We rely heavily on ASSP's resend functionality.  I store the entire email,
which I can't recommend enough!  It's great.  I'm not storing files
separately.

The corpus cleans itself up after we hit the maxFiles limit.  It's a
relatively small installation, about 50 users in total, so 30k messages max
files easily stores all the good and bad emails along with discarded etc.
(each folder is its own max count).  Sure, after a couple days, there's a
good chance that a file will no longer exist, but that's infrequent.


On Fri, Mar 13, 2020 at 11:57 AM Robert K Coffman Jr. -Info From Data Corp.
<bcoff...@infofromdata.com> wrote:

> Thanks Ken.
>
> I think I am not set to store these emails/attachments, because I don't
> think we have the resend function - and I honestly am sure I don't have
> enough space in our installation to store those currently.
>
> I am increasing the storage at colo right now, so I may want to start
> doing that - do you know what I need enabled in ASSP to store the entire
> email and attachments?  Is there an automated cleanup of those files,
> say after some time period?
>
> Thanks!
>
> - Bob
>
> On 3/13/2020 11:05 AM, K Post wrote:
> > Thomas-
> > Having a sandbox that could test/scan and auto release the myriad of
> > PDFs with JavaScript in them would be a big boost to our tiny charity.
> > No more staff requests to let a PDF through!!   Can you provide some
> > more information on what open source packages you've selected to piece
> > together?  The integration into ASSP sounds fantastic!  I think your
> > cloud offering would get some real traction with those who can afford it
> > and have policies that allow external scanning of emails.
> >
> > Bob-
> > I do nightly block reporting reviews and also get requests from users
> > throughout the day (10x a day or more sometimes).  It's a pain, but I've
> > found it necessary to keep ASSP healthy given the variety and sometimes
> > not of our messages.  Releasing is easy through the ASSP GUI: open the
> > mail from the log or the block report, select Resend and Force
> > Attachments.  You used to have to hand edit the header, but Thomas was
> > gracious enough to entertain my suggestion of having a drop down to do
> > it.  That alone saved me a good amount of brain power  :)
> >
> >
> >
> >
> > On Wed, Mar 11, 2020 at 6:58 AM Thomas Eckardt
> > <thomas.ecka...@thockar.com <mailto:thomas.ecka...@thockar.com>> wrote:
> >
> >     You can buy such sandbox systems from different vendors (e.g.
> >     Check Point, Cisco .. and some more -  prices from 30.000 EUR to
> >     500.000 EUR). Or you can build your own sandbox system (like me),
> >     based on heavily customized open source software.
> >
> >     goals:
> >
> >     - 100% built on open source (except prof. virus scanners for
> >     Brain-IRMA)
> >     - is able to run in every cloud or your own cloud (DMZ)
> >     - requires zero customer system maintenance
> >     - easy and functional WEB-interface for the quarantine ( virus /
> >     banned) with ASSP GUI integration (show log, show mail), the sandbox
> >     analyzer, system monitoring
> >     - integration into ASSP (special actions and header mods to prevent
> >     unneeded and expensive sandbox actions)
> >     - variable mail delivery and admin/user notifications
> >     - full VirusTotal integration (full attachment scan)
> >     - preconfigured honeypot analysis Windows VMs are integrated - any
> >     customized builds can be integrated
> >
> >     disadvantage:
> >
> >         - password protected attachments and attachments with an unknown
> >     type are banned to 100% and have to be manually released after a
> >     manual check (like in every sandbox)
> >         - prof. virus scanners for Brain-IRMA and VirusTotal may produce
> >     extra costs
> >
> >     There are currently two of these systems, which have been running
> >     for nearly one year. A small one on VMware ESXi 6.7 and one on
> >     Proxmox VE for ~800 office users.
> >
> >     I plan to offer this as a cloud service within this year.
> >
> >     Thomas
> >
> >
> >
> >     From: "K Post" <nntp.p...@gmail.com <mailto:nntp.p...@gmail.com>>
> >     To: "For Users of ASSP" <assp-user@lists.sourceforge.net
> >     <mailto:assp-user@lists.sourceforge.net>>
> >     Date: 10.03.2020 17:16
> >     Subject: Re: [Assp-user] PDF Scanning
> >
> >     ------------------------------------------------------------------------
> >
> >
> >
> >     This is incredible!  Can you give some detail on what the system is
> >     that does this analysis, scoring, etc. Then once confirmed okay, how
> >     does the user get the attachment that's been cleared?  This would be
> >     a HUGE benefit to my user base. There's tons of PDFs that I'm
> >     releasing on a daily basis.
> >     Thanks
> >
> >     On Tue, Mar 10, 2020 at 10:36 AM Thomas Eckardt
> >     <Thomas.Eckardt@thockar.com <mailto:thomas.ecka...@thockar.com>>
> >     wrote:
> >     Sorry - you wanted to know how we deal with such attachments.
> >
> >     For me, ASSP_AFC marks them for a sandbox system for analysing and
> >     lets them all pass. The sandbox system extracts all attachments to
> >     their atomic parts, lets some Windows VMs open every single part or
> >     attachment and analyses every VM memory for malicious code and
> >     actions.
> >     The sandbox system has ~600 blocking rules and several thousand
> >     scoring rules. If an attachment is classified as bad, the mail is
> >     moved to a quarantine for manual investigation.
> >
> >     Thomas
> >
> >
> >
> >
> >
> >     From: "Robert K Coffman Jr. -Info From Data Corp."
> >     <bcoffman@infofromdata.com <mailto:bcoff...@infofromdata.com>>
> >     To: assp-user@lists.sourceforge.net
> >     <mailto:assp-user@lists.sourceforge.net>
> >     Date: 10.03.2020 12:23
> >     Subject: Re: [Assp-user] PDF Scanning
> >
> >     ------------------------------------------------------------------------
> >
> >
> >
> >     They all have this in common:
> >
> >       'prohibited JavaScript in PDF file' - SHA256:
> >     D6CB05FFD99283A4C5C6BEAF37D0274B985E1D47DD3B12F08B348F42CC1A60CA
> >
> >     However the checksums vary unfortunately.
> >
> >     Thanks!
> >
> >     - Bob
> >
> >     On 3/10/2020 2:29 AM, Thomas Eckardt wrote:
> >     > It would be nice to know, why these PDF's are blocked - the reason is
> >     > shown in the maillog.txt.
> >     >
> >     > Thomas
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > From: "Robert K Coffman Jr. -Info From Data Corp."
> >     > <bcoffman@infofromdata.com <mailto:bcoff...@infofromdata.com>>
> >     > To: assp-user@lists.sourceforge.net
> >     <mailto:assp-user@lists.sourceforge.net>
> >     > Date: 09.03.2020 17:53
> >     > Subject: [Assp-user] PDF Scanning
> >     >
> >     > ------------------------------------------------------------------------
> >     >
> >     >
> >     >
> >     > We are getting a large number of false positives on PDFs received.
> >     >
> >     > What are other people doing with these?
> >     >
> >     > Thanks!
> >     >
> >     > - Bob
> >     >
> >     >
> >     >
> >     > _______________________________________________
> >     > Assp-user mailing list
> >     > Assp-user@lists.sourceforge.net
> >     <mailto:Assp-user@lists.sourceforge.net>
> >     > https://lists.sourceforge.net/lists/listinfo/assp-user
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > DISCLAIMER:
> >     > *******************************************************
> >     > This email and any files transmitted with it may be confidential,
> >     > legally privileged and protected in law and are intended solely for the
> >     > use of the
> >     > individual to whom it is addressed.
> >     > This email was multiple times scanned for viruses. There should be no
> >     > known virus in this email!
> >     > *******************************************************
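An added illustration, not part of the thread and not ASSP's or ASSP_AFC's own check (the thread does not say how that check is implemented): a static triage helper for the block-report review described above. It counts script-related PDF names after decoding `#hh` name escapes and inflating Flate streams, and its constructed samples show why the same 'JavaScript in PDF' finding comes with varying checksums. All function names and sample PDFs are assumptions made for this example.

```python
import hashlib
import re
import zlib
from collections import Counter

# PDF names that point at script or automatic actions.
WATCHED = {b"JS", b"JavaScript", b"OpenAction", b"AA", b"Launch"}
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def _watched_names(buf):
    """Return watched name tokens in buf, with #hh escapes decoded first."""
    names = (HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
             for m in NAME_RE.finditer(buf))
    return [n.decode() for n in names if n in WATCHED]

def pdf_script_indicators(data):
    """Count watched names in the raw bytes and inside Flate streams.

    Returns (counts, skipped); skipped is the number of streams that could
    not be inflated (other filter, encrypted, or not compressed).
    """
    counts, skipped = Counter(_watched_names(data)), 0
    for m in STREAM_RE.finditer(data):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            skipped += 1
            continue
        counts.update(_watched_names(inflated))
    return dict(counts), skipped

# Constructed, simplified samples (not from the thread).
PLAIN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
         b"2 0 obj << /S /JavaScript /JS (1;) >> endobj\n")
ESCAPED = PLAIN.replace(b"/JavaScript", b"/J#61vaScript").replace(b"/JS", b"/J#53")
PACKED = (b"%PDF-1.5\n3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (1;) >>") + b"\nendstream endobj\n")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    for label, pdf in (("plain", PLAIN), ("escaped", ESCAPED), ("packed", PACKED)):
        print(label, sha256_hex(pdf)[:16], pdf_script_indicators(pdf))
```

A non-zero `skipped` value means part of the file was not inspected, so an empty count on such a file is not a clean result.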