host and sender authentications: host ' ( 2.111.174.26 )' authenticated to 'host-212-171-45-199.retail.telecomitalia.it' using 'ESMTPA'
sender and reply addresses: From: upsbillingcen...@ups.com
recipient addresses: To: m_sa...@epiinc.com
Subject: Your UPS Invoice is Ready

Feature Matching:
• [ http://10.0.21.10:55555/#DoNoFrom | DoNoFrom ] : OK - mode is scoring
• [ http://10.0.21.10:55555/#strictSPFRe | Strict SPF RE ] : '@ups.com'
• matching strictSPFRe( file:files/strictspf.txt[line 21] ): '@ups.com'
• SPF-check returned FAILED for 212.171.45.199 -> upsbillingcen...@ups.com , host-212-171-45-199.retail.telecomitalia.it
• Received-SPF: fail (ups.com: Sender is not authorized by default to use 'upsbillingcen...@ups.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=assp.epiinc.inet; identity=mailfrom; envelope-from="upsbillingcen...@ups.com"; helo=host-212-171-45-199.retail.telecomitalia.it; client-ip=212.171.45.199 (strict)
• DMARC-check returned OK - results: dmarc: fail , spf: fail , dkim: neutral
• [ http://10.0.21.10:55555/#ValidateURIBL | URIBL check ] : 'OK'
• [ http://10.0.21.10:55555/#DoValidFormatHelo | Valid Format of HELO ] : 'host-212-171-45-199.retail.telecomitalia.it'
• Invalid Format of HELO : 'highest match: "212-171-45" with valence: 5 - PB value = 5'
• matching invalidFormatHeloRe( file:files/invalidhelo.txt[line 4] ): '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
• [ http://10.0.21.10:55555/#DoIPinHelo | IP in Helo check ] : 'failed'
• IP in Helo result: 'Suspicious HELO - contains IP: 'host-212-171-45-199.retail.telecomitalia.it''
• AUTH would be disabled
• RBLCheck returned FAILED for 212.171.45.199 : DNSBL: failed, 212.171.45.199 listed in bl.spamcop.net zen.spamhaus.org - message score: 100
• RBLScore: bl.spamcop.net -> 127.0.0.2 -> 50
• RBLScore: zen.spamhaus.org -> 127.0.0.4 -> 50
• domain ups.com (in Mail From: , From) has a valid MX record : mxb-002b8001.gslb.pphosted.com
• domainMX mxb-002b8001.gslb.pphosted.com has a valid A record : 148.163.151.9
• 212.171.45.199 PTR record via DNS : status=PTR NOTOK - host-212-171-45-199.retail.telecomitalia.it
• 212.171.45.199 SenderBase : status=not classified, data=[CN=IT, ORG=TELECOM ITALIA, DOM=interbusiness.it, BLS=, HNM=Y, CIDR=16, HN=host-212-171-45-199.pool212171]

Feature Matching Log:
Oct-29-20 14:34:41 [Main_Thread] Info: analyze detected: IP: '212.171.45.199' , HELO: 'host-212-171-45-199.retail.telecomitalia.it' , assp-Host: 'assp.epiinc.inet'
Oct-29-20 14:34:42 [Main_Thread] Info: LDAP added @epiinc.com to LDAPlist
Oct-29-20 14:34:42 [Main_Thread] Info: 'strictSPFRe' regular expression '@ups.com' match in line 21 of 'files/strictspf.txt' with '@ups.com'
Oct-29-20 14:34:42 [Main_Thread] Info: domain ups.com has published a DMARC record
Oct-29-20 14:34:42 [Main_Thread] Strictspf Regex: strictSPFRe '@ups.com'
Oct-29-20 14:34:43 [Main_Thread] DMARC: this mail breakes the relax SPF rules defined in the DMARC record for domain ups.com - check result='fail'
Oct-29-20 14:34:43 [Main_Thread] [scoring] DMARC failed SPF:fail DKIM:neutral
Oct-29-20 14:34:43 [Main_Thread] Info: analyzing MIME header in incoming email for virus
Oct-29-20 14:34:43 [Main_Thread] Info: analyzing attachments in incoming email
Oct-29-20 14:34:43 [Main_Thread] Info: weighted regex (invalidFormatHeloRe) result found for '212-171-45' - with '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}' - weight is 0.5
Oct-29-20 14:34:43 [Main_Thread] Info: 'invalidFormatHeloRe' regular expression '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}' match in line 4 of 'files/invalidhelo.txt' with '212-171-45'
Oct-29-20 14:34:43 [Main_Thread] [scoring] (Suspicious HELO - contains IP: 'host-212-171-45-199.retail.telecomitalia.it')

----- Original Message -----
From: "James Moe via Assp-test" <assp-test@lists.sourceforge.net>
To: assp-test@lists.sourceforge.net
Cc: "James Moe" <ji...@sohnen-moe.com>
Sent: Thursday, October 29, 2020 3:28:18 PM
Subject: Re: [Assp-test] Forged UPS messages that made it through ASSP

On 10/29/20 10:17 AM, t...@epiinc.com wrote:
> I have attached 1 of 1000+ emails that seems to bypass ASSP and I'm not
> sure why.
> What does the Mail Analyzer have to say about the message?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
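The following is an added Python example, not part of this thread and not ASSP's own code, showing how the checks reported in the Mail Analyzer output above fit together: DMARC identifier alignment over the SPF and DKIM results (why "spf: fail" plus "dkim: neutral" must yield "dmarc: fail" regardless of the record), the invalidFormatHeloRe pattern quoted from files/invalidhelo.txt, the IP-in-HELO check, and the RBL score sum. The SAMPLE record is constructed from the values in the analyzer output; the organizational-domain lookup is a deliberate simplification (last two labels instead of the Public Suffix List), and the function names and the 'r'/'s' alignment-mode arguments are my own assumptions rather than ASSP settings.

```python
import re

# Constructed sample built from the Mail Analyzer output quoted above.
SAMPLE = {
    "client_ip": "212.171.45.199",
    "helo": "host-212-171-45-199.retail.telecomitalia.it",
    "mailfrom_domain": "ups.com",   # envelope-from (RFC5321.MailFrom) domain
    "from_domain": "ups.com",       # header From (RFC5322.From) domain
    "spf": "fail",                  # '-all' matched for 212.171.45.199
    "dkim": "neutral",              # no passing signature
    "dkim_domain": None,            # so there is no d= identifier to align
    "rbl_hits": {"bl.spamcop.net": 50, "zen.spamhaus.org": 50},
}

# The regex ASSP matched in files/invalidhelo.txt line 4 (quoted verbatim above).
INVALID_HELO_RE = re.compile(r"\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}")


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(msg, aspf="r", adkim="r"):
    """DMARC passes only if an *aligned* identifier actually passed SPF or DKIM.

    A neutral/none DKIM result never rescues a failing SPF, and a passing SPF
    on an unaligned MailFrom domain does not count either.
    """
    spf_ok = msg["spf"] == "pass" and aligned(msg["from_domain"], msg["mailfrom_domain"], aspf)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["from_domain"], msg["dkim_domain"], adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def helo_contains_ip(helo, client_ip):
    """True if the connecting IP's four octets appear, in order, in the HELO name."""
    octets = client_ip.split(".")
    tokens = re.findall(r"\d{1,3}", helo)
    n = len(octets)
    return any(tokens[i:i + n] == octets for i in range(len(tokens) - n + 1))


def analyze(msg):
    """Run the offline checks and return the findings a scoring filter would weigh."""
    return {
        "dmarc": dmarc_result(msg),
        "invalid_helo_format": bool(INVALID_HELO_RE.search(msg["helo"])),
        "ip_in_helo": helo_contains_ip(msg["helo"], msg["client_ip"]),
        "rbl_score": sum(msg["rbl_hits"].values()),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name}: {value}")
```

Running it on the constructed sample reproduces the analyzer's verdicts: DMARC fails, the HELO matches the dynamic-looking pattern, the client IP is embedded in the HELO, and the two DNSBL listings sum to 100. Everything that needs the network (the PTR lookup, the live SPF and DMARC records, the DNSBL queries) is represented here only by the results already shown in the thread.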