Hi Thomas - I've sent the attachment to your personal email. It seems like ClamAV catches up after a day or two and starts identifying them (correctly) as a virus. If that's the case, please let me know and I can send you a fresh one.
Peter Hinman
International Bridge / ParcelPool.com

On 5/21/2014 11:45 PM, Thomas Eckardt wrote:
> Peter - please send me such a delivered bad attachment (zip it !!!!).
>
> Thomas
>
> From: Peter Hinman <peter.hin...@myib.com>
> To: "<assp-test@lists.sourceforge.net>"
> <assp-test@lists.sourceforge.net>
> Date: 22.05.2014 04:23
> Subject: [Assp-test] Attachments getting through
>
> Hi Thomas -
>
> I've noticed recently that ASSP_AFC seems to be letting some attachments
> through, but only some of the time.
>
> Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
> servers) with MySQL database and ClamAV.
>
> Below are logs from two instances of an email with the same attachment.
> The first time, AFC lets the email and the attachment through. When I
> try to reproduce it, AFC correctly stops it the 2nd time.
>
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
> spf_result:none
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> identity:www-d...@rocksolidinternet.com
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com scope:mfrom
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spf_record:
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> local_exp:rocksolidinternet.com: No applicable sender policy available
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
> received_spf:Received-SPF: none (rocksolidinternet.com: No applicable
> sender policy available) receiver=ASSP2.myib.com; identity=mailfrom;
> envelope-from="www-d...@rocksolidinternet.com";
> helo=rems.rocksolidinternet.com.rocksolidinternet.com;
> client-ip=209.90.66.162
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring] SPF:
> none ip=209.90.66.162 mailfrom=www-d...@rocksolidinternet.com
> helo=rems.rocksolidinternet.com.rocksolidinternet.com
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info:
> SenderBase - query using SenderBase
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
> englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP -
> this MX has failed
> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
> englandlogistics.com.inbound10.mxlogic.net has no or a private IP - this
> MX has failed
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com HMM Check
> [scoring] - Prob: 0.00000 => ham
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Bayesian Check
> [scoring] - Prob: 0.95349 => spam
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Message-Score:
> added 50 for Bayesian Probability: 0.95349, total score for this message
> is now 50
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com PB-IP-Score
> for '209.90.66.162' is 50, added 50 for Bayesian
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out]
> [MessageLimit][lowlimit] 209.90.66.162 <www-d...@rocksolidinternet.com>
> to: us...@parcelpool.com [spam found] and possibly passing because
> messagescore(50) low [England Logistics electronic invoice for
> 2014-05-20] ->
> discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spam found and
> passing () [England Logistics electronic invoice for 2014-05-20]
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin]
> calling plugin ASSP_AFC
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
> scanned 626 bytes in message - OK
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: using
> user based compressed attachment check
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
> scanned 34147 bytes in message - OK
> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1
> attachment found for Level-1
>
>
> 2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> Message-Score: added -0
> (tlsValencePB) for SSL-TLS-connection-OK, total score for this message
> is now 0
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> DKIM-Signature found
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Message-Score: added -25 for 98.139.213 in griplist (0.11), total score
> for this message is now -25
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> [scoring] DKIM signature verified-OK - header-passed - sender policy is:
> neutral - author policy is: neutral
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for
> this message is now -30
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
> domain yahoo.com has published a DMARC record
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> [scoring] spf_result:pass
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> identity:testacco...@yahoo.com
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> scope:mfrom
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> spf_record:v=spf1 redirect=_spf.mail.yahoo.com
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is
> authorized to use 'testacco...@yahoo.com' in 'mfrom' identity (mechanism
> 'ptr:yahoo.com' matched)
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com:
> 98.139.213.147 is authorized to use 'testacco...@yahoo.com' in 'mfrom'
> identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com;
> identity=mailfrom; envelope-from="testacco...@yahoo.com";
> helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> Message-Score: added -2 (spfpValencePB) for SPF pass, total score for
> this message is now -32
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
> HMM-Check has given less than 6 results - using monitoring mode only
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com HMM
> Check [monitoring] - Prob: 0.00000 => ham
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com Bayesian
> Check [scoring] - Prob: 0.00000 => ham
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [Plugin]
> calling plugin ASSP_AFC
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com ClamAV:
> scanned 6 bytes in message - OK
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
> using user based compressed attachment check
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
> us...@parcelpool.com SPAM FOUND bad attachment 'W5281021.zip' is a
> 'compressed file 'W5281021.zip' - contains forbidden executable file
> W21052014.exe - type: Win32 EXE'
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
> us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason
> BadAttachment
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
> us...@parcelpool.com [spam found] (BadAttachment) [test];
> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [SMTP
> Error] 550 5.7.1 These attachments are not allowed.
>
> My UserAttach setting is:
> zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>
> If you can see what I'm missing, or if you need me to enable additional
> logging, please let me know. I'd like to stop this from coming
> through. There are several users that have a bad habit of opening
> things they shouldn't.
>
> Thanks,
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
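
Added example, not part of the original thread and not ASSP code: a log triage script that groups entries by message id and flags mails where ASSP_AFC ran and logged an attachment but never logged a block, which is the difference between the two sessions quoted above. The entry layout is inferred from the quoted lines, and the function names and verdict labels are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: entries re-joined from the wrapped lines quoted in the
# thread (addresses stay elided as posted). A real ASSP log has one entry per line.
SAMPLE_LOG = """\
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin] calling plugin ASSP_AFC
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV: scanned 34147 bytes in message - OK
2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162 <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1 attachment found for Level-1
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [Plugin] calling plugin ASSP_AFC
2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out] [Attachment] 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason BadAttachment
"""

# Assumed layout, inferred from the quoted lines: "<date> <time> <message-id> <rest>"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
FOUND = re.compile(r"(\d+) attachments? found")

def triage(log_text):
    """Group entries by message id and classify what ASSP_AFC did with each mail."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:  # skip blank or continuation lines
            sessions[m.group(2)].append(m.group(3))
    report = {}
    for msg_id, events in sessions.items():
        afc_ran = any("calling plugin ASSP_AFC" in e for e in events)
        blocked = any("mail blocked by Plugin ASSP_AFC" in e for e in events)
        found = sum(int(n) for e in events for n in FOUND.findall(e))
        if not afc_ran:
            report[msg_id] = "afc-not-run"
        elif blocked:
            report[msg_id] = "blocked"
        elif found:
            report[msg_id] = "attachment-passed"  # candidate for manual review
        else:
            report[msg_id] = "no-attachment"
    return report

def needs_review(log_text):
    """Message ids where ASSP_AFC ran, saw an attachment and logged no block."""
    return sorted(i for i, v in triage(log_text).items() if v == "attachment-passed")

if __name__ == "__main__":
    for msg_id, verdict in triage(SAMPLE_LOG).items():
        print(msg_id, verdict)
```

Run against the unwrapped ASSP log file rather than the mail-wrapped copy, since wrapped continuation lines do not start with a timestamp and are skipped.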