Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'

Fri, 18 Mar 2016 20:26:04 -0700 

Even the [MessageOK] detection before the plugin is called is missing! I 
can't reproduce this and I've no clue, how this can be happen - I'm sorry.

If you can reproduce this - set SessionLog to diagnostic and AttachmentLog 
to verbose. Or debug such a mail.

Thomas




Von:    aquilinux <[email protected]>
An:     For Users of ASSP <[email protected]>
Datum:  17.03.2016 13:41
Betreff:        Re: [Assp-user] bad attachment [...] possibly a virus 
infected file (can't extract archive)'



and in this case the message is blocked, but it is not stored anywhere:

Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> info: found message size announcement:
23.25 kByte
Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> [SMTP Reply] 250 2.1.0 Ok
Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 250 2.1.5 Ok
Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 354 End data
with <CR><LF>.<CR><LF>
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] DKIM-Signature found
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] info: found known good
HELO 'smtp.tiscali.it' - weight is -2
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] Message-Score: added -40
for KnownGoodHelo, total score for this message is now -40
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] info: domain tiscali.it
has published a DMARC record
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] strictspf Regex:
strictSPFRe 'tiscali.it'
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] Message-Score: added -15
(pbwValencePB) for In Penalty White Box, total score for this message is
now -55
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] removed
Disposition-Notification headers from mail
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] HMM Check [scoring] -
Prob: 0.00000 => ham - answer/query relation: 22% of 50
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] Bayesian Check [scoring] 
-
Prob: 0.00000 => ham - answer/query relation: 71% of 52
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] [Plugin] calling plugin
ASSP_AFC
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] info: using user based
compressed attachment check
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 213.205.33.246 <[email protected]> to: [email protected] SPAM FOUND
bad attachment 'N 19 convitto barcellona 20 23 marzo.xlsx' is a ' - the
file extension: '.xlsx' does not match the content based detected file 
type
'''
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 213.205.33.246 <[email protected]> to: [email protected] mail blocked
by Plugin ASSP_AFC - reason BadAttachment
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
[Attachment] 213.205.33.246 <[email protected]> to: [email protected] [spam found]
(BadAttachment) [societa sardinia new tavel polizza 33489q 19 2016];
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 250 OK
Mar-17-16 13:20:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out]
213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 221
<myassphost> closing transmission

this message is actually marked as spam but it is LOST....

On Thu, Mar 17, 2016 at 12:41 PM, aquilinux <[email protected]> wrote:

