> [scoring] bad attachment
> added 40 (baValencePB) for bad attachment

It makes no sense to me to let a bad attachment pass if the attachment is 
the only issue. Bad attachments should be blocked or replaced.

However, scoring is a valid option and should work.

> message ok [Febrero Factura de servicio y soporte] -> c:/assp/okmail/

It looks like assp has detected the mail as local mail, because the mail 
is stored in 'okmail'. In this case the scoring limits are used from 
LocalPenaltyMessageLow and LocalPenaltyMessageLimit - DoLocalPenaltyMessage - 
instead of PenaltyMessageLow and PenaltyMessageLimit - DoPenaltyMessage.

The scoring-engine ignores the result from the plugin.

Thomas



From:    "Leandro N. Castro - INSETEC Informática" 
<leandro.cas...@insetec.com.ar>
To:      "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date:    26.03.2019 21:23
Subject: [Assp-user] Problem with ASSP_AFC



Hi everyone, I started to use the ASSP_AFC plugin after some monitoring 
testing and I detected a problem, maybe because of a fault in my 
configuration.
 
I’m actually using  ASSP version 2.6.1  *Fortress*  build 19007, and 
ASSP_AFC ver 4.89.
 
The thing is that AFC correctly adds points to the mail, but then it's sent 
without these added points, for example (this is part of my log, I changed 
the domains):
 
-----
Mar-26-19 10:02:42 [Worker_3] Connected: session:5A2161D0 
95.142.156.27:60415 > 172.20.1.55:25 > 172.20.1.22:25
Mar-26-19 10:02:42 [Worker_3] 95.142.156.27 [SMTP Reply] 220 
mail.MyDomain.com.ar Microsoft ESMTP MAIL Service ready at Tue, 26 Mar 
2019 10:02:39 -0300
Mar-26-19 10:02:43 [Worker_3] 95.142.156.27 [SMTP Reply] 250 NOOP
Mar-26-19 10:02:43 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> info: found message size announcement: 
236.78 kByte
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> [SMTP Reply] 250 2.1.0 Sender OK
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 250 
2.1.5 Recipient OK
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 354 
Start mail input; end with <CRLF>.<CRLF>
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: detected IP's 
on the mail routing way: 103.255.5.254
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: detected 
source IP: 103.255.5.254
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] [MsgID] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] 
(Message-ID missing)
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: 
added 10 (midmValencePB) for Message-ID missing, total score for this 
message is now 10
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: remove 
IP-score from 95.142.156.27 - this mail passed the SPF check
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: 
added 25 for Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED), total 
score for this message is now 35
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] 
SenderBase -- Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED)
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar HMM-Check has given 
less than 6 results - using monitoring mode only
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar HMM Check 
[monitoring] - Prob: 0.00000 => ham - answer/query relation: 9% of 41
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Bayesian Check 
[scoring] - Prob: 0.00000 => ham - answer/query relation: 40% of 44
----
 
… at this point the message score is 35, my low limit starts at 40.
 
---
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [Plugin] calling 
plugin ASSP_AFC
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] bad 
attachment 'Fa_Num_X216754265.doc' cause: 'MS Office Macro'
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: 
added 40 (baValencePB) for bad attachment 'Fa_Num_X216754265.doc' cause: 
'MS Office Macro', total score for this message is now 75
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: 1 attachment 
found for Level-1
---
After AFC the total score is 75 but the message passes as MessageOK ¿?
---
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [MessageOK] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar message ok [Febrero 
Factura de servicio y soporte] -> c:/assp/okmail/
Febrero_Factura_de_servicio_y_soporte--960167.eml
Mar-26-19 10:02:51 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 250 
2.6.0 <d5aa1274-a8f4-4209-82b3-353033866...@servidor02.mydomain.com.ar> 
Queued mail for delivery
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 221 
2.0.0 Service closing transmission channel
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: PB-IP-Score 
for '95.142.156.0' is 0, added 10 in this session
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar finished message - 
received DATA size: 236.96 kByte - sent DATA size: 237.62 kByte
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar disconnected: 
session:5A2161D0 95.142.156.27 - processing time 10 seconds
---
 
This is the header in the Outlook client that received that mail as NOT 
Spam:
 
 
Received: from outmx-004.london.gridhost.co.uk (172.20.1.55) by
mail.MyDomain.com.ar (172.20.1.22) with Microsoft SMTP Server id
8.3.406.0; Tue, 26 Mar 2019 10:02:42 -0300
X-Assp-ID: fwas.MyDomain.com.ar m1-05363-09821
X-Assp-Session: 5A2161D0 (mail 1)
X-Assp-Detected-RIP: 103.255.5.254
X-Assp-Source-IP: 103.255.5.254
X-Assp-Envelope-From: victo...@spoofeddomain.co.uk
X-Assp-Intended-For: l...@mydomain.com.ar
X-Assp-Version: 2.6.1(19007) on fwas.MyDomain.com.ar
X-Assp-Message-Score: 10 (Message-ID missing)
X-Assp-IP-Score: 10 (Message-ID missing)
X-Original-Authentication-Results: fwas.MyDomain.com.ar;
                spf=pass
X-Assp-Message-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP
                LIMITED))
X-Assp-IP-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP
                LIMITED))
X-Assp-Spam-Level: ********
Received: from outmx-004.london.gridhost.co.uk ([95.142.156.27]
                helo=outmx-004.london.gridhost.co.uk) by 
fwas.MyDomain.com.ar with SMTP
                (2.6.1); 26 Mar 2019 10:02:42 -0300
Received: from [103.255.5.254] (unknown [103.255.5.117]) (Authenticated
sender: victo...@spoofeddomain.co.uk)          by 
outmx-004.london.gridhost.co.uk
(Postfix) with ESMTPA id 52B9620B77F90           for 
<l...@mydomain.com.ar>; Tue, 26
Mar 2019 13:02:39 +0000 (GMT)
Date: Tue, 26 Mar 2019 18:02:39 +0500
From: Ricardo Horacio <victo...@spoofeddomain.co.uk>
To: l...@mydomain.com.ar
Subject: Febrero, Factura de servicio y soporte
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_63752_1379494856.26294462821815354808"
Message-ID: 
<d5aa1274-a8f4-4209-82b3-353033866...@servidor02.mydomain.com.ar>
Return-Path: victo...@spoofeddomain.co.uk
 
---
 
 
Can someone help me figure out what could have happened?
 
Thanks in advance! :)
 _______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
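
An added example, not part of the original thread and not ASSP code: a small log audit that finds every mail logged as [MessageOK] although its last logged total score had reached a limit. The function names are hypothetical, and `low_limit` is an assumption the caller supplies (40 is the low limit the poster quotes; per the reply above, local mail is judged against different limits).

```python
import re

# An entry starts with a timestamp such as "Mar-26-19 10:02:48"; any other
# non-empty line is a continuation that the mail client hard-wrapped.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
MSG_ID = re.compile(r"\bm\d+-\d+-\d+\b")
TOTAL = re.compile(r"total score for this message is now (\d+)")

def unwrap(text):
    """Rejoin wrapped log entries into one string per entry."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def passed_over_limit(text, low_limit):
    """Map message id -> last logged total score for every mail that was
    logged as [MessageOK] although that score had reached low_limit."""
    score, ok = {}, set()
    for entry in unwrap(text):
        mid = MSG_ID.search(entry)
        if not mid:
            continue
        total = TOTAL.search(entry)
        if total:
            score[mid.group()] = int(total.group(1))
        if "[MessageOK]" in entry:
            ok.add(mid.group())
    return {m: s for m, s in score.items() if m in ok and s >= low_limit}

# First message: entries from the log above, addresses dropped, wrapping kept.
# Second message (m1-05400-00001, 192.0.2.10) is constructed as a control.
SAMPLE = """\
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 Message-Score:
added 25 for Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED), total
score for this message is now 35
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] 95.142.156.27 Message-Score:
added 40 (baValencePB) for bad attachment 'Fa_Num_X216754265.doc' cause:
'MS Office Macro', total score for this message is now 75
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [MessageOK] 95.142.156.27
message ok [Febrero Factura de servicio y soporte] -> c:/assp/okmail/
Mar-26-19 10:03:10 m1-05400-00001 [Worker_3] 192.0.2.10 Message-Score:
added 10 (midmValencePB) for Message-ID missing, total score is now 10
Mar-26-19 10:03:11 m1-05400-00001 [Worker_3] [MessageOK] 192.0.2.10
message ok [hello] -> c:/assp/okmail/
"""
```

Calling `passed_over_limit(SAMPLE, low_limit=40)` reports only the mail from the thread, with its final score of 75.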



