[Assp-user] Problem with ASSP_AFC

Tue, 26 Mar 2019 13:23:10 -0700 

Hi everyone I start to use the ASSP_AFC plugin after some monitoring testing 
and I detect a problem, may be because a fault in my configuration.

I'm actually using  ASSP version 2.6.1  *Fortress*  build 19007, and ASSP_AFC 
ver 4.89.

The thing is that AFC correctly add point to the mail, but then it's send 
without this added points, for example (this is part of my log, I changed the 
domains):

-----
Mar-26-19 10:02:42 [Worker_3] Connected: session:5A2161D0 95.142.156.27:60415 > 
172.20.1.55:25 > 172.20.1.22:25
Mar-26-19 10:02:42 [Worker_3] 95.142.156.27 [SMTP Reply] 220 
mail.MyDomain.com.ar Microsoft ESMTP MAIL Service ready at Tue, 26 Mar 2019 
10:02:39 -0300
Mar-26-19 10:02:43 [Worker_3] 95.142.156.27 [SMTP Reply] 250 NOOP
Mar-26-19 10:02:43 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> info: found message size announcement: 236.78 
kByte
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> [SMTP Reply] 250 2.1.0 Sender OK
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 250 2.1.5 
Recipient OK
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 354 Start 
mail input; end with <CRLF>.<CRLF>
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: detected IP's on 
the mail routing way: 103.255.5.254
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: detected source 
IP: 103.255.5.254
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] [MsgID] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] (Message-ID 
missing)
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: added 10 
(midmValencePB) for Message-ID missing, total score for this message is now 10
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: remove IP-score 
from 95.142.156.27 - this mail passed the SPF check
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: added 25 
for Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED), total score for 
this message is now 35
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] SenderBase -- 
Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED)
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar HMM-Check has given 
less than 6 results - using monitoring mode only
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar HMM Check [monitoring] 
- Prob: 0.00000 => ham - answer/query relation: 9% of 41
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Bayesian Check 
[scoring] - Prob: 0.00000 => ham - answer/query relation: 40% of 44
----

... at this point the message score is 35, my low limit start in 40.

---
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [Plugin] calling plugin 
ASSP_AFC
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] bad 
attachment 'Fa_Num_X216754265.doc' cause: 'MS Office Macro'
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: added 40 
(baValencePB) for bad attachment 'Fa_Num_X216754265.doc' cause: 'MS Office 
Macro', total score for this message is now 75
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: 1 attachment 
found for Level-1
---
After AFC the total score is 75 but the message pass like MessageOK ¿?
---
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [MessageOK] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar message ok [Febrero 
Factura de servicio y soporte] -> 
c:/assp/okmail/Febrero_Factura_de_servicio_y_soporte--960167.eml
Mar-26-19 10:02:51 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 250 2.6.0 
<d5aa1274-a8f4-4209-82b3-353033866...@servidor02.mydomain.com.ar> Queued mail 
for delivery
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 221 2.0.0 
Service closing transmission channel
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: PB-IP-Score for 
'95.142.156.0' is 0, added 10 in this session
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar finished message - 
received DATA size: 236.96 kByte - sent DATA size: 237.62 kByte
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar disconnected: 
session:5A2161D0 95.142.156.27 - processing time 10 seconds
---

This is the header in the Outlook client that receive that mail like NOT Spam:


Received: from outmx-004.london.gridhost.co.uk (172.20.1.55) by
mail.MyDomain.com.ar (172.20.1.22) with Microsoft SMTP Server id
8.3.406.0; Tue, 26 Mar 2019 10:02:42 -0300
X-Assp-ID: fwas.MyDomain.com.ar m1-05363-09821
X-Assp-Session: 5A2161D0 (mail 1)
X-Assp-Detected-RIP: 103.255.5.254
X-Assp-Source-IP: 103.255.5.254
X-Assp-Envelope-From: victo...@spoofeddomain.co.uk
X-Assp-Intended-For: l...@mydomain.com.ar
X-Assp-Version: 2.6.1(19007) on fwas.MyDomain.com.ar
X-Assp-Message-Score: 10 (Message-ID missing)
X-Assp-IP-Score: 10 (Message-ID missing)
X-Original-Authentication-Results: fwas.MyDomain.com.ar;
                spf=pass
X-Assp-Message-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP
                LIMITED))
X-Assp-IP-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP
                LIMITED))
X-Assp-Spam-Level: ********
Received: from outmx-004.london.gridhost.co.uk ([95.142.156.27]
                helo=outmx-004.london.gridhost.co.uk) by fwas.MyDomain.com.ar 
with SMTP
                (2.6.1); 26 Mar 2019 10:02:42 -0300
Received: from [103.255.5.254] (unknown [103.255.5.117])       (Authenticated
sender: victo...@spoofeddomain.co.uk)          by 
outmx-004.london.gridhost.co.uk
(Postfix) with ESMTPA id 52B9620B77F90           for <l...@mydomain.com.ar>; 
Tue, 26
Mar 2019 13:02:39 +0000 (GMT)
Date: Tue, 26 Mar 2019 18:02:39 +0500
From: Ricardo Horacio <victo...@spoofeddomain.co.uk>
To: l...@mydomain.com.ar
Subject: Febrero, Factura de servicio y soporte
MIME-Version: 1.0
Content-Type: multipart/mixed;
                boundary="----=_Part_63752_1379494856.26294462821815354808"
Message-ID: <d5aa1274-a8f4-4209-82b3-353033866...@servidor02.mydomain.com.ar>
Return-Path: victo...@spoofeddomain.co.uk

---


Someone can help me to figure it out what could be happened?

Thanks in advance! :)


_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user






















					Reply via email to