Finally I got another one of these random files sneaking through attachment blocking... and quite helpful in displaying my point... 3 near simultaneous connections from the same sender and IP, to the same user.
- Attachment logging is on verbose.
- The sender's address is whitelisted.
- The sending server is not a secondary mx, and is in no other whitelists or noprocessing lists.

Now, notice the two near simultaneous connections from the same server at 14:22:00-04. One was a wmv, 2 separate messages, the other was a joke. The joke got through, the wmv was blocked.

Then at 14:22:15 there is another message containing a wmv, which gets through, and is trapped in a second filter I have. This is also a wmv file, but not the same file as the previous blocked one.

Then at 14:25:xx there is a retry on the message containing the first wmv that was rejected, and it is blocked. I'll mention here that I have seen retries on this file for many hours before, and up until now. All have been rejected.

I'm really confused as to why some of these get through, and some don't...

Log clip begins
---------------------------------
Dec-4-08 14:22:00 Connected: 12.105.xxx.xx:3858 -> 192.168.x.x:port -> 192.168.x.x:port
Dec-4-08 14:22:00 LDAP - found [EMAIL PROTECTED] in LDAP-cache (ldaplistdb)
Dec-4-08 14:22:03 Connected: 12.105.xxx.xx:3858 -> 192.168.x.x:port -> 192.168.x.x:port
Dec-4-08 14:22:00 18520-06222 12.105.xxx.xx <[EMAIL PROTECTED]> message proxied without antispam-processing - message size (4116907) is above 500000 (npSize).
Dec-4-08 14:22:04 Connected: 12.105.xxx.xx:3868 -> 192.168.x.x:port -> 192.168.x.x:port
Dec-4-08 14:22:04 18520-06222 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] info: attachment 'HowManyBeersBeforeYouLetYourFriendDoThis.wmv' found for Level-1
Dec-4-08 14:22:04 18520-06222 [Attachment] 12.105.xxx.xx <[EMAIL PROTECTED]> to:[EMAIL PROTECTED] [spam found] (bad attachment 'HowManyBeersBeforeYouLetYourFriendDoThis.wmv')
Dec-4-08 14:22:04 18520-06222 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] [SMTP Error] 554 5.7.1 File type refused.
Dec-4-08 14:22:04 Disconnected: 12.105.xxx.xx
Dec-4-08 14:22:04 LDAP - found [EMAIL PROTECTED] in LDAP-cache (ldaplistdb)
Dec-4-08 14:22:05 18524-04951 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] ClamAV: scanned 15712 bytes in whitelisted message - OK
Dec-4-08 14:22:05 18524-04951 [Whitelisted] 12.105.xxx.xx <[EMAIL PROTECTED]> to:[EMAIL PROTECTED] whitelisted (no bad attachments) -> C:\assp-110/notspam/4951.eml
Dec-4-08 14:22:06 18526-05487 12.105.xxx.xx <[EMAIL PROTECTED]> message proxied without antispam-processing - message size (5707465) is above 500000 (npSize).
Dec-4-08 14:22:12 LDAP - found [EMAIL PROTECTED] in LDAP-cache (ldaplistdb)
Dec-4-08 14:22:15 18526-05487 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] ClamAV: scanned 100000 bytes in noprocessing message - OK
Dec-4-08 14:22:15 18526-05487 [NoProcessing] 12.105.xxx.xx <[EMAIL PROTECTED]> to:[EMAIL PROTECTED] message proxied without processing (no bad attachments)
Dec-4-08 14:25:17 Disconnected: 12.105.xxx.xx
Dec-4-08 14:25:21 Connected: 12.105.xxx.xx:3978 -> 192.168.x.x:port -> 192.168.x.x:port
Dec-4-08 14:25:22 18722-14294 12.105.xxx.xx <[EMAIL PROTECTED]> message proxied without antispam-processing - message size (4116907) is above 500000 (npSize).
Dec-4-08 14:25:26 18722-14294 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] info: attachment 'HowManyBeersBeforeYouLetYourFriendDoThis.wmv' found for Level-1
Dec-4-08 14:25:26 18722-14294 [Attachment] 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] [spam found] (bad attachment 'HowManyBeersBeforeYouLetYourFriendDoThis.wmv')
Dec-4-08 14:25:26 18722-14294 12.105.xxx.xx <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] [SMTP Error] 554 5.7.1 File type refused.
Dec-4-08 14:25:26 Disconnected: 12.105.xxx.xx
----------------------
Log clip ends

-----Original Message-----
From: Donald Brooks [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2008 10:16 AM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] Random problem with attachment blocking

I'm glad with all the other discussion my original thread was remembered. I set attachment logging to verbose on Friday, hoping that I would catch something over the weekend, but have not seen anything come through yet. When it does, I'll post an update.

Thanks all.

-----Original Message-----
From: Fritz Borgstedt [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2008 7:06 AM
To: [email protected]
Subject: Re: [Assp-user] Random problem with attachment blocking

Please set logging level of attachment logging to verbose.

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
