*SUMMARY*: Emailed analyze reports, when in response to a "forward as
attachment" error report .eml from Outlook, don't seem to find the
subject, from, and potentially more.  The .eml is extracted and saved
properly in the error-spam/error-notspam folder though, with the
subject/from/etc.



For the longest time, any time someone forwards a message to the spam or
notspam reporting address by doing a "forward as attachment" from MS
Outlook, the resulting analyze report is broken.
I found an unanswered post from me from 2016 on this same problem.
Exchange was always in the mix here, but in 2016, it was a totally
different set up with the same symptoms.

Working as expected: The content of .eml file in the error report to
EmailHam/EmailSpam will appear in errors-spam or errors-notspam correctly
with the contents intact.  If I go into the log, find the entry with the
.rpt file and analyze that, it shows everything correctly including the
FROM line, the original subject, and information about the original DKIM
signature.   I'm confident that it'll be used for rebuild properly, so good
there.*✔*


However, the *analyze report* that is automatically sent when a message is
sent in as an attachment (either as an email to EmailHam, EmailSpam, or
EmailAnalyze) from MS Outlook as an .eml attachment shows:


General Hints:


m...@ourcharity.org has requested this analyze report
analyze is restricted to a maximum length of 10791 bytes  *<-- temporarily
set to 10k.  I've tried 25k too.  Doesn't matter *

*(separate question: is the 3k spam average still true?? most of mine are
20k+ and notspam is 60k+ average.  Is 3000 still a recommended size for a
mature installation?*

*related, would it be possible to consider only MaxBytes for bayesian, but
have bomb expressions search more of a message or would that be too slow /
cumbersome?)*

attachments will be fully analyzed using ASSP_AFC
attachments will be fully scanned for viruses
text processing uses unicode normalization
regular expression matches and results are truncated to 32 (RegExLength)
characters
removed all local X-ASSP- header lines for analysis

sender and reply addresses:
*MAIL FROM: r...@badsender.org <r...@badsender.org>   <--- envelope from's
found.  envelope from is in the report file.  So at least some of the
header is exposed to analyze*

recipient addresses:
RCPT TO: ad...@ourcharity.org
using enhanced Originated IP detection for all except the most origin IP
addresses
•detected IP's on the mail routing way: 2603:10b6:a03:1e4:0:0:0:24(no PTR)
•detected source IP: 2603:10b6:a03:1e4:0:0:0:24


Subject: no subject found   *<-- no subject?  it's in the header.  I see it
in the .rpt file*
Feature Matching:

• DoNoFrom: detected (1) faults in scoring mode - last reason: missing
'From:' and 'Sender:' header tag ( DoNoFrom ) - penalty: 1 * 50 = 50  --
shouldn't be!!
• DKIM-check returned OK no domain to fetch policy for for identity ''  <--
of course that's a problem, if there's no from
• URIBL check: 'OK'
• RBLCacheCheck returned OK for 2603:10b6:a03:1e4:0:0:0:24: inserted as ok
at 2021-10-26 17:11:05
• domain ipv4depot.com (in Mail From:) has a valid MX record:
badsender-org.mail.protection.outlook.com
• domainMX ipv4depot-com.mail.protection.outlook.com has a valid A record:
104.47.57.110
• PTR record via DNS: status=no PTR
• RWLcheck returned OK for : status=unknown

Then the feature matching log is displayed, still complaining about no
from, bad DKIM.


I've spent the better part of 2 hours looking at the ConfigAnalyze
function.  I can't spot where the issue lies, if there is one, but I'm
hopeful it's an easy fix (or nudge in the right direction for me).


Thanks again for hearing me out on so much in the last couple of days....


Ken
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test