I upgraded both assp.pl and plugin.
> > >>> now I'm facing this:
> > >>>
> > >>> Mar-16-16 09:56:08 m1-18566-15642 [Worker_5] [TLS-in] [TLS-out] [Attachment] 92.246.34.74 <x...@xyz.tld> to: a...@abc.tld SPAM FOUND bad attachment 'image001.emz' is a ' - the file extension: '.emz' does not match the content based detected file type '''
> > >>>
> > >>> Mar-16-16 09:56:08 [Worker_5] Warning: possibly a virus infected file (can't read) '/opt/assp/tmp/zip_5_1458118567/.10/.10' - Not a directory
> > >>>
> > >>>
> > >>> regards,
> > >>> aqx
> > >>>
> > >>> On Wed, Mar 16, 2016 at 8:13 AM, Thomas Eckardt
> > >>> <thomas.ecka...@thockar.com>
> > >>> wrote:
> > >>>
> > >>> > ASSP version 2.4.8(16074) + ASSP_AFC 3.26
> > >>> >
> > >>> > both available at SF-CVS
> > >>> >
> > >>> > will fix this.
> > >>> >
> > >>> > Thomas
> > >>> > ps: please use the "ASSP List" assp-t...@lists.sourceforge.net if you use
> > >>> > a dev version 2.4.8
> > >>> >
> > >>> >
> > >>> >
> > >>> >
> > >>> > From: aquilinux <aquili...@gmail.com>
> > >>> > To: For Users of ASSP <assp-user@lists.sourceforge.net>
> > >>> > Date: 15.03.2016 15:00
> > >>> > Subject: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
> > >>> >
> > >>> >
> > >>> >
> > >>> > Hi all,
> > >>> > I recently enforced attachment blocking with zip inspection but legitimate
> > >>> > attachments are blocked because of this:
> > >>> >
> > >>> > Mar-15-16 14:09:55 [Worker_5] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_5_1458047395/MSC_Implementation_Activities_15.03.2016.xlsx'
> > >>> >
> > >>> > Mar-15-16 14:39:15 [Worker_10] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_10_1458049154/20150922_GAA_Global_Corporate_Commercial_ok.docx' - - Could not chdir back to start dir '': '
> > >>> >
> > >>> > Mar-15-16 14:04:22 [Worker_1] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_1_1458047062/Figures_wo_VolvoTrucks.xlsm' - - Could not chdir back to start dir '': '
> > >>> >
> > >>> > Mar-15-16 14:08:09 [Worker_1] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_1_1458047289/errori.zip' - - Could not chdir back to start dir '': '
> > >>> >
> > >>> > what's happening?
> > >>> > ASSP version 2.4.8(16060) + ASSP_AFC 3.19
> > >>> >
> > >>> > thanks!
> > >>> >
> > >>> > --
> > >>> > "Madness, like small fish, runs in hosts, in vast numbers of instances."
> > >>> >
> > >>> > Nobody combs my hair as well as the wind.
> > >>> >
> > >>> > _______________________________________________
> > >>> > Assp-user mailing list
> > >>> > Assp-user@lists.sourceforge.net
> > >>> > https://lists.sourceforge.net/lists/listinfo/assp-user
> > >>> >
> > >>> > DISCLAIMER:
> > >>> > *******************************************************
> > >>> > This email and any files transmitted with it may be confidential, legally
> > >>> > privileged and protected in law and are intended solely for the use of the
> > >>> > individual to whom it is addressed.
> > >>> > This email was multiple times scanned for viruses. There should be no
> > >>> > known virus in this email!
> > >>> > *******************************************************
--
"Madness, like small fish, runs in hosts, in vast numbers of instances."
Nobody combs my hair as well as the wind.
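
An added example, not part of the original thread and not ASSP_AFC code: a Python regression fixture that builds the four folder/file space combinations from the top message as in-memory ZIPs and compares each member's extension with its leading bytes, reading members through the archive handle instead of extracting them to paths on disk. The magic table, function names and payloads are constructed for illustration, and the check makes no claim about where the plugin itself goes wrong.

```python
import io
import zipfile

# Constructed magic-byte table for the file types named in the thread;
# this is not the detection table ASSP_AFC uses.
MAGIC = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04",
         ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def build_zip(folder, filename, payload):
    """Return the bytes of a ZIP holding one file inside one folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{folder}/{filename}", payload)
    return buf.getvalue()

def check_members(zip_bytes):
    """Compare each member's extension with its first bytes, in memory.

    Member names are only used as archive keys, never as filesystem
    paths or command arguments, so spaces need no special handling.
    Returns a list of (member_name, verdict) pairs.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            expected = MAGIC.get(ext)
            with zf.open(info) as fh:
                head = fh.read(8)
            if expected is None:
                verdict = "unknown-extension"
            elif head.startswith(expected):
                verdict = "match"
            else:
                verdict = "mismatch"
            results.append((info.filename, verdict))
    return results

def run_matrix():
    """Check all four space/no-space combinations of folder and file name."""
    pdf = b"%PDF-1.4\n%constructed test payload\n%%EOF\n"  # constructed sample
    cases = {}
    for folder in ("folder", "my folder"):
        for name in ("report.pdf", "my report.pdf"):
            cases[(folder, name)] = check_members(build_zip(folder, name, pdf))
    return cases

if __name__ == "__main__":
    for (folder, name), res in run_matrix().items():
        print(f"{folder!r:12} {name!r:16} -> {res}")
```

The archives returned by `build_zip` can also be written to disk and mailed through a test instance to see which of the four combinations the filter under test rejects.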