Would it be a big deal to have AFC also scan the header? It's not like
message headers are that big. This might help catch these pesky spam
messages in foreign languages that Bayesian/HMM are useless for.

On Thu, Jul 19, 2018 at 1:49 AM Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> - the header and body scan in assp.pl is skipped, if ASSP_AFC is active
> - ASSP_AFC does not scan the MIME header - it only scans MIME parts.
> - the final filescan scans the complete mail (header and body)
>
> So: 'SecuriteInfo.com.Spam-718.UNOFFICIAL' must be a hit in the MIME
> header.
>
> Thomas
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        18.07.2018 17:10
> Subject:        Re: [Assp-test] Spam found using ClamAV still being
> delivered?
> ------------------------------
>
>
>
> I can't find any setting that would prohibit a regular scan from happening
> for the instances that I've found.  Do you have suggestions of where to
> look?
>
> On Sun, Jul 15, 2018 at 1:38 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >I'm sorry, I don't understand what you mean.  What do you mean "any
> header part causes this detection?"
>
> for example: ASSP_AFC scans each MIME part separately (MIME is decoded
> here)
> or : any defined scan exception prevents the regular scan (check your
> setup)
>
> The final scan is done for the complete MIME source, if the regular scan
> was skipped for any reason. It may happen that an unofficial hit is found
> for this case - but not in any other case.
>
> Thomas
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        14.07.2018 21:10
> Subject:        Re: [Assp-test] Spam found using ClamAV still being
> delivered?
> ------------------------------
>
>
>
> I'm sorry, I don't understand what you mean.  What do you mean "any header
> part causes this detection?"
>
> The unofficial securiteinfo clam definitions do a nice job of detecting
> spam that bayesian might not.  I just don't understand why all of a sudden
> >some< mail doesn't seem to be scanned during delivery.
>
>
> On Sat, Jul 14, 2018 at 12:55 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >SecuriteInfo.com.Spam-718.UNOFFICIAL
>
> For me it looks like any header part causes this detection. The header is
> not scanned regularly - but the complete mail (the file) is scanned finally.
>
> Thomas
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        13.07.2018 16:24
> Subject:        Re: [Assp-test] Spam found using ClamAV still being
> delivered?
> ------------------------------
>
>
>
> Thanks Thomas as always.  Where is that setting though?  I've never seen
> this happen before, the signatures regularly reject messages >prior< to
> delivery.  Could anything else be causing the scan to be skipped during the
> delivery process?
>
> On Fri, Jul 13, 2018 at 1:54 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Your settings prevent assp from scanning the mail regularly (while
> processed). Because this is (may be) wanted, assp scans the stored corpus
> file to be sure that there is no virus in the file.
> You can see this - the file is scanned after disconnect.
>
>
> Thomas
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        12.07.2018 18:18
> Subject:        Re: [Assp-test] Spam found using ClamAV still being
> delivered?
> ------------------------------
>
>
>
> and sorry, this one was Swedish, but still.
>
> On Thu, Jul 12, 2018 at 12:15 PM K Post <nntp.p...@gmail.com> wrote:
> I can't figure this one out.
>
> French language message slips through bayesian and HMM because almost
> everything is in English here.  BUT, one of the SecureSite unofficial
> clamav lists catches it.  GREAT.
>
> However, for some reason, this message was still delivered to our user.
> In the log, it goes to OK mail and THEN gets scored by ClamAV.  That's not
> normal right?
>
> What could I be missing on this one?
>
> Jul-12-18 06:19:31 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org DKIM-Signature found
> Jul-12-18 06:19:39 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org checking MX/A for apsis.com , chef.anpdm.com , chef.se
> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org apsis.com - MX 'aspmx.l.google.com' - got IP (209.85.201.27)
> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org chef.anpdm.com - MX 'mx10.anpdm.com' - got IP (91.213.250.35)
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org chef.se - MX 'chef-se.mail.protection.outlook.com' - got IP (213.199.154.106)
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: apsis.com (List-Unsubscribe) -> aspmx.l.google.com
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: apsis.com (List-Unsubscribe) -> 209.85.201.27
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: chef.anpdm.com (Mail From:) -> mx10.anpdm.com
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: chef.anpdm.com (Mail From:) -> 91.213.250.35
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: chef.se (Reply-To , From) -> chef-se.mail.protection.outlook.com
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: chef.se (Reply-To , From) -> 213.199.154.106
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org HMM-Check has given less than 6 results - using monitoring mode only
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 - Confidence: 0.00004 => doubtful.spam - answer/query relation: 27% of 54
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 25
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org info: found DKIM signature identity '@anpdm.com'
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org [scoring] DKIM signature verified-OK - pass - identity is: @anpdm.com - sender policy is: neutral - author policy is: neutral
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now 20
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org [Plugin] calling plugin ASSP_AFC
> Jul-12-18 06:19:41 59810-00211 [MessageOK] x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org message ok [Saknar du din chef p semestern Nominera hen till Chefgalan] -> messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org finished message - received DATA size: 21.73 kByte - sent DATA size: 22.85 kByte
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org disconnected: session:F51B9E10 x.x.208.208 - processing time 13 seconds
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org ClamAV: scanned 22973 bytes in file messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org deleting spamming safelisted tuplet: (x.x.208.0,chef.anpdm.com) age: 11s
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus detected: 'SecuriteInfo.com.Spam-718.UNOFFICIAL', total score for this message is now 70
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************

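The sequence visible in the quoted log (message ok, disconnect, then the stored-file ClamAV scan reporting FOUND) can be searched for directly in a log file. The following Python script is an added example, not part of this thread or of ASSP; it assumes unwrapped log lines in the format quoted above, and the function name `late_detections` and all sample addresses, session ids and file names are constructed.

```python
import re

# Constructed sample, modeled on the log format quoted in this thread
# (addresses, session ids and file names are placeholders).
SAMPLE_LOG = """\
Jul-12-18 06:19:41 59810-00211 x.x.208.208 <sender@example.test> to: user@example.org [Plugin] calling plugin ASSP_AFC
Jul-12-18 06:19:41 59810-00211 [MessageOK] x.x.208.208 <sender@example.test> to: user@example.org message ok [subject] -> messages/okmail/subject--1.txt
Jul-12-18 06:19:42 59810-00211 x.x.208.208 <sender@example.test> to: user@example.org disconnected: session:AAAA0001 x.x.208.208 - processing time 13 seconds
Jul-12-18 06:19:42 59810-00211 x.x.208.208 <sender@example.test> to: user@example.org ClamAV: scanned 22973 bytes in file messages/okmail/subject--1.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
Jul-12-18 06:20:05 59811-00212 x.x.10.10 <other@example.test> to: user@example.org [Plugin] calling plugin ASSP_AFC
Jul-12-18 06:20:06 59811-00212 [MessageOK] x.x.10.10 <other@example.test> to: user@example.org message ok [hello] -> messages/okmail/hello--2.txt
Jul-12-18 06:20:06 59811-00212 x.x.10.10 <other@example.test> to: user@example.org disconnected: session:AAAA0002 x.x.10.10 - processing time 1 seconds
"""

# "<date> <time> <connection id> <rest of line>"
LINE = re.compile(r"^(\S+ \S+) (\d+-\d+) (.*)$")
# Message accepted and stored; captures recipient and stored file path.
OK = re.compile(r"\[MessageOK\].* to: (\S+) message ok .*-> (\S+)$")
# Stored-file scan result; captures file path and signature name.
FOUND = re.compile(r"ClamAV: scanned \d+ bytes in file (\S+) - FOUND (\S+)$")


def late_detections(log_text):
    """Return ClamAV hits on a stored file that was already logged 'message ok'."""
    delivered = {}  # connection id -> (recipient, stored file)
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line: ignore
        stamp, conn, rest = m.groups()
        ok = OK.search(rest)
        if ok:
            delivered[conn] = ok.groups()
            continue
        found = FOUND.search(rest)
        # Only report when the scanned file is the one stored as OK mail.
        if found and conn in delivered and found.group(1) == delivered[conn][1]:
            rcpt, path = delivered[conn]
            hits.append({"time": stamp, "conn": conn, "recipient": rcpt,
                         "file": path, "signature": found.group(2)})
    return hits


if __name__ == "__main__":
    for hit in late_detections(SAMPLE_LOG):
        print(hit)
```

Each hit names a recipient who received mail that the final file scan later flagged, which is the case discussed in this thread.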