Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)

On 7/20/2013 5:59 AM, Thomas Eckardt wrote:
I can send you the raw email as a zip file.

Yes, please!

Thomas




From:    Michael Thomas <m...@mathbox.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>,
Date:    20.07.2013 11:54
Subject: Re: [Assp-test] Reply:  Javascript SRC URI



Thomas,

I noticed it was missing from X-Assp-Detected-URI. I just pulled the log
entries, which match. Not detected in log either.

I can send you the raw email as a zip file.

X-Assp-Detected-URI: emailonline.chase.com(1), chase.com(2),
                  emerytelcom.net(1)

Here are the log entries for mine:

Find all "71345-07122", Subfolders, Find Results 1, "F:\LogNo\mx03", "*.*"
    F:\LogNo\mx03\13-07-19.maillog.txt(687902):13-Jul-19 18:02:25
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> IP
67.22.175.244 matches noPBwhite - with 0.0.0.0/1
    F:\LogNo\mx03\13-07-19.maillog.txt(687905):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> [SMTP
Reply] 250 OK
    F:\LogNo\mx03\13-07-19.maillog.txt(687908):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com>
m...@mathbox.com validated by ldapcache
    F:\LogNo\mx03\13-07-19.maillog.txt(687909):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com recipient accepted: m...@mathbox.com
    F:\LogNo\mx03\13-07-19.maillog.txt(687910):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [SMTP Reply] 250 OK
    F:\LogNo\mx03\13-07-19.maillog.txt(687911):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [SMTP Reply] 354 OK, send.
    F:\LogNo\mx03\13-07-19.maillog.txt(687913):13-Jul-19 18:02:26
71345-07122 [Worker_1] [MsgID] 67.22.175.244
<sm...@emailonline.chase.com> to: m...@mathbox.com [scoring] (Message-ID
missing)
    F:\LogNo\mx03\13-07-19.maillog.txt(687914):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com Message-Score: added 10 (midmValencePB) for Message-ID
missing, total score for this message is now 10
    F:\LogNo\mx03\13-07-19.maillog.txt(687915):13-Jul-19 18:02:26
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com PB-IP-Score for '67.22.175.244' is 10, added 10 for
Msg-IDmissing
    F:\LogNo\mx03\13-07-19.maillog.txt(687916):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] DKIM domain-check skipped -
emailonline.chase.com does not support DKIM
    F:\LogNo\mx03\13-07-19.maillog.txt(687925):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: domain emailonline.chase.com has published a
DMARC record
    F:\LogNo\mx03\13-07-19.maillog.txt(687926):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] SPF: fail ip=67.22.175.244
mailfrom=sm...@emailonline.chase.com helo=magicmail.etv.net
    F:\LogNo\mx03\13-07-19.maillog.txt(687927):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com Message-Score: added 10 (spfValencePB) for SPF fail,
total score for this message is now 20
    F:\LogNo\mx03\13-07-19.maillog.txt(687928):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com PB-IP-Score for '67.22.175.244' is 20, added 10 for
SPFfail
    F:\LogNo\mx03\13-07-19.maillog.txt(687929):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com DMARC: this mail breakes the DKIM policies defined in
the DMARC record for domain emailonline.chase.com - there is no
DKIM-signature found in this mail for domain emailonline.chase.com
    F:\LogNo\mx03\13-07-19.maillog.txt(687930):13-Jul-19 18:02:27
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com SenderBase -- country:US orgname:EMERY TELCOM
domain:etv.net
    F:\LogNo\mx03\13-07-19.maillog.txt(687932):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] no Bomb found in header
    F:\LogNo\mx03\13-07-19.maillog.txt(687934):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com MX found: emailonline.chase.com ->
cluster14.us.messagelabs.com
    F:\LogNo\mx03\13-07-19.maillog.txt(687935):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com A record found: emailonline.chase.com -> 216.82.254.196
    F:\LogNo\mx03\13-07-19.maillog.txt(687936):13-Jul-19 18:02:28
71345-07122 [Worker_1] [PTRinvalid] 67.22.175.244
<sm...@emailonline.chase.com> to: m...@mathbox.com  found valid PTR
mail.etv.net
    F:\LogNo\mx03\13-07-19.maillog.txt(687937):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: attachment Chase Online Profile Verification
Form.htm found for Level-1
    F:\LogNo\mx03\13-07-19.maillog.txt(687938):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: 1 attachment found for Level-1
    F:\LogNo\mx03\13-07-19.maillog.txt(687939):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] no Bomb found for 'bombSuspiciousRe'
    F:\LogNo\mx03\13-07-19.maillog.txt(687940):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] no Bomb found for 'bombDataRe'
    F:\LogNo\mx03\13-07-19.maillog.txt(687941):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] no Bomb found for 'bombRe'
    F:\LogNo\mx03\13-07-19.maillog.txt(687942):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [scoring] no Bomb found for 'bombCharSets'
    F:\LogNo\mx03\13-07-19.maillog.txt(687943):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com  no Bomb found for 'bombBlack'
    F:\LogNo\mx03\13-07-19.maillog.txt(687944):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com ClamAV: scanned 29512 bytes in  message - OK
    F:\LogNo\mx03\13-07-19.maillog.txt(687946):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: found URI chase.com
    F:\LogNo\mx03\13-07-19.maillog.txt(687948):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: found URI emailonline.chase.com
    F:\LogNo\mx03\13-07-19.maillog.txt(687949):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: registered URI chase.com for check
    F:\LogNo\mx03\13-07-19.maillog.txt(687950):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: registered URI emailonline.chase.com for check
    F:\LogNo\mx03\13-07-19.maillog.txt(687951):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: found raw URI/URL @emailonline.chase.com>
    F:\LogNo\mx03\13-07-19.maillog.txt(687954):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: found URI emailonline.chase.com
    F:\LogNo\mx03\13-07-19.maillog.txt(687955):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: registered TLD URI chase.com for check
    F:\LogNo\mx03\13-07-19.maillog.txt(687956):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: found raw URI/URL @emerytelcom.net
    F:\LogNo\mx03\13-07-19.maillog.txt(687959):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: found URI emerytelcom.net
    F:\LogNo\mx03\13-07-19.maillog.txt(687960):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: registered TLD URI emerytelcom.net for check
    F:\LogNo\mx03\13-07-19.maillog.txt(687971):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com URIBL: lookup returned <1> for chase.com - res: ''
    F:\LogNo\mx03\13-07-19.maillog.txt(687982):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com URIBL: lookup returned <1> for emailonline.chase.com -
res: ''
    F:\LogNo\mx03\13-07-19.maillog.txt(687993):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com URIBL: lookup returned <1> for emerytelcom.net - res: ''
    F:\LogNo\mx03\13-07-19.maillog.txt(687994):13-Jul-19 18:02:28
71345-07122 [Worker_1] [MessageLimit][lowlimit] 67.22.175.244
<sm...@emailonline.chase.com> to: m...@mathbox.com [spam found] and
possibly passing because messagescore(20) low [Urgent Verification of
Recent Activities Required]
    F:\LogNo\mx03\13-07-19.maillog.txt(687995):13-Jul-19 18:02:28
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com spam found and passing () [Urgent Verification of
Recent Activities Required]
    F:\LogNo\mx03\13-07-19.maillog.txt(687996):13-Jul-19 18:02:29
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com [SMTP Reply] 250 Queued (2.344 seconds)
    F:\LogNo\mx03\13-07-19.maillog.txt(687997):13-Jul-19 18:02:29
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com info: no (more) data readable from 67.22.175.244
(connection closed by peer) - last command was 'QUIT'
    F:\LogNo\mx03\13-07-19.maillog.txt(687998):13-Jul-19 18:02:29
71345-07122 [Worker_1] 67.22.175.244 <sm...@emailonline.chase.com> to:
m...@mathbox.com finished message - received DATA size: 29.67 kByte -
sent DATA size: 29.67 kByte
    Matching lines: 46    Matching files: 1    Total files searched: 3


Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)

On 7/20/2013 5:11 AM, Thomas Eckardt wrote:
I can't reproduce this - the URI is detected in a HTML header. But is not
detected by the URIBL providers.
I've included the URI this way:

<HTML><HEAD>
<script type=3D"text/javascript" src=3D"
http://kanaatbiber.com.tr/images/cr=
editcard.js"></script>
</HEAD>

Jul-20-13 10:56:22 [Worker_1] Info: found raw URI/URL kanaatbiber.com.tr/
Jul-20-13 10:56:22 [Worker_1] LDAP - @com.tr not found in LDAP-cache (ldaplistdb)
Jul-20-13 10:56:22 [Worker_1] LDAP - @kanaatbiber.com.tr not found in LDAP-cache (ldaplistdb)
Jul-20-13 10:56:22 [Worker_1] Info: found URI kanaatbiber.com.tr
Jul-20-13 10:56:22 [Worker_1] Info: registered TLD(2/3) URI kanaatbiber.com.tr for check
.....
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on multi.surbl.org for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53] on multi.surbl.org for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on black.uribl.com for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53] on black.uribl.com for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on multi.uribl.com for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on multi.uribl.com for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53] on uribl.swinog.ch for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 10.69.5.50[:53] on sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 192.168.2.1[:53] on sbl.spamhaus.org for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 194.25.2.129[:53] on uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 10.69.5.50[:53] on uribl.spameatingmonkey.net for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(A)-query to 192.168.2.1[:53] on dob.sibl.support-intelligence.net for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Sending DNS(TXT)-query to 194.25.2.129[:53] on dob.sibl.support-intelligence.net for URIBL checks on kanaatbiber.com.tr
Jul-20-13 10:56:23 [Worker_1] Commencing URIBL checks on 'kanaatbiber.com.tr'
Jul-20-13 10:56:23 [Worker_1] Got 4 answers, 4 replies and 0 hits after 0 seconds for URIBL checks on 'kanaatbiber.com.tr'
Jul-20-13 10:56:23 [Worker_1] Got OK replies from (black.uribl.com multi.uribl.com uribl.swinog.ch) - NOTOK replies from () for URIBL on 'kanaatbiber.com.tr'
Jul-20-13 10:56:23 [Worker_1] Completed URIBL checks on 'kanaatbiber.com.tr'
Jul-20-13 10:56:23 [Worker_1] URIBL: lookup returned <1> for kanaatbiber.com.tr - res: ''

Thomas




From:    Michael Thomas <m...@mathbox.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>,
Date:    20.07.2013 06:03
Subject: [Assp-test] Javascript SRC URI



Thomas,

ASSP version 2.3.4(13187)

Failed to detect URI in head section of HTML section. This message was a
bank scam. The only external URIs in the body of the message were image
src URIs of actual bank image URIs. The active scam URIs were all
javascript invocations.

<script type=3D"text/javascript" src=3D"
http://kanaatbiber.com.tr/images/cr=
editcard.js"></script>




_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
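
An independent cross-check for the situation discussed in this thread, added here as an example (it is not ASSP code and not from either poster): it decodes a quoted-printable HTML part, collects URL attributes from every tag, including a script src in the head, and reports hosts that an X-Assp-Detected-URI style header value does not list. The sample part, the header value and all host names are constructed placeholders; the header format assumed is the "host(count), host(count)" form quoted in the thread.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (placeholder hosts): a quoted-printable HTML part shaped
# like the one in the thread, plus a detected-URI header that omits the script host.
RAW_QP_PART = (
    b'<HTML><HEAD>\n'
    b'<script type=3D"text/javascript" src=3D"http://js.scam-host.example/images/cr=\n'
    b'editcard.js"></script>\n'
    b'</HEAD><BODY><img src=3D"http://www.bank.example/logo.gif"></BODY></HTML>\n'
)
DETECTED_HEADER = "www.bank.example(1), bank.example(2)"


class UriCollector(HTMLParser):
    """Collect every URL-bearing attribute, <head> included."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action", "background") and value:
                # Remove whitespace that line folding can leave inside the value.
                self.urls.append((tag, re.sub(r"\s+", "", value)))


def extract_uris(raw_part):
    """Undo the quoted-printable transfer encoding, then parse the HTML."""
    html = quopri.decodestring(raw_part).decode("utf-8", errors="replace")
    collector = UriCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def missing_from_header(raw_part, header_value):
    """Hosts referenced by the HTML that the detected-URI header does not list."""
    listed = {re.sub(r"\(\d+\)$", "", item.strip()).lower()
              for item in header_value.split(",") if item.strip()}
    missing = []
    for tag, url in extract_uris(raw_part):
        host = (urlsplit(url).hostname or "").lower()
        covered = any(host == d or host.endswith("." + d) for d in listed)
        if host and not covered and (tag, host) not in missing:
            missing.append((tag, host))
    return missing
```

Run against the raw part of a stored message and its own header, a non-empty result from missing_from_header names the tag and host that the filter's extraction did not report.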