> here's a different case of uncorrect detection:
>
> Mar-17-16 12:33:38 m1-14417-13392 [Worker_3] [TLS-in] [TLS-out]
> [Attachment] 92.246.34.74 <[email protected]> to: [email protected] SPAM FOUND
> bad attachment 'Copia di Lista mezzi Truckcenter.xlsx' is a ' - the file
> extension: '.xlsx' does not match the content based detected file type 
'''
>
>
> On Thu, Mar 17, 2016 at 10:40 AM, aquilinux <[email protected]> wrote:
>
>> Upgraded, thanks.
>> I have now an issue with another legitimate attachment:
>>
>> Mar-17-16 09:37:24 m1-03839-03606 [Worker_4] [TLS-in] [TLS-out]
>> [Attachment] 212.82.97.124 <[email protected]> to: [email protected] SPAM FOUND
>> bad attachment 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' is a 
'compressed
>> file 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' - contains forbidden
>> executable file CITYLIFE - type: possibly a virus infected file (can't
>> read)'
>>
>> the zip file contains a folder (with spaces), containing 6 PDF files
>> (with spaces), all clean.
>> So, i removed the spaces from the zip (in folder and file names) and 
now
>> the mail gets through as expected.
>> I think there is an issue with zip attachment with spaces that prevets
>> AFC from detecting correct file extensions.
>>
>> Regards,
>>
>> On Thu, Mar 17, 2016 at 7:36 AM, Thomas Eckardt <
>> [email protected]> wrote:
>>
>>> To detect .emz files you need to upgrade MIME::Types at least to 
version
>>> 2.13 (CPAN has it).
>>>
>>> Thomas
>>>
>>>
>>>
>>>
>>> Von:    aquilinux <[email protected]>
>>> An:     For Users of ASSP <[email protected]>
>>> Datum:  16.03.2016 10:08
>>> Betreff:        Re: [Assp-user] bad attachment [...] possibly a virus
>>> infected file (can't extract archive)'
>>>
>>>
>>>
>>> thanks Thomas, i upgraded both assp.pl and plugin.
>>> now i'm facing this:
>>>
>>> Mar-16-16 09:56:08 m1-18566-15642 [Worker_5] [TLS-in] [TLS-out]
>>> [Attachment] 92.246.34.74 <[email protected]> to: [email protected] SPAM FOUND bad
>>> attachment 'image001.emz' is a ' - the file extension: '.emz' does not
>>> match the content based detected file type '''
>>>
>>> Mar-16-16 09:56:08 [Worker_5] Warning: possibly a virus infected file
>>> (can't read) '/opt/assp/tmp/zip_5_1458118567/.10/.10' - Not a 
directory
>>>
>>>
>>> regards,
>>> aqx
>>>
>>> On Wed, Mar 16, 2016 at 8:13 AM, Thomas Eckardt
>>> <[email protected]>
>>> wrote:
>>>
>>> > ASSP version 2.4.8(16074) + ASSP_AFC 3.26
>>> >
>>> > both available at SF-CVS
>>> >
>>> > will fix this.
>>> >
>>> > Thomas
>>> > ps: please use the "ASSP List" [email protected] if 
you
>>> use
>>> > a dev version 2.4.8
>>> >
>>> >
>>> >
>>> >
>>> > Von:    aquilinux <[email protected]>
>>> > An:     For Users of ASSP <[email protected]>
>>> > Datum:  15.03.2016 15:00
>>> > Betreff:        [Assp-user] bad attachment [...] possibly a virus
>>> infected
>>> > file    (can't extract archive)'
>>> >
>>> >
>>> >
>>> > Hi all,
>>> > I recently enforced attachment blocking with zip inspection but
>>> legitimate
>>> > attachements are blocked because of this:
>>> >
>>> > Mar-15-16 14:09:55 [Worker_5] Warning: possibly a virus infected 
file
>>> > (can't extract archive)
>>> >
>>> >
>>>
>>> 
'/opt/assp/tmp/zip_5_1458047395/MSC_Implementation_Activities_15.03.2016.xlsx'
>>> >
>>> > Mar-15-16 14:39:15 [Worker_10] Warning: possibly a virus infected 
file
>>> > (can't extract archive)
>>> >
>>> >
>>>
>>> 
'/opt/assp/tmp/zip_10_1458049154/20150922_GAA_Global_Corporate_Commercial_ok.docx'
>>> > -  - Could not chdir back to start dir '': '
>>> >
>>> > Mar-15-16 14:04:22 [Worker_1] Warning: possibly a virus infected 
file
>>> > (can't extract archive)
>>> > '/opt/assp/tmp/zip_1_1458047062/Figures_wo_VolvoTrucks.xlsm' -  - 
Could
>>> > not
>>> > chdir back to start dir '': '
>>> >
>>> > Mar-15-16 14:08:09 [Worker_1] Warning: possibly a virus infected 
file
>>> > (can't extract archive) '/opt/assp/tmp/zip_1_1458047289/errori.zip' 
-
>>> -
>>> > Could not chdir back to start dir '': '
>>> >
>>> > what's happening?
>>> > ASSP version 2.4.8(16060) + ASSP_AFC 3.19
>>> >
>>> > thanks!
>>> >
>>> > --
>>> > "Madness, like small fish, runs in hosts, in vast numbers of
>>> instances."
>>> >
>>> > Nessuno mi pettina bene come il vento.
>>> >
>>> >
>>>
>>> 
------------------------------------------------------------------------------
>>> > Transform Data into Opportunity.
>>> > Accelerate data analysis in your applications with
>>> > Intel Data Analytics Acceleration Library.
>>> > Click to learn more.
>>> > http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> > _______________________________________________
>>> > Assp-user mailing list
>>> > [email protected]
>>> > https://lists.sourceforge.net/lists/listinfo/assp-user
>>> >
>>> >
>>> >
>>> >
>>> > DISCLAIMER:
>>> > *******************************************************
>>> > This email and any files transmitted with it may be confidential,
>>> legally
>>> > privileged and protected in law and are intended solely for the use 
of
>>> the
>>> >
>>> > individual to whom it is addressed.
>>> > This email was multiple times scanned for viruses. There should be 
no
>>> > known virus in this email!
>>> > *******************************************************
>>> >
>>> >
>>> >
>>> >
>>>
>>> 
------------------------------------------------------------------------------
>>> > Transform Data into Opportunity.
>>> > Accelerate data analysis in your applications with
>>> > Intel Data Analytics Acceleration Library.
>>> > Click to learn more.
>>> > http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> > _______________________________________________
>>> > Assp-user mailing list
>>> > [email protected]
>>> > https://lists.sourceforge.net/lists/listinfo/assp-user
>>> >
>>> >
>>>
>>>
>>> --
>>> "Madness, like small fish, runs in hosts, in vast numbers of 
instances."
>>>
>>> Nessuno mi pettina bene come il vento.
>>>
>>> 
------------------------------------------------------------------------------
>>> Transform Data into Opportunity.
>>> Accelerate data analysis in your applications with
>>> Intel Data Analytics Acceleration Library.
>>> Click to learn more.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> _______________________________________________
>>> Assp-user mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>>
>>>
>>>
>>>
>>> DISCLAIMER:
>>> *******************************************************
>>> This email and any files transmitted with it may be confidential, 
legally
>>> privileged and protected in law and are intended solely for the use of
>>> the
>>>
>>> individual to whom it is addressed.
>>> This email was multiple times scanned for viruses. There should be no
>>> known virus in this email!
>>> *******************************************************
>>>
>>>
>>>
>>> 
------------------------------------------------------------------------------
>>> Transform Data into Opportunity.
>>> Accelerate data analysis in your applications with
>>> Intel Data Analytics Acceleration Library.
>>> Click to learn more.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> _______________________________________________
>>> Assp-user mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>>
>>>
>>
>>
>> --
>> "Madness, like small fish, runs in hosts, in vast numbers of 
instances."
>>
>> Nessuno mi pettina bene come il vento.
>>
>
>
>
> --
> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>
> Nessuno mi pettina bene come il vento.
>



-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

Nessuno mi pettina bene come il vento.
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user

Reply via email to