host and sender authentications: 
host ' ( 2.111.174.26 )' authenticated to 
'host-212-171-45-199.retail.telecomitalia.it' using 'ESMTPA' 

sender and reply addresses: 
From: upsbillingcen...@ups.com 

recipient addresses: 
To: m_sa...@epiinc.com 

Subject: Your UPS Invoice is Ready 
Feature Matching: 

• [ http://10.0.21.10:55555/#DoNoFrom | DoNoFrom ] : OK - mode is scoring 
• [ http://10.0.21.10:55555/#strictSPFRe | Strict SPF RE ] : '@ups.com' 
• matching strictSPFRe( file:files/strictspf.txt[line 21] ): '@ups.com' 
• SPF-check returned FAILED for 212.171.45.199 -> upsbillingcen...@ups.com , 
host-212-171-45-199.retail.telecomitalia.it 
• Received-SPF: fail (ups.com: Sender is not authorized by default to use 
'upsbillingcen...@ups.com' in 'mfrom' identity (mechanism '-all' matched)) 
receiver=assp.epiinc.inet; identity=mailfrom; envelope-from=" 
upsbillingcen...@ups.com "; helo=host-212-171-45-199.retail.telecomitalia.it; 
client-ip= 212.171.45.199 (strict) 
• DMARC-check returned OK - results: dmarc: fail , spf: fail , dkim: neutral 
• [ http://10.0.21.10:55555/#ValidateURIBL | URIBL check ] : 'OK' 
• [ http://10.0.21.10:55555/#DoValidFormatHelo | Valid Format of HELO ] : 
'host-212-171-45-199.retail.telecomitalia.it' 
• Invalid Format of HELO : 'highest match: "212-171-45" with valence: 5 - PB 
value = 5' 
• matching invalidFormatHeloRe( file:files/invalidhelo.txt[line 4] ): 
'\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}' 
• [ http://10.0.21.10:55555/#DoIPinHelo | IP in Helo check ] : 'failed' 
• IP in Helo result: 'Suspicious HELO - contains IP: 
'host-212-171-45-199.retail.telecomitalia.it'' 
• AUTH would be disabled 
• RBLCheck returned FAILED for 212.171.45.199 : DNSBL: failed, 212.171.45.199 
listed in bl.spamcop.net zen.spamhaus.org - message score: 100 
• RBLScore: bl.spamcop.net -> 127.0.0.2 -> 50 
• RBLScore: zen.spamhaus.org -> 127.0.0.4 -> 50 
• domain ups.com (in Mail From: , From) has a valid MX record : 
mxb-002b8001.gslb.pphosted.com 
• domainMX mxb-002b8001.gslb.pphosted.com has a valid A record : 148.163.151.9 
• 212.171.45.199 PTR record via DNS : status=PTR NOTOK - 
host-212-171-45-199.retail.telecomitalia.it 
• 212.171.45.199 SenderBase : status=not classified, data=[CN=IT, ORG=TELECOM 
ITALIA, DOM=interbusiness.it, BLS=, HNM=Y, CIDR=16, 
HN=host-212-171-45-199.pool212171] 

Feature Matching Log: 

Oct-29-20 14:34:41 [Main_Thread] Info: analyze detected: IP: ' 212.171.45.199 ' 
, HELO: 'host-212-171-45-199.retail.telecomitalia.it' , assp-Host: 
'assp.epiinc.inet' 
Oct-29-20 14:34:42 [Main_Thread] Info: LDAP added @epiinc.com to LDAPlist 
Oct-29-20 14:34:42 [Main_Thread] Info: 'strictSPFRe' regular expression 
'@ups.com' match in line 21 of 'files/strictspf.txt' with '@ups.com' 
Oct-29-20 14:34:42 [Main_Thread] Info: domain ups.com has published a DMARC 
record 
Oct-29-20 14:34:42 [Main_Thread] Strictspf Regex: strictSPFRe '@ups.com' 
Oct-29-20 14:34:43 [Main_Thread] DMARC: this mail breakes the relax SPF rules 
defined in the DMARC record for domain ups.com - check result='fail' 
Oct-29-20 14:34:43 [Main_Thread] [scoring] DMARC failed SPF:fail DKIM:neutral 
Oct-29-20 14:34:43 [Main_Thread] Info: analyzing MIME header in incoming email 
for virus 
Oct-29-20 14:34:43 [Main_Thread] Info: analyzing attachments in incoming email 
Oct-29-20 14:34:43 [Main_Thread] Info: weighted regex (invalidFormatHeloRe) 
result found for '212-171-45' - with '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}' - weight 
is 0.5 
Oct-29-20 14:34:43 [Main_Thread] Info: 'invalidFormatHeloRe' regular expression 
'\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}' match in line 4 of 'files/invalidhelo.txt' 
with '212-171-45' 
Oct-29-20 14:34:43 [Main_Thread] [scoring] (Suspicious HELO - contains IP: 
'host-212-171-45-199.retail.telecomitalia.it')

----- Original Message -----
From: "James Moe via Assp-test" <assp-test@lists.sourceforge.net>
To: assp-test@lists.sourceforge.net
Cc: "James Moe" <ji...@sohnen-moe.com>
Sent: Thursday, October 29, 2020 3:28:18 PM
Subject: Re: [Assp-test] Forged UPS messages that made it through ASSP

On 10/29/20 10:17 AM, t...@epiinc.com wrote: 

> I have attached 1 of 1000+ emails that seems to bypass ASSP and I'm not 
> sure why. 
> 
What does the Mail Analyzer have to say about the message? 

-- 
James Moe 
moe dot james at sohnen-moe dot com 
520.743.3936 
Think. 


_______________________________________________ 
Assp-test mailing list 
Assp-test@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/assp-test

