Thank you Thomas!

FYI, for anyone following this thread:
fixed in assp 2.6.2 *Fortress* build 18204:
ASSP_AFC 4.83 now scans the MIME header for viruses (possibly used by some
UNOFFICIAL clamav signatures)

On Sat, Jul 21, 2018 at 4:18 PM K Post <nntp.p...@gmail.com> wrote:

> Okay, I clearly don't understand why that would be difficult, so let this
> be, but leave you with this parting thought on this:
>
> ClamAV has unofficial signatures that match known spam, apparently
> sometimes only when some header information is included.  It's a shame that
> we can't make use of this match when the header is required, especially
> since ASSP is smart enough to catch the spam (virus as far as ASSP knows)
> AFTER the message has been delivered.   I don't understand why we would
> want to do it this way, but there's obviously a reason. What if this were
> actually a VIRUS vs just a pesky spam message that wasn't otherwise
> caught?  I just figure that if we can catch something and
> block/reject/remove, why not do that prior to delivery?
>
> No need to reply unless you have the desire.  Hopeful that you'll give
> this some consideration again sometime in the future.
>
> Thanks
>
>
> On Thu, Jul 19, 2018 at 4:17 PM Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
>
>> >Would it be a big deal to have AFC also scan the header?
>>
>> Yes
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <
>> assp-test@lists.sourceforge.net>
>> Date:        19.07.2018 20:12
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being
>> delivered?
>> ------------------------------
>>
>>
>>
>> Would it be a big deal to have AFC also scan the header?  it's not like
>> message headers are that big.  This might help catch these pesky spam
>> messages in foreign languages that bayesian/hmm are useless for.
>>
>> On Thu, Jul 19, 2018 at 1:49 AM Thomas Eckardt
>> <thomas.ecka...@thockar.com> wrote:
>> - the header and body scan in assp.pl is skipped, if
>> ASSP_AFC is active
>> - ASSP_AFC does not scan the MIME header - it only scans MIME parts.
>> - the final filescan scans the complete mail (header and body)
>>
>> So :  'SecuriteInfo.com.Spam-718.UNOFFICIAL' must be a hit in the MIME
>> header.
>>
>> Thomas
>>
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <
>> assp-test@lists.sourceforge.net>
>> Date:        18.07.2018 17:10
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being
>> delivered?
>> ------------------------------
>>
>>
>>
>> I can't find any setting that would prohibit a regular scan from
>> happening for the instances that I've found.  Do you have suggestions of
>> where to look?
>>
>> On Sun, Jul 15, 2018 at 1:38 AM Thomas Eckardt
>> <thomas.ecka...@thockar.com> wrote:
>> >I'm sorry, I don't understand what you mean.  What do you mean "any
>> header part causes this detection?"
>>
>> for example: ASSP_AFC scans each MIME part separately (MIME is decoded
>> here)
>> or : any defined scan exception prevents the regular scan (check your
>> setup)
>>
>> The final scan is done for the complete MIME source, if the regular scan
>> was skipped for any reason. It may happen that an unofficial hit is found
>> for this case - but not in any other case.
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <
>> assp-test@lists.sourceforge.net>
>> Date:        14.07.2018 21:10
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being
>> delivered?
>> ------------------------------
>>
>>
>>
>> I'm sorry, I don't understand what you mean.  What do you mean "any
>> header part causes this detection?"
>>
>> The unofficial securiteinfo clam definitions do a nice job of detecting
>> spam that bayesian might not.  I just don't understand why all of a sudden
>> >some< mail doesn't seem to be scanned during delivery.
>>
>>
>> On Sat, Jul 14, 2018 at 12:55 AM Thomas Eckardt
>> <thomas.ecka...@thockar.com> wrote:
>> >SecuriteInfo.com.Spam-718.UNOFFICIAL
>>
>> For me it looks like any header part causes this detection. The header is
>> not scanned regularly - but the complete mail (the file) is scanned finally.
>>
>> Thomas
>>
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <
>> assp-test@lists.sourceforge.net>
>> Date:        13.07.2018 16:24
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being
>> delivered?
>> ------------------------------
>>
>>
>>
>> Thanks Thomas as always.  Where is that setting though?  I've never seen
>> this happen before, the signatures regularly reject messages >prior< to
>> delivery.  Could anything else be causing the scan to be skipped during the
>> delivery process?
>>
>> On Fri, Jul 13, 2018 at 1:54 AM Thomas Eckardt
>> <thomas.ecka...@thockar.com> wrote:
>> Your settings prevent assp from scanning the mail regularly (while
>> processed). Because this is (may be) wanted, assp scans the stored corpus
>> file to be sure that there is no virus in the file.
>> You can see this - the file is scanned after disconnect.
>>
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <
>> assp-test@lists.sourceforge.net>
>> Date:        12.07.2018 18:18
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being
>> delivered?
>> ------------------------------
>>
>>
>>
>> and sorry, this one was Swedish, but still.
>>
>> On Thu, Jul 12, 2018 at 12:15 PM K Post <nntp.p...@gmail.com> wrote:
>> I can't figure this one out.
>>
>> French language message slips through bayesian and HMM because almost
>> everything is in English here.  BUT, one of the SecureSite unofficial
>> clamav lists catches it.  GREAT.
>>
>> However, for some reason, this message was still delivered to our user.
>> In the log, it goes to OK mail and THEN gets scored by ClamAV.  That's not
>> normal right?
>>
>> What could I be missing on this one?
>>
>> Jul-12-18 06:19:31 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org DKIM-Signature found
>> Jul-12-18 06:19:39 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org checking MX/A for apsis.com , chef.anpdm.com , chef.se
>> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org apsis.com - MX 'aspmx.l.google.com' - got IP (209.85.201.27)
>> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org chef.anpdm.com - MX 'mx10.anpdm.com' - got IP (91.213.250.35)
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org chef.se - MX 'chef-se.mail.protection.outlook.com' - got IP (213.199.154.106)
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: apsis.com (List-Unsubscribe) -> aspmx.l.google.com
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: apsis.com (List-Unsubscribe) -> 209.85.201.27
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: chef.anpdm.com (Mail From:) -> mx10.anpdm.com
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: chef.anpdm.com (Mail From:) -> 91.213.250.35
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: chef.se (Reply-To , From) -> chef-se.mail.protection.outlook.com
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: chef.se (Reply-To , From) -> 213.199.154.106
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org HMM-Check has given less than 6 results - using monitoring mode only
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 - Confidence: 0.00004 => doubtful.spam - answer/query relation: 27% of 54
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 25
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org info: found DKIM signature identity '@anpdm.com'
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org [scoring] DKIM signature verified-OK - pass - identity is: @anpdm.com - sender policy is: neutral - author policy is: neutral
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now 20
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org [Plugin] calling plugin ASSP_AFC
>> Jul-12-18 06:19:41 59810-00211 [MessageOK] x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org message ok [Saknar du din chef p semestern Nominera hen till Chefgalan] -> messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org finished message - received DATA size: 21.73 kByte - sent DATA size: 22.85 kByte
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org disconnected: session:F51B9E10 x.x.208.208 - processing time 13 seconds
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org ClamAV: scanned 22973 bytes in file messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org deleting spamming safelisted tuplet: (x.x.208.0,chef.anpdm.com) age: 11s
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus detected: 'SecuriteInfo.com.Spam-718.UNOFFICIAL', total score for this message is now 70
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>
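
Added example, not part of the original thread and not ASSP code: a Python check that flags sessions where a `[MessageOK]` line is followed by a `ClamAV: ... FOUND` line, the delivered-then-detected sequence shown in the log above. The sample lines are constructed (addresses, subjects, and sessions two and three are made up), and the one-entry-per-line layout is an assumption based on the quoted excerpt.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt in the thread. Session 59815-00077
# (a hit with no prior [MessageOK]) uses an assumed line layout.
SAMPLE_LOG = """\
Jul-12-18 06:19:41 59810-00211 192.0.2.10 <sender@example.test> to: user@example.org [Plugin] calling plugin ASSP_AFC
Jul-12-18 06:19:41 59810-00211 [MessageOK] 192.0.2.10 <sender@example.test> to: user@example.org message ok [Subject A] -> messages/okmail/Subject_A--1.txt
Jul-12-18 06:19:42 59810-00211 192.0.2.10 <sender@example.test> to: user@example.org disconnected: session:F51B9E10 192.0.2.10 - processing time 13 seconds
Jul-12-18 06:19:42 59810-00211 192.0.2.10 <sender@example.test> to: user@example.org ClamAV: scanned 22973 bytes in file messages/okmail/Subject_A--1.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
Jul-12-18 06:25:03 59812-00340 [MessageOK] 192.0.2.11 <news@example.test> to: user@example.org message ok [Subject B] -> messages/okmail/Subject_B--2.txt
Jul-12-18 06:25:04 59812-00340 192.0.2.11 <news@example.test> to: user@example.org disconnected: session:A0000001 192.0.2.11 - processing time 2 seconds
Jul-12-18 06:31:10 59815-00077 192.0.2.12 <other@example.test> to: user@example.org ClamAV: scanned 4096 bytes in file messages/spam/Subject_C--3.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
"""

# timestamp, session id, remainder of the entry
LINE = re.compile(r"^(\w{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FOUND = re.compile(r"ClamAV: scanned \d+ bytes in file (\S+) - FOUND (\S+)")


def post_delivery_hits(log_text):
    """Return ClamAV hits logged after the same session was marked [MessageOK]."""
    delivered = {}  # session id -> time the message was accepted
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line: ignore
        ts = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        sid, rest = m.group(2), m.group(3)
        if rest.startswith("[MessageOK]"):
            delivered.setdefault(sid, ts)
            continue
        hit = FOUND.search(rest)
        # Only a hit that follows [MessageOK] means the mail already went out.
        if hit and sid in delivered:
            hits.append({
                "session": sid,
                "file": hit.group(1),
                "signature": hit.group(2),
                "delay_s": int((ts - delivered[sid]).total_seconds()),
            })
    return hits


if __name__ == "__main__":
    for h in post_delivery_hits(SAMPLE_LOG):
        print("{session} delivered, then {signature} found in {file} "
              "(+{delay_s}s)".format(**h))
```
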