Feature Matching:
. bombRe: 'highest match: "'viagra (10)' , 'the virus (10)'" with valence:
10 - PB value = 20'
. matching bombRe(file:files/bombre.txt[line 20]): 't+he v+irus'
. blackRe: 'highest match: "'viagra (10)'" with valence: 10 - PB value = 10'
. matching blackRe(file:files/blackre.txt[line 13]): '\bViagra\b'
Bayesian Analysis:
Bad Words Bad Prob Good Words Good Prob
philq rcpt                   0.0000
rcpt philq                   0.0000
href qsystemsengineering     0.0000
phil quesinberry             0.0000
systems engineering          0.0000
engineering inc              0.0000
410 969-xxxx                 0.0000
and embedded                 0.0000
inc electronic               0.0000
systems development          0.0000
embedded systems             0.0000
electronic controls          0.0000
development 410              0.0000
969-xxxx href                0.0000
virus ssub                   0.0000
ssub virus                   0.0000
the virus                    0.0014
controls and                 0.0041
asspdomain.com ssub          0.0153
ssub test                    0.0248
test ssub                    0.0253
ssub viagra                  0.9633
Totals: 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000
0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0000 0.0014
0.0041 0.0153 0.0248 0.0248 0.0253 0.0253 0.9633 0.0779 0.0830 0.1751 0.1751
Spam Probability:
probability: 0.0000
----------
Re: [Assp-user] ASSP sending only portion of URL to blacklist
From: Fritz Borgstedt <fb@iw...> - 2011-02-16 19:44
It shows to me that somewhere in the body is a URI "g.com".
What does Analyze show for that mail?
-----Original Message-----
From: Phil Quesinberry [mailto:[email protected]]
Sent: Wednesday, February 16, 2011 1:41 PM
To: '[email protected]'
Subject: Re: [Assp-user] ASSP sending only portion of URL to blacklist
Ok, that seems to confirm that ASSP is pulling 'g.com' out of
qsystemsengineering.com. Interestingly, it never shows
qsystemsengineering.com as being registered for check, only g.com. Later
though, it shows 0 hits on qsystemsengineering.com and a hit on g.com. Log
excerpt follows.
- Phil
Feb-16-11 11:35:07 29787-26248 206.46.xx.xx <[email protected]> added -5
(PBwhite), total score for this message is now -5;
Feb-16-11 11:35:09 29787-26248 206.46.xx.xx <[email protected]> to:
[email protected] added 10 (blackRe: 'viagra'), total score for this
message is now 5;
Feb-16-11 11:35:09 29787-26248 [BombBlack] 206.46.xx.xx
<[email protected]> to: [email protected] [scoring:10] -- blackRe:
'viagra (10)' -- [Returned mail the virus test];
Feb-16-11 11:35:09 29787-26248 [BombRe] 206.46.xx.xx <[email protected]>
to: [email protected] [scoring:10] -- bombRe: 'the virus (10)';
Feb-16-11 11:35:09 29787-26248 206.46.xx.xx <[email protected]> to:
[email protected] added 10 (bombRe: 'the virus'), total score for this
message is now 15;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] info: found URI schemas.microsoft.com;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] info: registered URI microsoft.com for check;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] info: found URI www.w3.org;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] info: registered URI w3.org for check;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] info: found URI g.com;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] info: registered URI g.com for check;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on dbl.spamhaus.org
for URIBL checks on microsoft.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on multi.surbl.org
for URIBL checks on microsoft.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on black.uribl.com
for URIBL checks on microsoft.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on
dob.sibl.support-intelligence.net for URIBL checks on microsoft.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on uribl.swinog.ch
for URIBL checks on microsoft.com;
Feb-16-11 11:35:09 Commencing URIBL checks on 'microsoft.com';
Feb-16-11 11:35:09 Got 5 answers, 0 replies and 0 hits after 0 seconds for
URIBL checks on 'microsoft.com';
Feb-16-11 11:35:09 Completed URIBL checks on 'microsoft.com';
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on dbl.spamhaus.org
for URIBL checks on qsystemsengineering.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on multi.surbl.org
for URIBL checks on qsystemsengineering.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on black.uribl.com
for URIBL checks on qsystemsengineering.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on
dob.sibl.support-intelligence.net for URIBL checks on
qsystemsengineering.com;
Feb-16-11 11:35:09 Sending DNS(TXT)-query to 10.0.0.13 on uribl.swinog.ch
for URIBL checks on qsystemsengineering.com;
Feb-16-11 11:35:09 Commencing URIBL checks on 'qsystemsengineering.com';
Feb-16-11 11:35:10 Got 5 answers, 0 replies and 0 hits after 1 seconds for
URIBL checks on 'qsystemsengineering.com';
Feb-16-11 11:35:10 Completed URIBL checks on 'qsystemsengineering.com';
Feb-16-11 11:35:10 29787-26248 [URIBL] 206.46.xx.xx <[email protected]>
to: [email protected] [scoring:15] -- URIBL neutral:
'g.com'(uribl.swinog.ch<-127.0.0.2);
Feb-16-11 11:35:10 29787-26248 206.46.xx.xx <[email protected]> to:
[email protected] added 15 (URIBL neutral:
'g.com'(uribl.swinog.ch<-127.0.0.2)), total score for this message is now
30;
Feb-16-11 11:35:10 29787-26248 206.46.xx.xx <[email protected]> to:
[email protected] ClamAV: scanned 7468 bytes in message - OK ;
Feb-16-11 11:35:10 29787-26248 [MessageOK] 206.46.xx.xx
<[email protected]> to: [email protected] -- Message OK -- [Returned
mail the virus test] ->
D:/AntiSpam/ASSP/okmail/Returned_mail_the_virus_test__103.eml;
-----Original Message-----
Message: 9
Date: Wed, 16 Feb 2011 16:27:21 +0100
From: "Fritz Borgstedt"
Subject: Re: [Assp-user] ASSP sending only portion of URL to blacklist
To: <[email protected]>
Message-ID:
<assp.002893cb38.fc.000f4555071f7a2e3b9aca00cde0ab3a.71f7...@iworld.de>
Content-Type: text/plain; charset=ISO-8859-1
[email protected] writes:
>[email protected]
Please set URIBLLog to verbose.
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
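
The cross-check made by hand in the log excerpt above (which domains were registered, which were queried, which one scored) can be run over a verbose URIBL log. This is an added example, not part of the original thread or of ASSP; the sample lines are constructed from the excerpt with placeholder addresses, and the regexes assume that line wording.

```python
import re

# Constructed sample modelled on the log excerpt in this thread
# (lines unwrapped, mail addresses replaced with placeholders).
SAMPLE_LOG = """\
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <sender@example.test> to: rcpt@example.test info: found URI schemas.microsoft.com;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <sender@example.test> to: rcpt@example.test info: registered URI microsoft.com for check;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <sender@example.test> to: rcpt@example.test info: found URI g.com;
Feb-16-11 11:35:09 29787-26248 [URIBL] 206.46.xx.xx <sender@example.test> to: rcpt@example.test info: registered URI g.com for check;
Feb-16-11 11:35:09 Commencing URIBL checks on 'microsoft.com';
Feb-16-11 11:35:09 Commencing URIBL checks on 'qsystemsengineering.com';
Feb-16-11 11:35:10 29787-26248 [URIBL] 206.46.xx.xx <sender@example.test> to: rcpt@example.test [scoring:15] -- URIBL neutral: 'g.com'(uribl.swinog.ch<-127.0.0.2);
"""

# Line shapes assumed from the excerpt; adjust if your log wording differs.
PATTERNS = {
    "found": re.compile(r"info: found URI (\S+?);"),
    "registered": re.compile(r"info: registered URI (\S+) for check;"),
    "queried": re.compile(r"Commencing URIBL checks on '([^']+)'"),
    "hit": re.compile(r"URIBL \w+: '([^']+)'\("),
}

def collect(log_text):
    """Return the set of domains seen at each URIBL stage."""
    seen = {kind: set() for kind in PATTERNS}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                seen[kind].add(m.group(1).lower())
    return seen

def audit(log_text):
    """Flag stages that disagree about which domain was checked."""
    s = collect(log_text)
    everything = set().union(*s.values())
    def glued(short):
        # Longer names ending in `short` without a dot boundary (cut mid-label).
        return sorted(d for d in everything if d != short
                      and d.endswith(short) and not d.endswith("." + short))
    return {
        "queried_not_registered": sorted(s["queried"] - s["registered"]),
        "hit_not_queried": sorted(s["hit"] - s["queried"]),
        "mid_label_tail": {d: glued(d) for d in sorted(s["registered"]) if glued(d)},
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A non-empty `mid_label_tail` entry means a registered domain is the tail of a longer name in the same log without a dot boundary, which is the pattern reported in this thread.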