Hi Thomas, thanks for your help. Do I have some way to activate a log, or something that helps me find out why these messages are marked as ok? My value for the local penalty limit is similar to the classic penalty limit. I only enabled the okmail folder to see whether some spam email passes as if it were ok. Actually we don't have any policy for the files we receive, and for now I am trying to mark the suspect/bad files as spam.
These are the changes I made when I started to configure the attachment policy:

Feb-27-19 11:05:06 [Main_Thread] AdminUpdate: [root 127.0.0.1] DoBlockExes changed from 'disabled (0)' to 'monitor (2)'
Feb-27-19 11:06:33 [Main_Thread] AdminUpdate: [root 127.0.0.1] BlockExes changed from 'no check (0)' to 'Level 1 (1)'
Feb-27-19 11:19:02 [Main_Thread] AdminUpdate: [root 127.0.0.1] DoASSP_AFC updated from '0' to '1'
Feb-27-19 11:43:49 [Main_Thread] AdminUpdate: [root 127.0.0.1] ASSP_AFCinsize changed from '1024' to ''
Feb-27-19 11:43:49 [Main_Thread] AdminUpdate: [root 127.0.0.1] ASSP_AFCoutsize changed from '1024' to ''
Feb-27-19 12:27:53 [Main_Thread] AdminUpdate: [root 127.0.0.1] baValencePB updated from '20' to '40' - new message score: 40 , new IP score 40
Feb-27-19 16:14:52 [Main_Thread] AdminUpdate: [root 127.0.0.1] baysNonSpamLog changed from 'no collection (0)' to 'okmail folder (4)'

When I started to see the behaviour of the incoming attachments, I decided to score them:

Mar-21-19 15:24:28 [Main_Thread] AdminUpdate: [root 127.0.0.1] DoBlockExes changed from 'monitor (2)' to 'score (3)'

Thanks in advance, I really appreciate the work you do with this product!

From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
Sent: Wednesday, March 27, 2019 07:28
To: For Users of ASSP
Subject: Re: [Assp-user] Problem with ASSP_AFC

> [scoring] bad attachment
> added 40 (baValencePB) for bad attachment

It makes no sense to me to let a bad attachment pass if the attachment is the only issue. Bad attachments should be blocked or replaced. However, scoring is a valid option and should work.

> message ok [Febrero Factura de servicio y soporte] -> c:/assp/okmail/

It looks like assp has detected the mail as local mail, because the mail is stored in 'okmail'. In this case the scoring limits are used from

LocalPenaltyMessageLow and LocalPenaltyMessageLimit. - DoLocalPenaltyMessage

instead of

PenaltyMessageLow and PenaltyMessageLimit. - DoPenaltyMessage

The scoring-engine ignores the result from the plugin.

Thomas

From: "Leandro N. Castro - INSETEC Informática" <leandro.cas...@insetec.com.ar>
To: "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date: 26.03.2019 21:23
Subject: [Assp-user] Problem with ASSP_AFC
________________________________

Hi everyone

I started to use the ASSP_AFC plugin after some monitoring testing and I detected a problem, maybe because of a fault in my configuration. I'm actually using ASSP version 2.6.1 *Fortress* build 19007, and ASSP_AFC ver 4.89. The thing is that AFC correctly adds points to the mail, but then it's sent without these added points, for example (this is part of my log, I changed the domains):

-----
Mar-26-19 10:02:42 [Worker_3] Connected: session:5A2161D0 95.142.156.27:60415 > 172.20.1.55:25 > 172.20.1.22:25
Mar-26-19 10:02:42 [Worker_3] 95.142.156.27 [SMTP Reply] 220 mail.MyDomain.com.ar Microsoft ESMTP MAIL Service ready at Tue, 26 Mar 2019 10:02:39 -0300
Mar-26-19 10:02:43 [Worker_3] 95.142.156.27 [SMTP Reply] 250 NOOP
Mar-26-19 10:02:43 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> info: found message size announcement: 236.78 kByte
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> [SMTP Reply] 250 2.1.0 Sender OK
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 250 2.1.5 Recipient OK
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 354 Start mail input; end with <CRLF>.<CRLF>
Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: detected IP's on the mail routing way: 103.255.5.254
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: detected source IP: 103.255.5.254
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] [MsgID] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] (Message-ID missing)
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: added 10 (midmValencePB) for Message-ID missing, total score for this message is now 10
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: remove IP-score from 95.142.156.27 - this mail passed the SPF check
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: added 25 for Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED), total score for this message is now 35
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] SenderBase -- Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED)
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar HMM-Check has given less than 6 results - using monitoring mode only
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar HMM Check [monitoring] - Prob: 0.00000 => ham - answer/query relation: 9% of 41
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 40% of 44
----

… at this point the message score is 35; my low limit starts at 40.

---
Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [Plugin] calling plugin ASSP_AFC
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [scoring] bad attachment 'Fa_Num_X216754265.doc' cause: 'MS Office Macro'
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar Message-Score: added 40 (baValencePB) for bad attachment 'Fa_Num_X216754265.doc' cause: 'MS Office Macro', total score for this message is now 75
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: 1 attachment found for Level-1
---

After AFC the total score is 75, but the message passes as MessageOK?

---
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [MessageOK] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar message ok [Febrero Factura de servicio y soporte] -> c:/assp/okmail/Febrero_Factura_de_servicio_y_soporte--960167.eml
Mar-26-19 10:02:51 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 250 2.6.0 <d5aa1274-a8f4-4209-82b3-353033866...@servidor02.mydomain.com.ar> Queued mail for delivery
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar [SMTP Reply] 221 2.0.0 Service closing transmission channel
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar info: PB-IP-Score for '95.142.156.0' is 0, added 10 in this session
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar finished message - received DATA size: 236.96 kByte - sent DATA size: 237.62 kByte
Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 <victo...@spoofeddomain.co.uk> to: l...@mydomain.com.ar disconnected: session:5A2161D0 95.142.156.27 - processing time 10 seconds
---

This is the header in the Outlook client that received that mail as NOT spam:

Received: from outmx-004.london.gridhost.co.uk (172.20.1.55) by mail.MyDomain.com.ar (172.20.1.22) with Microsoft SMTP Server id 8.3.406.0; Tue, 26 Mar 2019 10:02:42 -0300
X-Assp-ID: fwas.MyDomain.com.ar m1-05363-09821
X-Assp-Session: 5A2161D0 (mail 1)
X-Assp-Detected-RIP: 103.255.5.254
X-Assp-Source-IP: 103.255.5.254
X-Assp-Envelope-From: victo...@spoofeddomain.co.uk
X-Assp-Intended-For: l...@mydomain.com.ar
X-Assp-Version: 2.6.1(19007) on fwas.MyDomain.com.ar
X-Assp-Message-Score: 10 (Message-ID missing)
X-Assp-IP-Score: 10 (Message-ID missing)
X-Original-Authentication-Results: fwas.MyDomain.com.ar; spf=pass
X-Assp-Message-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED))
X-Assp-IP-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED))
X-Assp-Spam-Level: ********
Received: from outmx-004.london.gridhost.co.uk ([95.142.156.27] helo=outmx-004.london.gridhost.co.uk) by fwas.MyDomain.com.ar with SMTP (2.6.1); 26 Mar 2019 10:02:42 -0300
Received: from [103.255.5.254] (unknown [103.255.5.117]) (Authenticated sender: victo...@spoofeddomain.co.uk) by outmx-004.london.gridhost.co.uk (Postfix) with ESMTPA id 52B9620B77F90 for <l...@mydomain.com.ar>; Tue, 26 Mar 2019 13:02:39 +0000 (GMT)
Date: Tue, 26 Mar 2019 18:02:39 +0500
From: Ricardo Horacio <victo...@spoofeddomain.co.uk>
To: l...@mydomain.com.ar
Subject: Febrero, Factura de servicio y soporte
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_63752_1379494856.26294462821815354808"
Message-ID: <d5aa1274-a8f4-4209-82b3-353033866...@servidor02.mydomain.com.ar>
Return-Path: victo...@spoofeddomain.co.uk
---

Can someone help me figure out what could have happened? Thanks in advance!
:)

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
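One way to find such messages in the log, as an added example that is not part of the thread or of ASSP: it follows the running `Message-Score` total per message ID and lists mails logged as `[MessageOK]` at or above a limit. The limit of 40 is the low limit mentioned in the thread; the sample lines are abridged from the log in the thread with placeholder addresses, and message `m1-00000-00001` is constructed.

```python
import re
from collections import defaultdict

# Abridged from the log in the thread (placeholder addresses), plus one
# constructed message (m1-00000-00001) that stays below the limit.
SAMPLE_LOG = """\
Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 <a@example.test> to: b@example.test Message-Score: added 10 (midmValencePB) for Message-ID missing, total score for this message is now 10
Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 <a@example.test> to: b@example.test Message-Score: added 25 for Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED), total score for this message is now 35
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] 95.142.156.27 <a@example.test> to: b@example.test Message-Score: added 40 (baValencePB) for bad attachment 'Fa_Num_X216754265.doc' cause: 'MS Office Macro', total score for this message is now 75
Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [MessageOK] 95.142.156.27 <a@example.test> to: b@example.test message ok [Febrero Factura de servicio y soporte] -> c:/assp/okmail/Febrero_Factura_de_servicio_y_soporte--960167.eml
Mar-27-19 09:00:01 m1-00000-00001 [Worker_1] 192.0.2.10 <c@example.test> to: b@example.test Message-Score: added 10 (midmValencePB) for Message-ID missing, total score for this message is now 10
Mar-27-19 09:00:02 m1-00000-00001 [Worker_1] [MessageOK] 192.0.2.10 <c@example.test> to: b@example.test message ok [hello] -> c:/assp/okmail/hello--1.eml
"""

# Assumed line layout, taken from the excerpt: date, time, message ID, worker, text.
LINE = re.compile(r"^\S+ \S+ (?P<mid>m\d+-\d+-\d+) \[Worker_\d+\] (?P<rest>.*)$")
SCORE = re.compile(
    r"Message-Score: added (?P<pts>-?\d+) (?:\((?P<name>\w+)\) )?for (?P<why>.*), "
    r"total score for this message is now (?P<total>-?\d+)"
)

def audit(log_text, limit):
    """Return messages logged as [MessageOK] whose running score reached `limit`."""
    msgs = defaultdict(lambda: {"total": 0, "reasons": [], "ok": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a message ID (connect, banner, NOOP)
        rec = msgs[m["mid"]]
        s = SCORE.search(m["rest"])
        if s:
            rec["total"] = int(s["total"])
            rec["reasons"].append((int(s["pts"]), s["name"], s["why"]))
        elif m["rest"].startswith("[MessageOK]"):
            rec["ok"] = True
    return {mid: r for mid, r in msgs.items() if r["ok"] and r["total"] >= limit}

if __name__ == "__main__":
    for mid, rec in audit(SAMPLE_LOG, limit=40).items():
        print(mid, "delivered as ok with score", rec["total"])
        for pts, name, why in rec["reasons"]:
            print(f"  +{pts:<3} {name or '-':<14} {why}")
```

The script only reports what the log records; which limits applied to a given mail (local or regular) still has to be read from the ASSP configuration.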