Thomas, I noticed it was missing from X-Assp-Detected-URI. I just pulled the log entries, which match. Not detected in log either.
I can send you the raw email as a zip file.

X-Assp-Detected-URI: emailonline.chase.com(1), chase.com(2), emerytelcom.net(1)

Here are the log entries for mine:

Find all "71345-07122", Subfolders, Find Results 1, "F:\LogNo\mx03", "*.*"
F:\LogNo\mx03\13-07-19.maillog.txt(687902):13-Jul-19 18:02:25 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> IP 67.22.175.244 matches noPBwhite - with 0.0.0.0/1
F:\LogNo\mx03\13-07-19.maillog.txt(687905):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> [SMTP Reply] 250 OK
F:\LogNo\mx03\13-07-19.maillog.txt(687908):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> m...@mathbox.com validated by ldapcache
F:\LogNo\mx03\13-07-19.maillog.txt(687909):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com recipient accepted: m...@mathbox.com
F:\LogNo\mx03\13-07-19.maillog.txt(687910):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [SMTP Reply] 250 OK
F:\LogNo\mx03\13-07-19.maillog.txt(687911):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [SMTP Reply] 354 OK, send.
F:\LogNo\mx03\13-07-19.maillog.txt(687913):13-Jul-19 18:02:26 71345-07122 [Worker_1] [MsgID] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] (Message-ID missing)
F:\LogNo\mx03\13-07-19.maillog.txt(687914):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com Message-Score: added 10 (midmValencePB) for Message-ID missing, total score for this message is now 10
F:\LogNo\mx03\13-07-19.maillog.txt(687915):13-Jul-19 18:02:26 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com PB-IP-Score for '67.22.175.244' is 10, added 10 for Msg-IDmissing
F:\LogNo\mx03\13-07-19.maillog.txt(687916):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] DKIM domain-check skipped - emailonline.chase.com does not support DKIM
F:\LogNo\mx03\13-07-19.maillog.txt(687925):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: domain emailonline.chase.com has published a DMARC record
F:\LogNo\mx03\13-07-19.maillog.txt(687926):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] SPF: fail ip=67.22.175.244 mailfrom=sm...@emailonline.chase.com helo=magicmail.etv.net
F:\LogNo\mx03\13-07-19.maillog.txt(687927):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com Message-Score: added 10 (spfValencePB) for SPF fail, total score for this message is now 20
F:\LogNo\mx03\13-07-19.maillog.txt(687928):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com PB-IP-Score for '67.22.175.244' is 20, added 10 for SPFfail
F:\LogNo\mx03\13-07-19.maillog.txt(687929):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com DMARC: this mail breakes the DKIM policies defined in the DMARC record for domain emailonline.chase.com - there is no DKIM-signature found in this mail for domain emailonline.chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687930):13-Jul-19 18:02:27 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com SenderBase -- country:US orgname:EMERY TELCOM domain:etv.net
F:\LogNo\mx03\13-07-19.maillog.txt(687932):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] no Bomb found in header
F:\LogNo\mx03\13-07-19.maillog.txt(687934):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com MX found: emailonline.chase.com -> cluster14.us.messagelabs.com
F:\LogNo\mx03\13-07-19.maillog.txt(687935):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com A record found: emailonline.chase.com -> 216.82.254.196
F:\LogNo\mx03\13-07-19.maillog.txt(687936):13-Jul-19 18:02:28 71345-07122 [Worker_1] [PTRinvalid] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com found valid PTR mail.etv.net
F:\LogNo\mx03\13-07-19.maillog.txt(687937):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: attachment Chase Online Profile Verification Form.htm found for Level-1
F:\LogNo\mx03\13-07-19.maillog.txt(687938):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: 1 attachment found for Level-1
F:\LogNo\mx03\13-07-19.maillog.txt(687939):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] no Bomb found for 'bombSuspiciousRe'
F:\LogNo\mx03\13-07-19.maillog.txt(687940):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] no Bomb found for 'bombDataRe'
F:\LogNo\mx03\13-07-19.maillog.txt(687941):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] no Bomb found for 'bombRe'
F:\LogNo\mx03\13-07-19.maillog.txt(687942):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] no Bomb found for 'bombCharSets'
F:\LogNo\mx03\13-07-19.maillog.txt(687943):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com no Bomb found for 'bombBlack'
F:\LogNo\mx03\13-07-19.maillog.txt(687944):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com ClamAV: scanned 29512 bytes in message - OK
F:\LogNo\mx03\13-07-19.maillog.txt(687946):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: found URI chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687948):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: found URI emailonline.chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687949):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: registered URI chase.com for check
F:\LogNo\mx03\13-07-19.maillog.txt(687950):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: registered URI emailonline.chase.com for check
F:\LogNo\mx03\13-07-19.maillog.txt(687951):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: found raw URI/URL @emailonline.chase.com>
F:\LogNo\mx03\13-07-19.maillog.txt(687954):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: found URI emailonline.chase.com
F:\LogNo\mx03\13-07-19.maillog.txt(687955):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: registered TLD URI chase.com for check
F:\LogNo\mx03\13-07-19.maillog.txt(687956):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: found raw URI/URL @emerytelcom.net
F:\LogNo\mx03\13-07-19.maillog.txt(687959):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: found URI emerytelcom.net
F:\LogNo\mx03\13-07-19.maillog.txt(687960):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: registered TLD URI emerytelcom.net for check
F:\LogNo\mx03\13-07-19.maillog.txt(687971):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com URIBL: lookup returned <1> for chase.com - res: ''
F:\LogNo\mx03\13-07-19.maillog.txt(687982):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com URIBL: lookup returned <1> for emailonline.chase.com - res: ''
F:\LogNo\mx03\13-07-19.maillog.txt(687993):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com URIBL: lookup returned <1> for emerytelcom.net - res: ''
F:\LogNo\mx03\13-07-19.maillog.txt(687994):13-Jul-19 18:02:28 71345-07122 [Worker_1] [MessageLimit][lowlimit] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [spam found] and possibly passing because messagescore(20) low [Urgent Verification of Recent Activities Required]
F:\LogNo\mx03\13-07-19.maillog.txt(687995):13-Jul-19 18:02:28 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com spam found and passing () [Urgent Verification of Recent Activities Required]
F:\LogNo\mx03\13-07-19.maillog.txt(687996):13-Jul-19 18:02:29 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com [SMTP Reply] 250 Queued (2.344 seconds)
F:\LogNo\mx03\13-07-19.maillog.txt(687997):13-Jul-19 18:02:29 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com info: no (more) data readable from 67.22.175.244 (connection closed by peer) - last command was 'QUIT'
F:\LogNo\mx03\13-07-19.maillog.txt(687998):13-Jul-19 18:02:29 71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to: m...@mathbox.com finished message - received DATA size: 29.67 kByte - sent DATA size: 29.67 kByte
Matching lines: 46 Matching files: 1 Total files searched: 3

Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)

On 7/20/2013 5:11 AM, Thomas Eckardt wrote:
> I can't reproduce this - the URI is detected in a HTML header. But is not
> detected by the URIBL providers.
> I've included the URI this way:
>
> <HTML><HEAD>
> <script type=3D"text/javascript" src=3D"
> http://kanaatbiber.com.tr/images/cr=
> editcard.js"></script>
> </HEAD>
>
> Jul-20-13 10:56:22 [Worker_1] Info: found raw URI/URL kanaatbiber.com.tr/
> Jul-20-13 10:56:22 [Worker_1] LDAP - @com.tr not found in LDAP-cache
> (ldaplistdb)
> Jul-20-13 10:56:22 [Worker_1] LDAP - @kanaatbiber.com.tr not found in
> LDAP-cache (ldaplistdb)
> Jul-20-13 10:56:22 [Worker_1] Info: found URI kanaatbiber.com.tr
> Jul-20-13 10:56:22 [Worker_1] Info: registered TLD(2/3) URI
> kanaatbiber.com.tr for check
> .....
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on
> multi.surbl.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53]
> on multi.surbl.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on
> black.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53]
> on black.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on
> multi.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on
> multi.uribl.com for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on
> uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53]
> on uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on
> sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53]
> on sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on
> uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on
> uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on
> dob.sibl.support-intelligence.net for URIBL checks on kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53]
> on dob.sibl.support-intelligence.net for URIBL checks on
> kanaatbiber.com.tr
> Jul-20-13 10:56:23 [Worker_1] Commencing URIBL checks on
> 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] Got 4 answers, 4 replies and 0 hits after 0
> seconds for URIBL checks on 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] Got OK replies from (black.uribl.com
> multi.uribl.com uribl.swinog.ch) - NOTOK replies from () for URIBL on
> 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] Completed URIBL checks on
> 'kanaatbiber.com.tr'
> Jul-20-13 10:56:23 [Worker_1] URIBL: lookup returned <1> for
> kanaatbiber.com.tr - res: ''
>
> Thomas
>
>
> From: Michael Thomas <m...@mathbox.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>,
> Date: 20.07.2013 06:03
> Subject: [Assp-test] Javascript SRC URI
>
> Thomas,
>
> ASSP version 2.3.4(13187)
>
> Failed to detect URI in head section of HTML section. This message was a
> bank scam. The only external URI in the body of the message were image
> src URI of actual bank image URI. The active scam URI were all
> javascript invocations.
>
> <script type=3D"text/javascript" src=3D"
> http://kanaatbiber.com.tr/images/cr=
> editcard.js"></script>

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
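
Added example (not part of the original thread and not ASSP code): a Python check that decodes a quoted-printable HTML part, collects the hosts of every URL-bearing attribute including <script src> in the head, and reports the hosts absent from an X-Assp-Detected-URI value. The function names, the attribute set and the <img> line of the sample are assumptions made for illustration.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a client fetch or follow a URL (not only <a href>).
URL_ATTRS = {"src", "href", "action", "background", "data"}

# Script lines are the snippet quoted in the thread; the <img> line is constructed.
SAMPLE_PART = b"""<HTML><HEAD>
<script type=3D"text/javascript" src=3D"
http://kanaatbiber.com.tr/images/cr=
editcard.js"></script>
</HEAD>
<BODY><img src=3D"http://emailonline.chase.com/logo.gif"></BODY></HTML>
"""
DETECTED = "emailonline.chase.com(1), chase.com(2), emerytelcom.net(1)"


class HostCollector(HTMLParser):
    """Records host -> [tag, ...] for every URL-bearing attribute, head included."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hosts = {}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                host = urlsplit(value.strip()).hostname
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if host:
                self.hosts.setdefault(host, []).append(tag)


def hosts_in_part(raw_part: bytes) -> dict:
    # Decode quoted-printable first: "=3D" becomes "=" and a trailing "="
    # soft line break rejoins "cr" + "editcard.js".
    html = quopri.decodestring(raw_part).decode("utf-8", "replace")
    collector = HostCollector()
    collector.feed(html)
    collector.close()
    return collector.hosts


def undetected_hosts(raw_part: bytes, header_value: str) -> dict:
    # Header items look like "chase.com(2)"; drop the counter.
    detected = {i.strip().split("(")[0].lower() for i in header_value.split(",")}
    return {h: t for h, t in hosts_in_part(raw_part).items() if h not in detected}
```

Run over a stored copy of a message, a non-empty result from undetected_hosts() names the hosts and the tags they came from, which is the comparison made by hand in the thread.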