Hi Thomas,

You are absolutely right. I have read over this Information. Without any entry I have no "Edit file" at the end of the Line (User based Good and Bad Attachments* (UserAttach)) and also in the Explanation of "Analyzing Compressed Attachments" there is no "User-Attach-File" Button. So I never thought about the file Option this time....

Thank you so much for this big hint: file:files/userattach.txt

Now it's working so I want to use it.

Martin

-----Original Message-----
From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
Sent: Thursday, 11 February 2016 06:30
To: ASSP development mailing list
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

So .... ???? what should I say?

RTMF

GUI - UserAttach.. ... To define entries you have to use the 'file:...' option ....

Like in dozens of other config parameters, where it is possible (you can use) to use the 'file:...' option - here you 'HAVE TO' use it.

example: file:files/userattach.txt

http://www.dict.cc/englisch-deutsch/You+have+to.html

btw. UserAttach and the ASSP_AFC are used together at one of the largest courthouses in Germany, to prevent (successfully) zero day viruses in mails. There is still one 'loophole' in the detection code - DOS .com executables are very hard to detect by their structure. So a .com file renamed to bill.pdf and zipped - may pass the assp logic. But I'm working on this.

Thomas

From: Martin Voßloh <martin.voss...@mhp.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 10.02.2016 23:19
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

Hi,

Invalid 'UserAttach' - unchanged.

This is what I get back if I try to apply this for UserAttach:

zip:user@domain=>block-in=>doc\.js

or

u...@domain.tld => good => ai|asc|bhx|dat|doc|eps|gif|htm|html|ics|jpg|jpeg|hqx|od[tsp]|pdf|ppt|rar
ai|asc|bhx|dat|doc|eps|gif|htm|html|ics|jpg|jpeg|hqx||rpt|rtf|snp|txt|xl
ai|asc|bhx|dat|doc|eps|gif|htm|html|ics|jpg|jpeg|hqx|s|zip

or

*@domain.tld => good => ai|asc|bhx , good-out => eps|gif , good-in => htm|html , block => pdf|ppt , block-out => rar|rpt , block-in => xls|exe\-bin

ASSP_AFC.pm 3.20 Version

...any idea?

Regards
Martin

-----Original Message-----
From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
Sent: Wednesday, 10 February 2016 08:26
To: ASSP development mailing list
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

I've published an updated version of ASSP_AFC.pm (3.20 and 4.12) at CVS. There are no functional changes, only the GUI description is changed. Hope this explains the ZIP handling better.

Thomas

From: Martin Voßloh <martin.voss...@mhp.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 10.02.2016 02:48
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

I don't understand what the ASSP_AFCblockEncrypedZIP part could do for me...

This time I only want to block files I configured in Attachment Blocking and to do the same in compressed files. In my tests the attached allowed zip file contains the unwanted .js attachment. And this is not blocked. Encrypted is nothing.

In ASSP_AFCblockEncrypedZIP: "If set, encrypted or password protected compressed attachments will be blocked or replaced ..."

I don't use Encrypted or password protected Attachments. The ASSP_AFC Plugin, so I understand, gives me the possibility to scan internal a compressed Attachment for "Attachment Blocking" definitions.

For: zip:user@domain=>block-in=>doc\.js
This is for a User based rule and I want it for all.

Regards
Martin

________________________________________
From: Thomas Eckardt [thomas.ecka...@thockar.com]
Sent: Tuesday, 9 February 2016 18:17
To: ASSP development mailing list
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

simply configure what you want assp to do

zip:user@domain=>block-in=>doc\.js

read the Plugin doc again - ASSP_AFCblockEncrypedZIP

I want to know, what is unclear in the description and the provided examples.

Thomas

From: Martin Voßloh <martin.voss...@mhp.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 09.02.2016 16:56
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

Hi,

I understand that the AFC_Plugin could find attachments in a file like "zip". AFC will open by a max decompression level of 10 and find out files from "attachment blocking". If there is some of these files found, the mail will be blocked by ASSP. Actually attachments are blocked by "Attachment blocking" if the block-file is not in a zip file.

Now I have tested these function by my site, because I have received a zip file without encryption/password which has a ".doc.js" script inside I don't want.

Martin

-----Original Message-----
From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
Sent: Tuesday, 9 February 2016 16:30
To: ASSP development mailing list
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

What did you not understand, if you read the GUI for the Plugin, ClamAV, attachment blocking?

Thomas

From: Martin Voßloh <martin.voss...@mhp.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 09.02.2016 15:24
Subject: Re: [Assp-test] fixes in assp 2.4.8 build 16036

Hello,

I use the assp 2.4.8 build 16036 with ClamAV and AFC Plugin. If I send me a testmail from anonymous account with an attachment name.zip without password and with a file called name2.doc.js it will not be blocked by the plugin.

Bad Attachment is enabled with the default endings except .js

How could I check this plugin for missing dependencies?

Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de orbit.eternalimpact.info - no MX record found - (NOERROR)
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] [MissingMX] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de [[scoring]] MX missing: beck.fr (From)
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de Message-Score: added 10 (mxValencePB) for MX missing: beck.fr (From), total score for this message is now 10
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] [MissingMXA] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de [[scoring]] A record missing: beck.fr (From)
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de deleting spamming safelisted tuplet: (37.48.122.0,orbit.eternalimpact.info) age: 0s
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de Message-Score: added 15 (mxaValencePB) for A record missing: beck.fr (From), total score for this message is now 25
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] [MissingMX] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de [[scoring]] MX missing: orbit.eternalimpact.info (Mail From:)
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de Bayesian Check - Prob: 0.00000 => ham - answer/query relation: 23% of 26
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de [Plugin] calling plugin ASSP_AFC
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de info: 1 attachment found for Level-1
Feb-09-16 14:38:18 m1-25098-12141 [Worker_8] [TLS-in] [TLS-out] [MessageOK] 37.48.122.29 <anon...@orbit.eternalimpact.info> to: mvoss...@mhp.de message ok [Michi testet 25]

Regards
Martin

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
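
Added example (not part of the original thread and not ASSP_AFC's own code): a Python sketch of the check discussed above, walking an unencrypted ZIP up to the "max decompression level of 10" mentioned in the thread and reporting inner file names that match a blocked extension. The pattern, the size cap and the function names scan_zip and make_zip are assumptions; nested archives are recognised by content rather than by name, so a ZIP renamed to .pdf is still opened.

```python
import io
import re
import zipfile

BLOCKED = re.compile(r"\.js$", re.IGNORECASE)  # assumed policy; matches name2.doc.js
MAX_DEPTH = 10  # the thread mentions a maximum decompression level of 10
MAX_BYTES = 10 * 1024 * 1024  # assumed cap on the declared size of one member


def scan_zip(data, depth=1, path=""):
    """Return a list of (member path, reason) findings for a ZIP held in bytes."""
    if depth > MAX_DEPTH:
        return [(path or "<attachment>", "nesting deeper than MAX_DEPTH")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path or "<attachment>", "unreadable archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: encrypted
                findings.append((member, "encrypted member, content not inspectable"))
                continue
            if BLOCKED.search(info.filename):
                findings.append((member, "blocked extension"))
            if info.file_size > MAX_BYTES:
                findings.append((member, "too large to unpack"))
                continue
            body = archive.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):  # detect by content, not by name
                findings.extend(scan_zip(body, depth + 1, member))
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a placeholder script in a ZIP, and that ZIP renamed and nested.
inner = make_zip({"name2.doc.js": b"// placeholder"})
outer = make_zip({"readme.txt": b"hello", "invoice.pdf": inner})

if __name__ == "__main__":
    print(scan_zip(inner) + scan_zip(outer))
```

A name-only check like this does not cover the case Thomas describes, an executable renamed to bill.pdf; that needs inspection of each member's content.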