Running under Devuan ascii.
I have a user who is getting falsified fedex.com email. The ASSP
analyzer is throwing red flags everywhere.
The user is a SPAMLOVER, but has filter rules that move anything tagged
as spam to the junk folder; however, this version of ASSP is not
tagging it as spam and is moving the email to the notspam folder.
Any suggestions on what I have incorrectly set?
Thanks!
Doug
Analyzer logs below:
*General Hints:*
analyze is restricted to a maximum length of 6438 bytes
attachments will be fully scanned for viruses
text processing uses unicode normalization
regular expression matches and results are truncated to 32 (RegExLength)
<https://smtp.drdos.info:55555/#RegExLength> characters
ASSP-ID: assp.drdos.info m1-46908-00904
ASSP-Session: 56447D709E38 (mail 1)
removed all local X-ASSP- header lines for analysis
Connecting IP: '80.20.79.130'
Connecting HELO: host-80-20-79-130.business.telecomitalia.it
*host and sender authentications:*
host ' (68.125.64.65)' authenticated to
'host-80-20-79-130.business.telecomitalia.it' using 'ESMTPA'
*sender and reply addresses:*
MAIL FROM: hardeners...@pvma00009.prod.fedex.com
From: dion.ke...@fedex.com
*recipient addresses:*
RCPT TO: hiddenaddr...@drdos.info
To: hiddenaddr...@drdos.info
*using enhanced Originated IP detection for all except the most origin
IP addresses*
•detected IP's on the mail routing way:
68.125.64.65(adsl-68-125-64-65.dsl.pltn13.pacbell.net)
•detected source IP: 68.125.64.65
*Subject: *awb 754738349582
*Feature Matching:*
*• Whitelisted Domains*: '@fedex.com'
*• DoNoFrom <https://smtp.drdos.info:55555/#DoNoFrom>*: OK - mode is scoring
*• 80.20.79.130 is in SPFCache*: status=none with
helo=host-80-20-79-130.business.telecomitalia.it
*• SPF-check returned OK* for 80.20.79.130 ->
hardeners...@pvma00009.prod.fedex.com,
host-80-20-79-130.business.telecomitalia.it
• SPF: none (cache) ip=80.20.79.130
mailfrom=hardeners...@pvma00009.prod.fedex.com
helo=host-80-20-79-130.business.telecomitalia.it
*• DMARC-check returned OK - results:* dmarc: pass , spf: pass , dkim:
neutral
*• URIBL check <https://smtp.drdos.info:55555/#ValidateURIBL>*: 'OK'
*• † • virus detected: 'Sanesecurity.Badmacro.Xls.spcshell3.UNOFFICIAL'*
*• Valid Format of HELO
<https://smtp.drdos.info:55555/#DoValidFormatHelo>*:
'host-80-20-79-130.business.telecomitalia.it'
*• Invalid Format of HELO*: 'highest match: "80-20-79" with valence: 5 -
PB value = 5'
• matching invalidFormatHeloRe(file:files/invalidhelo.txt[line 4]):
'\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
*• IP in Helo check <https://smtp.drdos.info:55555/#DoIPinHelo>*: 'failed'
• IP in Helo result: 'Suspicious HELO - contains IP:
'host-80-20-79-130.business.telecomitalia.it''
*• AUTH would be disabled*
*• RBLCheck returned OK for 68.125.64.65*: DNSBL: neutral, 68.125.64.65
listed in l2.apews.org - message score: 17
• RBLScore: l2.apews.org -> 127.0.0.2 -> 17
*• RBLCheck returned FAILED for 80.20.79.130*: DNSBL: failed,
80.20.79.130 listed in dnsbl-1.uceprotect.net zen.spamhaus.org - message
score: 75
• RBLScore: zen.spamhaus.org -> 127.0.0.4 -> 50
• RBLScore: dnsbl-1.uceprotect.net -> 127.0.0.2 -> 25
*• domain pvma00009.prod.fedex.com (in Mail From:) has no valid MX record*
*• domainMX has a valid A record*: 204.135.242.200
*• domain fedex.com (in From) has a valid MX record*: mapper.gslb.fedex.com
*• domainMX mapper.gslb.fedex.com has a valid A record*: 204.135.242.198
*• 80.20.79.130 is in PTRCache*: status=PTR NOTOK -
host-80-20-79-130.business.telecomitalia.it
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
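An added triage helper, not part of Doug's post or of ASSP itself: it parses the analyzer lines pasted above (copied as a constructed string, with the `*` bold markers the mail client added), pulls out the signals that decide tagging (whitelist hit, SPF/DMARC results, virus hit, invalid-HELO pattern, DNSBL points, missing MX) and lists what each one means. The names `Triage`, `parse_analyzer` and `assess` are mine, and the statement that a whitelist match on the header From domain lets the mail bypass scoring is an assumption about ASSP's whitelist semantics, not something the analyzer output says.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the scoring-relevant lines from the analyzer output in the
# post, as the mail client rendered them (addresses were already elided there).
ANALYZER_LOG = r"""
Connecting IP: '80.20.79.130'
Connecting HELO: host-80-20-79-130.business.telecomitalia.it
MAIL FROM: hardeners...@pvma00009.prod.fedex.com
From: dion.ke...@fedex.com
*• Whitelisted Domains*: '@fedex.com'
• SPF: none (cache) ip=80.20.79.130
*• DMARC-check returned OK - results:* dmarc: pass , spf: pass , dkim: neutral
*• † • virus detected: 'Sanesecurity.Badmacro.Xls.spcshell3.UNOFFICIAL'*
• matching invalidFormatHeloRe(file:files/invalidhelo.txt[line 4]): '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
• RBLScore: l2.apews.org -> 127.0.0.2 -> 17
• RBLScore: zen.spamhaus.org -> 127.0.0.4 -> 50
• RBLScore: dnsbl-1.uceprotect.net -> 127.0.0.2 -> 25
*• domain pvma00009.prod.fedex.com (in Mail From:) has no valid MX record*
"""


@dataclass
class Triage:
    """Facts extracted from one analyzer run (hypothetical container)."""
    connecting_ip: str = ""
    helo: str = ""
    mail_from: str = ""
    header_from: str = ""
    whitelisted: list = field(default_factory=list)
    virus: str = ""
    spf: str = ""
    dmarc: str = ""
    helo_patterns: list = field(default_factory=list)
    rbl_scores: dict = field(default_factory=dict)
    no_mx_domains: list = field(default_factory=list)


def parse_analyzer(log: str) -> Triage:
    """Pull the scoring-relevant facts out of ASSP analyzer text."""
    t = Triage()
    for raw in log.splitlines():
        # drop the '*' bold markers and the leading bullet the mail client added
        line = raw.replace("*", "").strip().lstrip("• ").strip()
        if m := re.match(r"Connecting IP: '([^']+)'", line):
            t.connecting_ip = m.group(1)
        elif m := re.match(r"Connecting HELO: (\S+)", line):
            t.helo = m.group(1)
        elif m := re.match(r"MAIL FROM: (\S+)", line):
            t.mail_from = m.group(1)
        elif m := re.match(r"From: (\S+)", line):
            t.header_from = m.group(1)
        elif m := re.match(r"Whitelisted Domains: '([^']+)'", line):
            t.whitelisted.append(m.group(1))
        elif m := re.match(r"SPF: (\w+)", line):
            t.spf = m.group(1)
        elif m := re.search(r"dmarc: (\w+)", line):
            t.dmarc = m.group(1)
        elif m := re.search(r"virus detected: '([^']+)'", line):
            t.virus = m.group(1)
        elif m := re.match(r"matching invalidFormatHeloRe\(.*\): '([^']+)'", line):
            t.helo_patterns.append(m.group(1))
        elif m := re.match(r"RBLScore: (\S+) -> \S+ -> (\d+)", line):
            t.rbl_scores[m.group(1)] = int(m.group(2))
        elif m := re.match(r"domain (\S+) \(in Mail From:\) has no valid MX record", line):
            t.no_mx_domains.append(m.group(1))
    return t


def assess(t: Triage) -> dict:
    """Summarise the signals and say what each one means for tagging."""
    findings = []
    from_domain = t.header_from.rsplit("@", 1)[-1]
    # Assumption about ASSP: a whitelist entry such as '@fedex.com' matching the
    # header From domain exempts the mail from spam scoring.
    whitelist_hit = any(w.lstrip("@") == from_domain for w in t.whitelisted)
    if whitelist_hit:
        findings.append(f"From domain {from_domain} is whitelisted; whitelist hits bypass scoring")
        if t.spf != "pass":
            findings.append(f"whitelisted domain was not authenticated by SPF (result: {t.spf})")
    if t.spf and t.dmarc == "pass" and t.spf != "pass":
        findings.append(f"DMARC reports pass while the SPF check reports {t.spf}; the checks disagree")
    if t.virus:
        findings.append(f"virus scanner hit: {t.virus}")
    # re-run the invalidhelo.txt pattern the analyzer reported against the HELO
    helo_hits = [p for p in t.helo_patterns if re.search(p, t.helo)]
    if helo_hits:
        findings.append(f"HELO {t.helo!r} matches invalidhelo pattern {helo_hits[0]!r}")
    total = sum(t.rbl_scores.values())
    if total:
        findings.append(f"DNSBL penalty points: {total} from {sorted(t.rbl_scores)}")
    for d in t.no_mx_domains:
        findings.append(f"envelope sender domain {d} has no MX record")
    return {"rbl_total": total, "whitelist_hit": whitelist_hit,
            "helo_hits": helo_hits, "findings": findings}


if __name__ == "__main__":
    for line in assess(parse_analyzer(ANALYZER_LOG))["findings"]:
        print("-", line)
```

Run it on any pasted analyzer block; the point it makes for this mail is that every negative signal (virus hit, 92 DNSBL points, bad HELO, no MX on the envelope domain) sits next to a whitelist match on a From domain that the connecting host never authenticated, which is where to look first.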