Okay, I clearly don't understand why that would be difficult, so I'll let this
be, but leave you with this parting thought:

ClamAV has unofficial signatures that match known spam, apparently
sometimes only when some header information is included.  It's a shame that
we can't make use of this match when the header is required, especially
since ASSP is smart enough to catch the spam (virus as far as ASSP knows)
AFTER the message has been delivered.   I don't understand why we would
want to do it this way, but there's obviously a reason. What if this were
actually a VIRUS vs just a pesky spam message that wasn't otherwise
caught?  I just figure that if we can catch something and
block/reject/remove, why not do that prior to delivery?

No need to reply unless you have the desire.  Hopeful that you'll give this
some consideration again sometime in the future.

Thanks


On Thu, Jul 19, 2018 at 4:17 PM Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Would it be a big deal to have AFC also scan the header?
>
> Yes
>
> Thomas
>
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:          "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        19.07.2018 20:12
> Subject:     Re: [Assp-test] Spam found using ClamAV still being delivered?
> ------------------------------
>
>
>
> Would it be a big deal to have AFC also scan the header?  It's not like
> message headers are that big.  This might help catch these pesky spam
> messages in foreign languages that bayesian/hmm are useless for.
>
> On Thu, Jul 19, 2018 at 1:49 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> - the header and body scan in assp.pl is skipped, if
> ASSP_AFC is active
> - ASSP_AFC does not scan the MIME header - it only scans MIME parts.
> - the final filescan scans the complete mail (header and body)
>
> So :  'SecuriteInfo.com.Spam-718.UNOFFICIAL' must be a hit in the MIME
> header.
>
> Thomas
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:          "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        18.07.2018 17:10
> Subject:     Re: [Assp-test] Spam found using ClamAV still being delivered?
> ------------------------------
>
>
>
> I can't find any setting that would prohibit a regular scan from happening
> for the instances that I've found.  Do you have suggestions of where to
> look?
>
> On Sun, Jul 15, 2018 at 1:38 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >I'm sorry, I don't understand what you mean.  What do you mean "any
> header part causes this detection?"
>
> for example: ASSP_AFC scans each MIME part separately (MIME is decoded
> here)
> or : any defined scan exception prevents the regular scan (check your
> setup)
>
> The final scan is done for the complete MIME source, if the regular scan
> was skipped for any reason. It may happen that an unofficial hit is found
> for this case - but not in any other case.
>
> Thomas
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:          "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        14.07.2018 21:10
> Subject:     Re: [Assp-test] Spam found using ClamAV still being delivered?
> ------------------------------
>
>
>
> I'm sorry, I don't understand what you mean.  What do you mean "any header
> part causes this detection?"
>
> The unofficial securiteinfo clam definitions do a nice job of detecting
> spam that bayesian might not.  I just don't understand why all of a sudden
> >some< mail doesn't seem to be scanned during delivery.
>
>
> On Sat, Jul 14, 2018 at 12:55 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >SecuriteInfo.com.Spam-718.UNOFFICIAL
>
> For me it looks like any header part causes this detection. The header is
> not scanned regularly - but the complete mail (the file) is scanned finally.
>
> Thomas
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:          "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        13.07.2018 16:24
> Subject:     Re: [Assp-test] Spam found using ClamAV still being delivered?
> ------------------------------
>
>
>
> Thanks Thomas as always.  Where is that setting though?  I've never seen
> this happen before, the signatures regularly reject messages >prior< to
> delivery.  Could anything else be causing the scan to be skipped during the
> delivery process?
>
> On Fri, Jul 13, 2018 at 1:54 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Your settings prevent assp from scanning the mail regularly (while
> processed). Because this is (may be) wanted, assp scans the stored corpus
> file to be sure that there is no virus in the file.
> You can see this - the file is scanned after disconnect.
>
>
> Thomas
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:          "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        12.07.2018 18:18
> Subject:     Re: [Assp-test] Spam found using ClamAV still being delivered?
> ------------------------------
>
>
>
> and sorry, this one was Swedish, but still.
>
> On Thu, Jul 12, 2018 at 12:15 PM K Post <nntp.p...@gmail.com> wrote:
> I can't figure this one out.
>
> French language message slips through bayesian and HMM because almost
> everything is in English here.  BUT, one of the SecureSite unofficial
> clamav lists catches it.  GREAT.
>
> However, for some reason, this message was still delivered to our user.
> In the log, it goes to OK mail and THEN gets scored by ClamAV.  That's not
> normal right?
>
> What could I be missing on this one?
>
> Jul-12-18 06:19:31 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org DKIM-Signature found
> Jul-12-18 06:19:39 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org checking MX/A for apsis.com , chef.anpdm.com , chef.se
> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org apsis.com - MX 'aspmx.l.google.com' - got IP (209.85.201.27)
> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org chef.anpdm.com - MX 'mx10.anpdm.com' - got IP (91.213.250.35)
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org chef.se - MX 'chef-se.mail.protection.outlook.com' - got IP (213.199.154.106)
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: apsis.com (List-Unsubscribe) -> aspmx.l.google.com
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: apsis.com (List-Unsubscribe) -> 209.85.201.27
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: chef.anpdm.com (Mail From:) -> mx10.anpdm.com
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: chef.anpdm.com (Mail From:) -> 91.213.250.35
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org MX found: chef.se (Reply-To , From) -> chef-se.mail.protection.outlook.com
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org A record found for MX: chef.se (Reply-To , From) -> 213.199.154.106
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org HMM-Check has given less than 6 results - using monitoring mode only
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 - Confidence: 0.00004 => doubtful.spam - answer/query relation: 27% of 54
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 25
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org info: found DKIM signature identity '@anpdm.com'
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org [scoring] DKIM signature verified-OK - pass - identity is: @anpdm.com - sender policy is: neutral - author policy is: neutral
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now 20
> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org [Plugin] calling plugin ASSP_AFC
> Jul-12-18 06:19:41 59810-00211 [MessageOK] x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org message ok [Saknar du din chef p semestern Nominera hen till Chefgalan] -> messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org finished message - received DATA size: 21.73 kByte - sent DATA size: 22.85 kByte
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org disconnected: session:F51B9E10 x.x.208.208 - processing time 13 seconds
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org ClamAV: scanned 22973 bytes in file messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org deleting spamming safelisted tuplet: (x.x.208.0,chef.anpdm.com) age: 11s
> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <senderstr...@chef.anpdm.com> to: ouru...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus detected: 'SecuriteInfo.com.Spam-718.UNOFFICIAL', total score for this message is now 70
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
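
A check an ASSP operator could run over the mail log to list messages that were passed as "message ok" and only flagged afterwards by the final file scan, the sequence discussed in this thread. This is an added example, not ASSP code: the log layout is taken from the lines quoted above, the sample addresses, file names and the second session are constructed, and each log entry is assumed to sit on one line.

```python
import re
from datetime import datetime

# Constructed sample in the ASSP log layout quoted in this thread.
# Session 59810-00211 mirrors the thread; 59811-00212 is a made-up
# control whose hit is logged without a preceding "message ok".
SAMPLE_LOG = """\
Jul-12-18 06:19:41 59810-00211 x.x.208.208 <sender@example.test> to: user@example.org [Plugin] calling plugin ASSP_AFC
Jul-12-18 06:19:41 59810-00211 [MessageOK] x.x.208.208 <sender@example.test> to: user@example.org message ok [subject] -> messages/okmail/subject--2657839.txt
Jul-12-18 06:19:42 59810-00211 x.x.208.208 <sender@example.test> to: user@example.org disconnected: session:F51B9E10 x.x.208.208 - processing time 13 seconds
Jul-12-18 06:19:42 59810-00211 x.x.208.208 <sender@example.test> to: user@example.org ClamAV: scanned 22973 bytes in file messages/okmail/subject--2657839.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
Jul-12-18 06:20:05 59811-00212 x.x.10.10 <other@example.test> to: user@example.org ClamAV: scanned 1024 bytes in file messages/spam/x.txt - FOUND Constructed.Test.Signature
"""

ENTRY = re.compile(r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+-\d+) (.*)$")
OK = re.compile(r"message ok .*-> (\S+)\s*$")
HIT = re.compile(r"ClamAV: scanned \d+ bytes in file (\S+) - FOUND (\S+)")


def find_late_hits(log_text):
    """Return ClamAV hits logged after the same session's 'message ok'."""
    sessions, late = {}, []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped or foreign line; rejoin wrapped logs first
        when = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        sid, rest = m.group(2), m.group(3)
        st = sessions.setdefault(
            sid, {"ok": None, "file": None, "afc": False, "closed": False})
        ok, hit = OK.search(rest), HIT.search(rest)
        if "calling plugin ASSP_AFC" in rest:
            st["afc"] = True          # per-part scan handled by the plugin
        elif ok:
            st["ok"], st["file"] = when, ok.group(1)
        elif "disconnected:" in rest:
            st["closed"] = True
        elif hit and st["ok"] and hit.group(1) == st["file"]:
            # Same stored file was accepted first and flagged afterwards.
            late.append({
                "session": sid,
                "file": hit.group(1),
                "signature": hit.group(2),
                "seconds_after_ok": int((when - st["ok"]).total_seconds()),
                "afc_called": st["afc"],
                "after_disconnect": st["closed"],
            })
    return late


if __name__ == "__main__":
    for rec in find_late_hits(SAMPLE_LOG):
        print(rec)
```
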
