Thanks, set to verbose and reports like below, unfortunately I am still out of ideas.
Sep-18-20 19:05:54 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> info: found message size announcement: 105.50 kByte Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com redlisted: us...@domain1.com - not white Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com DKIM-Signature found Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com info: found known good HELO 'eur04-he1-obe.outbound.protection.outlook.com' - weight is -0.9 Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added -18 for KnownGoodHelo, total score for this message is now -18 Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [scoring] DKIM signature verified-OK - header-passed - identity is: @outlook.com - sender policy is: neutral - author policy is: neutral Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com info: domain outlook.com has published a DMARC record Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added -10 (spfpValencePB) for SPF pass, total score for this message is now -28 Sep-18-20 19:05:57 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added 10 for Foreign IP-Country FI (MICROSOFT CORPORATION), total score for this message is now -18 Sep-18-20 19:05:57 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added -15 (pbwValencePB) for In Penalty White Box, total score for this message is now -33 Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com ClamAV: scanned 64981 bytes in message - OK Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 55% of 20 Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [Plugin] calling plugin ASSP_AFC Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com info: 1 attachment found for Level-0 Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [Plugin] calling plugin ASSP_Razor Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com razor message [check]: Razor-Agents v2.86 starting razor-check Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com razor message [check]: mail 1 is not known spam. Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [Plugin] calling plugin ASSP_DCC Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] [MessageOK] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com message ok [attach scan 2] From: Thomas Eckardt <thomas.ecka...@thockar.com> Sent: Friday, September 18, 2020 1:42 PM To: For Users of ASSP <assp-user@lists.sourceforge.net> Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal inrease the level of 'ScanLog' Thomas Von: "Thomas Kofler" <k...@outlook.com> An: "assp-user@lists.sourceforge.net" <assp-user@lists.sourceforge.net> Datum: 18.09.2020 13:29 Betreff: [Assp-user] ASSP_AFC not using VirusTotal Hi, we enabled and configured ASSP_AFC, but it seems that its not using VirusTotal, which we configured including the API key (clamav is fine). Based on maillog calling plugin ASSP_AFC is called, but we see no API calls on the dashboard of VirusTotal (only, if we enable URI-based scanning outside of ASSP_AFC). Is there any possibility to debug ASSP_AFC? Thanks, Thomas ASSP 2.6.3 (20002), all module version requirements met based on assp gui ASSP_AFCSelect:=1 ASSP_AFCPriority:=6 ASSP_AFCDoVirusTotalVirusScan:=1 ASSP_AFCblockEncryptedZIP:= ASSP_AFCMaxZIPLevel:=10 ASSP_AFCextractAttMail:=3 ASSP_AFCKnownGoodEXE:=file:files/knowngoodattach.txt ASSP_AFCReplBadAttach:= ASSP_AFCReplBadAttachText:=The attached file (FILENAME) was removed from this email by ASSP for policy reasons! The file was detected as REASON . ASSP_AFCReplViriParts:= ASSP_AFCReplViriPartsText:=There was a virus (VIRUS) removed from this email (attachment FILENAME) by ASSP! ASSP_AFCMSGSIZEscore:= ASSP_AFCDetectSpamAttachRe:=image\/ ASSP_AFCWebScript:= ASSP_AFCinsize:=1024 ASSP_AFCoutsize:=1024 ASSP_AFCSMIME:=7060944965f8076143302e50d79550fb55522c0b8346275100187c0954 ClamAVBytes:=60000 UseAvClamd:=1 AvClamdPort:=/var/run/clamd.scan/clamd.sock ClamAVLogScan:=2 ClamAVtimeout:=30 _______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user DISCLAIMER: ******************************************************* This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed. This email was multiple times scanned for viruses. There should be no known virus in this email! ******************************************************* _______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user
