Thanks Thomas!

I'll update both servers and watch it through the weekend.

Peter Hinman
International Bridge / ParcelPool.com

On 5/23/2014 3:08 AM, Thomas Eckardt wrote:
> Peter,
>
> I've released ASSP_AFC.pm 3.07 on SF and SF-CVS.
> It should deal with those files and detect them as bad attachment.
>
> Thomas
>
>
>
>
>
> From:    Peter Hinman <peter.hin...@myib.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    22.05.2014 17:16
> Subject: Re: [Assp-test] Attachments getting through
>
>
>
> Hi Thomas -
>
> I've sent the attachment to your personal email.  It seems like ClamAV
> catches up after a day or two and starts identifying them (correctly) as
> a virus.  If that's the case, please let me know and I can send you a
> fresh one.
>
> Peter Hinman
> International Bridge / ParcelPool.com
>
> On 5/21/2014 11:45 PM, Thomas Eckardt wrote:
>> Peter - please send me such a delivered bad attachment (zip it !!!!).
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:    Peter Hinman <peter.hin...@myib.com>
>> To:      "<assp-test@lists.sourceforge.net>" <assp-test@lists.sourceforge.net>
>> Date:    22.05.2014 04:23
>> Subject: [Assp-test] Attachments getting through
>>
>>
>>
>> Hi Thomas -
>>
>> I've noticed recently that ASSP_AFC seems to be letting some attachments
>> through, but only some of the time.
>>
>> Running ASSP version 2.4.2(14123) on perl 5.16 and 5.18 (two linux
>> servers) with MySQL database and ClamAV.
>>
>> Below are logs from two instances of an email with the same attachment.
>> The first time, AFC lets the email and the attachment through.  When I
>> try to reproduce it, AFC correctly stops it the 2nd time.
>>
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring]
>> spf_result:none
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>> identity:www-d...@rocksolidinternet.com
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com scope:mfrom
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spf_record:
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>> local_exp:rocksolidinternet.com: No applicable sender policy available
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com
>> received_spf:Received-SPF: none (rocksolidinternet.com: No applicable
>> sender policy available) receiver=ASSP2.myib.com; identity=mailfrom;
>> envelope-from="www-d...@rocksolidinternet.com";
>> helo=rems.rocksolidinternet.com.rocksolidinternet.com;
>> client-ip=209.90.66.162
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [scoring] SPF:
>> none ip=209.90.66.162 mailfrom=www-d...@rocksolidinternet.com
>> helo=rems.rocksolidinternet.com.rocksolidinternet.com
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info:
>> SenderBase - query using SenderBase
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
>> englandlogistics.com.inbound10.mxlogicmx.net has no or a private IP -
>> this MX has failed
>> 2014-05-21 16:52:06 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com MX
>> englandlogistics.com.inbound10.mxlogic.net has no or a private IP - this
>> MX has failed
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com HMM Check
>> [scoring] - Prob: 0.00000 => ham
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Bayesian Check
>> [scoring] - Prob: 0.95349 => spam
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com Message-Score:
>> added 50 for Bayesian Probability: 0.95349, total score for this message
>> is now 50
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com PB-IP-Score
>> for '209.90.66.162' is 50, added 50 for Bayesian
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out]
>> [MessageLimit][lowlimit] 209.90.66.162 <www-d...@rocksolidinternet.com>
>> to: us...@parcelpool.com [spam found] and possibly passing because
>> messagescore(50) low [England Logistics electronic invoice for
>> 2014-05-20] ->
>> discarded/England_Logistics_electronic_invoice_for_2014-05-2--390292.eml
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com spam found and
>> passing () [England Logistics electronic invoice for 2014-05-20]
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com [Plugin]
>> calling plugin ASSP_AFC
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
>> scanned 626 bytes in message - OK
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: using
>> user based compressed attachment check
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com ClamAV:
>> scanned 34147 bytes in message - OK
>> 2014-05-21 16:52:07 m2-91126-01125 [Worker_2] [TLS-out] 209.90.66.162
>> <www-d...@rocksolidinternet.com> to: us...@parcelpool.com info: 1
>> attachment found for Level-1
>>
>>
>> 2014-05-22 01:07:16 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> Message-Score: added -0
>> (tlsValencePB) for SSL-TLS-connection-OK, total score for this message
>> is now 0
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> DKIM-Signature found
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> Message-Score: added -25 for 98.139.213 in griplist (0.11), total score
>> for this message is now -25
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> [scoring] DKIM signature verified-OK - header-passed - sender policy is:
>> neutral - author policy is: neutral
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for
>> this message is now -30
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
>> domain yahoo.com has published a DMARC record
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> [scoring] spf_result:pass
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> identity:testacco...@yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> scope:mfrom
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> spf_record:v=spf1 redirect=_spf.mail.yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> local_exp:yahoo.com ... _spf.mail.yahoo.com: 98.139.213.147 is
>> authorized to use 'testacco...@yahoo.com' in 'mfrom' identity (mechanism
>> 'ptr:yahoo.com' matched)
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> received_spf:Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com:
>> 98.139.213.147 is authorized to use 'testacco...@yahoo.com' in 'mfrom'
>> identity (mechanism 'ptr:yahoo.com' matched)) receiver=ASSP2.myib.com;
>> identity=mailfrom; envelope-from="testacco...@yahoo.com";
>> helo=nm10-vm0.bullet.mail.bf1.yahoo.com; client-ip=98.139.213.147
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> Message-Score: added -2 (spfpValencePB) for SPF pass, total score for
>> this message is now -32
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> SenderBase(Cache) -- country:US orgname:YAHOO domain:yahoo.com
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com
>> HMM-Check has given less than 6 results - using monitoring mode only
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com HMM
>> Check [monitoring] - Prob: 0.00000 => ham
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com Bayesian
>> Check [scoring] - Prob: 0.00000 => ham
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [Plugin]
>> calling plugin ASSP_AFC
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com ClamAV:
>> scanned 6 bytes in message - OK
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com info:
>> using user based compressed attachment check
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>> us...@parcelpool.com SPAM FOUND bad attachment 'W5281021.zip' is a
>> 'compressed file 'W5281021.zip' - contains forbidden executable file
>> W21052014.exe - type: Win32 EXE'
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>> us...@parcelpool.com mail blocked by Plugin ASSP_AFC - reason
>> BadAttachment
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> [Attachment] 98.139.213.147 <testacco...@yahoo.com> to:
>> us...@parcelpool.com [spam found] (BadAttachment) [test];
>> 2014-05-22 01:07:17 m2-20836-05275 [Worker_1] [TLS-in] [TLS-out]
>> 98.139.213.147 <testacco...@yahoo.com> to: us...@parcelpool.com [SMTP
>> Error] 550 5.7.1 These attachments are not allowed.
>>
>> My UserAttach setting is:
>>
>> zip:*@*=>block-in=>crypt-zip|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>>
>> If you can see what I'm missing, or if you need me to enable additional
>> logging, please let me know.  I'd like to stop this from coming
>> through.  There are several users that have a bad habit of opening
>> things they shouldn't.
>>
>> Thanks,
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
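
The two log excerpts quoted in this thread end differently: one stops at "1 attachment found for Level-1", the other at "mail blocked by Plugin ASSP_AFC". As an added example (not part of the thread and not ASSP code), this Python script groups log events by message id and lists the messages where AFC saw an attachment but logged no block, so they can be pulled for review. The sample lines are constructed in the layout quoted above with placeholder addresses, IPs and ids, and matching a plural "attachments found" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in this thread. Addresses, IPs,
# message ids and file names are placeholders; one event is mail-wrapped.
SAMPLE_LOG = """\
2014-05-21 16:52:07 m2-00000-00001 [Worker_2] [TLS-out] 192.0.2.10 <sender@example.org> to: user@example.com [Plugin] calling plugin ASSP_AFC
2014-05-21 16:52:07 m2-00000-00001 [Worker_2] [TLS-out] 192.0.2.10 <sender@example.org> to: user@example.com info: using user based compressed attachment check
2014-05-21 16:52:07 m2-00000-00001 [Worker_2] [TLS-out] 192.0.2.10 <sender@example.org> to: user@example.com info: 1
>> attachment found for Level-1
2014-05-22 01:07:17 m2-00000-00002 [Worker_1] [TLS-in] [TLS-out] 198.51.100.7 <tester@example.net> to: user@example.com [Plugin] calling plugin ASSP_AFC
2014-05-22 01:07:17 m2-00000-00002 [Worker_1] [TLS-in] [TLS-out] [Attachment] 198.51.100.7 <tester@example.net> to: user@example.com SPAM FOUND bad attachment 'sample.zip'
2014-05-22 01:07:17 m2-00000-00002 [Worker_1] [TLS-in] [TLS-out] [Attachment] 198.51.100.7 <tester@example.net> to: user@example.com mail blocked by Plugin ASSP_AFC - reason BadAttachment
"""

EVENT = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\S+) (.*)$")

def events(text):
    """Yield (message_id, event_text), rejoining wrapped or '>'-quoted lines."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        m = EVENT.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and line:
            current[1] += " " + line  # continuation of the previous event
    if current:
        yield tuple(current)

def afc_verdicts(text):
    """Per message id: did AFC run, how many attachments, was it blocked."""
    state = defaultdict(lambda: {"afc": False, "attachments": 0, "blocked": False})
    for msg_id, body in events(text):
        s = state[msg_id]
        s["afc"] |= "calling plugin ASSP_AFC" in body
        s["blocked"] |= "blocked by Plugin ASSP_AFC" in body
        found = re.search(r"info: (\d+) attachments? found", body)  # plural is an assumption
        if found:
            s["attachments"] = int(found.group(1))
    return dict(state)

def passed_with_attachment(text):
    """Message ids where AFC saw an attachment but logged no block."""
    return sorted(i for i, s in afc_verdicts(text).items()
                  if s["afc"] and s["attachments"] and not s["blocked"])
```

A message id on this list is a candidate for review, not a confirmed miss: a permitted attachment produces the same log shape.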
